John Schretz

Ranch Hand
since Sep 10, 2008

Recent posts by John Schretz

Sarra Sakka wrote: Without a filter, how can I create a session when I log in and how can I invalidate it when I log out?
Thank you for your effort



If you are trying to prevent pages from being viewed when there is not a valid user, the filter is your best bet. May as well figure out what is wrong with it instead of scrapping it and moving on.
When you try and view the home page is there an error?

Maybe post all your revised code and xml so we can see the whole picture.
10 years ago

Sarra Sakka wrote:

John Schretz wrote:
So in places where you would forward or redirect you would use the url pattern you mapped for that servlet

i.e.

getRequestDispatcher("test/home").forward(req, res);


When I log in the home page didn't display



Did you create a home servlet and map the url to /test/home?
10 years ago
Looks like you are mixing JSP pages and servlets. All of your entry points should be a servlet; the JSP is your "view". So all the JSP pages should have an associated servlet, i.e. if you have a home.jsp file then you should have a Home Servlet,
and at minimum it will call the servlet and the servlet will serve the JSP page.

Example:



So in places where you would forward or redirect you would use the url pattern you mapped for that servlet

i.e.



So fixing that up and following that pattern will get you in better shape in general.
Then every servlet you create that you want behind that filter should have the url pattern <url-pattern>/test/**YOUR SERVLET HERE**</url-pattern>
because that is what you defined the filter for.

***The only servlet that does NOT have that pattern is the login servlet because it needs to be OUTSIDE of /test/*
So an example would be:



10 years ago
Based on your filter mapping, your URLs should look like

www.mysite.com/authentication.jsp (LOGIN)

www.mysite.com/test/home.jsp (home page)

Notice that the home page url mapping goes through test, as you had mapped that in your filter.




Can you post your entire web.xml?
10 years ago

Sarra Sakka wrote:

John Schretz wrote:
if you put a breakpoint in the filter when you refresh the page at that point does it hit the breakpoint?


No, when I refresh the page it doesn't hit the breakpoint. Does that mean there's a problem in the filter?



Sounds like the filter url mappings are incorrect. The request is not passing through the filter. Do you ever hit a breakpoint in the filter? Like when you login?
10 years ago

Sarra Sakka wrote:

John Schretz wrote:
after you click back and it displays the home page, what happens if you then refresh the page? Does it go to the login page then?


No, it doesn't go to the login page and remains on the same page, home.jsp



if you put a breakpoint in the filter when you refresh the page at that point does it hit the breakpoint?
10 years ago

Sarra Sakka wrote: The same problem.
When I click the back button it displays home.jsp



after you click back and it displays the home page, what happens if you then refresh the page? Does it go to the login page then?
10 years ago
Try this, set the filter up exactly like so and instead of doing a redirect we do a page forward.

10 years ago

Sarra Sakka wrote: Thank you for your reply,

John Schretz wrote: You only need the filter for checking the valid user.


Do you mean only like this:



Yes, all you need to do is ask the filter if the user is valid. If yes chain.doFilter, if no redirect to the login page. Very simple.
10 years ago

Sarra Sakka wrote:

John Schretz wrote: In addition there is some bad logic and coding practice in your authentication servlet. I can go more complex but here is your servlet refactored, please see comments:


I changed my authentication servlet as you said, also my Logout servlet, but the same problem always occurs?
Here's the filter:



Why is the logout servlet a filter? I posted what the logout servlet should look like; it's just a simple servlet, not a filter. You only need the filter for checking the valid user.
Here is the logout servlet again:

10 years ago
In addition there is some bad logic and coding practice in your authentication servlet. I can go more complex but here is your servlet refactored, please see comments:

10 years ago

Sarra Sakka wrote: The back button always displays the home page.
Here's the filter:

What's the problem according to you?
I'm stuck




You don't want to set the no-cache in the filter itself, you want to set it in the logout servlet. This way when you invalidate the session and expire the page, when you hit the back button it will send in another request which will pass through your filter and the filter will validate the user and user == null at this point. Then it redirects to the login page because the user is null. You should never see the home page if you are in this state after logout.

Your logout servlet should look like:

There is also no need to check if the user is null at this point as you are invalidating the entire session at this point



Also you should probably redirect to another servlet instead of directly to a jsp page and in the servlet you would just page forward to the jsp.
10 years ago

I'll try to explain the url mapping a bit better.

I have 2 servlet url patterns defined in addition to my filter url pattern. You want to make sure your entry point is OUTSIDE of your filter, this way if there is no valid user the pages behind the filter will not be displayed.



Servlet outside of filter (my login page)


Servlet inside my filter ( url pattern matches the filters url pattern)


You also may be seeing a stale page so when you logout you also want to clear the page cache, so technically when you hit back after logout it should direct you to the login page.

Example:



In place of my commandContext you would use HttpServletRequest request

so request.getResponse().setHeader(); etc.
10 years ago
I would need more information. With your current code what exactly is NOT working? You seem to have the format correct.

First thing I see is that your filter is filtering every request by defining the following url pattern:



you would need at least 2 url patterns defined:

http://www.mysite.com/administration/login // this url should not pass through the filter code, anybody should be able to view this page

http://www.mysite.com/administration/controlpanel/dashboard //this url is behind the filter (you would define a pattern as so)


This way anybody that tries to view pages behind /administration/controlpanel/* has to pass through your filter and in there you evaluate if the user is authenticated or not or if the user even exists.
10 years ago

Sarra Sakka wrote: If I use setAttribute in my login servlet, what should I put in my logout servlet?




Your entry point needs to be outside of your filter. (meaning not in the confines of the filter)

Here is a simple login filter I use to check if the user is logged in and in the session within the defined url pattern. (using the tomcat container)

This will give you the basic path and flow of how to implement it, however there are other frameworks and logic within that code that you would have to implement yourself for your specific application.

Filter descriptor



Servlet Filter


Credential check



My login entry is http://www.mysite.com/administration/login, when I log in on that page it submits to the CheckUserCredentialsCommand which is just a simple servlet. That servlet then tries to do a page redirect to one of the pages that is behind the filter. In the filter it checks the user, if the user is null it forwards back to the login page, if there is a valid user it goes through the filter chain which was your redirect from the CheckUserCredentialsCommand and now your url looks like http://www.mysite.com/administration/controlpanel/dashboard, dashboard page being behind the filter, if there was no user you would never be able to get to that page.

Your logout would then just be another servlet that invalidates the session and redirects the user back to the login page.
10 years ago
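
The flow described in the post above (login URL outside the filter, a filter that checks the session user, a logout servlet that invalidates the session), as an added example that is not the poster's original code. It assumes the `javax.servlet` API with Servlet 3.0+ annotations, a session attribute named `user`, and a logout URL of `/administration/logout`; none of these names come from the original posts.

```java
// ---- AuthFilter.java ---- (added example; "user" attribute and logout URL are assumptions)
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

// Only URLs under /administration/controlpanel/* pass through this filter;
// the login servlet at /administration/login stays outside it.
@WebFilter("/administration/controlpanel/*")
public class AuthFilter implements Filter {
    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        // getSession(false): never create a session just to test for one.
        HttpSession session = req.getSession(false);
        Object user = (session == null) ? null : session.getAttribute("user");
        if (user == null) {
            // No valid user: send the browser to the unfiltered login URL.
            res.sendRedirect(req.getContextPath() + "/administration/login");
            return; // stop here, the protected resource is never reached
        }
        chain.doFilter(req, res); // valid user: let the request through
    }
}

// ---- LogoutServlet.java ----
import java.io.IOException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

// Mapped outside the filter so it still works once the session has expired.
@WebServlet("/administration/logout")
public class LogoutServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse res)
            throws IOException {
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate(); // drops the "user" attribute with everything else
        }
        res.sendRedirect(req.getContextPath() + "/administration/login");
    }
}
```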