Java EE.
Ok, JSP form handed to servlet username and password. Username and password is vaild.
How i can AUTHenticate the user?
Thanks for help.
Here is the tutorial:
http://download.oracle.com/javaee/6/tutorial/doc/bncas.html
Don't reinvent the wheel - especially not security, as it is hard enough to get it right even when using existing frameworks.
I don't know what exacly problem you have. Try this steps:
Submit your form in HTTP GET to your LoginServlet
Get Login
Get Password
If Login && Password are correct create some UserObject and call httpRequest.getSession() which get user http session. Then put this object to your created session.
To check if user is logged you check if userObject exists in session
If you will have problems try attached your current sources.
Related
I made a hook by implementing login.jsp inside /html/portlet/login folder.
Now I tried to get the login credentials submitted through the default login form. The code which I tried is:-
request.getParameter("login")
but it could not retrieve login credential so I want to ask how to retrieve login credential.
You can get username and password by using following ways:
String username = themeDisplay.getUser().getScreenName();
String password = (String)request.getSession().getAttribute(WebKeys.USER_PASSWORD);
and write the below lines in portal-ext.properties:
session.store.password=true
session.shared.attributes.excludes=
But you need to take the precaution because when you use session.store.password=true then passwords will be stored n clear text and the same will be appear in dumps.
I hope this resolves your issue.
On android client, I create Credentials, then choose account using AccountPicker and set the account name. On GAE, I have User parameter in every endpoint method. (I described it here)
Android Client ID, Web client ID and audiences are configured correctly.
On endpoint, the user is not null and has correct email set. But when I call user.getUserId() I get null. Is this user authenticated or not?... It really makes me nervous not to know that...
What you describe is odd, and I don't know why you get null when you call getUserId(), but never-the-less I would say, Yes, you are authenticated.
If you want to be sure, then you could try using that authentication from a web client - I read that once you have authenticated an Android user you are automatically given minimal account authentication for web too. So create a minimal servlet that includes the following code:
UserService userService = UserServiceFactory.getUserService();
User user = userService.getCurrentUser();
Load the page while signed in with the same account you authenticated from Android and see whether it acts like it already knows you, or whether it prompts the user as it would for a different, un-authenticated user.
This is a bug on google's side.
There seems to be a clunky workaround: save User to datastore and read it back.
I have 2 files named Login.jsp, NewChart.jsp. I am using Login.jsp to enter my password and user name and i am retriving user name and password from the mysql database.
In a browser if i enter the url of the NewChart.jsp, it is displaying the chart.
How to avoid this and i should access chart only through Login.jsp?
Two simple ways I can think of :-
Move the NewChart.jsp file under WEB-INF of your Servlet Container . From the Login.jsp redirect or forward to the NewChart.jsp.
Write a filter and check for some session attribute before the request arrives for the NewChart.jsp. Set the session attribute on Login.
you need to manage session and at the time of login set attribute in session and very first in NewChart,jsp check whether that attibute set in seession if so then go ahead otherwise direct redirect to login.jsp
There a built-in security mechanisms and you should use them, security is complicated and there are many ways to get it wrong.
If you're using Tomcat, you can use a JDBCRealm to secure your application
I'm trying to avoid that when a user has connected to Facebook from my webview, the next time he do it, doesn't need to put the email and password. I'm getting the cookie from the "facebook.com" domain with this sentence:
String cookie = CookieManager.getInstance().getCookie("facebook.com");
and storing it in a SQLite database. When the user try to connect another time to Facebook, I use this sentence after removing all another cookies:
CookieManager.getInstance().setCookie("facebook.com", user_acc.getSessionCookie());
but doesn't work. That cookie I suppose that is not valid because the user has to put his username and his password again and after login, I get a different cookie that the one I had stored.
What I'm doing wrong? Is there another way to accomplish that?
Thank you in advance.
I think you can't do this via cookie because this cookie is valid for only that session and as soon as user logout that cookie expires though you are storing that cookie in your database for facebook that cookie was never created that is why it is asking user name pwd again. I think best way is to click remember password
I think this will solve your problem this is announced today check if this can work http://techcrunch.com/2010/11/03/facebook-single-sign-on/
Well, I've found the solution. If I get all the cookies doesn't work, but if only get the m_user cookie all works fine.
Thank you Parry for your answers.
Regards.
i want to know how to generate a url in a servlet. I have a login servlet, and every time that add a user i want to gen. a url for each user profile.
Can anyone help me please?
The easiest way is to declare a servlet mapping like the following:
<servlet-mapping>
<servlet-name>UsersSelvlet</servlet-name>
<url-pattern>/Users/*</url-pattern>
</servlet-mapping>
Now, whenever you get a request for MyApp/Users/UserId you read the request path, get the userId and check if the user exists. If not you return 'Not found'. Otherwise you return the user's page.
This is a quick and dirty implementation of a RESTful service.
I think the solution of kgiannakakis is very good. I just want to add some details, because reading the comment of Agusti-N I have the suspect that may be he is missing something.
Let's say that you have the UsersServlet described by kgiannakakis, a jsp called showUserProfile.jsp and an userBean that has all the properties of the user's profile needed to be shown in the jsp.
When a new user registers to your application, you need to do nothing more than you already do now. Just register a new user in the db, and forget the login servlet.
Now suppose that I registered to your app with my username alexmeia.
When someone digit the url yourApp/Users/alexmeia the UsersServlet is called. This servlet gets the username alexmeia from the request url, checks in the DB if
this username exists and if exist load all the properties of this user in the userBean.
After that, forward to showUserProfile.jsp, which shows the user profile reading it from the userBean.
Obviously, if the user alexmeia is not in the Db, you can redirect to a generic userNotFound.jsp, or go to home page and show a message and so on...
This works for all the registered users in the same way. You don't need to really create a real new url for every new user.
It sounds like you might want to look into REST technologies. There is a tutorial here you might want to have a look at.
Do you need URL rewriting? Something like this, perhaps, but instead of RMI generate your own user id