Hello,

I am implementing a simple login example and having some difficulty redirecting to the success page if the username and password match with those in my database.
When I press submit I get a blank page. Would appreciate any thoughts.

My code:

LoginPage.jsp

<html> <head> <meta http-equiv="Content-Type" content="text/html; charset=windows-1256"> <title>Login Page</title> </head> <body> <form action="LoginServlet"> Please enter your username <input type="text" name="un"/><br> Please enter your password <input type="text" name="pw"/> <input type="submit" value="submit"> </form> </body> </html>

LoginServlet.java

package ExamplePackage; import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; import ExamplePackage.*; /** * Servlet implementation class LoginServlet */ public class LoginServlet extends HttpServlet { @Override public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, java.io.IOException { try { UserBean user = new UserBean(); user.setUserName(request.getParameter("un")); user.setPassword(request.getParameter("pw")); user = UserDao.login(user); if (user.isValid()) { HttpSession session = request.getSession(true); session.setAttribute("currentSessionUser",user); response.sendRedirect("userLogged.jsp"); //logged-in page } else response.sendRedirect("invalidLogin.jsp"); //error page } catch (Throwable theException) { System.out.println(theException); } } }

UserLogged.jsp

<%@ page language="java" contentType="text/html; charset=windows-1256" pageEncoding="windows-1256" import="ExamplePackage.UserBean.java" %> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=windows-1256"> <title> User Logged Successfully </title> </head> <body> <center> <% UserBean currentUser = (UserBean) (session.getAttribute("currentSessionUser"));%> Welcome <%= currentUser.getFirstName() + " " + currentUser.getLastName() %> </center> </body> </html>

web.xml

<?xml version="1.0" encoding="UTF-8"?> <web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"> <servlet> <servlet-name>LoginServlet</servlet-name> <servlet-class>ExamplePackage.LoginServlet</servlet-class> </servlet> <servlet-mapping> <servlet-name>LoginServlet</servlet-name> <url-pattern>/LoginServlet</url-pattern> </servlet-mapping> <session-config> <session-timeout> 30 </session-timeout> </session-config> <welcome-file-list> <welcome-file>LoginPage.jsp</welcome-file> </welcome-file-list> </web-app>

UserDao.java
package ExamplePackage; import java.text.*; import java.util.*; import java.sql.*; public class UserDao { static Connection currentCon = null; static ResultSet rs = null; public static UserBean login(UserBean bean) { //preparing some objects for connection Statement stmt = null; String username = bean.getUsername(); String password = bean.getPassword(); String searchQuery = "select * from users where username='" + username + "' AND password='" + password + "'"; // "System.out.println" prints in the console; Normally used to trace the process System.out.println("Your user name is " + username); System.out.println("Your password is " + password); System.out.println("Query: "+searchQuery); try { //connect to DB currentCon = ConnectionManager.getConnection(); stmt=currentCon.createStatement(); rs = stmt.executeQuery(searchQuery); boolean more = rs.next(); // if user does not exist set the isValid variable to false if (!more) { System.out.println("Sorry, you are not a registered user! Please sign up first"); bean.setValid(false); } //if user exists set the isValid variable to true else if (more) { String firstName = rs.getString("FirstName"); String lastName = rs.getString("LastName"); System.out.println("Welcome " + firstName); bean.setUserName(firstName); bean.setValid(true); } } catch (Exception ex) { System.out.println("Log In failed: An Exception has occurred! " + ex); } //some exception handling finally { if (rs != null) { try { rs.close(); } catch (Exception e) {} rs = null; } if (stmt != null) { try { stmt.close(); } catch (Exception e) {} stmt = null; } if (currentCon != null) { try { currentCon.close(); } catch (Exception e) { } currentCon = null; } } return bean; } }


UserBean.java and ConnectionManager.java are also in the ExamplePackage

Thanks in advance! James

What appears in the URL bar of the browser? What does a View Source show? Any errors in the logs?

Bear Bibeault wrote:What appears in the URL bar of the browser? What does a View Source show? Any errors in the logs?

I simply forgot to include an import

Thank you for the help.

In the page directive, remove the ".java".

Here are some comments on your code:

1. In UserLogged.jsp, in the page directive, you don't need the "language" attribute. The only possible value for this is "java", so it's redundant to include it. This was included to allow for languages other than Java to be used in JSP files, but so far only Java is supported.

2. You should avoid using scriptlets in JSP files. In UserLogged, you should use the useBean and getProperty standard actions instead:
<jsp:useBean id="currentSessionUser" scope="session" class="ExamplePackage.UserBean" /> <center> Welcome <jsp:getProperty name="currentSessionUser" property="firstName" /> <jsp:getProperty name="currentSessionUser" property="lastName" /> </center>
3. In UserDao.java, you should use PreparedStatement instead of Statement to execute the database query. This helps prevent SQL Injection attacks, which your code is vulnerable to. What do you think would happen if the user's password had a single quote in it?

Michael Angstadt wrote:you should use the useBean and getProperty standard actions instead:

Better yet, use the EL. The getProperty action is clunky and outdated for emitted dynamic values.

But absolutely: scriptlets have been discredited for over 8 years now. There is no excuse or reason for placing then into newly written JSP pages.

Thanks for the comments. This is my first attempt at a web application so it is all new to me but trying to learn as much as possible. I have a few further questions if you wouldn't mind.

I have my page layout sorted with header and footer jspfs for each and am able to log a user if I insert them into my database so I want to implement a create user function next.

1) From some research one of the ways to implement this would be to create a controller servlet which handles requests from the client. Would I have two methods in this servlet doGet(...) and doPost(...) which handle incoming requests according to the userPath (i.e. - request.getServletPath();) and then call methods based on what the request is and then redirect the user to the correct page? Is this an acceptable way to do it? Any other comments on this would also be welcome baring in mind I would like to avoid frameworks for the moment.

2) With the create user method itself what would be the best way of implementing it...(may be a question for another part of the forum)

public void insertNewUser(String firstname, String lastname, String username, String password) { try { stmt = conn.prepareStatement...insert into etc st.setString(1, firstname); etc

that would be in my UserDao...if someone could clarify the process from the client request to create a user it would help me out as im getting a little confused as to how the information is passed end to end mainly the Beans part.

Please bear with me I have been learning Java for less than a year and did no programming prior to that. Having said that this forum is one of the best resources I have come across.

Thanks again.

James Haville wrote:2) With the create user method itself what would be the best way of implementing it

You have a good start. For the SQL that you pass into prepareStatement(), use question marks to denote where a parameter should go. If a parameter is a string, you don't need to put single quotes around the question mark, JDBC handles this for you. For example:
PreparedStatement stmt = conn.prepareStatement("INSERT INTO table (firstname, lastname) VALUES (?, ?)"); stmt.setString(1, firstname); stmt.setString(2, lastname);

James Haville wrote:if someone could clarify the process from the client request to create a user it would help me out as im getting a little confused as to how the information is passed end to end mainly the Beans part.

You would just create a HTML form with the proper fields (first name, etc), then pull those parameters out in your servlet and pass them in your UserDao.

you response to error.jsp?