
User authentication from database

Mark Wa
Ranch Hand

Joined: May 29, 2009
Posts: 122
Hi. I am a newbie to JEE.

I want to authenticate users from a list of users in a database, using a custom-built form to log in. I know there are things that can be configured in the web.xml, but any tutorials I found don't explain about using a database for the list of users. I also want to restrict the servlets and JSPs I have already created to only authenticated users.

Also there are 2 kinds of users that will have access to different pages.

Any help would be appreciated. Thanks in advance.
Nishan Patel
Ranch Hand

Joined: Sep 07, 2008
Posts: 689

Hi Mark,

What you are talking about, authentication using web.xml, is FORM-based authentication. But it is better to use a login page and ask the user to enter a user name and password.

Now, after getting the user name and password, make a select query which contains the name and password. Select that user and just set the session.

Using this process you can authenticate the user in your application.

Thanks, Nishan Patel
SCJP 1.5, SCWCD 1.5, OCPJWSD Java Developer,My Blog
Mark Wa
Ranch Hand

Joined: May 29, 2009
Posts: 122
I currently have a login page that validates the credentials against the database. It then forwards the user on to a page according to their access level, or back to the login page with a message if the credentials don't match.

My problem now is how to make all the other pages besides the login page accessible only to the appropriate user(s).

I could put a huge if statement around the entire page to check what the user's access level is which is contained within the session and to display the page according to that, but that just seems like an awful solution.
Bosun Bello
Ranch Hand

Joined: Nov 06, 2000
Posts: 1510
Assuming you are forwarding to the other pages via a controller or such, you can just check their access level before dispatching to any of the pages, and if they do not have the appropriate access level, forward them to a page with an appropriate message.

So much trouble in the world -- Bob Marley
Mark Wa
Ranch Hand

Joined: May 29, 2009
Posts: 122
Yes. That's what I'm doing at the moment. The problem I have is this is not secure enough, as a user could just type the URL of a particular page. The system needs to be fairly secure as it could contain confidential information and will be available on the internet.
Bear Bibeault
Author and ninkuma

Joined: Jan 10, 2002
Posts: 63865

One word: Filters.

[Asking smart questions] [About Bear] [Books by Bear]
Jonathon Stride
Ranch Hand

Joined: Aug 06, 2009
Posts: 34
If you are using Tomcat, then whatever is present in the WEB_INF and META_INF folders can't be accessed directly by the user, even if they type the URL. That's a simple way to do what you ask.

2 interviews failed cause of not having SCJP ( and counting...)
not anymore !

SCJP 6 (70%)

now ready to count other reasons :P...
Satya Maheshwari
Ranch Hand

Joined: Jan 01, 2007
Posts: 368
Bear Bibeault wrote: One word: Filters.

Filters is the right solution for your requirement.

Thanks and Regards
Mark Wa
Ranch Hand

Joined: May 29, 2009
Posts: 122
Thanks all. I will look into filters.

Jonathon, what I meant by that was accessing JSP pages without authenticating, not the WEB-INF stuff.

I consider this question solved.