JavaRanch » Java Forums » Java » Servlets
authentication... one more time... :-)

Matt Horton
Ranch Hand

Joined: Feb 06, 2002
Posts: 107
I've come across a silly mistake in an application that I'm working on (okay, I've known it was there for some time... but you weigh the time in the day... etc, etc).
I'm using something tantamount to the Front Controller Pattern, wherein I have a controller servlet redirect params from various pages into my application ('my' session that resides in the HttpSession). The problem comes in the fact that I authenticate in a class within my session object. That is, I instantiate my session object, which will reside on the server for half an hour or so, whether or not the user logs in successfully. Furthermore I have a logout method, which, you guessed it, redirects to the default state of 'my' session object, further persisting the HttpSession on the server... for the life of the session timeout.
What is THE model process for authentication of a user? I'm rewriting this element from the ground up so I may as well do it correctly. Should I go ahead and pull out my login class into a bean within a JSP that dispatches to my core servlet (the front door of the app)? Should my core servlet merely redirect to the login.jsp? Nothing in my app is J2EE compliant, so I'm whetting my appetite here. What should I do?
Also, what are the ideal ways to authenticate? I'm currently selecting from a table to see if a given userid matches up w/ a given password. Is there anything else that I can do to ensure the integrity of the login?
TIA.
Dale DeMott
Ranch Hand

Joined: Nov 02, 2000
Posts: 515
What I have done in my application was create a Login Servlet to do the authentication. This will always control your authentication. Once authenticated, the servlet will put the user's state object into the session. This will keep track of his security and the state that he is in. To get into the application all users will have to pass through the login servlet entry point.
Once the login servlet is done w/authentication, you have other servlets do other processing for other sub pieces of the application. You might have servlets that do processing of inventory (InventoryServlet) and other servlets keep track of the accounting (AccountingServlet).
*How will the other servlets know if someone hasn't just typed in the servlet name and directly accessed the web page?
Glad you asked. At the beginning of all of the other controlling servlets, there is a checkpoint that checks to see if a user is logged in, what security they have and what state the user is in. Remember that object I put into the session? Well, that will keep track of the security for you. If the session times out, the servlet (whatever servlet they may happen to be at during this time) will see this and redirect them back to the login page where they will have to go through the login page and login servlet again. If the user doesn't have access, again, the servlet will redirect you to the login servlet and force you to login.
The key is that every time you go from one jsp page to the next, you go through a servlet. This servlet will do a couple things.
1) Control the security of the site and redirect if needed
2) Once passed security, it will look at what was passed back from the jsp page and redirect this to some part that will do processing.
Hope this helps
Dale
[ February 28, 2002: Message edited by: Dale DeMott ]

By failing to prepare, you are preparing to fail. Benjamin Franklin (1706 - 1790)
Matt Horton
Ranch Hand

Joined: Feb 06, 2002
Posts: 107
Thanks Dale!
Are you doing a RequestDispatcher forward to get to your core servlet(s) after configuring your HttpSession w/ your logged-in flag? Is this the best possible method? Or should I post the content from the login page back to the core servlet? That is, should I only redirect from the core servlet to the login, and have the login post its content back to the core servlet (my front door)?
Also, are you doing anything w/ SSL? I think that the last time I played w/ SSL (and I don't even remember what the context was... probably just an example so that I could become an 'expert', lol) was back in 1999/2000 or so. I noticed JRun 3.x has an SSL tester in their JMC, but I'm curious to see if there's a better, more modern proxy for the same function.
Thanks again!
Dale DeMott
Ranch Hand

Joined: Nov 02, 2000
Posts: 515
Are you doing a requestdispatch to get to your core servlet(s) after configuring your httpsession w/ your logged in flag? Is this the best possible method?

There doesn't have to be one core servlet. You can have several core servlets. The idea in controller architecture is to have a controller for major functions. Also these controller servlets will pass control to each other when the time is right. After the user logs in, the LoginServlet would authenticate. Then the LoginServlet would dispatch to a main page where the web site basically starts. This is where another controller servlet will take over. You now would have this base page go to any other servlets that do processing.
Example: I'm making up processes and pages as we go.. so bear with me.
LoginPage.JSP
user types in his name and password and hits LOGIN. The action of this page points to the LoginServlet.
LoginServlet takes over..
LoginServlet authenticates...
LoginServlet dispatches to MAIN.JSP
MAIN.JSP
MAIN.JSP displays
The user selects 'Get Inventory' link
Under this link is an action that says go to InventoryServlet and passes in some flag that says the state of the user
InventoryServlet
InventoryServlet is executed and sees the state of the user and dispatches to INVENTORYSTART.JSP
INVENTORYSTART.JSP
This page is displayed. Now the user wants to show his inventory and clicks 'Show Inventory'. Some flag is set, the action of INVENTORYSERVLET is set and this is resubmitted to the InventoryServlet.
InventoryServlet
The InventoryServlet looks at the input, determines the process that should take place, sends for the processing to happen. Gets the output, puts the data into an object to send back to the page and dispatches to ShowInventory.JSP.
ShowInventory
ShowInventory gets the data and displays the data.
----------------------------------------
As you can see.. the InventoryServlet will take care of all of the Inventory needs for the application. You might have an AccountingServlet that will handle the accounting of the site as well.
Remember at the top of the InventoryServlet you check to see if the session is there, and that it is real by checking the user and security.


Also, are you doing anything w/ SSL. I think that the last time I played w/ SSL (and I don't even remember what the context was... probably just an example so that I could become an 'expert', lol) was back in 1999/2000 or so. I noticed jrun 3.x has a ssl tester in their jmc, but I'm curious to see if there's a better, more modern proxy for the same function.

As for SSL, the only reason you'd need SSL would be if you were afraid that someone was tapping in and getting passwords. If this is not behind a firewall, then I would use SSL to secure it. This can be done on another level. First get your app going, then add the SSL. This can be added later. Truth is I haven't worked with SSL with Java. My guess is that this will exist on the web server layer and can be handled there. I don't think it would be too hard to set up. I used SSL with NT and it was pretty easy.
-Dale
Matt Horton
Ranch Hand

Joined: Feb 06, 2002
Posts: 107
Thanks again Dale.
I went ahead and did it. It works great.
Thanks again!
Maulin Vasavada
Ranch Hand

Joined: Nov 04, 2001
Posts: 1871
How about using Filters if you are using the new servlet spec? Though I'm a novice in designing, I thought this to be a good option as far as I got that concept.
We will have a Login Servlet as Dale suggested, but for checking of authentication in each servlet we will have a Filter that greps the authentication info from the session and checks it. The session object can be obtained using the request.getSession() method in the filter.
regards,
maulin.
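One way to put Dale's login servlet plus per-servlet checkpoint and Maulin's Filter into code. This is an added example, not code from anyone in the thread; the session attribute name, the page and servlet paths, the web.xml mapping and the in-memory user table are assumptions made for the example.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.*;
// Checkpoint filter (Maulin's suggestion, mapped to /*): all but the login entry point need an authenticated session.
public class AuthFilter implements Filter {
    static final String USER_ATTR = "userid";           // session attribute name is an assumption
    static final String LOGIN_PAGE = "/LoginPage.jsp";  // page and servlet names follow Dale's walkthrough
    public void init(FilterConfig cfg) {}
    public void destroy() {}
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String path = request.getServletPath();
        if (path.equals(LOGIN_PAGE) || path.equals("/LoginServlet")) { chain.doFilter(req, resp); return; }
        // getSession(false): an anonymous or timed-out hit must not allocate a fresh server-side session.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(USER_ATTR) == null) {
            ((HttpServletResponse) resp).sendRedirect(request.getContextPath() + LOGIN_PAGE);
            return;
        }
        chain.doFilter(req, resp);
    }
}
// Dale's LoginServlet: the one place that authenticates and then populates the session.
class LoginServlet extends HttpServlet {
    // Constructed stand-in for Matt's user table: userid -> SHA-256 of the password (a salted, slow hash is better).
    static final Map<String, byte[]> USERS = new HashMap<>();
    static { USERS.put("matt", sha256("correct horse")); }
    static byte[] sha256(String s) {
        try { return MessageDigest.getInstance("SHA-256").digest(s.getBytes("UTF-8")); }
        catch (Exception e) { throw new IllegalStateException(e); }
    }
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        String userid = request.getParameter("userid"), password = request.getParameter("password");
        byte[] stored = USERS.get(userid);
        // MessageDigest.isEqual compares in constant time; a null stored hash means an unknown user.
        if (stored == null || password == null || !MessageDigest.isEqual(stored, sha256(password))) {
            response.sendRedirect(request.getContextPath() + AuthFilter.LOGIN_PAGE + "?failed=1");
            return;
        }
        HttpSession old = request.getSession(false);
        if (old != null) old.invalidate();        // drop the pre-login session id (session fixation defence)
        request.getSession(true).setAttribute(AuthFilter.USER_ATTR, userid);
        request.getRequestDispatcher("/Main.jsp").forward(request, response);
    }
}
```

With the filter in place, the per-servlet checkpoint Dale describes no longer has to be repeated at the top of InventoryServlet, AccountingServlet and the rest, and a visitor who never logs in never gets a session object kept alive until the timeout.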