
Login problem: does not seem to work for the first login request

 
waqas imtiaz
Ranch Hand
Posts: 55
Hi, I have a problem that is as follows:

After confirming the login details I added a new cookie containing the login information and then dispatched this request to a controller servlet, where this cookie is checked; if it is present, the user is forwarded to a particular page.
Otherwise the user is redirected to the sign-in page.

Now the problem is that when we add cookies they are added to the "response" object, and when we get cookies we get them from the "request" object. So on the first redirection to the controller servlet the "response" object would not have this cookie, as it is not available in the "request" object. But it will be available for later requests.

My question is: what is the way to get this cookie in the first request? Or is there any way to send a refresh-like response to the browser so that this cookie is added?
Please help me out of this.
Thanks
 
Tim Holloway
Bartender
Posts: 18531
Well, it sounds like you're developing your own login security system, and that means I have to issue my usual disclaimer that user-designed security systems are 99.9997% not secure. I always recommend basing security on the J2EE standard framework, since it was designed by security experts and has years of proven use (plus professional documentation). User systems are often just afterthoughts and can generally be broken in less than 15 minutes by non-technical people, no matter how "clever" the designer was.

Cookies are not generated by the client. They are generated at the server, sent to the client, then sent back to the server as part of a subsequent client request. They are, in fact, basically just "Post-it Notes" to allow the server to remember stuff about the client without actually storing data on the server or relying on unreliable context such as the client's IP address. So what you are hoping for is impossible.

Plus, anything security-related that the client received can be hacked on the client. The J2EE standard framework recognizes this, so one of the things it does is not store actual security data in cookies, only a hash string that identifies the client. Using various mechanisms it makes it virtually impossible for any other client to fake this string value and the string itself has no external meaning, so there's nothing an intruder can deduce from the value itself.
 
waqas imtiaz
Ranch Hand
Posts: 55
Look, I am just a student and I have this project where I need to make an online chess game. I want logged-in users to join the game room automatically, and non-logged-in users should be restricted from entering this room. Please help me: how do I do this?
 
Tim Holloway
Bartender
Posts: 18531
Use the container security framework to secure the URL that runs the game. That way only logged-in users can access it and accessing it will unconditionally force the user to log in, since the server will not allow the request to proceed until that happens.

Maintain the game(s) in an application-scope object (so that multiple users can share it - session scope is single-user access).

The HttpServletRequest object coming into the servlet has a "getRemoteUser" method that identifies the user's login ID. This can be used to track who's doing what and as a key into a database for persistent data such as high score history.
 
waqas imtiaz
Ranch Hand
Posts: 55
How do I use the container security framework to secure the URL?
 
Tim Holloway
Bartender
Posts: 18531
waqas imtiaz wrote: How do I use the container security framework to secure the URL?

1. Find a good book on J2EE. If it's a good book, it will have the necessary configuration information that you need to add to web.xml.

2. Read the instructions for the webserver on how to configure a security provider, commonly known as a Realm. In many systems, the Realms are plug-replaceable modules so that you can select a module that conforms to where you wish to store your list of userids, passwords and assigned security roles. That can be anything from a simple file (for example tomcat-users.xml) to a JDBC database, to LDAP/Active Directory on up.
 