
Servlet Login session time and authentication using Filter

zolf asked:
Hello there,

I have this Servlet class which I am using for login. Can somebody have a look at my code and give their recommendation on whether I have implemented it properly or have missed some important thing in it?

cheers
Zolf
LoginServlet-.java

CERTIFIED EXPERT

Commented:
Couple of things look a bit odd to me:

1)
String desc = ls.get("description").toString();
String desc1 = HashUtils.sha(ls.get("name").toString());

if (n.equals(ls.get("name")) && p.equals(ls.get("password")) && desc.equals(desc1))

Not sure what you're hoping to achieve with the desc.equals(desc1) check?
You seem to be comparing the sha(name) to the description stored in the database.
If these don't match it seems the names won't match.

2) By the end of the servlet where you say:

// Credential are correct!!
if (authenticUser)
...

You've identified that this request came from somebody who has a valid session.
However, that user is NOT necessarily the same as the user name that was passed in here:
String n = request.getParameter("user_name");

(I sign in as username "abc", get a valid session and then send in a request as user "xyz" with my now valid session and the login servlet says this is valid).

You should probably check that the user name sent matches the current session.

Doug

Author

Commented:
Thanks for your comments.

Regarding point 2, can you please write the code for me showing how to validate the session for that user?

Also, in this code, in the if/else loop where I check newLoginRequest, do I need to have the redirect code in its else loop also, or is it not needed?

if (authenticUser)
{
    System.out.println("Credential are correct!!!!!!!!!!!!");
    if (newLoginRequest)
    {
        session.setAttribute("sessionId", request.getSession().getId());
        response.sendRedirect(ConfigUtils.getInstance().getLandingPageURL());
    }
    else
    {
        System.out.println("NEW Login Request is FALSEEEE!!!!!!!!!!!!");
    }
}
else
{
    request.getSession().invalidate();
    response.sendRedirect(ConfigUtils.getInstance().getLoginURL());
}


CERTIFIED EXPERT
Commented:
When you store the session id:
session.setAttribute("sessionId", request.getSession().getId());

You could also store the user name:
session.setAttribute("username", n);

and then change this test:

if (session != null && session.getAttribute("sessionId") != null)

to also compare session.getAttribute("username").equals(n)

Also as to when and where you need to redirect, that's a larger design question - depends on how this servlet fits into the whole system.

Doug
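The following is an added example, not the asker's LoginServlet or Doug's code, showing the pattern from the two comments above: the login servlet binds the authenticated user name to a fresh session, and a Filter on protected URLs accepts a request only when the session's stored username matches the user_name parameter, so a valid session for "abc" cannot be replayed as "xyz". It assumes the javax.servlet 3.x API; the URLs /landing and /login, the UserStore class and its constructed sample user are assumptions standing in for the asker's ConfigUtils and database lookup.

```java
// Added example (not from the original thread): login servlet + filter that
// tie the session to the user name that actually authenticated.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.*;

public class SessionBoundLoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String n = request.getParameter("user_name");
        String p = request.getParameter("password");
        HttpSession existing = request.getSession(false);

        // Already logged in as exactly this user: just send them on.
        if (existing != null && n != null && n.equals(existing.getAttribute("username"))) {
            response.sendRedirect(request.getContextPath() + "/landing"); // assumed URL
            return;
        }
        if (n == null || p == null || !UserStore.checkCredentials(n, p)) {
            if (existing != null) existing.invalidate();
            response.sendRedirect(request.getContextPath() + "/login"); // assumed URL
            return;
        }
        // Credentials are correct: discard any pre-authentication (or other
        // user's) session, then bind the user name to a brand-new session.
        if (existing != null) existing.invalidate();
        HttpSession session = request.getSession(true);
        session.setAttribute("username", n);
        session.setAttribute("sessionId", session.getId());
        session.setMaxInactiveInterval(15 * 60); // idle timeout in seconds
        response.sendRedirect(request.getContextPath() + "/landing");
    }
}

/** Filter for protected URLs: a valid session is not enough on its own, the
 *  user_name in the request (when present) must be the one that logged in. */
class SessionUserFilter implements Filter {
    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false);
        String n = request.getParameter("user_name");
        Object bound = session == null ? null : session.getAttribute("username");

        boolean authenticUser = session != null
                && session.getAttribute("sessionId") != null
                && bound != null
                && (n == null || bound.equals(n));
        if (!authenticUser) {
            if (session != null) session.invalidate();
            response.sendRedirect(request.getContextPath() + "/login");
            return;
        }
        chain.doFilter(req, res);
    }
}

/** Hypothetical credential store standing in for the asker's database code. */
class UserStore {
    // Constructed sample user "abc" with password "secret".
    private static final Map<String, String> HASHES = new HashMap<>();
    static { HASHES.put("abc", sha256Hex("secret")); }

    static boolean checkCredentials(String name, String password) {
        String expected = HASHES.get(name);
        // Compare the hash of the submitted password (not, as in point 1 above,
        // the hash of the name) using a constant-time comparison. A production
        // store would use a salted, slow password hash rather than plain SHA-256.
        return expected != null && MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                sha256Hex(password).getBytes(StandardCharsets.UTF_8));
    }

    static String sha256Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

Map SessionUserFilter to the protected URL patterns (web.xml or @WebFilter) and the login servlet to the login URL. Invalidating the old session before creating the new one is what keeps a session obtained before authentication from being carried over into the logged-in state.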

Author

Commented:
Thanks a lot for your feedback. Do you know of any site that has tutorial code for sessions and authentication?
CERTIFIED EXPERT

Commented:
I don't know of that specifically but you might find this helpful to read:
http://docs.oracle.com/javaee/6/tutorial/doc/gkbaa.html

Doug

Author

Commented:
cheers!!
