
simple logic to authenticate users

Ayub ali khan
Ranch Hand

Joined: Oct 20, 2005
Posts: 382
Hi,

The method below is used to authenticate a general user and an admin user; otherwise an error page is shown.

There is some issue with the login process. This method is not working. If I remove this condition
( if(username.equals("admin")&& password.equals("admin"))
result="admin"
), the code works fine and displays the general user page. However, when I include the above code as below to authenticate the admin user, it does not work for any user (general or admin). Please point out my mistake.

public String login() throws SQLException
{
    Connection con;
    MyDAO dao=new MyDAO();
    Statement st;
    ResultSet rs;
    String result="success";
    try{
        con=dao.getConnection();
        st=con.createStatement();
        rs=st.executeQuery("select username,password from ACC_TB");

        //hardcoded admin user name and password.
        if(username.equals("admin")&& password.equals("admin"))
            result="admin"

        while(rs.next()){
            String un=rs.getString("USERNAME");
            String pwd=rs.getString("PASSWORD");

            if ( username.equals(un) && password.equals(pwd))
                result="success";
        }//end while

        // != compares String references rather than contents, and one of the
        // two inequalities is always true, so this branch runs for every login.
        if((result!=("success"))||(result!=("admin")))
        {
            FacesContext context = FacesContext.getCurrentInstance();
            FacesMessage message = new FacesMessage("Invalid Username and/or Password");
            context.addMessage("loginForm", message);
            result="failure";
        }

    } catch(SQLException e){e.printStackTrace();}

    return result;
}

---------------------------------------------------------------------------
Faces-config.xml
----------------------------------------------------------------------------
<faces-config>
  <navigation-rule>
    <from-view-id>/pages/login.jsp</from-view-id>

    <navigation-case>
      <from-outcome>admin</from-outcome>
      <to-view-id>/pages/greeting.jsp</to-view-id>
    </navigation-case>

    <navigation-case>
      <from-outcome>failure</from-outcome>
      <to-view-id>/pages/login.jsp</to-view-id>
    </navigation-case>

    <navigation-case>
      <from-outcome>success</from-outcome>
      <to-view-id>/pages/user.jsp</to-view-id>
    </navigation-case>

  </navigation-rule>
  <managed-bean>
    <managed-bean-name>LoginBean</managed-bean-name>
    <managed-bean-class>jsflogin.LoginBean</managed-bean-class>
    <managed-bean-scope>session</managed-bean-scope>
  </managed-bean>
</faces-config>

Thanks

Ayub


SCEA part I,TOGAF Foundation
Bauke Scholtz
Ranch Hand

Joined: Oct 08, 2006
Posts: 2458
Does the code compile? You're missing a semicolon.

Well, pay attention to this piece of code ;) If the first is true, the 2nd will never be evaluated.

Ayub ali khan
Ranch Hand

Joined: Oct 20, 2005
Posts: 382
Hi Bauke ,

Sorry, I missed the semicolon here. But the actual code compiles. What I am trying to implement is: if the admin has logged in, direct to the admin page; if a general user has logged in, direct to the general user page. If there is an error, show the error page.

Can you advise further?

Best Regards Ayub
Jignesh Patel
Ranch Hand

Joined: Nov 03, 2001
Posts: 626



I suggest some small changes to write your code more efficiently.
Moreover, I don't understand how you are validating the user against the user name and password. Are they hardcoded?
[ October 16, 2006: Message edited by: Jignesh Patel ]
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16134

Personally I prefer Container-managed Security. You hardly have to debug any security code at all, since it's primarily declarative.

There's nothing in JSF that would affect SQL queries, so the question is probably better suited for the JDBC forum. I'm too lazy to plot out the logic paths, but I will make one suggestion:

"SELECT COUNT(*) FROM USER_PASSWORD WHERE USER_ID = ? AND PASSWORD = ?"

Actually that's several suggestions:

1. I coded this as a prepared statement, which helps protect from SQL injection attacks. There's nothing more embarrassing than having someone take over your server by exploiting the security code. I refuse to admit I know why that's true.

2. By selecting for the count (which should return only 0 or 1), you keep sensitive information from being passed back to the app, where it might be exploited. Since the app already has the original parameter values this might seem useless, but a more common fault is: "Select password from user_password where user = ?" followed by "if (password.equals(resultset.getString(1))", which potentially gets back things that weren't already known.

3. I consider the admin account to be just another entry in my security database. Admin just fulfills more security roles. Hard-coding separate security validation for the admin user is added complexity, which encourages security holes and other failures. Hard-coding the admin password is even worse, since if someone gets the password, the only way to resecure the app is to modify its source code and rebuild/redeploy the app.


Customer surveys are for companies who didn't pay proper attention to begin with.
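Tim's three suggestions worked through as an added example; this is not code from the thread or from any of its posters. It is written in Python against an in-memory sqlite3 database rather than Java/JDBC so that it runs without a database driver: the table names USER_PASSWORD and USER_ROLE, the sample accounts and the role rows are assumptions made here. `login_concatenated` stands in for the unsafe string-built query that a prepared statement prevents, `login` is the equivalent of the `?` placeholders in Tim's COUNT(*) query, and `login_outcome` maps the result onto the outcome strings the poster's faces-config already navigates on, with the admin user distinguished by a role row instead of a hard-coded password. One caveat the thread does not raise: the example keeps the plaintext password comparison the poster's schema implies; a production system stores a salted hash and verifies it in application code instead.

```python
import sqlite3

# Constructed sample data for this example only (not from the thread).
# The admin account is an ordinary row in USER_PASSWORD; what makes it
# an admin is a row in USER_ROLE, so no password lives in source code.
SAMPLE_USERS = [("alice", "s3cret"), ("admin", "hunter2")]
SAMPLE_ROLES = [("alice", "user"), ("admin", "user"), ("admin", "admin")]


def make_db():
    """Build an in-memory database with the assumed schema and sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE USER_PASSWORD (USER_ID TEXT PRIMARY KEY, PASSWORD TEXT NOT NULL)")
    con.execute("CREATE TABLE USER_ROLE (USER_ID TEXT NOT NULL, ROLE TEXT NOT NULL)")
    con.executemany("INSERT INTO USER_PASSWORD VALUES (?, ?)", SAMPLE_USERS)
    con.executemany("INSERT INTO USER_ROLE VALUES (?, ?)", SAMPLE_ROLES)
    con.commit()
    return con


def login_concatenated(con, username, password):
    """Unsafe contrast: the query text is built from the user's input.

    This is the pattern a prepared statement prevents. A username such as
    "admin' --" turns the rest of the WHERE clause into a SQL comment and
    authenticates as admin without knowing the password.
    """
    sql = ("SELECT COUNT(*) FROM USER_PASSWORD WHERE USER_ID = '%s' AND PASSWORD = '%s'"
           % (username, password))
    return con.execute(sql).fetchone()[0] == 1


def login(con, username, password):
    """Tim's query with bound parameters: the input is data, never SQL.

    Only a count comes back, so the database never hands the stored
    password (this user's or anyone else's) to the application.
    """
    row = con.execute(
        "SELECT COUNT(*) FROM USER_PASSWORD WHERE USER_ID = ? AND PASSWORD = ?",
        (username, password),
    ).fetchone()
    return row[0] == 1


def roles_for(con, username):
    """Roles granted to an authenticated user, also looked up with a bound parameter."""
    cur = con.execute("SELECT ROLE FROM USER_ROLE WHERE USER_ID = ?", (username,))
    return {role for (role,) in cur}


def login_outcome(con, username, password):
    """Map the result onto the outcomes the thread's faces-config navigates on."""
    if not login(con, username, password):
        return "failure"
    return "admin" if "admin" in roles_for(con, username) else "success"


if __name__ == "__main__":
    db = make_db()
    print(login_outcome(db, "alice", "s3cret"))        # success
    print(login_outcome(db, "admin", "hunter2"))       # admin
    print(login_outcome(db, "admin' --", "x"))         # failure
    print(login_concatenated(db, "admin' --", "x"))    # True: the unsafe variant is bypassed
```

The same injection string fails against `login` because the driver binds `admin' --` as a literal value, so the WHERE clause compares it against USER_ID character for character and no row matches.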
Ayub ali khan
Ranch Hand

Joined: Oct 20, 2005
Posts: 382
Hi Tim & Jignesh,

Thanks for your valuable suggestions. I will review my code as per your suggestions.

I will come back for further enhancements on this.

Thanks & Best regards

Ayub