Forum:

Servlets

after login with wrong credentials, again login with correct credentials aslo giving login failed

Greenhorn

Posts: 12

posted 11 years ago

Number of slices to send:

Optional 'thank-you' note:

Send

Hi,
can any one could help me!!!

I am developing a login web project using servlets, filters and am using sesseions for login and logout.
my problem is when enter correct username and poss word works fine, but when user enters wrong credentials giving login failed , next if he enters correct credentials also giving Login failed.
if clears the Browser history again login with correct credentilas worksfine.

Thanks

Prasad Krishnegowda

Ranch Hand

Posts: 672

I like...

posted 11 years ago

Number of slices to send:

Optional 'thank-you' note:

Send

When login is successful, you create a new session or get an existing session? If you get an existing session, on login failure what are you setting in session, is this variable cleared on successful login?

P:S:You describe the problem and don't show us the code, so how do you expect us to help?
Please post the relevant codes, so that you get useful answers...

kumar shiva

Greenhorn

Posts: 12

posted 11 years ago

Number of slices to send:

Optional 'thank-you' note:

Send

Prasad Krishnegowda wrote:When login is successful, you create a new session or get an existing session? If you get an existing session, on login failure what are you setting in session, is this variable cleared on successful login?

Hi Prasad,

this is my code.
AuthenticationFilter.java

import java.io.IOException; import javax.servlet.Filter; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; import javax.servlet.ServletContext; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpSession public class AuthenticationFilter implements Filter { FilterConfig mfilterConfig; public void init(FilterConfig filterConfig) throws ServletException { mfilterConfig = filterConfig; } public void doFilter(ServletRequest request, ServletResponse response,FilterChain chain) { //System.out.println("Authentication: Request received ..."); try { HttpSession session = ((HttpServletRequest) request).getSession(); //boolean sessionExist = false; boolean authorized = false; if (request instanceof HttpServletRequest) { if (session != null) { //sessionExist = true; String token = (String) session.getAttribute("userToken"); //System.out.println("Authentication: in session ..."); String uri = ((HttpServletRequest) request).getRequestURI(); //System.out.println(uri); if ( uri.contains("/images/") || uri.contains("/auth/")|| uri.contains("/js/")) // ALLOW IMAGES AND CSS TO { authorized = true; } else if (token != null) { authorized = true; } } else { ((HttpServletRequest) request).getSession().invalidate(); } } if (authorized) { chain.doFilter(request, response); } else if (mfilterConfig != null) { ServletContext context = mfilterConfig.getServletContext(); String uri = ((HttpServletRequest) request).getRequestURI(); String qstring = ((HttpServletRequest) request).getQueryString(); if(qstring==null){ session.setAttribute("path", uri); }else{ String uriquery = uri+"?"+qstring ; session.setAttribute("path", uriquery); System.out.println(session.getAttribute("path")); } //String Server_URL=context.getInitParameter("Server_URL"); context.getRequestDispatcher("/auth/login.jsp").forward(request,response); } else { throw new ServletException( "Unauthorized access, unable to forward to login page"); } } catch (IOException io) { System.out.println("IOException raised in AuthenticationFilter"); } catch (ServletException se) { se.printStackTrace(); System.out.println("ServletException raised in AuthenticationFilter"); } //System.out.print("Authentication: Response dispatched ..."); } public void destroy() { } }

and Login.java

import java.io.IOException; import java.io.PrintWriter; import java.sql.DriverManager; import java.sql.ResultSet; import java.sql.SQLException; import javax.servlet.ServletContext; import javax.servlet.ServletException; import javax.servlet.annotation.WebServlet; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; import com.mysql.jdbc.Connection; import com.mysql.jdbc.Statement; /** * Servlet implementation class Login */ @WebServlet("/Login") public class Login extends HttpServlet { private static final long serialVersionUID = 1L; /** * @see HttpServlet#HttpServlet() */ public Login() { super(); } /** * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response) */ protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { // TODO Auto-generated method stub } /** * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response) */ protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { String userName = request.getParameter("uname"); String password = request.getParameter("pword"); ServletContext sc = getServletContext(); String Server_URL=sc.getInitParameter("Server_URL"); HttpSession session = request.getSession(); String drivername = "com.mysql.jdbc.Driver"; Connection connection = null; Statement statement=null; String CONNECTION_URL="jdbc:mysql://"+"localhost"+":"+3306+"/antdb"; try{ Class.forName(drivername); connection = (Connection) DriverManager.getConnection(CONNECTION_URL,"shiva","kumar"); statement = (Statement) connection.createStatement(); // sql query String query = "select id from login WHERE username = '"+userName+"' and password = '"+password+"'"; ResultSet result = statement.executeQuery(query); if(!result.next()){ session.setAttribute("msg", "Login failed"); response.sendRedirect(Server_URL+"/login.jsp"); }else{ session.setAttribute("msg", "LoginSuccessful,welcome "+userName); session.setAttribute("userToken", userName); String path = (String)session.getAttribute("path"); if(path!=null){ response.sendRedirect(path); } else{ response.sendRedirect(Server_URL+"/school.jsp"); } } }//end of try block catch (Exception e) { e.printStackTrace(); } finally { try{ connection.close(); statement.close(); } catch(Exception e) { e.printStackTrace(); } } } }

please help me.

Thanks.

Prasad Krishnegowda

Ranch Hand

Posts: 672

I like...

posted 11 years ago

Number of slices to send:

Optional 'thank-you' note:

Send

Your code needs lot of refactoring, first accessing database from Servlets, a strict no no..
It would help if you learn Spring Security, take a look at it once..

However, is the session attribute path set properly? Did you try printing it, what's the result you got.?

kumar shiva

Greenhorn

Posts: 12

posted 11 years ago

Number of slices to send:

Optional 'thank-you' note:

Send

Prasad Krishnegowda wrote:Your code needs lot of refactoring, first accessing database from Servlets, a strict no no..
It would help if you learn Spring Security, take a look at it once..

However, is the session attribute path set properly? Did you try printing it, what's the result you got.?

Thanks for the advice,
But i'm new to Servlets.

Session attribute path is fine

Tim Holloway

Saloon Keeper

Posts: 27807

196

I like...

posted 11 years ago

Number of slices to send:

Optional 'thank-you' note:

Send

Keep it an intellectual exercise. I've never yet seen a user-designed login/security system that was actually secure. Most, in fact, are horribly insecure.

There's already well-documented, pre-debugged, proven login security system built right into the J2EE specification and implemented on every J2EE/JEE webapp server I know of - even the incomplete implementations like Tomcat.

For at least 98% of the webapps out there, that system will be more secure for less effort and expense than anything a person(s) who isn't a full-time security expert can produce.

The secret of how to be miserable is to constantly expect things are going to happen the way that they are "supposed" to happen.

You can have faith, which carries the understanding that you may be disappointed. Then there's being a willfully-blind idiot, which virtually guarantees it.

Prasad Krishnegowda

Ranch Hand

Posts: 672

I like...

posted 11 years ago

Number of slices to send:

Optional 'thank-you' note:

Send

where is this attribute set?

Also, path variable is constructed, only if authorized is false.. Is is this what you needed?
It might be the case that, on login failure userToken is set in session, since its not null, authorized becomes true, now, since authorized its true, path variable is not set properly..

kumar shiva

Greenhorn

Posts: 12

posted 11 years ago

Number of slices to send:

Optional 'thank-you' note:

Send

Prasad Krishnegowda wrote:where is this attribute set?

It might be the case that, on login failure userToken is set in session, since its not null, authorized becomes true, now, since authorized its true, path variable is not set properly..

Thanks Prasad.
It's working fine when i set the
session.setAttribute("path",null);
in login.java after line number 75

Thanks Javaranch

crispy bacon. crispy tiny ad:

a bit of art, as a gift, that will fit in a stocking

https://gardener-gift.com