Login Servlet

matt ara
Greenhorn

Joined: Mar 03, 2012
Posts: 7
Hello everyone. I'm very new to this and I'm having some problems with the following code. I have a registration page that's working wonderfully, but this seems to be a bit more complicated. I have a small Oracle database where usernames and passwords are stored. I'm simply trying to log in and match a user to a password, but I'm having issues. Can anyone help me out by looking at the following code?



My JSP
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61766
    
  67

So what's the problem?

P.S. Good move using code tags for your code, but it's still hard to read code without proper indentation.


matt ara
Greenhorn

Joined: Mar 03, 2012
Posts: 7
I've been working on it for a few hours, but I'm not even sure if I'm heading in the right direction. I'm getting syntax errors on my connection strings and my query string. I'm trying to follow the same process I used to create a registration page I made, with the logic that I would get the parameters from the form fields and then pull the username from the DB based on that form field and match it to the password. It doesn't seem to be working out; is this heading in the right direction?
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61766
    
  67

As I said, your code is difficult to read. I'd recommend posting it again, without the double spacing and using proper indentation.
matt ara
Greenhorn

Joined: Mar 03, 2012
Posts: 7
I modified my code to work with the JSP, and it just keeps kicking me out saying User Invalid when I know those users/pass are in the DB.
Prasad Krishnegowda
Ranch Hand

Joined: Apr 25, 2010
Posts: 587
    
    3

You said you were getting syntax errors; did you overcome that?
matt ara wrote:The logic that I would get the parameters from the form fields and then pull the username from the DB based on that form field and match to the password. Doesn't seem to be working out, is this heading in the right direction?

Yes, you are heading in the right direction. What have you done to debug this? Are the username/password being passed correctly to the servlet? Is the SQL query returning correctly?
You can just use an SQL query like and see whether it returns at least 1 row; if yes, then user authentication is successful. Why retrieve all the rows in the table and do a compare operation?

matt ara wrote:I modified my code to work with the JSP, and it just keeps kicking me out saying User Invalid when I know those users/pass are in the DB.

What changes did you make in the JSP? Did you put the business logic/Java code inside the JSP? If yes, you are definitely heading in the wrong direction; revert them and use a servlet, and post here any questions/doubts you have...
matt ara
Greenhorn

Joined: Mar 03, 2012
Posts: 7
Sorry I don't understand what you're asking. Your query modified works on the database side, but I'm not sure how you would want me to integrate it into my code to see if I can get a row?
Paul Clapham
Bartender

Joined: Oct 14, 2005
Posts: 18987
    
    8

Why on earth are you reading through the entire user table to find a specific user?
matt ara
Greenhorn

Joined: Mar 03, 2012
Posts: 7
This is the SQL query I'm using now....

Prasad Krishnegowda
Ranch Hand

Joined: Apr 25, 2010
Posts: 587
    
    3

Is it working for you, or are you facing any problems?
matt ara
Greenhorn

Joined: Mar 03, 2012
Posts: 7
Still having issues, even with the modified SQL. The Servlet runs, but gives me "not a valid user." I'm not sure where my code is wrong, but I believe I am making a connection to my db because I've applied the similar code/logic here from my registration, and users/passes are going from my registration JSP to my database.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61766
    
  67

Have you inserted logging statements to find out what the variable values are around the failing portion?

Also, this has nothing to do with servlets so it's been moved to the JDBC forum.

And you should be using prepared statements. Your code is just asking for SQL injection attacks!
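An added example (not code from the thread, whose original listings are missing) of the prepared-statement lookup recommended above, next to the string-concatenated form it replaces. The table `app_users` and its `username`/`password` columns are assumed names.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class LoginCheck {
    // Assumed schema, not from the thread: app_users(username, password).
    // The password column is assumed to hold what the registration page stored.
    private static final String LOGIN_SQL =
        "SELECT 1 FROM app_users WHERE username = ? AND password = ?";

    // The 'before': form input becomes part of the SQL text itself.
    static String concatenatedSql(String user, String pass) {
        return "SELECT 1 FROM app_users WHERE username = '" + user
             + "' AND password = '" + pass + "'";
    }

    // The 'after': the SQL text is constant and the inputs travel as bind
    // values, so the driver never parses them as SQL. The WHERE clause also
    // lets the database find the row instead of the servlet scanning the table.
    static boolean isValidLogin(Connection con, String user, String pass)
            throws SQLException {
        if (user == null || pass == null) {
            return false; // missing form parameter: reject without querying
        }
        try (PreparedStatement ps = con.prepareStatement(LOGIN_SQL)) {
            ps.setString(1, user);
            ps.setString(2, pass);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next(); // a matching row means the pair is valid
            }
        }
    }

    public static void main(String[] args) {
        // Constructed input: an ordinary name that contains a quote character.
        String user = "o'brien";
        // The quote closes the string literal early, so the concatenated
        // statement no longer means what the programmer wrote.
        System.out.println(concatenatedSql(user, "secret"));
        // The prepared form is the same text for every login attempt.
        System.out.println(LOGIN_SQL);
    }
}
```

`main` runs without a database and only prints the two SQL texts; `isValidLogin` needs a `Connection` from whatever JDBC driver the application already uses.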
Victor M. Pereira
Ranch Hand

Joined: Mar 02, 2012
Posts: 50
Have you checked the user and password returned from the jsp?

And change your form to POST for security reasons.

matt ara wrote:



Does your DD have the authentication configuration?



regards,
Victor M. Pereira
Prasad Krishnegowda
Ranch Hand

Joined: Apr 25, 2010
Posts: 587
    
    3

Victor M. Pereira wrote:And change your form to POST for security reasons.

Can you please explain what security reasons you are referring to? POST is in no way more secure than GET.
Tim Moores
Rancher

Joined: Sep 21, 2011
Posts: 2408
Prasad Krishnegowda wrote:POST is in no way more secure than GET.

It absolutely is. For example, URLs -which include GET parameters- are written to log files. You wouldn't want that to include your login info. Passwords should also only ever be sent via HTTPS, not HTTP.
Victor M. Pereira
Ranch Hand

Joined: Mar 02, 2012
Posts: 50
They are. For example, if Amazon did a GET with your password, wouldn't your son or wife see it in the explorer bar? And suddenly your son would appear with a new TV saying he won it in a BINGO.

And for the other part, that's the reason for the DD. By setting it in the DD you can start using SSL, and configure a lot of other important things that have to do with authentication, authorization, confidentiality and data integrity. BTW, the other 3 methods for the <auth-method> tag are: BASIC, DIGEST and CLIENT-CERT.

If you want to learn more about this, I recommend the chapter on security in Head First Servlets and JSP.

Prasad Krishnegowda
Ranch Hand

Joined: Apr 25, 2010
Posts: 587
    
    3

Tim, can you please explain which log files you were referring to?
Victor, you can also claim that Keyboard is not secure, as somebody can be looking over your shoulder when you type the password.

If GET is not secure, POST is also not secure. No request is secure simply based upon the choice of method. Requests are secure by using SSL.
Tim Moores
Rancher

Joined: Sep 21, 2011
Posts: 2408
Prasad Krishnegowda wrote:Tim, can you please explain which log files you were referring to?

The log files on the server. Apache, Tomcat and all other servers can be configured to log URL parameters if they don't do it out of the box already.

Prasad Krishnegowda wrote:If GET is not secure, POST is also not secure.

Patently wrong - they are treated differently in ways that give rise to different security risks.

Prasad Krishnegowda wrote:No request is secure simply based upon the choice of method.

Nobody said so. But in this context POST is more secure than GET.

Prasad Krishnegowda wrote:Requests are secure by using SSL.

No. There's lots more to security than the choice of which HTTP method to use and the decision to use SSL.
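The log-file exposure discussed above, as an added example that is not part of any post in this thread: a small audit that finds credentials recorded in access-log request lines and masks them. The log lines are constructed samples in Common Log Format, and the list of parameter names treated as secrets is an assumption.

```java
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class AccessLogAudit {
    // Request line inside a Common Log Format entry: "METHOD target HTTP/x.y"
    private static final Pattern REQUEST =
        Pattern.compile("\"([A-Z]+) (\\S+) HTTP/[0-9.]+\"");
    // Query parameters treated as credentials (assumed list of names).
    private static final Pattern SECRET_PARAM =
        Pattern.compile("(?i)([?&](?:password|passwd|pwd)=)[^&\\s\"]*");

    // Returns the line with credential values masked, or null when the
    // request target carries no credential parameter.
    static String redact(String line) {
        Matcher req = REQUEST.matcher(line);
        if (!req.find()) {
            return null; // not a parsable request line
        }
        Matcher secret = SECRET_PARAM.matcher(req.group(2));
        if (!secret.find()) {
            return null;
        }
        String masked = secret.replaceAll("$1[REDACTED]");
        return line.substring(0, req.start(2)) + masked
             + line.substring(req.end(2));
    }

    public static void main(String[] args) {
        // Constructed sample lines, not taken from any real server.
        List<String> log = List.of(
            "192.0.2.10 - - [03/Mar/2012:10:15:02 +0000] "
                + "\"GET /login?user=alice&password=hunter2 HTTP/1.1\" 200 512",
            "192.0.2.10 - - [03/Mar/2012:10:15:09 +0000] "
                + "\"POST /login HTTP/1.1\" 302 0",
            "192.0.2.11 - - [03/Mar/2012:10:16:40 +0000] "
                + "\"GET /index.jsp?page=2 HTTP/1.1\" 200 2048");
        for (String line : log) {
            String cleaned = redact(line);
            if (cleaned != null) {
                System.out.println("CREDENTIAL IN URL: " + cleaned);
            }
        }
    }
}
```

Only the GET login line is flagged: the POST login leaves no parameters in the request line, which is the difference between the two methods that the posts above argue about.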
Prasad Krishnegowda
Ranch Hand

Joined: Apr 25, 2010
Posts: 587
    
    3

Tim, thanks for the clarifications.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61766
    
  67

I'll disagree with Tim on a minor point. POST is no more secure than GET. It just doesn't show params on the URL. That extra level of "security" is a blip and is really no security at all.

The choice of method should be dictated by what the request is doing, not any supposed security concerns.

Using SSL is good, but Tim is correct in that there are other things that need to be done. Protecting against SQL injection is one of them.
Tim Moores
Rancher

Joined: Sep 21, 2011
Posts: 2408
Bear Bibeault wrote:POST is no more secure than GET. It just doesn't show params on the URL. That extra level of "security" is a blip and is really no security at all.

Maybe we operate in different environments with different security requirements. The prospect of passwords being captured in log files is an absolute no-go in my world.
matt ara
Greenhorn

Joined: Mar 03, 2012
Posts: 7
Thanks for the help, and I'm not too concerned at all about security, just that it works for now. I have been able to get the login page to work successfully, so thanks all for the help. Not sure if I should post the code, but in the end I found that my SQL query wasn't right and also, the parameters from the JSP forms weren't passing properly to the servlet. After I solved those two problems, things are working now.

Again, thanks for the help.
Java Lingappa
Greenhorn

Joined: Mar 12, 2012
Posts: 1
What did you do, matt ara, in the SQL statement and in the JSP? Can you paste what changes you made?
 