Complete Login screen using jsp/servlets/core java (9 messages)
- Posted by: Jothi Shankar
- Posted on: July 26 2006 07:00 EDT
Hi Everyone, I have created a complete login screen using JSP and a core Java class. I'm attaching the same for everyone... it works perfectly fine for me. The following are the platforms on which I worked: NetBeans IDE 5.0, Oracle 9i (as database), servlets 2.4, JSP 2.0, JDK 1.5.0_07 (update 7).

The flow is as follows. The user clicks on the Submit button (in the index.jsp page) with his username and password as in the Oracle database table called LOGIN, and the control is passed over to validateuser.jsp, which in turn calls a bean which holds the database connection and checks for the user against the LOGIN table. If the username and password are correct he is directed to welcome.jsp, if not to retry.jsp.

Below is the code for index.jsp
-----------------------------------------
username - password -

Below is the validateuser.jsp
---------------------------------------

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">

Below is the Java class that I call the bean class (Login.java)
-----------------------------------------------------------------
Here please note that I have placed this Login.java file into a package called com.mycompany.login, as shown below:

    package com.mycompany.login;

    import java.sql.*;
    import java.io.*;

    public class Login {

        // default constructor
        public Login() {}

        // method for the database connection
        public Connection getConnection() throws IOException {
            Connection conn = null;
            try {
                Class.forName("oracle.jdbc.driver.OracleDriver");
                conn = DriverManager.getConnection(
                        "jdbc:oracle:thin:@localhost:1521:ORCL", "scott", "tiger");
            } catch (SQLException e) {
                System.out.println("SQLException: " + e.getMessage());
                while ((e = e.getNextException()) != null)
                    System.out.println(e.getMessage());
            } catch (ClassNotFoundException e) {
                System.out.println("ClassNotFoundException: " + e.getMessage());
            }
            return conn;
        }

        // method that is called from validateuser.jsp; it checks for the authentic user
        public boolean authenticate(String user, String pass) throws SQLException, IOException {
            String Username = null, Password = null;
            Login dbconn = new Login();
            Connection conn = dbconn.getConnection();
            if (conn == null) {
                throw new SQLException("No database connection");
            }
            // user and pass are bound as parameters, never concatenated into the SQL text
            String sql = "SELECT USER_NAME, PASS_WORD FROM LOGIN WHERE USER_NAME = ? AND PASS_WORD = ?";
            PreparedStatement stmt = conn.prepareStatement(sql);
            try {
                stmt.setString(1, user);
                stmt.setString(2, pass);
                ResultSet rs = stmt.executeQuery();
                if (rs.next()) {
                    Username = rs.getString("USER_NAME");
                    Password = rs.getString("PASS_WORD");
                }
            } finally {
                // release the statement and the connection on every path
                stmt.close();
                conn.close();
            }
            return Username != null && Password != null
                    && user.equals(Username) && pass.equals(Password);
        }
    }

The code for welcome.jsp and retry.jsp is as per your wish... you can create them on your own. The above login worked perfectly fine for me. Any suggestions and improvements on the above code are always welcome at jothishankarkumar@yahoo.com

Threaded Messages (9)
What about JAAS?
- Posted by: Rene Zanner
- Posted on: July 28 2006 05:03 EDT
- in response to Jothi Shankar
Hi, I believe that this approach works fine for you, but it's clearly not a pattern to be used by a lot of people. There's not one line of code that I would consider to be reusable. The hard-coded database connection access code only to mention as the worst. There are far better solutions - and even a standard backed one.

Supposing you are running in a J2EE application server (including Tomcat), there is a much cleaner and less intrusive (because declarative) approach: JAAS. You simply protect your resources declaratively in web.xml using security constraints. Every request to such a resource would implicitly be checked for an authenticated user having the correct security role to access that resource. If there is no authenticated user, the container automatically redirects you to the defined login page (when using form-based login as defined in the web.xml). After successfully logging in, the user is redirected to the original request URI by the container. Transparent security...

There are - as it is with every standard - some constraints. One example is the login form. Your index.jsp would look like the following (notice the action of the form and the names of the input fields):
username - password -

Another constraint is the "login error page". It may be only one which is configured in the web.xml. With using servlet filters you may pass some information about the authentication failure to the JSP, but usually the only thing you want to display is a "Login failed" message. One important point with security is to not let the potential attacker know whether the error was in providing a wrong password only or in providing an unknown user name as well.

About the security information: depending on your application server there are several so-called LoginModules helping to authenticate against different user registries (LDAP, file - even a custom database table). Most of them are easily configurable so you don't have to care about HOW to connect to the registry. You don't even have to code one line of Java if you like to change the source for your security information (suppose you want to switch from your custom database to an LDAP directory). Everything is configured via standard means. By the way - if there's no LoginModule fitting your needs, you can simply write your own - but that is very seldom needed. My advice: use JBoss/Tomcat. It has several LoginModules for different user registries.

I did not want to offend you, just to give hints on how to do authentication in a standard and reusable way. I was in a similar situation 2 years ago when I decided to go the JAAS way. This way you have less code which you have to carry around with yourself for different projects. You just have to concentrate on artifacts you have to provide and configure for a special JAAS implementation.

One additional benefit with JAAS is that you get authorization as well. Checking user roles and enabling/disabling functionalities in your application depending on the associated roles is also covered by the spec (e.g. request.isUserInRole("rolename") to provide a programmatic example).

Cheers, René
Hi Rene
- Posted by: Jothi Shankar
- Posted on: July 29 2006 06:34 EDT
- in response to Rene Zanner
I don't know JAAS but I'm just a beginner with JSP and servlets... I know that the code that I wrote looks more amateur. I'm eagerly looking to code servlets and JSP in a way wherein I can reuse them across. My database class can be reused if in the future I decide to use a Swing desktop application, but if I use JAAS I will be limited to web tiers... Is that correct?? Also please tell me where I can find more info and lessons on code reusable techniques...
Re: Hi Rene
- Posted by: Rene Zanner
- Posted on: August 02 2006 03:43 EDT
- in response to Jothi Shankar
Hi Jothi, JAAS is not limited to the web tier - it just seamlessly integrates into it. On Devx.com there is a - very short (it's called "10 minute solution") - introduction to JAAS in general - without referencing web application code at all: http://www.devx.com/getHelpOn/Article/9915/0

About clean and reusable OO programming: get the book "Design Patterns - Elements of Reusable Object-Oriented Software" by "The Gang of Four" (Erich Gamma, Richard Helm, Ralph Johnson and John Vlissides). It provides patterns on a high level reusable in most OO designs. So it does not focus on Java but most of the code samples are written in Java.

Cheers, René
Re: DOUBT
- Posted by: anu r
- Posted on: October 09 2006 02:00 EDT
- in response to Rene Zanner
Hi.. Too simple and good code I tried out, but getting redirected to retry.jsp. When I checked in validateuser.jsp with additional scriptlets <%= request.getParameter("userName") %> I am getting null.. it indicates that entered values are lost before they are authenticated. Any help would be really appreciated. Thanks in advance, Anu
Login Screen
- Posted by: Jothi Shankar
- Posted on: October 09 2006 04:03 EDT
- in response to anu r
It can't happen. I tried the code even today and it's working perfectly fine for me. I think you might not be using get or post in your call. As you told me that you are getting null for userName and passWord that you submit from the first page, I would recommend you to check it beforehand and then try it. Your code seems to work without any exceptions as you get redirected to the retry page. So debug thoroughly and work on it. Regards, Jothi Shankar Kumar. S
Login Screen problem
- Posted by: Vishal Hegde
- Posted on: April 27 2011 08:28 EDT
- in response to Jothi Shankar
Hi Jothi,
I created the exact code that you made. Also I made another if loop: in case the login details are incorrect it must say invalid login.. but when I input correct login details it says invalid login
I am New to Servlets Prog !
- Posted by: Sudheer Reddy
- Posted on: March 03 2007 18:13 EST
- in response to Jothi Shankar
Hi Jothi, I am new to Java Prog and I am learning this! Can you please explain how I should write a servlet class to execute this prog, because I don't know how to execute the whole prog. So please explain to me in detail! Thanking you. Sudheer Reddy
Urgent
- Posted by: Suchita Jain
- Posted on: October 25 2007 01:48 EDT
- in response to Jothi Shankar
Please mail me the complete code for this. My mail Id is suchita.miss@gmail.com
java
- Posted by: kumaran Annamalai
- Posted on: March 14 2011 01:21 EDT
- in response to Suchita Jain
Hi suchitha, what's your problem????