Class LoginServlet

java.lang.Object
  jakarta.servlet.GenericServlet
    jakarta.servlet.http.HttpServlet
      fc.web.servlet.FCBaseServlet
        fc.web.servlet.LoginServlet

- All Implemented Interfaces:
  jakarta.servlet.Servlet, jakarta.servlet.ServletConfig, Serializable
Logs in and logs out the user. Works in conjunction with JDBCAuthFilter and the login page of the application (it handles the submit from the HTML login form). Moreover, the application can log out the user by invoking this servlet with an additional act=logout query string. Uses JDBCSession to create/delete session IDs automatically on successful logins/logouts.
Requires the following servlet initialization parameters:
- welcome_page: the webapp-relative path to the welcome page to be shown after a successful login.
- login_page: the webapp-relative path to the login page.
- logout_welcome_page: the webapp-relative path to the welcome page to be shown after a successful logout (this parameter is optional; if not specified, the welcome_page will be used).
- retrycount: the value is an Integer object representing the number of times login has been tried unsuccessfully. Note: the login page should read this attribute if present and store it in the form as a hidden parameter. When the login form is submitted, this value is sent back to this servlet in the request as a parameter and, upon login failure, is incremented accordingly.
- SID_COOKIE_NAME: the session ID assigned to the user. After logging in, a session will exist in the database; JDBCSession can thereafter be used to store any information for that session in the database via the session ID.
- user.name: the name of the user that was successfully used to log in to the system (this is useful for displaying the username in the front-end page without hitting the database every time).

Upon successful login, the onLogin(Connection, String, String, HttpServletRequest, HttpServletResponse) method is invoked. This method can be overridden as necessary by subclasses. Similarly, upon successful logout, the onLogout(Connection, String, HttpServletRequest, HttpServletResponse) method is invoked.
The servlet requires the following request parameters from the login form:
- username
- password
- target: if present (either as a cookie or in the URL), the client is redirected to the URL specified by the target (otherwise the client is redirected to the welcome_page after login/logout). The AuthFilter automatically stores the original target page as a parameter (URL-encoded) so that users are seamlessly redirected to their original target after a successful login or logout.
Requires the following database schema:
A Users table must exist (note: "user" is a reserved word in many databases, so the table must be called Users). The following columns must exist in the Users table:
- user_id: the user id
- username: the name of the user (corresponds to the username parameter in the login form)
- password: the password for the user (corresponds to the password parameter in the login form)
Since this class uses the DBOMgr framework, a UserMgr class corresponding to the aforementioned Users table must exist in the classpath of this servlet. Since this class uses JDBCSession, the default database tables required by JDBCSession must also exist.
For security reasons, the username/password login form must be submitted via POST (GET is fine when logging out).
Field Summary

Fields inherited from class jakarta.servlet.http.HttpServlet:
LEGACY_DO_HEAD

Constructor Summary

- LoginServlet()

Method Summary

- void doGet(jakarta.servlet.http.HttpServletRequest req, jakarta.servlet.http.HttpServletResponse res)
- void doPost(jakarta.servlet.http.HttpServletRequest req, jakarta.servlet.http.HttpServletResponse res)
- encodePassword(String password): for this method to be available from application code, this servlet should be set to load on startup and code similar to the example given in the method details invoked.
- static jakarta.servlet.http.Cookie getSIDCookie(jakarta.servlet.http.HttpServletRequest req): returns the cookie corresponding to the "sid".
- void init(jakarta.servlet.ServletConfig conf)
- void onLogin(Connection con, String sid, String username, jakarta.servlet.http.HttpServletRequest req, jakarta.servlet.http.HttpServletResponse res): invoked upon successful login.
- void onLogout(Connection con, String sid, jakarta.servlet.http.HttpServletRequest req, jakarta.servlet.http.HttpServletResponse res): invoked upon successful logout.
- String validateUser(Connection con, String username, String password): validates the specified username/password.

Methods inherited from class FCBaseServlet:
destroy, getLog, stats, toString

Methods inherited from class jakarta.servlet.http.HttpServlet:
service

Methods inherited from class jakarta.servlet.GenericServlet:
getInitParameter, getInitParameterNames, getServletConfig, getServletContext, getServletInfo, getServletName, init, log, log
Field Details

- SID_COOKIE_NAME

Constructor Details

- LoginServlet
  public LoginServlet()

Method Details
- init
  public void init(jakarta.servlet.ServletConfig conf) throws jakarta.servlet.ServletException
  Specified by: init in interface jakarta.servlet.Servlet
  Overrides: init in class FCBaseServlet
  Throws: jakarta.servlet.ServletException
- getSIDCookie
  public static jakarta.servlet.http.Cookie getSIDCookie(jakarta.servlet.http.HttpServletRequest req)
  Returns the cookie corresponding to the "sid" (this cookie has key = SID_COOKIE_NAME and its value is the SID created/set at login time). Returns null if no sid cookie is found.
- doGet
  public void doGet(jakarta.servlet.http.HttpServletRequest req, jakarta.servlet.http.HttpServletResponse res) throws jakarta.servlet.ServletException, IOException
  Throws: jakarta.servlet.ServletException, IOException

- doPost
  public void doPost(jakarta.servlet.http.HttpServletRequest req, jakarta.servlet.http.HttpServletResponse res) throws jakarta.servlet.ServletException, IOException
  Throws: jakarta.servlet.ServletException, IOException
- validateUser
  public String validateUser(Connection con, String username, String password) throws SQLException, IOException
  This method validates the specified username/password. This class should be subclassed to override this method and validate the supplied username/password against a database in a different fashion if desired. The default implementation of this method works with the following initialization parameters:
  - login_query (required): the query string used to check whether this username/password combination exists. This query string should be in PreparedStatement format with 2 question marks (the first one will be set with the username and the 2nd with the password).
  - password_hash (optional): if present, should contain the name of the Java crypto hash function used to hash the password before comparing it with the database (this is for cases where the passwords are stored as hashed values in the database). Examples include MD5, SHA-1 etc.
  Returns:
  - If authentication failed: null.
  - If authentication succeeded: a non-null, non-empty string containing a unique username or userid for the authenticated user (the username/userid should be the primary key field used in the database to uniquely identify a user). This userid is stored in the JDBCSession.
  Throws: SQLException, IOException
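The description above says validateUser can be overridden to check credentials in a different fashion. The following is an added example, not code from the fc.web.servlet library: a LoginServlet subclass that verifies a salted PBKDF2 hash in constant time instead of the login_query/password_hash scheme. The package name and the Users columns pw_salt, pw_hash and pw_iter are assumptions.

```java
// Added example, not part of fc.web.servlet. Assumed (hypothetical) schema:
// Users(user_id, username, pw_salt, pw_hash, pw_iter), with salt and hash stored
// as Base64 strings and pw_iter the PBKDF2 iteration count used at enrolment.
package example; // hypothetical package

import java.io.IOException;
import java.security.MessageDigest;
import java.security.spec.KeySpec;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import fc.web.servlet.LoginServlet;

public class Pbkdf2LoginServlet extends LoginServlet {
    private static final String QUERY =
        "SELECT user_id, pw_salt, pw_hash, pw_iter FROM Users WHERE username = ?";

    @Override
    public String validateUser(Connection con, String username, String password)
            throws SQLException, IOException {
        if (username == null || password == null) return null;
        try (PreparedStatement ps = con.prepareStatement(QUERY)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) return null; // unknown user: same null result as a bad password
                byte[] salt = Base64.getDecoder().decode(rs.getString("pw_salt"));
                byte[] stored = Base64.getDecoder().decode(rs.getString("pw_hash"));
                byte[] derived = pbkdf2(password.toCharArray(), salt, rs.getInt("pw_iter"), stored.length);
                // constant-time comparison; on success return the primary key,
                // which LoginServlet stores in the JDBCSession as the userid
                return MessageDigest.isEqual(stored, derived) ? rs.getString("user_id") : null;
            }
        }
    }

    // Derives lenBytes of key material from the password with PBKDF2-HMAC-SHA256.
    static byte[] pbkdf2(char[] pw, byte[] salt, int iterations, int lenBytes) throws IOException {
        try {
            KeySpec spec = new PBEKeySpec(pw, salt, iterations, lenBytes * 8);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (java.security.GeneralSecurityException e) {
            throw new IOException("PBKDF2 unavailable", e);
        }
    }
}
```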
- encodePassword
  encodePassword(String password)
  For this method to be available from application code, this servlet should be set to load on startup and code similar to the following example invoked:

    LoginServlet ls = (LoginServlet) WebApp.allServletsMap.get("fc.web.servlet.LoginServlet");
    if (ls == null) {
        // can happen if the servlet is not loaded yet
        throw new Exception("Unexpected error: LoginServlet was null");
    }
    return ls.encodePassword(passwd);

  Throws: IOException
- onLogin
  public void onLogin(Connection con, String sid, String username, jakarta.servlet.http.HttpServletRequest req, jakarta.servlet.http.HttpServletResponse res) throws SQLException, IOException
  This method is invoked upon successful login. By default, it does nothing, but subclasses can override this method as needed.
  Parameters:
  - con: a connection to the database
  - sid: the session id for this user
  - username: the username for this user (that was used to log in the user via the login query)
  Throws: SQLException, IOException
- onLogout
  public void onLogout(Connection con, String sid, jakarta.servlet.http.HttpServletRequest req, jakarta.servlet.http.HttpServletResponse res) throws SQLException, IOException
  This method is invoked upon successful logout. By default, it does nothing, but subclasses can override this method as needed.
  Parameters:
  - con: a connection to the database
  - sid: the session id for this user
  Throws: SQLException, IOException
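Since onLogin and onLogout do nothing by default, a subclass is the natural place to record login and logout events for later investigation. The following is an added example, not code from the fc.web.servlet library; the Audit_Log table and the package name are assumptions.

```java
// Added example, not part of fc.web.servlet. Records each successful login and
// logout in a hypothetical Audit_Log(event, sid, username, remote_addr, user_agent)
// table so that the sid issued by LoginServlet can be tied to a client later.
package example; // hypothetical package

import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import fc.web.servlet.LoginServlet;

public class AuditingLoginServlet extends LoginServlet {
    private static final String INSERT =
        "INSERT INTO Audit_Log (event, sid, username, remote_addr, user_agent) VALUES (?, ?, ?, ?, ?)";

    @Override
    public void onLogin(Connection con, String sid, String username,
                        HttpServletRequest req, HttpServletResponse res)
            throws SQLException, IOException {
        record(con, "LOGIN", sid, username, req);
    }

    @Override
    public void onLogout(Connection con, String sid,
                         HttpServletRequest req, HttpServletResponse res)
            throws SQLException, IOException {
        // onLogout receives no username; the sid links this row to the matching LOGIN row
        record(con, "LOGOUT", sid, null, req);
    }

    private static void record(Connection con, String event, String sid, String username,
                               HttpServletRequest req) throws SQLException {
        try (PreparedStatement ps = con.prepareStatement(INSERT)) {
            ps.setString(1, event);
            ps.setString(2, sid);
            ps.setString(3, username);
            ps.setString(4, req.getRemoteAddr());
            // the User-Agent header is client-controlled: cap its length before storing it
            String ua = req.getHeader("User-Agent");
            ps.setString(5, ua == null ? null : ua.substring(0, Math.min(ua.length(), 255)));
            ps.executeUpdate();
        }
    }
}
```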