Prentice Hall and Sun Microsystems. Personal use only; do not redistribute.
4.5 Restricting Access to Web Pages
tations. So, if you use this decoder class, make sure that you explicitly
include the class file when you distribute your application.
Listing 4.3 presents a password-protected servlet. It is explicitly registered with the Web server under the name SecretServlet. The process for registering servlets varies from server to server, but Section 2.7 (An Example Using Initialization Parameters) gives details on the process for Tomcat, the JSWDK and the Java Web Server. The reason the servlet is registered is so that initialization parameters can be associated with it, since most servers don't let you set initialization parameters for servlets that are available merely by virtue of being in the servlets (or equivalent) directory. The initialization parameter gives the location of a Java Properties file that stores user names and passwords. If the security of the page was very important, you'd want to encrypt the passwords so that access to the Properties file would not equate to knowledge of the passwords.
In addition to reading the incoming Authorization header, the servlet specifies a status code of 401 and sets the outgoing WWW-Authenticate header. Status codes are discussed in detail in Chapter 6 (Generating the Server Response: HTTP Status Codes), but for now, just note that they convey high-level information to the browser and generally need to be set whenever the response is something other than the document requested. The most common way to set status codes is through the use of the setStatus method of HttpServletResponse, and you typically supply a constant instead of an explicit integer in order to make your code clearer and to prevent typographic errors.
WWW-Authenticate and other HTTP response headers are discussed in Chapter 7 (Generating the Server Response: HTTP Response Headers), but for now note that they convey auxiliary information to support the response specified by the status code, and they are commonly set through use of the setHeader method of HttpServletResponse.
Figures 4-4, 4-5, and 4-6 show the result when a user first tries to access the page, after the user enters an unknown password, and after the user enters a known password. Listing 4.4 gives the program that built the simple password file.
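The following is an added example, not code from the book: one way to keep the Properties file from revealing passwords, using a salted one-way PBKDF2 hash in place of the encryption the text mentions, and checking a Basic Authorization header value against it. The class name HashedPasswordFile, the entry format, the iteration count and the sample account are assumptions made for this sketch, and it assumes Java 8 or later for java.util.Base64 and PBKDF2WithHmacSHA256.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Properties;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class HashedPasswordFile {
  private static final int ITERATIONS = 210_000, KEY_BITS = 256;  // example work factor
  // PBKDF2-HMAC-SHA256 over the password with a per-user random salt.
  static byte[] derive(char[] password, byte[] salt, int iterations) throws Exception {
    PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
    return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
  }

  // Entry format (constructed for this example): iterations:base64(salt):base64(hash)
  static void addUser(Properties file, String user, String password) throws Exception {
    byte[] salt = new byte[16];
    new SecureRandom().nextBytes(salt);
    Base64.Encoder b64 = Base64.getEncoder();
    file.setProperty(user, ITERATIONS + ":" + b64.encodeToString(salt) + ":"
        + b64.encodeToString(derive(password.toCharArray(), salt, ITERATIONS)));
  }

  // Takes the raw Authorization header value; true only for a known user and password.
  static boolean isAuthorized(Properties file, String authorization) throws Exception {
    if (authorization == null || !authorization.regionMatches(true, 0, "Basic ", 0, 6)) return false;
    String userInfo;
    try {
      userInfo = new String(Base64.getDecoder().decode(authorization.substring(6).trim()), StandardCharsets.UTF_8);
    } catch (IllegalArgumentException e) { return false; }  // malformed base64
    int colon = userInfo.indexOf(':');
    if (colon < 0 || colon == userInfo.length() - 1) return false;  // no password supplied
    String entry = file.getProperty(userInfo.substring(0, colon));
    String[] parts = entry == null ? new String[0] : entry.split(":");
    if (parts.length != 3) return false;  // unknown user or damaged entry
    byte[] expected = Base64.getDecoder().decode(parts[2]);
    byte[] actual = derive(userInfo.substring(colon + 1).toCharArray(), Base64.getDecoder().decode(parts[1]), Integer.parseInt(parts[0]));
    return MessageDigest.isEqual(expected, actual);  // constant-time comparison
  }
  public static void main(String[] args) throws Exception {
    Properties file = new Properties();
    addUser(file, "alice", "constructed-sample-pw");  // constructed sample account
    String good = "Basic " + Base64.getEncoder().encodeToString("alice:constructed-sample-pw".getBytes(StandardCharsets.UTF_8));
    String bad = "Basic " + Base64.getEncoder().encodeToString("alice:wrong".getBytes(StandardCharsets.UTF_8));
    System.out.println(isAuthorized(file, good) + " " + isAuthorized(file, bad));
  }
}
```

A servlet would call isAuthorized with request.getHeader("Authorization") and, on false, send the 401 status and WWW-Authenticate header as described above.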
Second edition of this book: www.coreservlets.com; Sequel: www.moreservlets.com.
Servlet and JSP training courses by book's author: courses.coreservlets.com.