Login Servlet

Hello everyone. I'm very new to this and I'm having some problem with the following code. I have a registration page that's working wonderfully, but this seems to be a bit more complicated. I have a small oracle database where usernames and passwords are stored. I'm simply trying to login and match a user to a password, but I'm having issues. Can anyone help me out by looking at the following code.

package mypack; import java.io.*; import java.util.*; import java.sql.*; import javax.servlet.*; import javax.servlet.http.*; public class login_servlet_1 extends HttpServlet{ private ServletConfig config; public void init(ServletConfig config) throws ServletException{ this.config=config; } public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException,IOException{ PrintWriter out = response.getWriter(); Connection connection=null; ResultSet rs; String userName=new String(""); String passwrd=new String(""); response.setContentType("text/html"); try { // Load the database driver Class.forName("oracle.jdbc.driver.OracleDriver"); // Get a Connection to the database connection = DriverManager.getConnection("jdbc:oracle:thin:@xxx", "xxx", "xxx"); //Add the data into the database String sql = "select username,password from user_table_1"; Statement s = connection.createStatement(); s.executeQuery (sql); rs = s.getResultSet(); while (rs.next ()){ userName=rs.getString("username"); passwrd=rs.getString("password"); } }catch(Exception e){ System.out.println("Exception is ;"+e); } if(userName.equals(request.getParameter("user")) && passwrd.equals(request.getParameter("pass"))){ out.println("User is Valid"); } else{ out.println("You are not a Valid User"); } } } }

My JSP
<%@ page language="java" %> <h2><font color="#0000FF"><b>Validation </b></font> <br> <br> Please enter username and password</h2> <form name="frm" action="login_servlet_1" method="get" > <b> Name: </b>     <input type="text" name="user" value=""/><br> <b> Password:</b><input type="password" name="pass" value=""/>   <p>                     <input type="submit" value="Check" /> </p> </form>

So what's the problem?

P.S. Good move using code tags for your code, but it's still hard to read code without proper indentation.

I've been working on it for a few hours, but I'm not even sure if I'm heading in the right direction. I'm getting syntax errors on my connection strings and my query string. I'm trying to follow the same process I used to create a registration page I made, which the logic that I would get the parameters from the form fields and then pull the username from the DB based on that form field and match to the password. Doesn't seem to be working out, is this heading in the right direction?

As I said, your code is difficult to read. I'd recommend posting it again, without the double spacing and using proper indentation.

I modified my code to work with the JSP, and it just keeps kicking me out saying User Invalid when I know those users/pass are in the DB.

You told you are getting syntax errors, did you overcome that?

matt ara wrote:The logic that I would get the parameters from the form fields and then pull the username from the DB based on that form field and match to the password. Doesn't seem to be working out, is this heading in the right direction?

Yes, you are in the right direction. What have you done to debug this? Are the username/password been passed correctly to servlet, is the SQL query returning correctly.
You can just use SQL query like select * from user_table_1 where username=<username> and password=<password> and see whether it retuns atleast 1 row, if yes, then user authentication is successful, why retrieve all the rows in table and do a compare operation?

matt ara wrote:I modified my code to work with the JSP, and it just keeps kicking me out saying User Invalid when I know those users/pass are in the DB.

What changes you did in JSP? Did you put the business logic/java code inside JSP? If yes, definitely you are heading in wrong direction, revert them back and use servlet and post here any questions/doubts you have...

Sorry I don't understand what you're asking. Your query modified works on the database side, but I'm not sure how you would want me to integrate it into my code to see if I can get a row?

Why on earth are you reading through the entire user table to find a specific user?

This is the SQL query I'm using now....

String sql = "select username from user_table_1 where username = '" + user + "' and password = '" + pass + "'";

Its working for you or are you are facing any problems?

Still having issues, even with the modified SQL. The Servlet runs, but gives me "not a valid user." I'm not sure where my code is wrong, but I believe I am making a connection to my db because I've applied the similar code/logic here from my registration, and users/passes are going from my registration JSP to my database.

Have you inserted logging statements to find out what the variable values are around the failing portion?

Also, this has nothing to do with servlets so it's been moved to the JDBC forum.

And you should be using prepared statements. Your code is just asking for SQL injection attacks!

Have you checked the user and password returned from the jsp?

And change your form to POST for security reasons.

matt ara wrote:
<form name="frm" action="login_servlet_1" method="get" > <b>Name: </b> <input type="text" name="user" value=""/><br> <b> Password:</b><input type="password" name="pass" value=""/> <p> <input type="submit" value="Check" /> </p> </form>

Does your DD has the authentication configuration?

<web-app> <!-- previous dd stuff --> <login-config> <auth-method>FORM</auth-method> <form-login-config> <form-login-page>My JSP Login.jsp</form-login-page> </form-login-config> </login-config> </web-app>

Victor M. Pereira wrote:And change your form to POST for security reasons.

Can you please explain what security reasons you are referring about.. POST is noway more secure than GET.

Prasad Krishnegowda wrote:POST is noway more secure than GET.

It absolutely is. For example, URLs -which include GET parameters- are written to log files. You wouldn't want that to include your login info. Passwords should also only ever be sent via HTTPS, not HTTP.

They are. For example if Amazon did a Get with your password. Wouldn't your son or wife see it on explorer bar. And suddenly your son would appear with a new TV saying he won it in a BINGO.

And for the other part that's the reason of DD. In the DD by setting it you can start using SSL. And configure a lot of other important that have to do with authentication, authorization, confidentiality and data integrity. BTW, the other 3 methods for the <auth-method> tag are: BASIC, DIGEST and CLIENT-CERT.

If you want to learn more about this, I recommend the chapter of security in the Head First Servlets and JSP.

Tim, can you please explain, which log files you were referring too..
Victor, you can also claim that Keyboard is not secure, as somebody can be looking over your shoulder when you type the password.

If GET is not secure, POST is also not secure. No request is secure simply based upon the choice of method. Requests are secure by using SSL.

Prasad Krishnegowda wrote:Tim, can you please explain, which log files you were referring too..

The log files on the server. Apache, Tomcat and all other servers can be configured to log URL parameters if they don't do it out of the box already.

If GET is not secure, POST is also not secure.

Patently wrong - they are treated differently in ways that give rise to different security risks.

No request is secure simply based upon the choice of method.

Nobody said so. But in this context POST is more secure than GET.

Requests are secure by using SSL.

No. There's lots more to security than the choice of which HTTP method to use and the decision to use SSL.

Tim, Thanks for the clarifications..

I'll disagree with Tim on a minor point. POST is no more secure than GET. It just doesn't show params on the URL. That extra level of "security" is a blip and is really no security at all.

The choice of method should be dictated by what the request is doing, not any supposed security concerns.

Using SSL is good, but Tim is correct in that there are other things that need to be done. Protecting against SQL injection is one of them.

Bear Bibeault wrote:POST is no more secure than GET. It just doesn't show params on the URL. That extra level of "security" is a blip and is really no security at all.

Maybe we operate in different environments with different security requirements. The prospect of passwords being captured in log files is an absolute no-go in my world.

Thanks for the help, and I'm not too concerned at all about security, just that it works for now. I have been able to get the login page to work successfully, so thanks all for the help. Not sure if I should post the code, but in the end I found that my SQL query wasn't right and also, the parameters from the JSP forms weren't passing properly to the servlet. After I solved those two problems, things are working now.

Again, thanks for the help.

What you did matta ara in SQl statement and in JSP? can you paste what changes you made?