The method below is used to authenticate a general user and an admin user; otherwise it goes to the error page.
There is some issue with the login process. This method is not working. If I remove this condition ( if(username.equals("admin") && password.equals("admin")) result="admin" ), the code works fine and displays the general user page. However, when I include the above code as below to authenticate the admin user, it does not work for any user (general or admin). Please point out my mistake.
Sorry, I missed the semicolon here. But the actual code compiles. What I am trying to implement is: if the admin has logged in, direct to the admin page; if a general user has logged in, direct to the general user page. If there is an error, show the error page.
I mention some small changes to write your code more efficiently. Moreover, I don't understand how you are validating the user against the user name and password. Are they hardcoded? [ October 16, 2006: Message edited by: Jignesh Patel ]
Personally I prefer Container-managed Security. You don't have to debug hardly any security code at all, since it's primarily declarative.
There's nothing in JSF that would affect SQL queries, so the question is probably better suited for the JDBC forum. I'm too lazy to plot out the logic paths, but I will make one suggestion:
"SELECT COUNT(*) FROM USER_PASSWORD WHERE USER_ID = ? AND PASSWORD = ?"
Actually that's several suggestions:
1. I coded this as a prepared statement, which helps protect from SQL injection attacks. There's nothing more embarrassing than having someone take over your server by exploiting the security code. I refuse to admit I know why that's true.
2. By selecting for the count (which should return only 0 or 1), you keep sensitive information from being passed back to the app, where it might be exploited. Since the app already has the original parameter values this might seem useless, but a more common fault is: "Select password from user_password where user = ?" followed by "if (password.equals(resultset.getString(1)))", which potentially gets back things that weren't already known.
3. I consider the admin account to be just another entry in my security database. Admin just fulfills more security roles. Hard-coding separate security validation for the admin user is added complexity, which encourages security holes and other failures. Hard-coding the admin password is even worse, since if someone gets the password, the only way to re-secure the app is to modify its source code and rebuild/redeploy the app.
Customer surveys are for companies who didn't pay proper attention to begin with.
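As an added example (not code from the thread), here is what the three suggestions above look like in a JDBC helper: the credential check is a bound prepared statement that returns only a count, and the admin decision comes from a role row in the database rather than a hard-coded username/password pair. The USER_ROLE table, its ROLE_NAME column and the LoginCheck class are assumptions; USER_PASSWORD and its columns follow the query in the post.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

/** Hypothetical helper illustrating the three suggestions above. */
public class LoginCheck {

    /** Outcome used to pick the navigation target (admin page, user page or error page). */
    public enum Outcome { ADMIN, USER, ERROR }

    // Parameter markers keep the user-supplied values out of the SQL text.
    private static final String CHECK_CREDENTIALS =
        "SELECT COUNT(*) FROM USER_PASSWORD WHERE USER_ID = ? AND PASSWORD = ?";
    // Assumed table: the admin role is data in the security database, not a hard-coded pair.
    private static final String CHECK_ADMIN_ROLE =
        "SELECT COUNT(*) FROM USER_ROLE WHERE USER_ID = ? AND ROLE_NAME = 'admin'";

    public static Outcome authenticate(Connection con, String username, String password)
            throws SQLException {
        if (username == null || password == null) {
            return Outcome.ERROR;
        }
        // Only a count comes back; no stored credential is read into the application.
        if (countRows(con, CHECK_CREDENTIALS, username, password) != 1) {
            return Outcome.ERROR;
        }
        // Same user record for everyone; the role row decides where to navigate.
        return countRows(con, CHECK_ADMIN_ROLE, username) == 1 ? Outcome.ADMIN : Outcome.USER;
    }

    private static long countRows(Connection con, String sql, String... params)
            throws SQLException {
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            for (int i = 0; i < params.length; i++) {
                ps.setString(i + 1, params[i]);   // bound as data, never concatenated into SQL
            }
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getLong(1) : 0L;
            }
        }
    }
}
```

The query shape matches the post; in a current deployment the PASSWORD column would hold a salted hash and the comparison would be done with a password-hashing library rather than an equality test in SQL.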
Ayub ali khan
Joined: Oct 20, 2005
Hi Tim & Jignesh,
Thanks for your valuable suggestions. I will review my code as per your suggestions.
I will come back for further enhancements on this.