
Login process

 
aitex abex
Greenhorn
Posts: 20
I'm currently working on a module in which we have to restrict the user to changing the password when the password has expired.

I have done all the things... Suppose the password has expired and the user types his user name and password; the first page that opens is the one where the user must change the password. There is no provision to go to another page without changing the password. The user can only log out from here.

But the problem is that the user can leave this page (where the user must change the password) by typing a URL into the address bar, without changing the password.

What is the solution?
Please reply soon if possible.
Bye.
 
Justin Yao
Greenhorn
Posts: 19
Hello,
I don't know whether your page is JSP or not.
If it is JSP, you can write a FLAG in the session, for example:
request.getSession().setAttribute("expired","true");
As soon as the user has changed his (or her) expired password,
you can change the FLAG.
You should check the flag in every page: if the password is not expired,
go to the page the user requested, or else go to the page where the user has to change his (or her) password.

Regards
 
Ilja Preuss
author
Sheriff
Posts: 14112
Can the user also access those pages by typing the URL into the browser without being logged in?
 
Justin Yao
Greenhorn
Posts: 19
Hi,
I don't think a user can access the page by typing a URL into the browser without being logged in.
Every function of the system should check whether a user has logged in. We can set the user information into the session, then check whether the information is there!

Regards
 
Jeroen T Wenting
Ranch Hand
Posts: 1847
If you want to make sure the user can't type in the URL to get to a protected page, put them all inside the WEB-INF directory somewhere and use a controller servlet to forward requests to them.
That way the client never gets a URL to the pages, in fact there is no such URL.
And the controller can reject any request that doesn't have the right credentials.
 
Ulf Dittmer
Rancher
Posts: 42968
Jeroen is right on the money. Users should not access JSPs directly. Read this article by JavaRanch's Bear Bibeault on how to design a web app that avoids this.
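
Added example, not part of the original thread or any poster's code: a minimal front controller that combines the session flag from Justin Yao's reply with the WEB-INF forwarding Jeroen T Wenting describes, so the expired-password check runs in one place for every page. The `/app/*` servlet mapping, the JSP paths, the `"user"` session attribute and the `/login` URL are assumptions.

```java
import java.io.IOException;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical front controller, assumed to be mapped to /app/* in web.xml.
public class FrontController extends HttpServlet {

    // Fixed allow-list: request path -> JSP under WEB-INF (paths are assumptions).
    // Client input only selects a key, it is never used to build a file path.
    private static final Map<String, String> VIEWS = Map.of(
        "/home", "/WEB-INF/jsp/home.jsp",
        "/account", "/WEB-INF/jsp/account.jsp",
        "/changePassword", "/WEB-INF/jsp/changePassword.jsp");

    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String path = req.getPathInfo();               // e.g. "/account"
        String view = (path == null) ? null : VIEWS.get(path);
        if (view == null) {                            // unknown page: nothing to forward to
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // getSession(false): never create a session for an anonymous request.
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute("user") == null) {
            resp.sendRedirect(req.getContextPath() + "/login");
            return;
        }
        // Flag set at login as in the reply above: setAttribute("expired", "true").
        // The code that stores the new password is expected to change the flag.
        boolean expired = "true".equals(session.getAttribute("expired"));
        if (expired && !"/changePassword".equals(path)) {
            // Any typed URL ends up here while the password is still expired.
            resp.sendRedirect(req.getContextPath() + req.getServletPath()
                    + "/changePassword");
            return;
        }
        // JSPs under WEB-INF have no public URL; only a server-side forward reaches them.
        req.getRequestDispatcher(view).forward(req, resp);
    }
}
```

Login and logout are assumed to be handled outside this servlet, so logging out stays possible while the flag is set.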
 