The following is a piece of Java code using filters that shows the error page every time, even when the username and password are correct. Please help me, I don't have much knowledge of this concept.
// doFilter() body from the question; st, rs and sc are assumed to be a Statement, a ResultSet and the ServletContext held by the filter.
String sql="select * from reg where username='"+user+"' and pass='"+pwd+"'"; // credentials concatenated straight into the SQL text
rs=st.executeQuery(sql);
if(rs.next())
{
    chain.doFilter(request,response); // a row matched: let the request through to the chain
}
else
    sc.getRequestDispatcher("/error.html").forward(request,response); // no row matched: show the error page
Authentication can be performed in a filter. Here the filter checks the password given by the user: if the password is admin, it forwards the request to the WelcomeAdmin servlet; otherwise it displays an error message.
Authentication filters let you set an authentication scheme for individual controllers or actions. That way, your app can support different authentication mechanisms for different HTTP resources.
The doFilter method of the Filter is called by the container each time a request/response pair is passed through the chain due to a client request for a resource at the end of the chain. The FilterChain passed in to this method allows the Filter to pass on the request and response to the next entity in the chain.
String sql="select * from reg where username='"+user+"' and pass='"+pwd+"'";
This is an extremely bad practice. This approach requires both the username and the password to be passed around in plain text on every request. Moreover, you have a SQL injection hole there.
Make use of sessions; in JSP/Servlet you have the HttpSession for that. There is really also no need to hit the DB again and again on every request using a Filter. That's unnecessarily expensive. Just put the User in the session using a Servlet and use the Filter to check its presence on every request.

Start with a /login.jsp:
<form action="login" method="post">
<input type="text" name="username">
<input type="password" name="password">
<input type="submit"> ${error}
</form>
Then, create a LoginServlet which is mapped on a url-pattern of /login and has doPost() implemented as follows:
String username = request.getParameter("username");
String password = request.getParameter("password");
User user = userDAO.find(username, password);
if (user != null) {
request.getSession().setAttribute("user", user); // Put user in session.
response.sendRedirect("/secured/home.jsp"); // Go to some start page.
} else {
request.setAttribute("error", "Unknown login, try again"); // Set error msg for ${error}
request.getRequestDispatcher("/login.jsp").forward(request, response); // Go back to login page.
}
Then, create a LoginFilter which is mapped on a url-pattern of /secured/* (you can choose your own, e.g. /protected/*, /restricted/*, /users/*, etc., but it must at least cover all secured pages; you also need to put the JSPs in the appropriate folder in WebContent) and has doFilter() implemented as follows:
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
HttpSession session = request.getSession(false);
String loginURI = request.getContextPath() + "/login.jsp";
boolean loggedIn = session != null && session.getAttribute("user") != null;
boolean loginRequest = request.getRequestURI().equals(loginURI);
if (loggedIn || loginRequest) {
chain.doFilter(request, response); // User is logged in, just continue request.
} else {
response.sendRedirect(loginURI); // Not logged in, show login page.
}
That should be it. Hope this helps.
To get an idea of how a UserDAO would look, you may find this article useful. It also covers how to use PreparedStatement to save your webapp from SQL injection attacks.
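The login servlet, the filter and the UserDAO described in the answer above, assembled into one complete Java file. This is an added example, not the answer's own code, and it makes a few assumptions the page does not state: the table is the question's reg table with columns username and pass, a container-managed DataSource is bound under the JNDI name jdbc/regDB, Servlet 3.x annotations are available, and the class names LoginExample, User, UserDAO, LoginServlet and LoginFilter are invented for the example. Beyond the answer's snippets it also binds the username with a PreparedStatement parameter instead of concatenating it, invalidates any pre-login session before storing the user (session fixation), never creates a session from inside the filter, and uses one error message for unknown user and wrong password.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.sql.*;
import javax.annotation.Resource;
import javax.servlet.*;
import javax.servlet.annotation.*;
import javax.servlet.http.*;
import javax.sql.DataSource;

/** Single-file example; in a real project each nested class would live in its own file. */
public final class LoginExample {

    /** What goes into the session: the identity only, never the password. */
    public static final class User {
        private final String username;
        public User(String username) { this.username = username; }
        public String getUsername() { return username; }
    }

    /** DAO for the question's "reg" table (assumed columns: username, pass). */
    public static final class UserDAO {
        private final DataSource ds;
        public UserDAO(DataSource ds) { this.ds = ds; }

        /** Returns the matching User, or null when the credentials are wrong. */
        public User find(String username, String password) throws SQLException {
            // The username is bound as a parameter: the driver ships it as data, not as
            // SQL text, so a value such as  ' OR '1'='1  cannot change the query.
            String sql = "SELECT username, pass FROM reg WHERE username = ?";
            try (Connection c = ds.getConnection();
                 PreparedStatement ps = c.prepareStatement(sql)) {
                ps.setString(1, username);
                try (ResultSet rs = ps.executeQuery()) {
                    if (!rs.next()) {
                        return null; // unknown username
                    }
                    // Constant-time comparison against the stored value. Assumption: the pass
                    // column holds a salted password hash and this line is replaced by the
                    // hash library's verify call; the page's table stores it in plain text.
                    byte[] stored = rs.getString("pass").getBytes(StandardCharsets.UTF_8);
                    byte[] given = password.getBytes(StandardCharsets.UTF_8);
                    return MessageDigest.isEqual(stored, given) ? new User(username) : null;
                }
            }
        }
    }

    @WebServlet("/login")
    public static final class LoginServlet extends HttpServlet {
        @Resource(name = "jdbc/regDB") // assumed JNDI name of the application's DataSource
        private DataSource ds;

        @Override
        protected void doPost(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            String username = request.getParameter("username");
            String password = request.getParameter("password");
            User user = null;
            if (username != null && password != null) {
                try {
                    user = new UserDAO(ds).find(username, password);
                } catch (SQLException e) {
                    throw new ServletException("login query failed", e);
                }
            }
            if (user != null) {
                // Session fixation defence: drop any session id the client had before login.
                HttpSession old = request.getSession(false);
                if (old != null) {
                    old.invalidate();
                }
                request.getSession(true).setAttribute("user", user);
                response.sendRedirect(request.getContextPath() + "/secured/home.jsp");
            } else {
                // Same message for unknown user and wrong password: no username enumeration.
                request.setAttribute("error", "Unknown login, try again");
                request.getRequestDispatcher("/login.jsp").forward(request, response);
            }
        }
    }

    @WebFilter("/secured/*")
    public static final class LoginFilter implements Filter {
        @Override public void init(FilterConfig config) { }
        @Override public void destroy() { }

        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest request = (HttpServletRequest) req;
            HttpServletResponse response = (HttpServletResponse) res;
            HttpSession session = request.getSession(false); // never create a session here
            boolean loggedIn = session != null && session.getAttribute("user") != null;
            if (loggedIn) {
                chain.doFilter(request, response); // logged in: continue the chain
            } else {
                response.sendRedirect(request.getContextPath() + "/login.jsp");
            }
        }
    }
}
```

The filter is mapped only on /secured/*, so /login and /login.jsp stay reachable without the loginRequest check the answer's version needs. Because the filter never calls getSession(true), an unauthenticated crawler hitting secured URLs does not make the container allocate a session per request.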