
Looking for a simple, secure session design with servlets and JSP

I'm working on an intranet-only web application (J2EE) that requires some basic security features. There will be relatively few authorized users for the site, but I still need to implement some sort of secure session.

The basic flow I'm looking at is visit site => log in => use site => log out when done (or automatically log out when the browser is closed). Nothing fancy at all, not even a "remember me" option when logging in. Most of the work for authentication is already done - the site is accessible only over https, and I have a database which stores usernames and (encrypted) passwords.

So, once the user has logged in, what's the simplest (ideally no cookies beyond whatever JBoss/JSPs would do behind the scenes) way to implement a secure session? I.E. prevent users from just directly requesting pages beyond the login screen, etc.

Is it just a matter of checking the session for some "isUserAuthenticated"-like value, checking that the session exists (e.g. request.getSession(false)) for all incoming requests in my servlet? What about preventing users from getting JSP files and forcing them to use a servlet for all requests? Any other considerations (and their solutions)?


Sounds like you can use a simple declarative security approach.

Take a look at the Java EE Tutorial section on Securing Web Applications, particularly the declarative security section.

To address your specific questions:

What's the simplest ... way to implement a secure session? I.E. prevent users from just directly requesting pages beyond the login screen, etc.

Declare your URLs in the webapp descriptor (web.xml) with an appropriate security role. They'll be inaccessible to unauthorized users (and an attempt to access them will bring forth a login page).

Is it just a matter of checking the session for some "isUserAuthenticated"-like value, checking that the session exists (e.g. request.getSession(false)) for all incoming requests in my servlet?

All that will be completely unnecessary; servlet container will do it for you behind the scenes.

What about preventing users from getting JSP files and forcing them to use a servlet for all requests?

As long as JSPs never need to be accessed publicly (e.g. you're forwarding to them from within your servlet; you're never redirecting to a JSP) you can declare their URLs in a collection with security role that is never actually assigned to a user.

