Thread: authentication page help
- 12-17-2009, 08:52 AM #1
Member
- Join Date
- Nov 2009
- Posts
- 2
- Rep Power
- 0
authentication page help
Hi, can anyone help me with this code? I'm new to programming and I'm trying to create a login view where the user id and password reside in MS SQL. Can someone help me with this? I'm really stuck on this now. It always tells me that I am not an authentic person, but the user id and password that I entered are correct.
here is the jsp file
Java Code:
<%@ page language="java" %>
Please enter your Name and Password here:
<br>
<br>
<form name="frm" action="/e-app/Authentication" method="Post">
    Name: <input type="text" name="user" value=""/>
    Password:<input type="password" name="pass" value=""/>
    <input type="submit" value="Check" />
</form>
here is the servlet
Java Code:
package pack;

import java.io.*;
import java.util.*;
import java.sql.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class Authentication extends HttpServlet {
    private ServletConfig config;

    public void init(ServletConfig config) throws ServletException {
        this.config = config;
    }

    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        PrintWriter out = response.getWriter();
        String connectionURL = "jdbc:jtds:sqlserver://server/database";
        Connection connection = null;
        ResultSet rs;
        String userName = new String("");
        String passwrd = new String("");
        response.setContentType("text/html");
        try {
            Class.forName("net.sourceforge.jtds.jdbc.Driver");
            connection = java.sql.DriverManager.getConnection(connectionURL, "sa", "tjqofl");
            String sql = "select USER_ID,PASSWORD from PASSWORD_MASTER";
            Statement s = connection.createStatement();
            s.executeQuery(sql);
            rs = s.getResultSet();
            while (rs.next()) {
                userName = rs.getString("USER_ID");
                passwrd = rs.getString("PASSWORD");
            }
            rs.close();
            s.close();
        } catch (Exception e) {
            System.out.println("Exception is ;" + e);
        }
        if (userName.equals(request.getParameter("user"))
                && passwrd.equals(request.getParameter("pass"))) {
            out.println("User Authenticated");
        } else {
            out.println("You are not an authentic person");
        }
    }
}
:(:(:confused::confused:
Last edited by royramos; 12-18-2009 at 12:43 AM.
- 12-17-2009, 11:17 AM #2
Member
- Join Date
- Dec 2009
- Location
- Rio de Janeiro
- Posts
- 38
- Rep Power
- 0
Please place your code between the tags [ code ] and [/ code ], both with no space. It is easier to read!
Please don't laugh at my English... I'm trying my best! :)
- 12-17-2009, 11:40 AM #3
Moderator
- Join Date
- Apr 2009
- Posts
- 10,481
- Rep Power
- 16
How many users are there in your password_master table?
You are currently getting all the users and then (essentially) taking the username and password of the last one returned, and then comparing that.
What you should be doing is a proper select statement, using the username and password as conditions, returning just the username. If you get something back then that's a valid name and password, otherwise it isn't.
As an aside, don't just print the exception...print the stack trace (e.printStackTrace()).
- 12-17-2009, 12:17 PM #4
Senior Member
- Join Date
- Dec 2009
- Location
- Belgrade, Serbia
- Posts
- 364
- Rep Power
- 4
Your scenario in the doPost(...) method after the page is submitted:
1. Take "user":
String userFromForm = request.getParameter("user");
2. Check if this "user" is in your DB, using a PreparedStatement to set the input param for the WHERE clause:
Java Code:
PreparedStatement pstmt = null;
try {
    String query = "select USER_ID,PASSWORD from PASSWORD_MASTER where USER_ID = ?";
    pstmt = connection.prepareStatement(query);
    // set input parameter
    pstmt.setString(1, userFromForm);
    rs = pstmt.executeQuery();
    // ...
    if (rs.next()) {
        userName = rs.getString("USER_ID");
        passwrd = rs.getString("PASSWORD");
    }
    // 3. user found, check password
    String passFromForm = request.getParameter("pass");
    if (!passwrd.equals(passFromForm)) {
        System.out.println(" * * * Wrong Password!!!");
    } else {
        // 4. passwords matched - user exists in DB
        System.out.println("SUCCESFULL LOGIN !");
    }
} catch (Exception e) {
    System.out.println("Exception is ;" + e);
} finally {
    // close your resources
    rs.close();
    pstmt.close();
}
...
I hope this will help :)
- 12-17-2009, 01:10 PM #5
Moderator
- Join Date
- Apr 2009
- Posts
- 10,481
- Rep Power
- 16
Don't return passwords from the db.
The select should include the password as a condition.
You should never inform someone whether it was the user name or the password that is wrong. That gives too much information away.
- 12-17-2009, 01:32 PM #6
Senior Member
- Join Date
- Dec 2009
- Location
- Belgrade, Serbia
- Posts
- 364
- Rep Power
- 4
We could maybe create a new thread on this password issue that is used during the auth process, and involve all security issues in the discussion.
At the end we could all agree and come out with maybe an optimal auth use case scenario that is highly secure, and provide both JSP code and servlet code.
Maybe this can become a tutorial like "Form-based login authentication tutorial" for the tutorial part of this forum.
Any senior member interested :rolleyes:?
- 12-17-2009, 01:42 PM #7
Moderator
- Join Date
- Apr 2009
- Posts
- 10,481
- Rep Power
- 16
Well we could, but it would be a bit pointless.
If you're going to provide code at least make sure it covers the basics of good practice in the thing you're supplying.
- 12-18-2009, 12:52 AM #8
Member
- Join Date
- Nov 2009
- Posts
- 2
- Rep Power
- 0
- 12-18-2009, 09:21 AM #9
Moderator
- Join Date
- Apr 2009
- Posts
- 10,481
- Rep Power
- 16
OK.
Change your sql to SELECT * FROM password_master WHERE user_id = ? AND password = ?...using a PreparedStatement. Use System.out.println() to print out the sql text, and the values for user name and password you're using.
Bind in the user name and password and try that. Also run that query (with the correct username and password in) directly in your db, with the values as they appear in the output above.
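Added example, not code posted by anyone in this thread: one way to apply the advice from posts #3, #5 and #9 to the original servlet. The DB_USER and DB_PASS placeholders and the credentialsMatch helper are assumptions made for illustration; the table, column and parameter names are the ones from the thread, and the PASSWORD column is assumed to hold the value exactly as the form submits it.

```java
package pack;

import java.io.*;
import java.sql.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class Authentication extends HttpServlet {
    // Placeholders: load the real values from configuration, using a dedicated low-privilege account.
    private static final String DB_URL = "jdbc:jtds:sqlserver://server/database";
    private static final String DB_USER = "<db-user>";
    private static final String DB_PASS = "<db-password>";

    // Hypothetical helper: true only if one row matches BOTH bound values.
    // Only USER_ID is selected, so the stored password never leaves the database.
    static boolean credentialsMatch(Connection con, String user, String pass) throws SQLException {
        String sql = "select USER_ID from PASSWORD_MASTER where USER_ID = ? and PASSWORD = ?";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, user);   // bound parameters, never string concatenation
            ps.setString(2, pass);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        String user = request.getParameter("user");
        String pass = request.getParameter("pass");
        boolean ok = false;
        if (user != null && pass != null) {
            try {
                Class.forName("net.sourceforge.jtds.jdbc.Driver");
                try (Connection con = DriverManager.getConnection(DB_URL, DB_USER, DB_PASS)) {
                    ok = credentialsMatch(con, user, pass);
                }
            } catch (SQLException | ClassNotFoundException e) {
                e.printStackTrace(); // full trace goes to the server log, not to the client
            }
        }
        // One message for every failure: unknown user, wrong password or database error.
        out.println(ok ? "User Authenticated" : "You are not an authentic person");
    }
}
```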