JSF login issue: automatic login as a user without filling in username/password when refreshing the login page

Greenhorn
Posts: 1
Hello all,

I'm writing a project with a login page. The code:

Login form:


LoginBean.java


LogoutBean.java


faces-config.xml


web.xml



The problem is that a user can log in without filling in the username/password; he only has to refresh the page.
I think it happens when many students log in and out (about 50 or more). If I restart the server, it doesn't happen any more, but after a period of time the issue happens again.

I hope someone can help me with this issue?

Regards.
Sheriff
Hello Uy, and welcome to Java Ranch! Hi there!

It looks to me like you're trying to invent your own custom framework for logins. It would be better to follow the JavaEE Tutorial for form-based logins. That's going to be more secure, and it's also probably easier to integrate your authentication logic into it than it is to create your own process.

For your login, it looks like you consider a login successful if learner is not null. However, the learner is set by LoginUtil, and I don't see the code for that. I don't really understand how a refresh would make any difference, but you can use a debugger to see if the login method is being called again, and for some reason returns a non-null learner value the second time. It does seem to me that if a user simply bookmarked the welcome page and went directly there, he/she would bypass the login process entirely. That's a total failure of security, so I strongly suggest going through the tutorial linked above, and doing logins the way it recommends.

Good luck!
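As an added illustration of the container-managed, form-based login recommended above (this is not code from the original post, and not the poster's web.xml): a web.xml fragment in the shape the Java EE tutorial describes. The URL pattern /app/*, the role name learner, the realm name and the page names are assumptions chosen for the example; the element names are the standard Servlet deployment-descriptor ones.

```xml
<!-- Added example of container-managed FORM authentication (Servlet spec).
     Assumed: protected pages live under /app/, authenticated students carry
     the role "learner", login pages are /login.xhtml and /login-error.xhtml. -->

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected pages</web-resource-name>
    <!-- Everything under /app/ requires a login. A bookmarked
         /app/welcome.xhtml is redirected to the login page instead of
         being served, so the bypass described above is not possible. -->
    <url-pattern>/app/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- Only users the container has placed in this role get through. -->
    <role-name>learner</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- Credentials and session cookies travel over HTTPS only. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <!-- The container, not a managed bean, checks the posted credentials. -->
  <auth-method>FORM</auth-method>
  <realm-name>learners</realm-name>
  <form-login-config>
    <form-login-page>/login.xhtml</form-login-page>
    <form-error-page>/login-error.xhtml</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>learner</role-name>
</security-role>
```

With this in place the login page must post to j_security_check with fields named j_username and j_password, exactly as the tutorial shows. Under JSF that means either a plain HTML form (method="post" action="j_security_check") or an h:form with prependId="false", because a default h:form prefixes every input name with the form's id and the container would then not find the credentials. Refreshing the login page cannot authenticate anybody, since no credentials are posted; after a successful login the identity is available through request.getRemoteUser() or the Faces external context's getUserPrincipal(), and logout is HttpServletRequest.logout() (Servlet 3.0 and later) followed by invalidating the session. Which users belong to the learner role is configured in the server's realm, so password handling never passes through application code.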
Saloon Keeper
Greg Charles wrote: It does seem to me that if a user simply bookmarked the welcome page and went directly there, he/she would bypass the login process entirely.
Good luck!

My estimate over the years is that probably 95% of all the "do it yourself" login/security systems written for Java can be cracked in under 2 hours, often by non-technical people, and that this particular weakness is the #1 cause why.

The worst thing in the world that a company can do is tell their application programmer "Write this system. And while you're at it, make it secure". Well, except for when they add "By Thursday" to the requirements.

The SECOND worst thing in the world that a company can do security-wise is have some "genius" dream up a security system and make that the Corporate Standard.

Unless you are a full-time trained security professional, you have no business writing your own security code, especially when security systems already exist that were designed, written, tested and fully documented by full-time security professionals.

Security is not some sort of "All You Have To Do" thing. It's a delicate chain and only a single link needs to break in order to let the barbarian hordes in to plunder. Don't bother to back up databases. Hire cheap labor that doesn't know how to make code crash-resistant. Skimp on infrastructure and documentation.

But if you don't do security right, your critical corporate assets will be spirited away faster than you can say "Ashley Madison".