
Login sessions

 
Kazi Siddiqui
Greenhorn
Posts: 6
Thanks to JavaRanch, NetBeans and a borrowed copy of Head First Servlets & JSP, I've constructed my first working web application. So far, it's just a collection of forms, servlets and JSPs that insert and retrieve data from a PostgreSQL database, but at least it's doing everything it's supposed to.

I was wondering if there's a tutorial on how to make the website available to only those people who have the correct password. I know about sessions, etc., but I'm getting confused trying to do it from scratch.
 
Ankit Garg
Sheriff
Posts: 9519
Well, you can use filter-based authentication or HTTP basic authentication to achieve your goal...
 
Kazi Siddiqui
Greenhorn
Posts: 6
Really? You mean there's no need to manually fetch user information from the database, or store the login state in cookies? No wait, I see it does use session attributes. Never mind.

Thanks!
 
Campbell Ritchie
Sheriff
Posts: 48652
This sort of question is usually discussed on another forum. Moving.
 
Kazi Siddiqui
Greenhorn
Posts: 6
Okay, I tried my best to get HTTP basic authentication right. It's showing the dialog box at the right time, but it's not letting me into protected pages no matter what username and password I enter. I tried changing it to form-based authentication. It's showing the login form, but giving the same problem: sending me to the error page even if the given password is correct. I then discovered a chapter of Head First devoted to security, which made me change the "name" attributes in tomcat-users.xml into "username" attributes, but that doesn't seem to have made any difference. What could be causing this? Do you think switching to filter-based authorization might help? I'm out of ideas except for that one. The thing is, I'm not even sure Tomcat is reading its config files properly, since this version came bundled with NetBeans. I tried following this procedure, but nothing changed: http://www.onjava.com/pub/a/onjava/2002/06/12/form.html (I've changed it back now)

tomcat-users.xml:


web.xml: (partial)


PS. Could one of you geniuses please take pity on me and tell me the correct format, so I don't have to keep restarting Tomcat (which means turning NetBeans off and on in this slow machine) until I hit the correct permutation?
 
Seetharaman Venkatasamy
Ranch Hand
Posts: 5575
Kazi Siddiqui wrote: servlets and JSPs that insert and retrieve data from a PostgreSQL database


Then why can't you check the username and password with the database? Personally, I prefer this approach. It is a standard way.

Hope this helps
 
Kazi Siddiqui
Greenhorn
Posts: 6
Seetharaman Venkatasamy wrote: Then why can't you check the username and password with the database? Personally, I prefer this approach. It is a standard way.

Hope this helps

I guess it looks like a lot of work now that I know there's an easier way. Besides, why won't this method work when I know it's supposed to? I just finished configuring everything like the guide said. Configuring the xmls, adding j_* into the form, etc. I feel bad removing all that again for no good reason. (that I understand anyway) Or is this sort of thing common with this method? Come on, there has to be some minor thing I've forgotten. Any suggestions? Please?

PS. I think I made exactly 3 changes to the project: 1) configured web.xml as above 2) configured tomcat-users.xml as above 3) added j_username, etc. to the login form. Is there anything else I should've done?



PPS. Okay, if I had to do the authentication part manually using servlets and JDBC, what would be the easiest way to keep unauthenticated people out of protected pages? Servlet Filters? Putting a little JSP on every page?
 
Mohamed Inayath
Ranch Hand
Posts: 124
Use a filter for authentication.
 