I have a simple login page (login.jsp) and I'm checking it against a database to verify user credentials. This is just for testing, not for making an actual site.
In the verification servlet where the values are checked against the DB values, if there is not a match I do a
response.getRedirect("login.jsp?loginfailed=true");
This, obviously, sends me to
localhost:8080/blahblahblahblah/login.jsp?loginfailed=true
which is what I want. But then, in the jsp file, I do
<%
if(request.getParameter("loginfailed") == "true")
{
out.println("login failed");
}
%>
I'm well aware that I should replace this with JSTL, it's just easier for me to use scriptlets at first for control flow and I change them out once the logic works.
I just don't know why it is not working right now. What am I doing wrong?
Basically when credentials DO match DB values, it redirects to a success page. But if they don't, it redirects back to login.jsp with a URL param, and I want to print some text that says the login failed so the user doesn't have to look at the url to see that.
Your redirection should be done this way:
response.sendRedirect(request.getContextPath()+"/login.jsp?loginfailed=true");
Related
I have a JSP page to search customers. This page calls the controller, which executes a method to return a list of customers and afterwards forwards to the origin URL.
I used to forward : request.getRequestDispatcher(urlOrigin).forward(request, response);
(note 1: request.getHeader("Referer") was used to get complete origin URL )
(note 2: There is a method to split the complete origin URL and get the page name )
Since then, I have the following URL in the browser:
(http://domain/ProjetoT/mvc)
It's the URL of my controller.
If I search for a customer again it won't work, because the controller URL will be recognized as the origin URL.
I tried to use: response.sendRedirect(urlOrigin);
But I lost my object and the list of customers wasn't rendered.
Can anyone help me, please?
Thanks!
Instead of initially accessing the JSP page directly in the browser, you could access it through the same controller used to process the search. To do that you would have to program your controller to detect if you are in initial display mode or if you are in "submit" mode. This is typically done by checking the presence of a parameter that is sent in the submit.
So in initial display mode, your controller would just forward to the JSP without any further processing, while in submit mode it would do what it is currently doing. This way you would be using the same URL for both the initial display and the submit and the problem you described should go away (that is, if I understand your question correctly).
After the user has logged in I want to make a redirect if /login is accessed again, so that the user cannot access the login form if he/she is already authenticated.
I am using Jetty 8 and I found in the FormAuthenticator.java:168 method validateRequest that if the user accesses the login or error page, the user is never authenticated, even though that might be the case:
if (isLoginOrErrorPage(URIUtil.addPaths(request.getServletPath(),request.getPathInfo())))
return Authentication.NOT_CHECKED;
How can I fix this?
This problem was fixed on 2012-08-07. I think Jetty does not work here as intended. For that reason I filed a bug regarding the redirection behavior. Have a look at the latest Jetty 8, it should work now for you, respectively have a look at the fix.
I struggled with the problem that you described for a while...
I tried to use the API of the session, the request and the response to do a redirect when the user is already logged in, but the authentication data for the user is apparently not available from the login page when using Jetty.
I'm totally new to JSP and Jetty (I'm using it for a class assignment), but I made a solution that worked fairly well, even though it's not the ideal solution.
First, I made a small bypass by adding a variable in my login page to see if the page had already been loaded, by using the following JSP:
<%
if("true".equals(session.getAttribute("loginLoadedOnce"))) // equals(), not ==, compares the string's content
{
response.sendRedirect("/redirect.jsp");
}
else
{
session.setAttribute("loginLoadedOnce", "true");
}
%>
That way, if the attribute is set incorrectly it will let the user try to login. Otherwise, it will redirect to the redirect page. The redirect page will have the user data available and it will be able to see if a user has certain roles.
The JSP code for the redirect page was like this:
<%
if(request.isUserInRole("admin"))
{
String url = response.encodeRedirectURL("admin/AdminPage.jsp");
response.sendRedirect(url);
}
else if(request.isUserInRole("accounting"))
{
String url = response.encodeRedirectURL("/accounting/Mainpage.jsp");
response.sendRedirect(url);
}
else
{
// Here the user has no role that we are aware of.
session.setAttribute("loginLoadedOnce", "false"); // stop redirect loop.
response.sendRedirect("/login.jsp");
}
%>
Here we check the roles of the user and we redirect to the correct page for the role.
As it is right now, the user will have to log out before he can go back to the login page. Every attempt to go back to the login page will end up redirecting, even using the "Back" button of the browser.
Hoping this will help somebody.
I want to login into a website. I need to identify the url to login. The view source shows post method as follows.
<form id="signIn" onsubmit="return false;" action="/f1/logon" method="post">
I see that there is no javascript that validates the url.
When I use the below URL directly in a browser,
https://www.abc.com/f1/logon
I get a blank page. When I use below,
https://www.abc.com/logon
I don't see the response of the logged-in page. It shows the response of the sign-in page though. How do I identify the correct URL to auto-login? I downloaded some tools like Fiddler but they were no help. Any inputs?
Invoking a URL in a browser sends a GET request. This form, however, is configured to send a POST request (look at the method attribute), so it makes sense that you are not seeing anything in your browser.
It's strange that the onsubmit attribute returns false. This prevents the form from being submitted at all. Take a look at the "login" button. There may be some Javascript code there which does the form submission.
Fiddler is a good tool: you can start a capture job and then perform a login. Find which request contains your login and password.
I want to forward from one page to another, but at the same time I want the URL to be changed. Suppose the user is here http://mywebsite/register and when he completes his registration process then I want this in his address bar http://mywebsite/home
Is it possible without using sendRedirect, I mean by way of server-side forwarding only? Or is there any other way around this problem?
You could just let the HTML form submit to that URL directly.
<form action="http://mywebsite/home">
But this makes no sense. You'll also run into problems when redisplaying the same form with validation messages in case of validation failure. You'd need to redirect back to the original page if you intend to keep the original URL and you'd need to fiddle with storing messages in the session scope instead of the request scope because a redirect basically creates a brand new request. Without a redirect you'll also run into the "double submit" problem whenever the end user presses F5 after submitting the form.
Just let the servlet redirect the successful POST request to the desired URL. That's the canonical approach. Even more, this is a recommended "design pattern": the POST-Redirect-GET pattern.
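Added example, not part of the original answer: the POST-Redirect-GET flow for the /register to /home case, written against the javax.servlet 3.0 API. The in-memory USERS set is a constructed stand-in for the real user store, and the JSP path and the "error" and "flash" attribute names are hypothetical.

```java
import java.io.IOException;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

@WebServlet("/register")
public class RegisterServlet extends HttpServlet {
    // Constructed in-memory store standing in for the real user database.
    private static final Set<String> USERS = ConcurrentHashMap.newKeySet();
    // Hypothetical view location; under WEB-INF it cannot be requested directly.
    private static final String FORM = "/WEB-INF/register.jsp";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        req.getRequestDispatcher(FORM).forward(req, res);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        String name = req.getParameter("username");
        String error = null;
        if (name == null || !name.matches("[A-Za-z0-9_]{3,32}")) {
            error = "Username must be 3-32 letters, digits or underscores.";
        } else if (!USERS.add(name)) {
            error = "Username is already taken.";
        }
        if (error != null) {
            // Validation failed: forward, so the message can stay in request
            // scope and the address bar remains on /register.
            req.setAttribute("error", error);
            req.getRequestDispatcher(FORM).forward(req, res);
            return;
        }
        // Success: redirect. The browser issues a new GET for /home, the address
        // bar changes, and pressing F5 reloads /home instead of re-posting.
        // Anything /home must show once has to travel in the session.
        req.getSession().setAttribute("flash", "Welcome, " + name);
        res.sendRedirect(req.getContextPath() + "/home");
    }
}
```

The page behind /home should read the "flash" attribute, remove it from the session, and escape it on output.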
AFAIK there's no way around a redirect since the browser has to update the url at some point. And if you'd update the url after the forwarded to page has been loaded it would issue a refresh and the page would be loaded again (which might result in an endless loop).
Why don't you want to use a redirect in that case?
I'm trying to figure out how cookies can be used to prevent a hacker from typing in a URL to an internal part of a java web application that shouldn't be accessible unless the user is logged in.
For example, I'd like to prevent a hacker from typing in http://domain.com/myapp/listtable.jsp and be able to view the table without logging in.
I have a servlet which stores a list of all cookies it has handed out to clients. I'm struggling to understand what the JSP/JSTL code would look like to examine the cookies in the request and compare it to what the server has stored.
Something like:
<c:forEach items="${cookie}" var="currentCookie">
<!-- Compare each incoming cookie with the cookies kept in the servlet,
if there's not a match then redirect to the login page. Otherwise,
show the contents of the page below -->
</c:forEach>
<html>
--- main page HTML here
Can anyone give me some advice on how to do this?
This should be the job of a Filter, not of the view.
Configure a Filter to check for your protected resources.
Check if the user's session has some value that logically makes him logged in.
If not, redirect the user to the login view.
See Also
universal-login-authorization-in-jsp
why-business-logic-should-be-moved-out-of-jsp
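The filter steps from this answer, as an added example that is not part of the original post, written against the javax.servlet 3.0 API. The session attribute name "user" (assumed to be set by the login servlet after a successful check) and the two public paths are hypothetical.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

// Runs before every request, so typing /myapp/listtable.jsp into the address
// bar reaches this check before the JSP is ever rendered.
@WebFilter("/*")
public class LoginFilter implements Filter {
    // Hypothetical names: attribute set by the login servlet, and the public paths.
    private static final String USER_ATTR = "user";
    private static final String LOGIN_PAGE = "/login.jsp";
    private static final String LOGIN_ACTION = "/login";

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Path inside the application, e.g. "/listtable.jsp". Only exact matches
        // are public; everything else is treated as protected by default.
        String path = request.getRequestURI().substring(request.getContextPath().length());
        boolean isPublic = path.equals(LOGIN_PAGE) || path.equals(LOGIN_ACTION);

        // The container matches the session cookie to server-side state, so no
        // hand-kept cookie list is needed. getSession(false) avoids creating
        // sessions for anonymous visitors.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(USER_ATTR) != null;

        if (loggedIn || isPublic) {
            if (!isPublic) {
                // Keep protected pages out of browser and proxy caches.
                response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
            }
            chain.doFilter(req, res);
        } else {
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
        }
    }

    @Override
    public void destroy() { }
}
```

Static resources the login page needs (CSS, images) would have to be added to the public paths, since the default here is to deny.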
I would personally add my JSP or any presentation content (that you deem protected) under the WEB-INF folder and map it accordingly to your controller. That way, the servlet container will hide it from external viewing.
Even though it's not the correct way to do it... in fact you can do something like that.
Try this:
<c:forEach items="${cookie}" var="currentCookie">
<!-- Compare each incoming cookie with the cookies kept in the servlet,
if there's not a match then redirect to the login page. Otherwise,
show the contents of the page below -->
${currentCookie.value.name} - ${currentCookie.value.value}<br/>
<c:if test="${currentCookie.value.name=='JSESSIONID'}">
Your Session is ${currentCookie.value.value}
</c:if>
</c:forEach>