simple logic to authenticate users

 
Ayub ali khan
Ranch Hand
Posts: 394
Hi,

The method below is used to authenticate a general user and an admin user, otherwise show the error page.

There is some issue with the login process. This method is not working. If I remove this condition:

    if (username.equals("admin") && password.equals("admin"))
        result = "admin";

the code works fine and displays the general user page. However, when I include the above code as below to authenticate the admin user, it does not work for any user (general or admin). Please point out my mistake.

    package jsflogin;

    import java.sql.Connection;
    import java.sql.ResultSet;
    import java.sql.SQLException;
    import java.sql.Statement;
    import javax.faces.application.FacesMessage;
    import javax.faces.context.FacesContext;

    public class LoginBean {
        private String username;   // bound to the login form fields
        private String password;

        public String login() throws SQLException {
            Connection con;
            MyDAO dao = new MyDAO();
            Statement st;
            ResultSet rs;
            String result = "success";
            try {
                con = dao.getConnection();
                st = con.createStatement();
                rs = st.executeQuery("select username,password from ACC_TB");

                // hardcoded admin user name and password.
                if (username.equals("admin") && password.equals("admin"))
                    result = "admin";

                // compare the submitted credentials against every row
                while (rs.next()) {
                    String un = rs.getString("USERNAME");
                    String pwd = rs.getString("PASSWORD");

                    if (username.equals(un) && password.equals(pwd))
                        result = "success";
                } // end while

                if ((result != ("success")) || (result != ("admin"))) {
                    FacesContext context = FacesContext.getCurrentInstance();
                    FacesMessage message = new FacesMessage("Invalid Username and/or Password");
                    context.addMessage("loginForm", message);
                    result = "failure";
                }
            } catch (SQLException e) {
                e.printStackTrace();
            }
            return result;
        }

        public String getUsername() { return username; }
        public void setUsername(String username) { this.username = username; }
        public String getPassword() { return password; }
        public void setPassword(String password) { this.password = password; }
    }

faces-config.xml:
    <faces-config>
        <navigation-rule>
            <from-view-id>/pages/login.jsp</from-view-id>

            <navigation-case>
                <from-outcome>admin</from-outcome>
                <to-view-id>/pages/greeting.jsp</to-view-id>
            </navigation-case>

            <navigation-case>
                <from-outcome>failure</from-outcome>
                <to-view-id>/pages/login.jsp</to-view-id>
            </navigation-case>

            <navigation-case>
                <from-outcome>success</from-outcome>
                <to-view-id>/pages/user.jsp</to-view-id>
            </navigation-case>
        </navigation-rule>

        <managed-bean>
            <managed-bean-name>LoginBean</managed-bean-name>
            <managed-bean-class>jsflogin.LoginBean</managed-bean-class>
            <managed-bean-scope>session</managed-bean-scope>
        </managed-bean>
    </faces-config>

Thanks

Ayub
 
Bauke Scholtz
Ranch Hand
Posts: 2458
Does the code compile? You're missing a semicolon.

Well, pay attention to this piece of code ;) If the first is true, the 2nd will never be evaluated.

 
Ayub ali khan
Ranch Hand
Posts: 394
Hi Bauke,

Sorry, I missed the semicolon here, but the actual code compiles. What I am trying to implement is: if admin has logged in, direct to the admin page; if a general user has logged in, direct to the general user page; if there is an error, show the error page.

Can you advise further?

Best Regards Ayub
 
Jignesh Patel
Ranch Hand
Posts: 626
I mention some small changes to write your code more efficiently.
Moreover, I don't understand how you are validating the user against the user name and password. Are they hardcoded?
[ October 16, 2006: Message edited by: Jignesh Patel ]
 
Tim Holloway
Saloon Keeper
Posts: 18281
Personally I prefer container-managed security. You hardly have to debug any security code at all, since it's primarily declarative.

There's nothing in JSF that would affect SQL queries, so the question is probably better suited for the JDBC forum. I'm too lazy to plot out the logic paths, but I will make one suggestion:

"SELECT COUNT(*) FROM USER_PASSWORD WHERE USER_ID = ? AND PASSWORD = ?"

Actually that's several suggestions:

1. I coded this as a prepared statement, which helps protect from SQL injection attacks. There's nothing more embarrassing than having someone take over your server by exploiting the security code. I refuse to admit I know why that's true.

2. By selecting for the count (which should return only 0 or 1), you keep sensitive information from being passed back to the app, where it might be exploited. Since the app already has the original parameter values this might seem useless, but a more common fault is: "Select password from user_password where user = ?" followed by "if (password.equals(resultset.getString(1)))", which potentially gets back things that weren't already known.

3. I consider the admin account to be just another entry in my security database. Admin just fulfills more security roles. Hard-coding separate security validation for the admin user is added complexity, which encourages security holes and other failures. Hard-coding the admin password is even worse, since if someone gets the password, the only way to resecure the app is to modify its source code and rebuild/redeploy the app.
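The approach Tim describes, as an added example written for this thread (not code from any of the posters): the credentials are bound as prepared-statement parameters, admin is an ordinary row distinguished by a role, and there is a single failure path. It assumes a ROLE column on ACC_TB holding "admin" or "user", and the MyDAO.getConnection() helper from the original post.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.faces.application.FacesMessage;
import javax.faces.context.FacesContext;

public class LoginBean {
    private String username;
    private String password;
    private final MyDAO dao = new MyDAO();   // DAO from the original post

    // Returns the JSF navigation outcome: "admin", "success" or "failure".
    public String login() {
        // User input is bound as parameters, never concatenated into the SQL,
        // so a crafted username cannot change the query. Only the ROLE column
        // (assumed to exist on ACC_TB) comes back; the stored credential
        // (ideally a hash, never the raw password) stays in the database.
        final String sql =
            "SELECT ROLE FROM ACC_TB WHERE USERNAME = ? AND PASSWORD = ?";
        try (Connection con = dao.getConnection();
             PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, username);
            ps.setString(2, password);
            try (ResultSet rs = ps.executeQuery()) {
                if (rs.next()) {
                    // Admin is just another row with a different role: no
                    // hard-coded admin credentials, no separate branch.
                    return "admin".equals(rs.getString("ROLE")) ? "admin" : "success";
                }
            }
        } catch (SQLException e) {
            e.printStackTrace();
        }
        // No matching row (or a DB error): one failure path, and no string
        // reference comparisons such as result != "success".
        FacesContext.getCurrentInstance().addMessage("loginForm",
            new FacesMessage("Invalid Username and/or Password"));
        return "failure";
    }

    // Bean properties bound from login.jsp.
    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
}
```

With this shape the existing navigation rules need no change: the outcomes "admin", "success" and "failure" are the only strings the method can return.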
 
Ayub ali khan
Ranch Hand
Posts: 394
Hi Tim & Jignesh,

Thanks for your valuable suggestions. I will review my code as per your suggestions.

I will come back for further enhancements on this.

Thanks & Best regards

Ayub
 