I have 2 files named Login.jsp, NewChart.jsp. I am using Login.jsp to enter my password and user name and i am retriving user name and password from the mysql database.
In a browser if i enter the url of the NewChart.jsp, it is displaying the chart.
How to avoid this and i should access chart only through Login.jsp?
Two simple ways I can think of :-
Move the NewChart.jsp file under WEB-INF of your Servlet Container . From the Login.jsp redirect or forward to the NewChart.jsp.
Write a filter and check for some session attribute before the request arrives for the NewChart.jsp. Set the session attribute on Login.
you need to manage session and at the time of login set attribute in session and very first in NewChart,jsp check whether that attibute set in seession if so then go ahead otherwise direct redirect to login.jsp
There a built-in security mechanisms and you should use them, security is complicated and there are many ways to get it wrong.
If you're using Tomcat, you can use a JDBCRealm to secure your application
Related
I have this Spring+Thymeleaf project, where user must answer to question and after that he/she can fill out a form.
I want to limit access to this form page (/finish.html), so that you cannot access it directly by typing it to browser and you must have answered correctly to a question.
I have this piece of code,
Long max = difficultyLevels.stream().map(d -> d.getLevel()).max(Long::compareTo).get();
if (levelId > max) {
return "redirect:/finish";
}
where I think I should add something to grant access to /finish.html -page. But how I do it?
A redirect causes a new client request. So if you want to protect the /finish endpoint securely there are a few strategies:
You can place a value on the session that you can check in the /finish controller before you render the page.
You could also use redirect attributes to pass some sort of encrypted token and check that in the finish controller. See What are ways for pass parameters from controller after redirect in spring mvc?.
You could also use a forward instead of a redirect. You can add data to the servlet request as described here: Spring forward with added parameters?. This may not work for you as it won't change the browser url.
I want redirect my application to specific section after save some values in database. Something like response.sendRedirect("my section in html").
How I can do this?
I am using struts2,jsp,hibernate to develop my application . Can any one tell me the best way to maintain session for allowing single login per user. do i have to store all user login session id in context or any other way to that? please explain about this
I've seen this done in one project, using a Servlet Filter and the database. As part of your login process you create an entry in a db table. Call it a "LoginSession" table or whatever you want. Also as part of creating the record in the table, invalidate any previous entries in that table for the same user. Associate the users current session id cookie with that entry. Then in your Servlet Filter, which you'd have filter every request, check the database, to see if this request has a still valid entry in your "LoginSession" table. If so let the request continue. If not, redirect them to the home/login/logout page of your choice.
Java EE.
Ok, JSP form handed to servlet username and password. Username and password is vaild.
How i can AUTHenticate the user?
Thanks for help.
Here is the tutorial:
http://download.oracle.com/javaee/6/tutorial/doc/bncas.html
Don't reinvent the wheel - especially not security, as it is hard enough to get it right even when using existing frameworks.
I don't know what exacly problem you have. Try this steps:
Submit your form in HTTP GET to your LoginServlet
Get Login
Get Password
If Login && Password are correct create some UserObject and call httpRequest.getSession() which get user http session. Then put this object to your created session.
To check if user is logged you check if userObject exists in session
If you will have problems try attached your current sources.
i want to know how to generate a url in a servlet. I have a login servlet, and every time that add a user i want to gen. a url for each user profile.
Can anyone help me please?
The easiest way is to declare a servlet mapping like the following:
<servlet-mapping>
<servlet-name>UsersSelvlet</servlet-name>
<url-pattern>/Users/*</url-pattern>
</servlet-mapping>
Now, whenever you get a request for MyApp/Users/UserId you read the request path, get the userId and check if the user exists. If not you return 'Not found'. Otherwise you return the user's page.
This is a quick and dirty implementation of a RESTful service.
I think the solution of kgiannakakis is very good. I just want to add some details, because reading the comment of Agusti-N I have the suspect that may be he is missing something.
Let's say that you have the UsersServlet described by kgiannakakis, a jsp called showUserProfile.jsp and an userBean that has all the properties of the user's profile needed to be shown in the jsp.
When a new user registers to your application, you need to do nothing more than you already do now. Just register a new user in the db, and forget the login servlet.
Now suppose that I registered to your app with my username alexmeia.
When someone digit the url yourApp/Users/alexmeia the UsersServlet is called. This servlet gets the username alexmeia from the request url, checks in the DB if
this username exists and if exist load all the properties of this user in the userBean.
After that, forward to showUserProfile.jsp, which shows the user profile reading it from the userBean.
Obviously, if the user alexmeia is not in the Db, you can redirect to a generic userNotFound.jsp, or go to home page and show a message and so on...
This works for all the registered users in the same way. You don't need to really create a real new url for every new user.
It sounds like you might want to look into REST technologies. There is a tutorial here you might want to have a look at.
Do you need URL rewriting? Something like this, perhaps, but instead of RMI generate your own user id