Authenticating the username, password by using filters in Java (contacting with database)

String sql = "select * from reg where username='" + user + "' and pass='" + pwd + "'";

This is an extremely bad practice. This approach requires that both username and password be passed around plain vanilla with every request. Moreover, you have a SQL injection attack hole there.

Make use of sessions; in JSP/Servlet you have the HttpSession for that. There is also really no need to hit the DB again and again on every request using a Filter. That's unnecessarily expensive. Just put the User in the session using a Servlet and use the Filter to check its presence on every request.

Start with a /login.jsp:

<form action="login" method="post">
    <input type="text" name="username">
    <input type="password" name="password">
    <input type="submit"> ${error}
</form>

Then, create a LoginServlet which is mapped on a url-pattern of /login and has the doPost() implemented as follows:

String username = request.getParameter("username");
String password = request.getParameter("password");
User user = userDAO.find(username, password);

if (user != null) {
    request.getSession().setAttribute("user", user); // Put user in session.
    response.sendRedirect("/secured/home.jsp"); // Go to some start page.
} else {
    request.setAttribute("error", "Unknown login, try again"); // Set error msg for ${error}
    request.getRequestDispatcher("/login.jsp").forward(request, response); // Go back to login page.
}

Then, create a LoginFilter which is mapped on a url-pattern of /secured/* (you can choose your own, e.g. /protected/*, /restricted/*, /users/*, etc., but it must at least cover all secured pages; you also need to put the JSPs in the appropriate folder in WebContent) and has the doFilter() implemented as follows:

HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
HttpSession session = request.getSession(false);
String loginURI = request.getContextPath() + "/login.jsp";

boolean loggedIn = session != null && session.getAttribute("user") != null;
boolean loginRequest = request.getRequestURI().equals(loginURI);

if (loggedIn || loginRequest) {
    chain.doFilter(request, response); // User is logged in, just continue request.
} else {
    response.sendRedirect(loginURI); // Not logged in, show login page.
}

That should be it. Hope this helps.

To get an idea of how a UserDAO would look, you may find this article useful. It also covers how to use PreparedStatement to save your webapp from SQL injection attacks.
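The following is an added example, not code from the answer above: it puts the LoginServlet fragment and a UserDAO.find() together as one compilable unit, with the question's query rewritten on a PreparedStatement so that the submitted username and password are bound as parameters instead of being concatenated into the SQL text. It assumes a minimal User class (the answer never shows its fields), a container-managed DataSource bound under the hypothetical JNDI name jdbc/webapp, and a Servlet 3.1+ container for request.changeSessionId(); the table and column names (reg, username, pass) are the ones from the question.

```java
import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.annotation.Resource;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.sql.DataSource;

// Assumed minimal User type; the answer never shows its fields.
class User {
    private final String username;
    User(String username) { this.username = username; }
    public String getUsername() { return username; }
}

class UserDAO {
    private final DataSource dataSource;

    UserDAO(DataSource dataSource) { this.dataSource = dataSource; }

    // The question's query with bind parameters instead of string concatenation.
    // The SQL text is fixed; the submitted values travel separately, so input such
    // as  ' or '1'='1  is compared as a literal username rather than parsed as SQL.
    User find(String username, String password) throws SQLException {
        String sql = "SELECT username FROM reg WHERE username = ? AND pass = ?";
        try (Connection connection = dataSource.getConnection();
             PreparedStatement statement = connection.prepareStatement(sql)) {
            statement.setString(1, username);
            statement.setString(2, password);
            try (ResultSet resultSet = statement.executeQuery()) {
                return resultSet.next() ? new User(resultSet.getString("username")) : null;
            }
        }
    }
}

@WebServlet("/login")
public class LoginServlet extends HttpServlet {
    // Assumed: the container exposes a pooled DataSource under this JNDI name.
    @Resource(name = "jdbc/webapp")
    private DataSource dataSource;

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String username = request.getParameter("username");
        String password = request.getParameter("password");

        User user;
        try {
            user = new UserDAO(dataSource).find(username, password);
        } catch (SQLException e) {
            throw new ServletException("Login query failed", e);
        }

        if (user != null) {
            HttpSession session = request.getSession(); // create the session if absent
            request.changeSessionId();                  // Servlet 3.1+: fresh id, same session data
            session.setAttribute("user", user);          // Put user in session, as in the answer.
            response.sendRedirect(request.getContextPath() + "/secured/home.jsp");
        } else {
            request.setAttribute("error", "Unknown login, try again"); // Shown via ${error}
            request.getRequestDispatcher("/login.jsp").forward(request, response);
        }
    }
}
```

Two details differ from the fragment in the answer by design. The redirect is prefixed with the context path, so it also works when the webapp is not deployed at the server root. And the session id is renewed before the user is stored in it, so a session id that already existed before authentication does not become a logged-in one (session fixation). The query compares the submitted password exactly as the question's table stores it; if passwords are stored hashed, fetch the row by username only and verify the hash in Java instead of in SQL.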
