
Authentication, again [not solved yet]

 
Erik Pragt
Ranch Hand
Posts: 125
Dear all,
Currently I'm suffering from a small problem, called Authentication. I'm creating a web application which has an admin module. It works (or is supposed to) as follows:
I have a directory on my webserver, called /admin. This one is supposed to be protected so that authentication is required to access anything inside that directory. What I did was create a servlet mapping in web.xml, something like this:

The actionservlet checks if a user who accesses /admin is logged in. If he isn't, the user (/request?) is forwarded to a login page, on the root of the webserver, called /login.jsp. If the username/password entered there are correct, the user is forwarded to the original page he was requesting (e.g. /admin/main.jsp). If the password is incorrect, the user is redirected to an error page. This works, but the problem is, upon the forwarding to the /admin/main.jsp, the actionservlet is invoked again. This means the actionservlet checks again, but this time the user is logged in. So the actionservlet forwards the request to the main.jsp, and again the actionservlet is invoked, causing a ServletException (after 50 times or something).
Can someone please help me with this?
I've been trying to figure it out for quite a while now, but I have no idea what I'm doing wrong.
Thanks in advance!
Greetings, Erik
 
David O'Meara
Rancher
Posts: 13459
Firstly you should look at form-based authentication. It allows you to define exactly this security in the app server configuration rather than having to program it into every page.
Can we get a cut-down version of your code?
It should look something like this:

I'm pretty sure the include one won't get caught by the admin servlet again...
Dave
 
David O'Meara
Rancher
Posts: 13459
and I meant to add above that the security in this is a little dubious since people may be able to misuse it by putting in illegal jsp names.
if you don't have any checks between getting the requested file name and including the file, it could possibly be used to return pages you don't want to have handed out.
Dave
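One way to put the check David asks for between the requested name and the include, written as an added example rather than code from the thread. The requested value is assumed to come from `request.getServletPath()` (already URL-decoded by the container), and the allowed directory and extension are assumptions; everything that is not a plain `name.jsp` directly under /admin/ is refused, so `..`, encoded dots, `/WEB-INF/web.xml` and the like never reach the RequestDispatcher.

```java
import java.util.regex.Pattern;

/**
 * Added example: allow-list validation of a page name before it is handed
 * to RequestDispatcher.include()/forward(). The directory and the extension
 * are assumptions for illustration.
 */
public final class PageNameCheck {

    // A bare file name: letters, digits, '_' and '-', then exactly ".jsp".
    // No slashes and no other dots, so path traversal cannot be expressed at all.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9_-]+\\.jsp");

    private static final String ADMIN_DIR = "/admin/";

    private PageNameCheck() {}

    /**
     * Returns the context-relative path that may be included, or null if the
     * request must be refused. The caller must not build the path itself from
     * raw request data; it should only ever dispatch to what this returns.
     */
    public static String resolve(String requested) {
        if (requested == null || !requested.startsWith(ADMIN_DIR)) {
            return null;
        }
        String name = requested.substring(ADMIN_DIR.length());
        if (!SAFE_NAME.matcher(name).matches()) {
            return null;
        }
        return ADMIN_DIR + name;
    }

    // Constructed sample inputs, not taken from the thread.
    public static void main(String[] args) {
        String[] samples = {
            "/admin/main.jsp",                 // accepted
            "/admin/",                         // refused: no file name
            "/admin/../WEB-INF/web.xml",       // refused: traversal
            "/admin/..%2fWEB-INF/web.xml",     // refused: '%' and '/' not allowed
            "/admin/main.jsp;/../../etc",      // refused: ';' not allowed
            "/WEB-INF/web.xml",                // refused: wrong prefix
        };
        for (String s : samples) {
            String r = resolve(s);
            System.out.println(s + " -> " + (r == null ? "REFUSED" : r));
        }
    }
}
```

In Erik's controller the call would be `String page = PageNameCheck.resolve(request.getServletPath());` followed by a 404 (or a redirect to a safe default) when it returns null. An allow-list like this is preferable to stripping `..` out of the string: a RequestDispatcher can reach anything inside the web application, including /WEB-INF/, so the only safe approach is to never pass it a path the application did not construct itself.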
 
Erik Pragt
Ranch Hand
Posts: 125
Hello David,
thanks for your reply. It was my intention to upload all of my relevant code to Javaranch, but unfortunately that isn't possible (btw, it's not a lot at the moment).
I think the most relevant part is this part:

as you can see, I'm already including the page, instead of forwarding or sendRedirecting it (although my guess is that forward SHOULD also work, because it's the same request.) btw, the forward method looks like this:

Although I'm using .include, (or forward, for that matter), it's still giving the problem above. Do you have any suggestions why?
Erik
 
Erik Pragt
Ranch Hand
Posts: 125
I created a small demo program:

This code only includes a page.
The web.xml (to invoke this code on every /admin request) is as follows:

The output is as follows:
entered Controller
page requested : /admin/
entered Controller
page requested : /admin/
entered Controller
page requested : /admin/
entered Controller
<code snip, etc, etc>
entered Controller
page requested : /admin/
entered Controller
page requested : /admin/
entered Controller
page requested : /admin/
bad programming : javax.servlet.ServletException

So, if a page is requested in /admin, the Controller is invoked, and includes a request to the jsp page. But since the jsp is in /admin, the servlet is invoked again. And again, and again, until finally the servlet exception occurs.
I hope this gives a little more information.
Thanks, Erik
 
David O'Meara
Rancher
Posts: 13459
What server are you using? If it is J2EE compliant it should support form-based authentication, in which case all of this trouble just... goes away!
In the code you have so far, does it do the infinite loop if you request a specific JSP rather than /admin/ ?
eg login, then request /admin/test.jsp
 
yi zhu
Ranch Hand
Posts: 41
Hi,
Why do you use a servlet to do this stuff?
I think a Filter is the more appropriate choice. And all your problems will go away.
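The Filter yi zhu suggests, written out as an added example (not code from the thread). The loop Erik sees happens because the RequestDispatcher for /admin/main.jsp is matched by the same /admin/* mapping, so the include is dispatched back to the controller instead of to the JSP. A Filter avoids that in two ways: when the user is logged in it simply lets the request continue down the chain to the JSP, and when the user is not logged in it redirects (a new browser request) rather than forwarding or including. The session attribute names and the login page path are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example: login check for /admin/* as a Filter. Attribute names and
 * the login page are assumptions.
 *
 * web.xml mapping (Servlet 2.4 or later):
 *
 *   <filter>
 *     <filter-name>adminLogin</filter-name>
 *     <filter-class>AdminLoginFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>adminLogin</filter-name>
 *     <url-pattern>/admin/*</url-pattern>
 *     <dispatcher>REQUEST</dispatcher>   <!-- not run on INCLUDE or FORWARD -->
 *   </filter-mapping>
 */
public class AdminLoginFilter implements Filter {

    // Set by the login code after a successful password check (assumed name).
    static final String USER_ATTR = "adminUser";
    // Where the user wanted to go before being sent to the login page (assumed name).
    static final String TARGET_ATTR = "loginTarget";

    public void init(FilterConfig config) throws ServletException {
        // nothing to configure
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false) does not create a session for anonymous visitors
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(USER_ATTR) != null;

        if (loggedIn) {
            // Hand the request on; the container serves /admin/main.jsp itself,
            // so there is no include and therefore no recursion.
            chain.doFilter(request, response);
            return;
        }

        // Remember the target (a path inside this application, so no open
        // redirect can be injected here), then send the browser to the login page.
        String target = request.getRequestURI();
        if (request.getQueryString() != null) {
            target += "?" + request.getQueryString();
        }
        request.getSession(true).setAttribute(TARGET_ATTR, target);

        // Redirect, not forward: the next request for /admin/... is a fresh
        // REQUEST dispatch and only reaches the JSP once the user is logged in.
        response.sendRedirect(request.getContextPath() + "/login.jsp");
    }

    public void destroy() {
        // nothing to release
    }
}
```

The login code that checks the password then does the rest: invalidate the pre-login session and create a new one before setting `adminUser` (so an attacker who planted a session id before login cannot ride it), and only redirect to the stored `loginTarget` after confirming it starts with `request.getContextPath() + "/admin/"`, falling back to /admin/main.jsp otherwise. The `<dispatcher>REQUEST</dispatcher>` element is the second half of the loop protection: even if a page under /admin/ later includes another /admin/ page, the filter is not re-run for that include.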
 