  1. #1
    royramos is offline Member
    Join Date
    Nov 2009
    Posts
    2
    Rep Power
    0

    Default authentication page help

    Hi, can anyone help me with this code? I'm new to programming and I'm trying to create a login view where the user id and password reside in MS SQL. Can someone help me with this? I'm really stuck on this now. It always tells me that I am not an authentic person, but the user id and password that I entered are correct.

    here is the jsp file

    Java Code:
    <%@ page language="java" %> 
    Please enter your Name and Password here: 
    <br> 
    <br> 
    <form name="frm" action="/e-app/Authentication" method="Post" > 
    Name:   <input type="text" name="user" value=""/> 
    Password:<input type="password" name="pass" value=""/> 
       <input type="submit" value="Check" /> 
    </form>
    here is the servlet

    Java Code:
    package pack;

    import java.io.*;
    import java.util.*;
    import java.sql.*;
    import javax.servlet.*;
    import javax.servlet.http.*;

    public class Authentication extends HttpServlet {

        private ServletConfig config;

        public void init(ServletConfig config)
                throws ServletException {
            this.config = config;
        }

        public void doPost(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {

            PrintWriter out = response.getWriter();
            String connectionURL = "jdbc:jtds:sqlserver://server/database";
            Connection connection = null;
            ResultSet rs;
            String userName = new String("");
            String passwrd = new String("");
            response.setContentType("text/html");
            try {

                Class.forName("net.sourceforge.jtds.jdbc.Driver");

                connection = java.sql.DriverManager.getConnection(connectionURL, "sa", "tjqofl");

                String sql = "select USER_ID,PASSWORD from PASSWORD_MASTER";
                Statement s = connection.createStatement();
                s.executeQuery (sql);
                rs = s.getResultSet();
                while (rs.next ()) {
                    userName = rs.getString("USER_ID");
                    passwrd = rs.getString("PASSWORD");
                }
                rs.close ();
                s.close ();
            } catch (Exception e) {
                System.out.println("Exception is ;" + e);
            }
            if (userName.equals(request.getParameter("user")) &&
                    passwrd.equals(request.getParameter("pass"))) {
                out.println("User Authenticated");
            }
            else {
                out.println("You are not an authentic person");
            }
        }
    }
    :(:(:confused::confused:
    Last edited by royramos; 12-18-2009 at 12:43 AM.

  2. #2
    renamed is offline Member
    Join Date
    Dec 2009
    Location
    Rio de Janeiro
    Posts
    38
    Rep Power
    0

    Default

    Pls place your code between tags [ code ] and [/ code ] both with no space.. it is easier to read it!
    Please don't laugh at my English... I'm trying my best! :)

  3. #3
    Tolls is offline Moderator
    Join Date
    Apr 2009
    Posts
    12,091
    Rep Power
    20

    Default

    How many users are there in your password_master table?

    You are currently getting all the users and then (essentially) taking the username and password of the last one returned, and then comparing that.

    What you should be doing is a proper select statement, using the username and password as conditions, returning just the username. If you get something back then that's a valid name and password, otherwise it isn't.

    As an aside, don't just print the exception...print the stack trace (e.printStackTrace()).

  4. #4
    FON
    FON is offline Senior Member
    Join Date
    Dec 2009
    Location
    Belgrade, Serbia
    Posts
    368
    Rep Power
    5

    Default

    your scenario in doPost(...) method after page is submitted:

    1. Take "user":
    String userFromForm = request.getParameter("user");

    2. check if this "user" is in your DB:
    using PreparedStatement to set input param for WHERE clause:

    ...

    Java Code:
    PreparedStatement pstmt = null;
    try {
        String query = "select USER_ID,PASSWORD from PASSWORD_MASTER where USER_ID = ?";

        pstmt = connection.prepareStatement(query);

        // set input parameter
        pstmt.setString(1, userFromForm);
        rs = pstmt.executeQuery();
        // ...
        if (rs.next()) {
            userName = rs.getString("USER_ID");
            passwrd = rs.getString("PASSWORD");
        }

        // 3. user found, check password
        String passFromForm = request.getParameter("pass");

        if (!passwrd.equals(passFromForm)) {
            System.out.println(" * * * Wrong Password!!!");
        } else {
            // 4. passwords matched - user exists in DB
            System.out.println("SUCCESFULL LOGIN !");
        }
    } catch (Exception e) {
        System.out.println("Exception is ;" + e);
    } finally {
        // close your resources (close() itself can throw SQLException)
        try {
            if (rs != null) rs.close();
            if (pstmt != null) pstmt.close();
        } catch (SQLException e) {
            e.printStackTrace();
        }
    }
    i hope this will help :)

  5. #5
    Tolls is offline Moderator
    Join Date
    Apr 2009
    Posts
    12,091
    Rep Power
    20

    Default

    Don't return passwords from the db.
    The select should include the password as a condition.

    You should never inform someone whether it was the user name or the password that is wrong. That gives too much information away.

  6. #6
    FON
    FON is offline Senior Member
    Join Date
    Dec 2009
    Location
    Belgrade, Serbia
    Posts
    368
    Rep Power
    5

    Default

    We could maybe create a new thread on this password issue that is used
    during the auth process, and involve all security issues in the discussion.

    At the end we could all agree and come out with maybe optimal auth. use case scenario that is highly secure and provide both jsp code and servlet code.

    Maybe this can become tutorial like
    "Form-based login authentication tutorial"
    for tutorial part of this forum.

    any senior member interested :rolleyes:?

  7. #7
    Tolls is offline Moderator
    Join Date
    Apr 2009
    Posts
    12,091
    Rep Power
    20

    Default

    Well we could, but it would be a bit pointless.

    If you're going to provide code at least make sure it covers the basics of good practice in the thing you're supplying.

  8. #8
    royramos is offline Member
    Join Date
    Nov 2009
    Posts
    2
    Rep Power
    0

    Default

    First of all, thanks to all of you who replied on my thread.

    Sir, I only have 1 entry in the password_master table.

    Quote Originally Posted by Tolls View Post
    How many users are there in your password_master table?

    You are currently getting all the users and then (essentially) taking the username and password of the last one returned, and then comparing that.

    What you should be doing is a proper select statement, using the username and password as conditions, returning just the username. If you get something back then that's a valid name and password, otherwise it isn't.

    As an aside, don't just print the exception...print the stack trace (e.printStackTrace()).

  9. #9
    Tolls is offline Moderator
    Join Date
    Apr 2009
    Posts
    12,091
    Rep Power
    20

    Default

    OK.
    Change your sql to SELECT * FROM password_master WHERE user_id = ? AND password = ?...using a PreparedStatement. Use System.out.println() to print out the sql text, and the values for user name and password you're using.

    Bind in the user name and password and try that. Also run that query (with the correct username and password in) directly in your db, with the values as they appear in the output above.
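
The check described in replies #5 and #9, written out as an added example that is not code from any post in the thread: both form values are bound as conditions, only the user id comes back, and every failure gets the same message. The class name `LoginCheck`, the `messageFor` helper and the command-line harness are assumptions made for illustration; the table and column names are the ones used in the thread.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class LoginCheck {

    // Table and column names as used in the thread; the password is a WHERE condition, never selected.
    private static final String SQL =
        "SELECT USER_ID FROM PASSWORD_MASTER WHERE USER_ID = ? AND PASSWORD = ?";

    /** Returns true only when one row matches both the user id and the password. */
    static boolean authenticate(Connection connection, String user, String pass)
            throws SQLException {
        // request.getParameter() returns null for a missing form field.
        if (user == null || pass == null) {
            return false;
        }
        // try-with-resources closes the statement and result set on every path.
        try (PreparedStatement ps = connection.prepareStatement(SQL)) {
            ps.setString(1, user);   // bound as data, never concatenated into the SQL text
            ps.setString(2, pass);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();    // any row back means the pair is valid
            }
        }
    }

    /** One message for every failure, so the reply does not reveal which field was wrong. */
    static String messageFor(boolean authenticated) {
        return authenticated ? "User Authenticated" : "Invalid user name or password";
    }

    // Hypothetical harness: java LoginCheck <jdbc-url> <db-user> <db-password> <user> <pass>
    public static void main(String[] args) {
        if (args.length != 5) {
            System.err.println("usage: LoginCheck <jdbc-url> <db-user> <db-password> <user> <pass>");
            return;
        }
        try (Connection c = DriverManager.getConnection(args[0], args[1], args[2])) {
            System.out.println(messageFor(authenticate(c, args[3], args[4])));
        } catch (SQLException e) {
            e.printStackTrace();     // full stack trace rather than just the exception text
            System.out.println(messageFor(false));
        }
    }
}
```

In a servlet, `authenticate` would be called from `doPost` with the two `request.getParameter(...)` values, and `messageFor` would supply the text written to the response.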
