The Project Billboard application uses application-controlled authentication and access control to ensure that only registered users can use the application. As discussed in Chapter 12, your first choice should be to use container-controlled authentication and access control, but let’s assume that, in this case, there are valid reasons for going at it on our own.

Not all requests require a user to be logged in. For instance, if the login form and authentication request are protected, you’re faced with a Catch 22; it’s impossible to log in because you have to be logged in to load the login form. It’s also reasonable to accept a log-out request from a user who isn’t logged in; the session that contains the authentication information may have timed out before the user tries to log out.

You can use the URI path to distinguish between requests that need access control and those that don’t. In this application, all requests that need access control include the /protected path element, as shown in Table 18-1.