Check if a User Is Logged-in With Servlets and JSP – 用Servlets和JSP检查用户是否已登录

最后修改: 2022年 2月 25日

1. Overview


In this tutorial, we’ll learn how to check a user’s login and ensure that the user has filled the login form with valid credentials and started a session. However, we’ll do this without using Spring Security and using only JSPs and servlets. Consequently, we’ll need a servlet container that can support it, like Tomcat 9.

在本教程中,我们将学习如何检查用户的登录,并确保用户已经用有效的凭证填写了登录表单并开始了会话。但是,我们将在不使用Spring Security的情况下完成这项工作,并且只使用JSP和servlets因此,我们将需要一个能够支持它的Servlet容器,比如Tomcat 9。

By the end, we’ll have a good understanding of how things work under the hood.


2. Persistence Strategy


Firstly, we need users. To keep it simple, we’ll use a preloaded map. Let’s define it along with our User:


public class User {
    static HashMap<String, User> DB = new HashMap<>();
    static {
        DB.put("user", new User("user", "pass"));
        // ...

    private String name;
    private String password;

    // getters and setters

3. Filtering Requests


We’ll start by creating a filter to check sessionless requests, blocking direct access to our servlets:


public class UserCheckFilter implements Filter {
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) {
        // ...
        request.setAttribute("origin", request.getRequestURI());

        if (!request.getRequestURI().contains("login") && request.getSession(false) == null) {
            forward(request, response, "/login.jsp");

        chain.doFilter(request, response);

Here, by defining “/*” as our URL pattern on the @WebFilter, all requests will pass through our filter first. Then, if there’s no session yet, we redirect the request to our login page, storing the origin for later use. Finally, we return early, preventing our servlet from processing without a proper session.


4. Creating a Login Form With JSP


To build our login form, we’ll need to import the core Taglib from JSTL. Also, let’s set our session attribute to “false” in our page directive. As a result, a new session is not created automatically, and we can have full control:


<%@ page session="false"%>
<%@ taglib uri="" prefix="c"%>

<form action="login" method="POST">

Then, inside our form, we’ll have a hidden input to save the origin:


<input type="hidden" name="origin" value="${origin}">

Next, we’ll include a conditional element to output errors:


<c:if test="${not empty error}">
    * error: ${error} 

Finally, let’s add some input tags so the user can enter and submit the credentials:


<input type="text" name="name">
<input type="password" name="password"> 
<input type="submit">

5. Setting up Our Login Servlet


In our servlet, we’ll forward the request to our login form if it’s a GET. And most importantly, we validate the login if it’s a POST:


public class UserCheckLoginServlet extends HttpServlet {
    // ...

So, in our doGet() method, we’ll just redirect to our login JSP, passing the origin forward:


protected void doGet(HttpServletRequest request, HttpServletResponse response) {
    String referer = (String) request.getAttribute("origin");
    request.setAttribute("origin", referer);
    forward(request, response, "/login.jsp");

In our doPost(), we validate credentials and create a session, passing the User object forward and redirecting to origin:


protected void doPost(HttpServletRequest request, HttpServletResponse response) {
    String key = request.getParameter("name");
    String pass = request.getParameter("password");

    User user = User.DB.get(key);
    if (!user.getPassword().equals(pass)) {
        request.setAttribute("error", "invalid login");
        forward(request, response, "/login.jsp");
    HttpSession session = request.getSession();
    session.setAttribute("user", user);


In case of invalid credentials, we set a message in our error variable. Otherwise, we update the session with our User object.


6. Checking Login Info


Finally, let’s create our home page. It just shows session information and has a logout link:


    current session info: ${}

    <a href="logout">logout</a>

All that our home servlet does is forward the User to the home page:


public class UserCheckServlet extends HttpServlet {

    protected void doGet(HttpServletRequest request, HttpServletResponse response) {
        User user = (User) session.getAttribute("user");
        request.setAttribute("user", user);

        forward(request, response, "/home.jsp");

And this is how it looks:


login success

7. Logging Out


To log out, we simply invalidate the current session and redirect home. After that, our UserCheckFilter will detect a sessionless request and redirect us back to the login page, restarting the process:


public class UserCheckLogoutServlet extends HttpServlet {

    protected void doGet(HttpServletRequest request, HttpServletResponse response) {


8. Conclusion


In this article, we went through the creation of a full login cycle. We saw how we now have full control over access to our servlets, using a single filter. In short, with this approach, we can always be sure that there’s a valid session where we need one. Similarly, we could expand that mechanism to implement finer access control.


And as always, the source code is available over on GitHub.