Class LoginServlet

java.lang.Object
jakarta.servlet.GenericServlet
jakarta.servlet.http.HttpServlet
fc.web.servlet.FCBaseServlet
fc.web.servlet.LoginServlet
All Implemented Interfaces:
jakarta.servlet.Servlet, jakarta.servlet.ServletConfig, Serializable

public class LoginServlet extends FCBaseServlet
Logs in/logs out the user. Works in conjunction with JDBCAuthFilter and the login page of the application (handles the submit from the HTML login form). The application can also log the user out by invoking this servlet with an additional act=logout query string. Uses JDBCSession to create/delete session IDs automatically on successful logins/logouts.

Requires the following servlet initialization parameters

  • welcome_page the webapp-relative path to the welcome page to be shown after a successful login.
  • login_page the webapp-relative path to the login page.
  • logout_welcome_page the webapp-relative path to the welcome page to be shown after a successful logout (this parameter is optional; if not specified, the welcome_page will be used).
On login failure, the following attributes are set in the request before control is transferred to the login page via a server-side redirect.
  1. retrycount, value is an Integer object representing the number of times login has been unsuccessfully tried. Note: the login page should read this attribute if present and store it in the form as a hidden parameter. When the login form is submitted, this variable will be sent back to this servlet in the request as a parameter and, upon login failure, be incremented accordingly.
On login success, the following attributes are set as cookies on the client. These cookies are removed on logout.
  1. SID_COOKIE_NAME the session ID assigned to the user. After logging in, a session will exist in the database. JDBCSession can thereafter be used to store any information for that session in the database via the session ID.
  2. user.name, the name of the user that was successfully used to log in to the system (this is useful for displaying the username in the front-end page without hitting the database every time).
In addition, upon successful login, the onLogin(Connection, String, String, HttpServletRequest, HttpServletResponse) method is invoked. This method can be overridden as necessary by subclasses. Similarly, upon successful logout, the onLogout(Connection, String, HttpServletRequest, HttpServletResponse) method is invoked.

The servlet requires the following request parameters from the login form:

  • username
  • password
The following request parameters are optional.
  • target if present (either as a cookie or in the URL), the client is redirected to the URL specified by the target (otherwise the client is redirected to the welcome_page after login/logout). The AuthFilter automatically stores the original target page as a parameter (URLEncoded) so that users are seamlessly redirected to their original target after a successful login or logout.

Requires the following database schema:

A Users table must exist (note: "user" is a reserved word in many databases, so the table must be called Users).
The following columns must exist in the Users table.
  1. user_id the user id
  2. username the name of the user (corresponds to the username parameter in the login form)
  3. password the password for the user (corresponds to the password parameter in the login form).
The class will use the DBOMgr framework, so a UserMgr class corresponding to the aforementioned Users table must exist in the classpath of this servlet.
Since this class uses JDBCSession, the default database tables required by JDBCSession also must exist.

For security reasons, for logging in, the username/password form must be submitted via a POST (GET is fine when logging out).

  • Field Summary

    Fields
    Modifier and Type      Field              Description
    static final String    SID_COOKIE_NAME    value = "sid"

    Fields inherited from class jakarta.servlet.http.HttpServlet

    LEGACY_DO_HEAD
  • Constructor Summary

    Constructors
    Constructor    Description
  • Method Summary

    Modifier and Type    Method    Description
    void    doGet(jakarta.servlet.http.HttpServletRequest req, jakarta.servlet.http.HttpServletResponse res)
    void    doPost(jakarta.servlet.http.HttpServletRequest req, jakarta.servlet.http.HttpServletResponse res)
    String    encodePassword(String password)
        For this method to be available from application code, this servlet should be set to load on startup and code similar to the following example invoked.
    static jakarta.servlet.http.Cookie    getSIDCookie(jakarta.servlet.http.HttpServletRequest req)
        Returns the cookie corresponding to the "sid".
    void    init(jakarta.servlet.ServletConfig conf)
    void    onLogin(Connection con, String sid, String username, jakarta.servlet.http.HttpServletRequest req, jakarta.servlet.http.HttpServletResponse res)
        This method is invoked upon successful login.
    void    onLogout(Connection con, String sid, jakarta.servlet.http.HttpServletRequest req, jakarta.servlet.http.HttpServletResponse res)
        This method is invoked upon successful logout.
    String    validateUser(Connection con, String username, String password)
        This method validates the specified username/password.

    Methods inherited from class FCBaseServlet

    destroy, getLog, stats, toString

    Methods inherited from class jakarta.servlet.http.HttpServlet

    service

    Methods inherited from class jakarta.servlet.GenericServlet

    getInitParameter, getInitParameterNames, getServletConfig, getServletContext, getServletInfo, getServletName, init, log, log

    Methods inherited from class Object

    equals, getClass, hashCode, notify, notifyAll, wait, wait, wait
  • Method Details

    • init

      public void init(jakarta.servlet.ServletConfig conf) throws jakarta.servlet.ServletException
      Specified by:
      init in interface jakarta.servlet.Servlet
      Overrides:
      init in class FCBaseServlet
      Throws:
      jakarta.servlet.ServletException
    • getSIDCookie

      public static jakarta.servlet.http.Cookie getSIDCookie(jakarta.servlet.http.HttpServletRequest req)
      Returns the cookie corresponding to the "sid" (this cookie has key = SID_COOKIE_NAME and the value is the SID created/set at login time). Returns null if no sid cookie is found.
    • doGet

      public void doGet(jakarta.servlet.http.HttpServletRequest req, jakarta.servlet.http.HttpServletResponse res) throws jakarta.servlet.ServletException, IOException
      Throws:
      jakarta.servlet.ServletException
      IOException
    • doPost

      public void doPost(jakarta.servlet.http.HttpServletRequest req, jakarta.servlet.http.HttpServletResponse res) throws jakarta.servlet.ServletException, IOException
      Throws:
      jakarta.servlet.ServletException
      IOException
    • validateUser

      public String validateUser(Connection con, String username, String password) throws SQLException, IOException
      This method validates the specified username/password.

      This class should be subclassed to override this method and validate the supplied username/password against a database in a different fashion if desired. The default implementation of this method works with the following initialization parameters.

      • login_query (required): the query string used to check whether this username/password combination exists. This query string should be in PreparedStatement format with 2 question marks (the first one will be set with the username and the 2nd with the password).
      • password_hash (optional): if present, should contain the name of the Java crypto hash function used to hash the password before comparing it with the database (this is for cases where the passwords are stored as hashed values in the database). Examples include MD5, SHA-1 etc.
      This method should return the following values:
      • If authentication failed: null
      • If authentication succeeded: a non-null, non-empty string containing the user ID (or unique username) of the authenticated user. This value is stored in the JDBCSession, so it should be the primary-key field used in the database to uniquely identify the user.
      Throws:
      SQLException
      IOException
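      As an added illustration (not the project's own code), a hypothetical subclass that overrides validateUser with the behaviour the default contract above describes: it reads the login_query and password_hash initialization parameters, hashes the submitted password when password_hash is set, runs the two-placeholder query, and returns the user ID from the first result column or null on failure. The example query text, the column order and the lower-case hex encoding of the digest are assumptions; the format produced by the project's own encodePassword may differ, so stored hashes must match whichever encoding is actually used.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.HexFormat;
import fc.web.servlet.LoginServlet;

// Hypothetical subclass; mirrors the documented login_query / password_hash contract.
public class AppLoginServlet extends LoginServlet {
    @Override
    public String validateUser(Connection con, String username, String password)
            throws SQLException, IOException {
        if (username == null || username.isEmpty() || password == null) {
            return null;                                   // documented failure value
        }
        // login_query: PreparedStatement text with exactly two '?' placeholders, e.g.
        // "SELECT user_id FROM Users WHERE username = ? AND password = ?" (assumed)
        String query = getInitParameter("login_query");
        String hashName = getInitParameter("password_hash"); // optional, e.g. "SHA-256"
        String stored = (hashName == null || hashName.isEmpty())
                ? password : hexDigest(hashName, password);
        try (PreparedStatement ps = con.prepareStatement(query)) {
            ps.setString(1, username);
            ps.setString(2, stored);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {
                    return null;                           // no matching row: failed
                }
                // First column is assumed to be Users.user_id (the primary key), which is
                // the value JDBCSession will keep for this session.
                String userId = rs.getString(1);
                return (userId == null || userId.isEmpty()) ? null : userId;
            }
        }
    }

    // Unsalted one-shot digest, hex encoded; this only fits the legacy "passwords stored
    // as hashed values" case password_hash exists for, not a new password store.
    static String hexDigest(String algorithm, String password) throws IOException {
        try {
            byte[] d = MessageDigest.getInstance(algorithm)
                    .digest(password.getBytes(StandardCharsets.UTF_8));
            return HexFormat.of().formatHex(d);            // Java 17+
        } catch (NoSuchAlgorithmException e) {
            throw new IOException("unknown password_hash algorithm: " + algorithm, e);
        }
    }
}
```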
    • encodePassword

      public String encodePassword(String password) throws IOException
      For this method to be available from application code, this servlet should be set to load on startup and code similar to the following example invoked.
      LoginServlet ls = (LoginServlet) WebApp.allServletsMap.get("fc.web.servlet.LoginServlet");
      if (ls == null) {
          // can happen if servlet is not loaded yet
          throw new Exception("Unexpected error: LoginServlet was null");
      }
      return ls.encodePassword(passwd);
      Throws:
      IOException
    • onLogin

      public void onLogin(Connection con, String sid, String username, jakarta.servlet.http.HttpServletRequest req, jakarta.servlet.http.HttpServletResponse res) throws SQLException, IOException
      This method is invoked upon successful login. By default, it does nothing but subclasses can override this method as needed.
      Parameters:
      con - a connection to the database
      sid - the session id for this user
      username - the username for this user (that was used to login the user via the login query)
      Throws:
      SQLException
      IOException
    • onLogout

      public void onLogout(Connection con, String sid, jakarta.servlet.http.HttpServletRequest req, jakarta.servlet.http.HttpServletResponse res) throws SQLException, IOException
      This method is invoked upon successful logout. By default, it does nothing but subclasses can override this method as needed.
      Parameters:
      con - a connection to the database
      sid - the session id for this user
      Throws:
      SQLException
      IOException