I am developing an application with spring 3 struts 2 and hibernate. After login only i have to display the pages
It is working fine. when i testing i found the big mistake
that is i copy the url of the page which needs to display only to logged-in user
and paste it in other browser means it is displaying the page without login.
<%
String userId= (String)session.getAttribute("userId");
System.out.println(userId);
if(userId == null || userId.equals("") ){
response.sendRedirect("login.jsp");
}
%>
I have included this for all jsp. I know this is not a best practice. Is any better option available?
How would i overcome this error?
if(userId == null || userId.equals("") ){
response.sendRedirect("login.jsp");
}
should probably have a return in there to prevent rendering the page content:
if(userId == null || userId.equals("") ){
response.sendRedirect("login.jsp");
return;
}
Nothing in the javadoc suggests that sendRedirect causes abrupt exit or causes the response body to not be shipped to the client.
What is probably happening is that your response contains a redirect header, but also contains the page content which you might not have meant to send.
I am still at education so do know how good is my solution , but i did not crash so hope it is correct
and it is quite similar to #muthu 's code
I had used JPA-eclipselink and Struts2
Action Class
String checkLogin = "SELECT user FROM UserEntity user WHERE user.username = :username AND user.password = :password";
Query checkLoginQuery = em.createQuery(checkLogin);
checkLoginQuery.setParameter("username", loginUsername);
checkLoginQuery.setParameter("password", loginPassword);
userEntity = (UserEntity) checkLoginQuery.getSingleResult();
Map sessionMap = ActionContext.getContext().getSession();
sessionMap.put("userEntity", userEntity);
JSP -> all jsp pages have this(bug:affected if session is not killed when browser is not closed )
<%# taglib prefix="s" uri="/struts-tags" %>
<s:if test="%{#session.userEntity == null}">
<jsp:forward page="login.jsp"/>
</s:if>
Correct me if I am wrong
Quoting this page
Both and RequestDispatcher.forward() are what I refer to as "server-side" redirects
The response.sendRedirect() is what I call a "client-side" redirect.
so a server side forward looks more safe to me , maybe I am wrong (I am sorry if I am miss interpreting it ,not worked in real life projects yet)
Related
i have multiple web pages jsp and i use for the resubmit in refresh response.sendredirect("blabla.jsp") but one page work good , another page wen i press submit it go to a blank page and the row added to database, any solution for this problem ? thank you
`
<% String UC1 = "INIT";
if (request.getParameter("add_spec") != null) {
UC1 = "ADD_SPEC";
}
if (UC1.equals("INIT")) {
List<Speciality> specs = SpecialityController.INSTANCE.findAll();
%>
<%#include file="./WEB-INF/Add_Spec.jspf" %>
<%#include file="./WEB-INF/view_all_specs.jspf" %>
<%}
if (UC1.equals("ADD_SPEC")) {
String spec = request.getParameter("speciality");
SpecialityController.INSTANCE.create(new Speciality(spec));
List<Speciality> specs = SpecialityController.INSTANCE.findAll();
response.sendRedirect("main_admin.jsp");
%>
<%#include file="./WEB-INF/Add_Spec.jspf" %>
<%#include file="./WEB-INF/view_all_specs.jspf" %>
<% }
%>
`
You can use the Post/Redirect/Get pattern.
When a web form is submitted to a server through an HTTP POST request,
a web user that attempts to refresh the server response in certain
user agents can cause the contents of the original POST request to be
resubmitted, possibly causing undesired results, such as a duplicate
web purchase.
To avoid this problem, many web developers use the PRG
pattern - instead of returning a web page directly, the POST operation returns a redirection command.
In other words, when you submit the data, you should redirect to the page on which you can view (get) the data you've just added.
That way, refreshing will not resubmit the data.
Alternatively, you could use a CSRF/XSRF-like token.
Though this example is in PHP, you should understand the gist of it.
Update
Even better, you can check out this example for CSRF https://services.teammentor.net/article/00000000-0000-0000-0000-000000040a2e
I wrote the below code to test the status of msgCode. If the msgCode is not Success it should redirect to error.jsp file. If it is a Success it should stay on the same page . When I ran the code the page always redirects to error.jsp although msgCode is Success. What mistake did I do in my code. Can you please help me if you can. Thank in advance.
<%# page import="com.siebel.SurveyWebService.SurveyTester" %>
<%
SurveyTester tc = new SurveyTester();
tc.getResult();
java.lang.String msgCode = tc.getResult2().getStatusCode();
%>
<%= msgCode%>
<%
if (msgCode.toString() != "Success")
{
response.sendRedirect("error.jsp");
}
%>
First of all, you should use equal method for string comparison. Secondly, even though it's not a problem at the moment but you are creating objects in your jsp and faking the response. tc.getResult2().getStatusCode() is not an actual HTTP response from server.
In my Dynamic Web Application (working in Eclipse, with Tomcat 7 server), my pages have the same header, which includes the username of the currently logged in user.
Rather than having the header appear identically on each page, I extracted and included
<%# include file="../includes/head.jsp" %>
to the top of each .jsp.
But I noticed a problem. In the Servlet files I created I have a variation of (depending on the jsp page):
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
System.out.println("Login doGet");
request.setAttribute("name", "value");
request.getRequestDispatcher("resources/jsp/login.jsp").forward(request, response);
}
However, in the head.jsp file,
${request.getAttribute("name") != null ? "Logged In" : "Not logged in"}
is causing "Not logged in" to appear when I'm expecting it to say "Logged In" (because I did pass an attribute called "name".
Any ideas what is going on?
<%= request.getAttribute("name") == null ? "Logged In" : "Not logged in" %>
Works because you have used the scriptlets to print the request attributes in the traditional way. However it is considered as bad practice . see How to avoid Java code in JSP files?
${request.getAttribute("name") == null ? "Logged In" : "Not logged in"}
Doesnt work because you have incorrect syntax of Expression Language
so either use jstl as #user23123412 suggested or write it as ,
${name == null ? "Logged In" : "Not logged in"}
to evaluate using EL
Hope this helps !!
You should use request.getSession().setAttribute("name", "value");
I got this to work eventually by using this
<%= request.getAttribute("name") == null ? "Logged In" : "Not logged in" %>
instead of the original
${request.getAttribute("name") == null ? "Logged In" : "Not logged in"}
I tried this after I saw that this is another way to write expressions. I have no idea why this way works and the other way doesn't and would love if some could add an explanation.
You could also use JSTL for this manner. Its better way to use jstl rather than scriptlets.
<c:out value="${empty name ? 'Logged In' : 'Not logged in' }" />
I want to get latest data to my home page by calling servlet, means when user click on refresh button home page should fill with most recent data. For that i used
jsp:forward page="tests"/>.
But finally I end up with redirect loop. Soo how can I achieve this?
myservlet is this :
RequestDispatcher view = request.getRequestDispatcher("tt.jsp");
view.forward(request, response);
How I am going to do this with out getting into never ending loop?
I have solved this problem successfully by checking attribute is null.
code:
<%
if((request.getAttribute("vdata") == null) || request.getAttribute("ldata") == null ||
request.getAttribute("mdata") == null){
%>
jsp:forward page="intial_getdata"/>
I currently have the following includes at the top of all of my jsp files:
<%# include file="inc/inc_cookie_login.jsp"%>
<%# include file="inc/inc_protect_page.jsp"%>
<%# include file="inc/inc_log_access.jsp"%>
The jsps have scriptlets that check for cookie and set a user object in the session if cookie exists, prevents access to the jsp unless a session has been set, write to a text file the User IP, name, page accessed, etc.,respectively.
The scriptlet approach above has worked fine but now that I have a better server set up and can utilize a web.xml file, I have been refactoring my app to best practices. The above is screaming FIXME! Should I be investigating listeners, filters, ?, or is my current approach adequate?
=== inc_cookie_login.jsp ====
<%# page import="model.STKUser"%>
<%# page import="model.STKUserCookie"%>
<%# page import="data.STKUserDAO"%>
<%
if ( request.getSession().getAttribute("STKUserSession") == null) {
STKUserCookie userCookie = new STKUserCookie(request);
String userBadge = userCookie.getUserID();
STKUserDAO userDAO = new STKUserDAO();
STKUser user = userDAO.getUser(userBadge);
if (user != null) {
user.setIpAddress(request.getRemoteAddr());
userDAO.updateLoginCount(user);
request.getSession().setMaxInactiveInterval(36000); //set to 10 hours
request.getSession().setAttribute("STKUserSession", user);
}
}
%>
This looks like a good one to be replaced by a filter. Create the filter class and ref it with a pattern in your web.xml. Scriptlets should not be used unless all other options have been reasonably exhausted.