
Login Servlet

 
matt ara
Greenhorn
Hello everyone. I'm very new to this and I'm having some problems with the following code. I have a registration page that's working wonderfully, but this seems to be a bit more complicated. I have a small Oracle database where usernames and passwords are stored. I'm simply trying to log in and match a user to a password, but I'm having issues. Can anyone help me out by looking at the following code?



My JSP
 
Bear Bibeault
Author and ninkuma
Marshal
So what's the problem?

P.S. Good move using code tags for your code, but it's still hard to read code without proper indentation.
 
matt ara
Greenhorn
I've been working on it for a few hours, but I'm not even sure if I'm heading in the right direction. I'm getting syntax errors on my connection strings and my query string. I'm trying to follow the same process I used to create a registration page I made, the logic being that I would get the parameters from the form fields and then pull the username from the DB based on that form field and match it to the password. It doesn't seem to be working out; is this heading in the right direction?
 
Bear Bibeault
Author and ninkuma
Marshal
As I said, your code is difficult to read. I'd recommend posting it again, without the double spacing and using proper indentation.
 
matt ara
Greenhorn
I modified my code to work with the JSP, and it just keeps kicking me out saying User Invalid when I know those users/pass are in the DB.
 
Prasad Krishnegowda
Ranch Hand
You said you were getting syntax errors; did you overcome that?
matt ara wrote: The logic that I would get the parameters from the form fields and then pull the username from the DB based on that form field and match to the password. Doesn't seem to be working out, is this heading in the right direction?

Yes, you are heading in the right direction. What have you done to debug this? Are the username/password being passed correctly to the servlet? Is the SQL query returning correctly?
You can just use a SQL query like and see whether it returns at least 1 row; if yes, then user authentication is successful. Why retrieve all the rows in the table and do a compare operation?

matt ara wrote: I modified my code to work with the JSP, and it just keeps kicking me out saying User Invalid when I know those users/pass are in the DB.

What changes did you make in the JSP? Did you put the business logic/Java code inside the JSP? If yes, you are definitely heading in the wrong direction; revert them and use the servlet, and post here any questions/doubts you have...
 
matt ara
Greenhorn
Sorry I don't understand what you're asking. Your query modified works on the database side, but I'm not sure how you would want me to integrate it into my code to see if I can get a row?
 
Paul Clapham
Sheriff
Why on earth are you reading through the entire user table to find a specific user?
 
matt ara
Greenhorn
This is the SQL query I'm using now....

 
Prasad Krishnegowda
Ranch Hand
Is it working for you, or are you facing any problems?
 
matt ara
Greenhorn
Still having issues, even with the modified SQL. The Servlet runs, but gives me "not a valid user." I'm not sure where my code is wrong, but I believe I am making a connection to my db because I've applied the similar code/logic here from my registration, and users/passes are going from my registration JSP to my database.
 
Bear Bibeault
Author and ninkuma
Marshal
Have you inserted logging statements to find out what the variable values are around the failing portion?

Also, this has nothing to do with servlets so it's been moved to the JDBC forum.

And you should be using prepared statements. Your code is just asking for SQL injection attacks!
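
The single-user lookup and the prepared statement recommended in this thread, as an added example that is not code from the original posts. The `users` table, its `username`/`password` columns and the class name are assumptions, and a JDBC driver for the database is expected on the classpath.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class LoginCheck {
    // Assumed schema (not shown in the thread): users(username, password).
    // The ? markers are bind parameters; no user input is concatenated in.
    private static final String SQL =
        "SELECT 1 FROM users WHERE username = ? AND password = ?";

    /** Returns true when a row with this username/password pair exists. */
    static boolean isValidUser(Connection con, String user, String pass)
            throws SQLException {
        // request.getParameter() returns null when the form field name
        // does not match, so log that case instead of querying with null.
        if (user == null || pass == null || user.isEmpty()) {
            System.err.println("login: missing parameter, user=" + user);
            return false;
        }
        try (PreparedStatement ps = con.prepareStatement(SQL)) {
            ps.setString(1, user);   // sent as data, never parsed as SQL
            ps.setString(2, pass);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();    // at least one row means a match
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // args: JDBC URL, DB user, DB password, login name, login password
        if (args.length != 5) {
            System.err.println("usage: LoginCheck <jdbc-url> <db-user> "
                + "<db-pass> <login-name> <login-pass>");
            return;
        }
        try (Connection con =
                 DriverManager.getConnection(args[0], args[1], args[2])) {
            boolean ok = isValidUser(con, args[3], args[4]);
            System.out.println(ok ? "valid user" : "not a valid user");
        }
    }
}
```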
 
Victor M. Pereira
Ranch Hand
Have you checked the user and password returned from the jsp?

And change your form to POST for security reasons.

matt ara wrote:



Does your DD have the authentication configuration?

 
Prasad Krishnegowda
Ranch Hand
Victor M. Pereira wrote:And change your form to POST for security reasons.

Can you please explain what security reasons you are referring to? POST is in no way more secure than GET.
 
Tim Moores
Bartender
Prasad Krishnegowda wrote: POST is in no way more secure than GET.

It absolutely is. For example, URLs, which include GET parameters, are written to log files. You wouldn't want that to include your login info. Passwords should also only ever be sent via HTTPS, not HTTP.
 
Victor M. Pereira
Ranch Hand
They are. For example, if Amazon did a GET with your password, wouldn't your son or wife see it in the Explorer bar? And suddenly your son would appear with a new TV saying he won it in a BINGO.

And for the other part, that's the reason for the DD. By setting it in the DD you can start using SSL, and configure a lot of other important things that have to do with authentication, authorization, confidentiality and data integrity. BTW, the other 3 methods for the <auth-method> tag are: BASIC, DIGEST and CLIENT-CERT.

If you want to learn more about this, I recommend the chapter on security in Head First Servlets and JSP.

 
Prasad Krishnegowda
Ranch Hand
Tim, can you please explain which log files you were referring to?
Victor, you can also claim that the keyboard is not secure, as somebody can be looking over your shoulder when you type the password.

If GET is not secure, POST is also not secure. No request is secure simply based upon the choice of method. Requests are secure by using SSL.
 
Tim Moores
Bartender
Prasad Krishnegowda wrote: Tim, can you please explain which log files you were referring to?

The log files on the server. Apache, Tomcat and all other servers can be configured to log URL parameters if they don't do it out of the box already.

If GET is not secure, POST is also not secure.

Patently wrong - they are treated differently in ways that give rise to different security risks.

No request is secure simply based upon the choice of method.

Nobody said so. But in this context POST is more secure than GET.

Requests are secure by using SSL.

No. There's lots more to security than the choice of which HTTP method to use and the decision to use SSL.
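
What the server-log point above looks like in practice, as an added example that is not part of the thread: a scan of constructed Common Log Format lines for credential parameters in the URL query string. The parameter-name list, class name and sample lines are assumptions made for the illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class AccessLogCredentialScan {
    // Request part of a Common Log Format line: "METHOD /path?query HTTP/x.y"
    private static final Pattern REQUEST = Pattern.compile(
        "\"([A-Z]+) ([^ ?\"]+)(?:\\?([^ \"]*))? HTTP/[0-9.]+\"");
    // Parameter names treated as credentials (assumed list for this example).
    private static final Pattern SECRET_PARAM = Pattern.compile(
        "(?i)(^|&)(password|passwd|pwd|pass)=([^&]*)");

    /** Returns the lines whose query string carries a credential parameter. */
    static List<String> findExposed(List<String> lines) {
        List<String> hits = new ArrayList<>();
        for (String line : lines) {
            Matcher m = REQUEST.matcher(line);
            if (m.find() && m.group(3) != null
                    && SECRET_PARAM.matcher(m.group(3)).find()) {
                hits.add(line);
            }
        }
        return hits;
    }

    /** Masks credential values so a flagged line can be reported safely. */
    static String redact(String line) {
        Matcher m = REQUEST.matcher(line);
        if (!m.find() || m.group(3) == null) return line;
        String masked = SECRET_PARAM.matcher(m.group(3)).replaceAll("$1$2=***");
        return line.substring(0, m.start(3)) + masked + line.substring(m.end(3));
    }

    public static void main(String[] args) {
        // Constructed sample lines, not taken from any real server.
        // The POST body is not part of the logged request line.
        List<String> log = List.of(
            "192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] \"GET /login?username=alice&password=s3cret HTTP/1.1\" 200 512",
            "192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] \"POST /login HTTP/1.1\" 200 512",
            "192.0.2.11 - - [01/Jan/2024:10:00:09 +0000] \"GET /index.jsp?page=2 HTTP/1.1\" 200 2048");
        for (String hit : findExposed(log)) {
            System.out.println(redact(hit));  // only the GET /login line is flagged
        }
    }
}
```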
 
Prasad Krishnegowda
Ranch Hand
Tim, thanks for the clarifications.
 
Bear Bibeault
Author and ninkuma
Marshal
I'll disagree with Tim on a minor point. POST is no more secure than GET. It just doesn't show params on the URL. That extra level of "security" is a blip and is really no security at all.

The choice of method should be dictated by what the request is doing, not any supposed security concerns.

Using SSL is good, but Tim is correct in that there are other things that need to be done. Protecting against SQL injection is one of them.
 
Tim Moores
Bartender
Bear Bibeault wrote:POST is no more secure than GET. It just doesn't show params on the URL. That extra level of "security" is a blip and is really no security at all.

Maybe we operate in different environments with different security requirements. The prospect of passwords being captured in log files is an absolute no-go in my world.
 
matt ara
Greenhorn
Thanks for the help, and I'm not too concerned at all about security, just that it works for now. I have been able to get the login page to work successfully, so thanks all for the help. Not sure if I should post the code, but in the end I found that my SQL query wasn't right and also, the parameters from the JSP forms weren't passing properly to the servlet. After I solved those two problems, things are working now.

Again, thanks for the help.
 
Java Lingappa
Greenhorn
What did you do, matt ara, in the SQL statement and in the JSP? Can you paste what changes you made?
 