JavaRanch » Java Forums » Java » JSP
Login thing

Ray Godfrey
Greenhorn

Joined: Mar 09, 2004
Posts: 2
Hello there,
I have a very simple login jsp that connects to an Oracle database. I want to be able to save the username that the user enters and then use it in subsequent pages for database queries. How should I go about this?
Here is the login page.
<%@ page language="java" import="java.sql.*,oracle.jdbc.*" %>
<html>
<body bgcolor="white">
<H2 align=center>WIT Final Year Computing Projects Management System</H2><hr><br><H4 align=center>Log In Here</H4><br><p>
<form name="f1" method="post">
<TABLE cellSpacing=0 cellPadding=3 width="100%" align=center border=0><TBODY>
<TR vAlign=top>
<TD align=right width="40%"><B>User Name</B></TD><TD><input type="text" name="t1"></TD>
</TR>
<TR vAlign=top>
<TD align=right><B>Password:</B></TD>
<TD><input type="password" name="t2"></TD>
</TR>
<TR vAlign=top>
<TD align=middle colSpan=2><input type="submit" name="b1" value="Log In"></TD>
</TR>
</TBODY></TABLE>
<%
String user=request.getParameter("t1");
String pass=request.getParameter("t2");
// Both parameters are null on the first (GET) visit, before the form is submitted,
// so only run the check when a login has actually been posted
if(user!=null && pass!=null){
  boolean authenticated=false;
  Connection con=null;
  try{
    Class.forName("oracle.jdbc.driver.OracleDriver");
    con=DriverManager.getConnection("jdbc:oracle:thin:@witnt07.wit.ie:1521:orawit","25CSD03", "25CSD03");
    Statement st=con.createStatement();
    ResultSet rs=st.executeQuery("select a_id,password from admindetails");
    // Look at every row before deciding: forwarding to loginfailed.html on the
    // first non-matching row would reject everyone except the user stored first
    while(rs.next() && !authenticated)
    {
      String username=rs.getString(1);
      String password=rs.getString(2);
      if(user.equals(username) && pass.equals(password))
      {
        authenticated=true;
      }
    }
    rs.close();
    st.close();
  }catch(Exception e1)
  {
    // Previously swallowed silently; log it so a broken driver or DB is visible
    application.log("login query failed", e1);
  }finally{
    if(con!=null){ try{ con.close(); }catch(SQLException ignore){} }
  }
  if(authenticated){%>
<jsp:forward page="indexadmin.html"/>
<%}else{%>
<jsp:forward page="loginfailed.html"/>
<%}
}
%>
</form>
</body>
</html>

Thanks,
Ray (In a bad mood!)
Jeroen Wenting
Ranch Hand

Joined: Oct 12, 2000
Posts: 5093

That should do the trick nicely.


42
Ray Godfrey
Greenhorn

Joined: Mar 09, 2004
Posts: 2
How does this code work!?
session.setAttribute("username", username);
session.setAttribute("password", password);
Is it setting up a session variable?
Or does the variable exist until the user closes the window?
And is that all the code I need?
And finally how do I access it?
Ray(Slightly happier!)
Nicholas Cheung
Ranch Hand

Joined: Nov 07, 2003
Posts: 4982
I think a better way can be adopted by modifying the SQL a bit:

Is this better?
Nick.


SCJP 1.2, OCP 9i DBA, SCWCD 1.3, SCJP 1.4 (SAI), SCJD 1.4, SCWCD 1.4 (Beta), ICED (IBM 287, IBM 484, IBM 486), SCMAD 1.0 (Beta), SCBCD 1.3, ICSD (IBM 288), ICDBA (IBM 700, IBM 701), SCDJWS, ICSD (IBM 348), OCP 10g DBA (Beta), SCJP 5.0 (Beta), SCJA 1.0 (Beta), MCP(70-270), SCBCD 5.0 (Beta), SCJP 6.0, SCEA for JEE5 (in progress)
Nicholas Cheung
Ranch Hand

Joined: Nov 07, 2003
Posts: 4982
In addition, if you need to execute an SQL statement via JSP, it is better to use PreparedStatement instead of Statement.
Depending on the usage of Statement, there may be a security issue allowing hackers to obtain DB data.
Nick.
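An added example (not code from the thread) of the PreparedStatement version of the check in Ray's page. The table and column names (admindetails, a_id, password) are the ones in his query; the Connection is assumed to come from elsewhere, and the plaintext password comparison is kept as in his code.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

// Added example, not from the thread. Table/column names are those in Ray's
// query; the Connection is assumed to be obtained elsewhere (e.g. a DataSource)
// rather than built with credentials hard-coded in the page.
public class LoginCheck {

    // Returns true only when exactly one row matches the submitted credentials.
    // The user-supplied values are bound as parameters and never concatenated
    // into the SQL text, so quote characters in the input are compared
    // literally instead of altering the query the database executes.
    public static boolean credentialsMatch(Connection con, String user, String pass)
            throws SQLException {
        if (user == null || pass == null) {
            return false;   // form not yet submitted, or a field is missing
        }
        String sql = "select count(*) from admindetails where a_id = ? and password = ?";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, user);
            ps.setString(2, pass);
            try (ResultSet rs = ps.executeQuery()) {
                // count(*) always yields one row; rs.next() is still checked in
                // case a driver misbehaves (Jeroen's null-ResultSet remark above)
                return rs.next() && rs.getInt(1) == 1;
            }
        }
    }
    // In the JSP:
    //   if (LoginCheck.credentialsMatch(con, request.getParameter("t1"),
    //                                   request.getParameter("t2"))) { ... }
}
```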
Jeroen Wenting
Ranch Hand

Joined: Oct 12, 2000
Posts: 5093
Originally posted by Ray Godfrey:
How does this code work!?
session.setAttribute("username", username);
session.setAttribute("password", password);
Is it setting up a session variable?
Or does the variable exist until the user closes the window?
And is that all the code I need?
And finally how do I access it?
Ray(Slightly happier!)

That's all you need to persist the data across requests. It will exist until the session times out (the timeout interval is set in the server or webapp configuration files) because no request has arrived from the same browser instance for the timeout period, or until you call session.invalidate().
You can access them by using session.getAttribute("username") (for example).
The session variable is automatic in JSPs, in a servlet you'd have to use request.getSession() first to retrieve the session from the request.
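An added example, not from the thread, of the servlet side of this: a Filter that fetches the session with request.getSession() and only lets requests through when the "username" attribute stored at login is present, plus a helper for the login page. The web.xml mapping and the /login.jsp path are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example, not from the thread. Mapped in web.xml (assumed, e.g. /admin/*)
// in front of pages that need a logged-in user. "username" is the attribute name
// used in the thread; "/login.jsp" is an assumed path for Ray's login page.
public class LoginRequiredFilter implements Filter {

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // In a servlet the session comes from the request; getSession(false)
        // returns null instead of creating one for a visitor who never logged in.
        // (In a JSP the implicit 'session' object is this same HttpSession.)
        HttpSession session = request.getSession(false);
        Object username = (session == null) ? null : session.getAttribute("username");

        if (username == null) {
            // never logged in, session timed out, or session.invalidate() was called
            response.sendRedirect(request.getContextPath() + "/login.jsp");
            return;
        }
        chain.doFilter(req, res);   // logged in: let the protected page run
    }

    public void destroy() { }

    // Call from the login page once the credentials have been verified: the old
    // session is discarded and a fresh one created, so a session ID that existed
    // before login is not carried over, and only the user name is stored.
    public static void onLoginSuccess(HttpServletRequest request, String username) {
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        request.getSession(true).setAttribute("username", username);
    }
}
```

A later JSP then reads the value with `String user = (String) session.getAttribute("username");` and uses it in its own queries.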
Jeroen Wenting
Ranch Hand

Joined: Oct 12, 2000
Posts: 5093
Originally posted by Nicholas Cheung:
I think a better way can be adopted by modifying the SQL a bit:

Is this better?
Nick.

Yes, that would be slightly faster and more secure (protecting against the ResultSet being null is a good idea; according to the JDBC specs that should never happen, but I have encountered it in the past). Other than that it doesn't affect the problem at hand, so I omitted the extra check.
Nicholas Cheung
Ranch Hand

Joined: Nov 07, 2003
Posts: 4982
Hi Ray:

Is it setting up a session variable?

NO. A session variable is already implicitly declared. You are not required to define it, but you can use it. In fact, there are 9 implicit variables that can be used without declaring them:
1. request
2. response
3. exception (the attribute errorPage inside page directive must be true)
4. session (the attribute session inside page directive must be true)
5. page
6. pageContext
7. application (the servlet context)
8. config
9. out

Or does the variable exist until the user closes the window?

The session variable is destroyed when the session is invalidated. If the browser is simply closed without any signal being sent to the server, the session is still there until the timeout period is reached.

And is that all the code I need?

Depends on what you want to store. In fact, you can see that the session can store ANY Java objects, not just strings. Thus, if you want, you can do this:

When you get it back from the session, you can trace who the current user is.

And finally how do I access it?

You can access it by:

Hope this helps.
Nick.
Nicholas Cheung
Ranch Hand

Joined: Nov 07, 2003
Posts: 4982

Yes, that would be slightly faster and more secure

Yes. This is our practice while connecting to a DB via JDBC.
The manipulation of the ResultSet is not really important; the key point in the suggestion is to use PreparedStatement instead of Statement, for security reasons.
Nick.
Jeroen Wenting
Ranch Hand

Joined: Oct 12, 2000
Posts: 5093
Another nice addition I've used for security as well as flexibility is to store all SQL outside the Java/JSP source in a ResourceBundle or XML file and access it from there.
That way, even if the JSP gets compromised in some way and the code is sent out over the net, the actual SQL code is never seen by the client, as it's hidden in an area that's not accessible through HTTP requests.
If a cracker compromises the server and gets root access through telnet all bets are off of course but that was the case anyway.
Winston Smith
Ranch Hand

Joined: Jun 06, 2003
Posts: 136
Speaking of security, I would definitely avoid having a password floating around as a session variable. The only time the password should be on the wire is when it is sent from the client to the server for authentication purposes. After successful authentication, you should not need the password anymore. Of course, you'll want to implement SSL during the login to ensure that when the password does go over the wire, it is encrypted.
WS


for (int i = today; i < endOfTime; i++) { code(); }
Jeroen Wenting
Ranch Hand

Joined: Oct 12, 2000
Posts: 5093
The password is never sent over the wire if stored in the session.
That's a common misconception that's patently false.
Only the sessionID is ever sent to the client.
I do agree that the password should be encrypted.
In fact, I'd say the password should be MD5 encrypted before storage, then the entered password encrypted and compared with that.
Of course you'd not need the password after that, but as it was the question...
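An added example (not code from the thread) of the scheme Jeroen describes: hash the password before storage, then hash the entered password the same way and compare. It swaps in PBKDF2 (SecretKeyFactory "PBKDF2WithHmacSHA256") with a random per-user salt in place of the MD5 he mentions, and compares with MessageDigest.isEqual so the comparison time does not depend on where the first differing byte lies; the iteration count is a constructed value.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example, not from the thread. Replaces the plaintext 'password' column
// comparison in Ray's page with a salted, iterated hash stored in its place.
public class PasswordHasher {
    private static final int ITERATIONS = 100000;   // constructed value; tune to hardware
    private static final int KEY_BITS = 256;
    private static final SecureRandom RNG = new SecureRandom();

    // Value to store in the database: base64(salt) + ":" + base64(PBKDF2(password, salt)).
    public static String hashForStorage(char[] password) {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        Base64.Encoder enc = Base64.getEncoder();   // base64 never contains ':'
        return enc.encodeToString(salt) + ":" + enc.encodeToString(derive(password, salt));
    }

    // Hash the entered password with the stored salt and compare with the stored hash.
    public static boolean verify(char[] entered, String stored) {
        int sep = stored.indexOf(':');
        if (sep < 0) {
            return false;   // malformed stored value
        }
        Base64.Decoder dec = Base64.getDecoder();
        byte[] salt = dec.decode(stored.substring(0, sep));
        byte[] expected = dec.decode(stored.substring(sep + 1));
        return MessageDigest.isEqual(expected, derive(entered, salt));
    }

    private static byte[] derive(char[] password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new IllegalStateException("PBKDF2 unavailable", e);
        }
    }
}
```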
Nicholas Cheung
Ranch Hand

Joined: Nov 07, 2003
Posts: 4982
In fact, the easiest way is to store only the userid and a token that indicates whether the user can log in; other than that, unless specified, no additional info should be stored.
Nick.
 