
Session Tracking and Security Checking

 
Ranch Hand
Posts: 1309
I am unable to pass a "session" from one page to the next page. For example, I am working on a "personal" project. A customer enters his/her ID number and password, and my SERVLET program "ServletProgramFileName.java" manages to find the customer from the database, create a session for the customer, and register the customer with the session generated:
    BookCustomer customer = BookCustomer.findCustomer(customerID, dataBase);
(This step is successfully done, and I create a session:)
    HttpSession session = request.getSession(true);
    session.putValue("Customer", customer);
(The customer object has a key name which is Customer.)

Then, in accordance with the customer's request for viewing IT books, the request is forwarded to a JavaServer Page "ITBooksPage.jsp" by the following statement:
    if (request.getParameter("itbooks") != null) {
        gotoPage("/books/ITBooksPage.jsp", request, response);
    }

    // Forwards the current request (same request, same session) to the given page.
    private void gotoPage(String address,
            HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        RequestDispatcher dispatcher =
                getServletContext().getRequestDispatcher(address);
        dispatcher.forward(request, response);
    }
This step is also successfully completed.
However, when I tried to test whether the customer came to ITBooksPage.jsp by first entering an ID number and obtaining a session, my program tells me that a customer who came to the website by the correct route (entered the correct ID number and password, and requested to view the ITBooksPage) violates the security check.
I use the following statement to perform the security check:
    if (Customer == null) { ...... ; }
I wonder whether the problem is caused by:
A. It is not the correct way to check security; or
B. the session is not passed from ServletProgramFileName.java to ITBooksPage.jsp
I believe that all the experts at the JavaRanch with e-commerce experience can easily point out my mistakes. Please.
 
author
Posts: 3252
Are they living in the same web-app (servlet context)?
- Peter
 
JiaPei Jen
Ranch Hand
Posts: 1309
I am trying to answer your question although I do not quite understand the question.
This is an exercise that simulates an e-commerce environment. The design of this bookstore project is:
A customer must first fill out a form that asks for user ID and password. The customer is also provided options to view lists of books in different categories. The customer selects a certain category and clicks on the submit button to submit the form. (done successfully)
Behind the scenes, my servlet program gets the user ID and password, and tries to find the customer in the database. If the servlet program finds the customer in the database, a session is created for this customer, and the customer gets registered with the session. The customer is then "directed" to the specific category of books (the customer has selected). And the list of books that appears in the browser window is a JSP program (ITBooksPage.jsp). (done successfully)
In the very JSP program, I then added security checking statement to make sure everybody comes to visit ITBooksPage.jsp through the correct route (entered user ID and password), "not" just by typing http://... /../ITBooksPage.jsp
But, after I inserted the security checking one single statement in ITBooksPage.jsp:

if (Customer == null) { ...... ; }
the program can "not" recognize customers coming to visit the site through the correct route (with user ID and password entered and submitted). These customers are treated like they jump directly by typing http://..../.../ITBooksPage.jsp.
It proves one thing: the session created and the customer registered in the servlet are not passed to ITBooksPage.jsp
Did I explain my problem clearly? Or have I missed something? Please let me know.
 
JiaPei Jen
Ranch Hand
Posts: 1309
Thank you for your attention. To be more specific about my problem, let me show my code again:
In the Servlet program (which performs behind the scene), the session is created and customer is registered with the session like this:
    HttpSession session = request.getSession(true);
    session.putValue("customer", customer);
In the JSP program, security checking is like this:
    <% session.getValue("customer");
       if (customer == null) {
           response.sendRedirect("Register.jsp");
       } else { %>
    HTML statements to display lots of things.
    <% } %>
The error log says: Cannot resolve symbol, probably due to error occurred in:
if (customer == null) { response.sendRedirect("Register.jsp"); }
Would you kindly tell me what I did wrong? Thank you.
 
Ranch Hand
Posts: 124

Originally posted by JiaPei Jen:

In the JSP program, security checking is like this:
    <% session.getValue("customer");
       if (customer == null) {
           response.sendRedirect("Register.jsp");
       } else { %>
    HTML statements to display lots of things.
    <% } %>


Where do you declare your "customer" variable that you are checking in the if clause?
It should be something like this:
    <%
       BookCustomer customer = null;
       customer = (BookCustomer) session.getValue("customer");
       if (customer == null) {
           response.sendRedirect("Register.jsp");
       } else { %>
    HTML statements to display lots of things.
    <% } %>
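
The per-page scriptlet check discussed in this thread can also be done once in a servlet filter, so a page under /books/ cannot be left unprotected because the scriptlet was forgotten or mistyped. This is an added example, not code from the thread: the class name CustomerSessionFilter, the /books/* mapping, Register.jsp living at the context root, and the use of javax.servlet with getAttribute (the non-deprecated replacement for getValue) are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example (hypothetical class). Assumed web.xml mapping: /books/*
public class CustomerSessionFilter implements Filter {

    // Must match the key the login servlet stores; session keys are case-sensitive,
    // so "Customer" and "customer" are two different attributes.
    static final String CUSTOMER_KEY = "customer";

    public void init(FilterConfig config) { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false) returns null instead of creating a new session,
        // so an anonymous visitor is never handed a fresh session by the check itself.
        HttpSession session = request.getSession(false);
        Object customer = (session == null) ? null : session.getAttribute(CUSTOMER_KEY);

        if (customer == null) {
            // Assumption: Register.jsp sits at the context root, outside /books/*,
            // otherwise this redirect would be filtered again and loop.
            response.sendRedirect(response.encodeRedirectURL(
                    request.getContextPath() + "/Register.jsp"));
            return; // do not continue down the chain to the protected page
        }

        // Keep protected pages out of browser and proxy caches.
        response.setHeader("Cache-Control", "no-store");
        chain.doFilter(request, response);
    }

    public void destroy() { }
}
```

With the default REQUEST dispatcher type the filter runs on URLs a browser requests directly, which is the case the check in this thread is meant to catch.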
 
JiaPei Jen
Ranch Hand
Posts: 1309
Thanks a lot, Mr. Dhillon. Things are working now. Thank you for showing me the right code. I was stupid.
 