I made a logout servlet for logout button, when clicking on logout servlet it successfully going to login page as coded. But when clicking on back button, it asks for form resubmission and after confirming it again going to previous user session.
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
// TODO Auto-generated method stub
/* PrintWriter out = response.getWriter(); */
HttpSession session = request.getSession();
response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0");
response.setHeader("Cache-control", "no-cache");
response.setHeader("Pragma", "no-cache");
response.setHeader("Expire","0");
response.setDateHeader("Expires",-1);
session.invalidate();
String userr = (String)request.getAttribute("k");
if (userr == null)
response.sendRedirect("Login.html");
}
To anyone, who has a similar issue, here is the solution that worked for me.
Create your login.jsp page with the user input form (method should be POST)
<form action="${pageContext.request.contextPath}/userAuth" method="POST">
...
</form>
Create a filter class and map it to login.jsp. Inside the filter class make a check for null, retrieve session and check if it contains an attribute, which will signal that the user has already logged in (I used User object and mapped it as "user")
#WebFilter("/login.jsp")
public class AuthFilter implements Filter {
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
HttpSession session = ((HttpServletRequest) request).getSession();
if (session.getAttribute("user") != null) {
response.setContentType("text/html;charset=UTF-8");
request.getRequestDispatcher("homepage.jsp").forward(request, response);
}
chain.doFilter(request, response);
}
}
Create servlet class and map it to the form action inside login.jsp. Override doPost and doGet methods: former will contain user credentials processing logic, latter will contain log out logic.
#WebServlet("/userAuth")
public class AuthServlet extends HttpServlet {
/**
* Log in
*/
#Override
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
HttpSession session = request.getSession();
String email = request.getParameter("email");
String password = request.getParameter("password");
try {
User user = UserDAO.getUser(email, password);
session.setAttribute("user", user);
response.sendRedirect(request.getContextPath() + "/login.jsp");
} catch (DAOException e) {
e.printStackTrace();
}
}
/**
* Log out
*/
#Override
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
request.getSession().invalidate();
response.setContentType("text/html;charset=UTF-8");
response.sendRedirect("login.jsp");
}
}
Create your homepage.jsp and add the logout button which will send GET to the servlet
Logout
Now the logic behind this is as follows:
The servlet doesn't actually redirect to user homepage. All it does is adding that one attribute, that the filter is looking for, and redirecting request back to login.jsp. And login.jsp always gets intercepted by the filter, who redirects to the homepage if that attribute is present.
This way you will solve the problem of keeping the user logged in until the session is on, as well as the problem of user being able to return or refresh page (which will cause form resubmission) after logging out. No additional headers like "no-cache" are needed.
Related
in my website i have a folder
../private/*
containing 2 pages where i want them to be acessed only by logged in users.
if i open those 2 pages hundred times, i'm correctly redirected to the login page.
once i'm logged in and i open the pages, the filter is called just once per page, the second time i open the page, the filter it's not called anymore.
that's the code:
#WebFilter("/private/*")
public class FilterLoginPages implements Filter {
#Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
HttpSession session = request.getSession(false);
System.out.println("IN THE FILTER");
/* logic of session control */
/* some code, some code */
if(expiringDate != null && expiryDate.after(dateNow)){
System.out.println("user logged in correctly ..");
//open the page
request.getRequestDispatcher(((HttpServletRequest) request).getServletPath()).forward(request, response);
}else{
System.out.println("user not logged in ..");
//No logged-in user found, so redirect to login page.
response.sendRedirect(request.getContextPath() + "/login.html");
}
}
the output is "IN THE FILTER" always when i'm not logged in and i try to open the pages, once i'm logged in i get "IN THE FILTER" once, then nothing for the next openings.
I was trying to create a cookie in one servlet , add it to response() and forwarded it to another servlet using DisaptcherServlet and tried to retrive the cookie using request.getCookies(). But this always coming out to be null.
//Servlet one
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
String userName = request.getParameter("username");
String password = request.getParameter("password");
Cookie cookie = new Cookie("name", "value");
cookie.setMaxAge(30);
response.addCookie(cookie);
if(userName.equals("username") && password.equals("*****")){
RequestDispatcher requestDispatcher = request.getRequestDispatcher("/Welcome");
requestDispatcher.forward(request, response);
}
else{
System.out.println("invalid credentials");
}
}
//welcome servlet
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
Cookie [] cookie = request.getCookies();
if(cookie != null){
System.out.println("sucess");
}
else{
System.out.println("cookieis null");
}
}
When you forward a request you are basically saying "no I don't want to process this request give it to this other resource instead". This means the forwarded request uses the same request and response as the original request.
In your example servlet one sets a cookie on the response, which welcome servlet cannot access because there is no API on the response object to get cookies. If you want this pattern servlet one should set a parameter on the request object which welcome servlet can then get from the request object.
I am developing login servlet app my code is as follows:
Login page for displaying two text box and one login button. Where user enter username and password and submit data.
public class LoginPage extends HttpServlet {
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
response.setContentType("text/html");
PrintWriter out = response.getWriter();
String contextPath = request.getContextPath();
out.println("<form method='post' action='LoginCheck'>");
out.println("Username: <input type='text' name='username'>");
out.println("<br>");
out.println("Password: <input type='password' name='password'>");
out.println("<br>");
out.println("<input type='submit' value='login'>");
out.println("<br>");
out.println("</form>");
}
}
LoginCheck page This page is for checking user's username and password.After checking if username and password is correct then it redirect to welcome page or if it is incorrect then it redirects to Error page And the code for each page is as follows:
public class LoginCheck extends HttpServlet {
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
response.setContentType("text/html");
String username = request.getParameter("username");
String password = request.getParameter("password");
if(username.equals("abs") && password.equals("abs")){
response.sendRedirect("Welcome");
}else{
response.sendRedirect("Error");
}
}
}
Welcome If username and password correct.
public class Welcome extends HttpServlet {
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
PrintWriter out = response.getWriter();
out.println("<h3>Welcome user</h3>");
}
}
Error If username or password is Incorrect.
public class ErrorPage extends HttpServlet {
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
PrintWriter out = response.getWriter();
out.println("<h3>ERROR !!!</h3>");
out.println("<h3>Username or Password you entered is wrong.</h3>");
}
}
OK !!! But after entering username and password to login page it goes to checklogin and when it goes towards welcome page or error page it gives error !!!
HTTP Status 405 - HTTP method GET is not supported by this URL
I am not using GET method anywhere in above code as you can see but why I am getting this type of error ???
The reason why you get HTTP 405 is that HttpServletResponse.sendRedirect is specified like this:
Sends a temporary redirect response to the client using the specified
redirect location URL.
So if you do a response.sendRedirect("Welcome");, you "tell" the client browser to go to the relative URL "Welcome" instead. This by coincidence is mapped to your Welcome-servlet (I presume). HTTP only supports GET redirects, so a GET request is issued by the client browser, but your Welcome-servlet only supports POST.
If you change your Welcome-servlert like this it should work:
public class Welcome extends HttpServlet {
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
PrintWriter out = response.getWriter();
out.println("<h3>Welcome user</h3>");
}
}
Remember to change your ErrorPage-servlet as well.
BUT heed the following!
You should not use a client side redirect but a server side forward like this:
public class LoginCheck extends HttpServlet {
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
response.setContentType("text/html");
String username = request.getParameter("username");
String password = request.getParameter("password");
if(username.equals("abs") && password.equals("abs")){
RequestDispatcher rd = request.getRequestDispatcher("Welcome");
rd.forward(request, response);
}else{
RequestDispatcher rd = request.getRequestDispatcher("Error");
rd.forward(request, response);
}
}
}
Change
protected void doPost(HttpServletRequest request, HttpServletResponse response)
to
protected void doGet(HttpServletRequest request, HttpServletResponse response)
in you Welcome and Error methods.
Thanks Andrew Mairose for pointing that out in comments.
Reference - http://www.wellho.net/resources/ex.php4?item=j601/demolet.java
I'm currently writing a little dynamic web-application in Java.
The application is supposed to be an event-platform where you can create a user-account, log in, and then you can see all open events (in a later iteration, users can create/participate in those events).
Right now, the structure of the web-app could be (simplified) described like this:
Register-Servlet -> Register.jsp
|
V
Login-Servlet -> Login.jsp
|
V
Main-page-Servlet -> Main.jsp
So right now, a user could go to Login.jsp, his login-information would be sent to the Login-Servlet, which would validate it and then send it to the Main-Page-Servlet.
The Main-Page-Servlet then (after validating login again) gets all current events from a database, attaches it to the request, and forwards it to the Main.jsp, which displays it for the user to see.
Now, if a user wants to access the Main.jsp directly (without coming from the Main-Page-Servlet), it obviously can not display the available events. The workaround I'm using currently is doing a null-check to see if the events are there, and if not, redirect to the Main-Page-Servlet.
It bothers me to solve my problem like that, as I don't think that's the best practice and I think it will just create a lot of other problems the bigger my application gets.
My first thought about this was, that it might be useful if I could simply "hide" all .jsp's from the user, so the user would be landing on servlets only and could not access the .jsp's in a different way.
Is there a way to do that? Or, if not, what would be the best practice solution if I would be writing a professional enterprise-level application?
This can be handled in a Filter and there are great explanation and example in StackOverflow Servlet-Filter wiki.
Adapting the code there for your problem (note the addition and usage of the needsAuthentication method):
#WebFilter("/*")
public class LoginFilter implements Filter {
#Override
public void init(FilterConfig config)
throws ServletException {
// If you have any <init-param> in web.xml, then you could get them
// here by config.getInitParameter("name") and assign it as field.
}
#Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
HttpSession session = request.getSession(false);
String requestPath = httpServletRequest.getRequestURI();
if (needsAuthentication(requestPath) ||
session == null ||
session.getAttribute("user") == null) { // change "user" for the session attribute you have defined
response.sendRedirect(request.getContextPath() + "/login"); // No logged-in user found, so redirect to login page.
} else {
chain.doFilter(req, res); // Logged-in user found, so just continue request.
}
}
#Override
public void destroy() {
// If you have assigned any expensive resources as field of
// this Filter class, then you could clean/close them here.
}
//basic validation of pages that do not require authentication
private boolean needsAuthentication(String url) {
String[] validNonAuthenticationUrls =
{ "Login.jsp", "Register.jsp" };
for(String validUrl : validNonAuthenticationUrls) {
if (url.endsWith(validUrl)) {
return false;
}
}
return true;
}
}
I would recommend to move all the pages that require authentication inside a folder like app and then change the web filter to
#WebFilter("/app/*")
In this way, you can remove the needsAuthentication method from the filter.
There're several ways to do it such as servlet filter as above. I saw in some projects they use a simpler mechanism to do it by creating a common action (servlet). So instead of extends HttpServlet, all servlet will be extended the common action. And you can implement a lot of common stuffs such as authentication, validations, permissions...
Here's common action example:
public class CommonServlet extends HttpServlet {
................
................
protected boolean validate(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
response.setContentType("text/html; charset=UTF-8");
request.setCharacterEncoding("UTF-8");
String email = (String) request.getSession().getAttribute("email");
Object salaryGroup = request.getSession().getAttribute("SALARY_GROUP");
if (email == null || email.equals("")) {
request.setAttribute("err", "You have not logged in");
request.getRequestDispatcher("/login.jsp").forward(request, response);
return false;
}
................
................
}
public void setRoleAndValidate(HttpServletRequest request, HttpServletResponse response, String role)
throws ServletException, IOException {
if (!validate(request, response)) {
return;
}
setRoleCode(role);
}
................
................
}
Your action servlet will be as below:
#WebServlet("/employeeManager")
public class EmployeeManager extends CommonServlet {
private static final long serialVersionUID = 1L;
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws
ServletException, IOException {
request.setCharacterEncoding("UTF-8");
setRoleAndValidate(request, response, Permission.EMPLOYEE_LIST.toString());
String action = request.getParameter("action");
.....
Here's the simple implementation
I'm running a web application in JBoss AS 5. I also have a servlet filter which intercepts all the requests to the server. Now, I want to redirect the users to the login page, if the session has expired. I need to do this 'isSessionExpired()' check in the filter and need to redirect the user accordingly. How do I do it? I'm setting my session time limit in web.xml, as below:
<session-config>
<session-timeout>15</session-timeout>
</session-config>
You could use a Filter and do the following test:
HttpSession session = request.getSession(false);// don't create if it doesn't exist
if(session != null && !session.isNew()) {
chain.doFilter(request, response);
} else {
response.sendRedirect("/login.jsp");
}
The above code is untested.
This isn't the most extensive solution however. You should also test that some domain-specific object or flag is available in the session before assuming that because a session isn't new the user must've logged in. Be paranoid!
How to redirect to Login page when Session is expired in Java web application?
This is a wrong question. You should differentiate between the cases "User is not logged in" and "Session is expired". You basically want to redirect to login page when user is not logged in. Not when session is expired. The currently accepted answer only checks HttpSession#isNew(). But this obviously fails when the user has sent more than one request in the same session when the session is implicitly created by the JSP or what not. E.g. when just pressing F5 on the login page.
As said, you should instead be checking if the user is logged in or not. Given the fact that you're asking this kind of question while standard authentication frameworks like j_security_check, Shiro, Spring Security, etc already transparently manage this (and thus there would be no need to ask this kind of question on them), that can only mean that you're using a homegrown authentication approach.
Assuming that you're storing the logged-in user in the session in some login servlet like below:
#WebServlet("/login")
public class LoginServlet extends HttpServlet {
#EJB
private UserService userService;
#Override
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
request.getRequestDispatcher("/WEB-INF/login.jsp").forward(request, response);
}
#Override
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
String username = request.getParameter("username");
String password = request.getParameter("password");
User user = userService.find(username, password);
if (user != null) {
request.getSession().setAttribute("user", user);
response.sendRedirect(request.getContextPath() + "/home");
} else {
request.setAttribute("error", "Unknown login, try again");
doGet(request, response);
}
}
}
Then you can check for that in a login filter like below:
#WebFilter("/*")
public class LoginFilter implements Filter {
#Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws ServletException, IOException {
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
HttpSession session = request.getSession(false);
String loginURI = request.getContextPath() + "/login";
boolean loggedIn = session != null && session.getAttribute("user") != null;
boolean loginRequest = request.getRequestURI().equals(loginURI);
if (loggedIn || loginRequest) {
chain.doFilter(request, response);
} else {
response.sendRedirect(loginURI);
}
}
// ...
}
No need to fiddle around with brittle HttpSession#isNew() checks.
you can also do it with a filter like this:
public class RedirectFilter implements Filter {
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
HttpServletRequest req=(HttpServletRequest)request;
//check if "role" attribute is null
if(req.getSession().getAttribute("role")==null) {
//forward request to login.jsp
req.getRequestDispatcher("/login.jsp").forward(request, response);
} else {
chain.doFilter(request, response);
}
}
}
Check for session is new.
HttpSession session = request.getSession(false);
if (!session.isNew()) {
// Session is valid
}
else {
//Session has expired - redirect to login.jsp
}
Inside the filter inject this JavaScript which will bring the login page like this.
If you don't do this then in your AJAX call you will get login page and the contents of login page will be appended.
Inside your filter or redirect insert this script in response:
String scr = "<script>window.location=\""+request.getContextPath()+"/login.do\"</script>";
response.getWriter().write(scr);
You need to implement the HttpSessionListener interface, server will notify session time outs.
like this;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;
public class ApplicationSessionListener implements HttpSessionListener {
public void sessionCreated(HttpSessionEvent event) {
System.out.println("Session Created");
}
public void sessionDestroyed(HttpSessionEvent event) {
//write your logic
System.out.println("Session Destroyed");
}
}
Check this example for better understanding
http://www.myjavarecipes.com/how-to-catch-session-timeouts/
Until the session timeout we get a normal request, after which we get an Ajax request. We can identify it the following way:
String ajaxRequestHeader = request.getHeader("X-Requested-With");
if ("XMLHttpRequest".equals(ajaxRequestHeader)) {
response.sendRedirect("/login.jsp");
}
i found this posible solution:
public void logout() {
ExternalContext ctx = FacesContext.getCurrentInstance().getExternalContext();
String ctxPath = ((ServletContext) ctx.getContext()).getContextPath();
try {
//Use the context of JSF for invalidate the session,
//without servlet
((HttpSession) ctx.getSession(false)).invalidate();
//redirect with JSF context.
ctx.redirect(ctxPath + "absolute/path/index.jsp");
} catch (IOException ex) {
System.out.println(ex.getMessage());
}
}
When the use logs in, put its username in the session:
`session.setAttribute("USER", username);`
At the beginning of each page you can do this:
<%
String username = (String)session.getAttribute("USER");
if(username==null)
// if session is expired, forward it to login page
%>
<jsp:forward page="Login.jsp" />
<% { } %>