
I'm using JSP, Java, JSTL, and Servlets to implement a basic store manager Web app.

I'm attempting to implement the PRG (POST-Redirect-GET) pattern on top of the MVC (Model-View-Controller) pattern.

I'm not sure if PRG is going to work for what I want.

I want a user to be able to log in, visit several logged-in-only pages, log out, and then, when he refreshes or goes back (or forward), he is only taken to the login page.

The problem arises when a logged-in user goes to a logged-in-only page. response.sendRedirect(urlInStringForm) kills all of the request parameters. Sure, you can store stuff in HTTP session, but if you have one PageController servlet, then that servlet will surely be looking for said session data... and the user ends up on the same page if he clicks back or forward (assuming forward goes to some other resource which is redirected to the PageController). I'd like to keep the 1-PageController approach if possible.

Seems like a lose-lose situation. Any workarounds?

Jacob Barnard

1 Answer


Thanks to the commenter, BalusC, I think I've figured it out. This is a super-basic approach:

  • Use JSPs for the views.
  • Use Java Servlets as controllers (yes, multiple controllers) and ALWAYS use response.sendRedirect(<url string>); followed by a return;.
    • When the user needs to submit something for processing, use POST. Never POST to another view. Always post to a servlet (a controller).
    • If the user just needs to jump to another view without processing, use GET.
  • Use HttpSession or cookies to store temporary communication data. You can even place Java objects inside HttpSession attributes.
  • Use Java Beans for the model; use JSTL to access their goodness inside of JSPs.
  • Use one dedicated Java class or a module of dedicated Java classes (beans perhaps) to interact with any databases you might be incorporating.
  • Use the link provided by BalusC below to find out what you need to do to prevent caching in certain browsers. That way you can eliminate those pesky instances where clicking the browser's back button might reveal logged-in-only information after logging out.
  • Use HTTPS as needed.

"Head First Servlets and JSP" is a good read for novices. "Murach's Java Servlets and JSP, 2nd Edition" seems to be good, too.

Jacob Barnard
  • The `Cache-Control` header is not correctly set (the second set is overriding the first set) and it's incomplete and won't work for Firefox and others (for a complete set, check http://stackoverflow.com/questions/49547/making-sure-a-web-page-is-not-cached-across-all-browsers/2068407#2068407). The `IllegalStateException` is certainly not caused by caching issues. It's just caused by a flow logic fault in your code (for a common cause, see http://stackoverflow.com/questions/2123514/java-lang-illegalstateexception-cannot-forward-after-response-has-been-committed/2125045#2125045). – BalusC Apr 28 '11 at 17:31