Session Tracking and Security Checking

JiaPei Jen
Ranch Hand

Joined: Nov 19, 2000
Posts: 1309
I am unable to pass a "session" from one page to the next page. For example, I am working on a "personal" project. A customer enters his/her ID number and password, and my SERVLET program "ServletProgramFileName.java" manages to find the customer from the database, create a session for the customer, and register the customer with the session generated:
BookCustomer customer = BookCustomer.findCustomer(customerID, dataBase);
(This step is successfully done, and I create a session: )
HttpSession session = request.getSession(true);
session.putValue("Customer", customer);
(The customer object has a key name which is Customer.)

Then, in accordance with the customer's request for viewing IT books, the request is forwarded to a JavaServer Page "ITBooksPage.jsp" by the following statement:
if (request.getParameter("itbooks") != null) {
    gotoPage("/books/ITBooksPage.jsp", request, response);
}

private void gotoPage(String address,
                      HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
    // forward() passes the same request (and its session) on to the target page
    RequestDispatcher dispatcher = getServletContext().getRequestDispatcher(address);
    dispatcher.forward(request, response);
}
This step is also successfully completed.
However, when I tried to test whether the customer came to ITBooksPage.jsp by first entering an ID number and obtaining a session, my program tells me that this customer, who came to the website by the correct route (entered the correct ID number and password, and requested to view the ITBooksPage), violates the security check.
I use the following statement to perform the security check:
if (Customer == null) { ...... ; }
I wonder whether the problem is caused by
A. It is not the correct way to check security; or
B. the session is not passed from ServletProgramFileName.java to ITBooksPage.jsp
I believe that all the experts at the JavaRanch with e-commerce experience can easily point out my mistakes. Please.
Peter den Haan
author
Ranch Hand

Joined: Apr 20, 2000
Posts: 3252
Are they living in the same web-app (servlet context)?
- Peter
JiaPei Jen
Ranch Hand

Joined: Nov 19, 2000
Posts: 1309
I am trying to answer your question although I do not quite understand the question.
This is an exercise that simulates an e-commerce environment. The design of this bookstore project is:
A customer must first fill out a form that asks user ID and password. The customer is also provided options to view lists of books in different categories. The customer selects a certain category and clicks on the submit button to submit the form. (done successfully)
Behind the scenes, my servlet program gets the user ID and password, and tries to find the customer in the database. If the servlet program finds the customer in the database, a session is created for this customer, and the customer gets registered with the session. The customer is then "directed" to the specific category of books (the customer has selected). And the list of books that appears in the browser window is a JSP program (ITBooksPage.jsp). (done successfully)
In that JSP program, I then added a security checking statement to make sure everybody comes to visit ITBooksPage.jsp through the correct route (entered user ID and password), "not" just by typing http://... /../ITBooksPage.jsp
But, after I inserted the single security checking statement in ITBooksPage.jsp:

if (Customer == null) { ...... ; }
the program can "not" recognize customers coming to visit the site through the correct route (with user ID and password entered and submitted). These customers are treated like they jump directly by typing http://..../.../ITBooksPage.jsp.
It proves one thing: the session created and the customer registered in the servlet are not passed to ITBooksPage.jsp
Did I explain my problem clearly, or have I missed something? Please let me know.
JiaPei Jen
Ranch Hand

Joined: Nov 19, 2000
Posts: 1309
Thank you for your attention. To be more specific about my problem, let me show my code again:
In the Servlet program (which works behind the scenes), the session is created and the customer is registered with the session like this:
HttpSession session = request.getSession(true);
session.putValue("customer", customer);
In the JSP program, security checking is like this:
<% session.getValue("customer");
   if (customer == null) {
       response.sendRedirect("Register.jsp");
   } else { %>
HTML statements to display lots of things.
<% } %>
The error log says: Cannot resolve symbol, probably due to an error in:
if (customer == null) { response.sendRedirect("Register.jsp"); }
Would you kindly tell me what I did wrong? Thank you.
Bhupinder Dhillon
Ranch Hand

Joined: Oct 12, 2000
Posts: 124
Originally posted by JiaPei Jen:

In the JSP program, security checking is like this:
<% session.getValue("customer");
if (customer == null) {
response.sendRedirect("Register.jsp"); }
else { %>
HTML statements to display lots of things.
<% } %>

Where do you declare your "customer" variable that you are checking in the if clause?
It should be something like this:
<%
    // getValue() returns Object, so the result has to be assigned to a variable
    // (and cast) before it can be compared with null
    BookCustomer customer = (BookCustomer) session.getValue("customer");
    if (customer == null) {
        response.sendRedirect("Register.jsp");
    } else {
%>
HTML statements to display lots of things.
<% } %>
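As an added example (not code from the thread or from any poster), here is the same login-then-check flow from the first post written as a login servlet plus a filter, so the check is enforced for every page under /books/ rather than pasted into each JSP. Everything beyond the thread's own names is an assumption: BookCustomer.findCustomer is a stand-in with one constructed sample credential, the filter mapping to /books/*, Register.jsp at the context root and index.jsp are made up for the example, and the javax.servlet API of that era is used (under Jakarta EE the package is jakarta.servlet). The three classes go in three files; the file boundaries are marked with comments.

```java
// BookCustomer.java  (hypothetical stand-in for the thread's BookCustomer)
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class BookCustomer implements java.io.Serializable {
    public final String id;
    public BookCustomer(String id) { this.id = id; }

    /** Assumed lookup; returns null when the credentials do not match.
     *  The literal credential is a constructed sample standing in for the database query. */
    public static BookCustomer findCustomer(String id, String password) {
        if ("1001".equals(id) && "secret".equals(password)) return new BookCustomer(id);
        return null;
    }
}

// LoginServlet.java
public class LoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        BookCustomer customer = BookCustomer.findCustomer(
                request.getParameter("customerID"), request.getParameter("password"));
        if (customer == null) {
            response.sendRedirect(request.getContextPath() + "/Register.jsp");
            return;   // nothing may be written to the response after a redirect
        }
        // Discard any session that existed before login so that a session id the browser
        // already carried (possibly handed to it by someone else) is not promoted to an
        // authenticated one; the customer is bound to a freshly issued session instead.
        HttpSession old = request.getSession(false);
        if (old != null) old.invalidate();
        HttpSession session = request.getSession(true);
        session.setAttribute("customer", customer);   // setAttribute replaces the deprecated putValue

        // forward() hands the same request, and therefore the same session, to the JSP
        String target = request.getParameter("itbooks") != null
                ? "/books/ITBooksPage.jsp"
                : "/books/index.jsp";                 // index.jsp is assumed
        getServletContext().getRequestDispatcher(target).forward(request, response);
    }
}

// CustomerAuthFilter.java  (mapped to /books/* in web.xml, see comment at the end)
public class CustomerAuthFilter implements Filter {
    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // getSession(false): do not create a session merely to find out that it is empty
        HttpSession session = request.getSession(false);
        Object customer = (session == null) ? null : session.getAttribute("customer");
        if (!(customer instanceof BookCustomer)) {
            // Context-absolute path: a relative "Register.jsp" would resolve under /books/
            response.sendRedirect(request.getContextPath() + "/Register.jsp");
            return;
        }
        chain.doFilter(req, res);   // authenticated: let the JSP render
    }
}

// web.xml (assumed mapping):
// <filter>
//   <filter-name>customerAuth</filter-name>
//   <filter-class>CustomerAuthFilter</filter-class>
// </filter>
// <filter-mapping>
//   <filter-name>customerAuth</filter-name>
//   <url-pattern>/books/*</url-pattern>
// </filter-mapping>
```

With the filter in place, a direct request for http://.../books/ITBooksPage.jsp without a logged-in session is redirected before the page runs, and the scriptlet check inside the JSP becomes redundant. If the scriptlet is kept, the if/else shape above is what prevents the page body from being written after sendRedirect; a bare `if` without `else` would need a `return;` after the redirect for the same reason.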
JiaPei Jen
Ranch Hand

Joined: Nov 19, 2000
Posts: 1309
Thanks a lot, Mr. Dhillon. Things are working now. Thank you for showing me the right code. I was stupid.
 