fc.web.servlet

Class LoginServlet

java.lang.Object

javax.servlet.GenericServlet

javax.servlet.http.HttpServlet

fc.web.servlet.FCBaseServlet

fc.web.servlet.LoginServlet

All Implemented Interfaces:

Serializable, javax.servlet.Servlet, javax.servlet.ServletConfig

public class LoginServlet
extends FCBaseServlet

Logs in/logs out the user. Works in conjunction with JDBCAuthFilter and the login page of the application. (handles the submit from the HTML login form). Moreover, the application can logout the user by invoking this servlet with an additional act=logout query string. Uses JDBCSession to create/delete session id's automatically on successful logins/logouts.

Requires the following servlet initialization parameters

• welcome_page the webapp relative path to the welcome page to be shown after a successful login.
• login_page the webapp relative path to the login page.
• logout_welcome_page the webapp relative path to the welcome page to be shown after a successful logout. (this parameter is optional and if not specified, the welcome_page will be used).

On login failure, the following attributes are set in the request before control is transferred to the login page via a server side redirect.

1. retrycount, value is a Integer object representing the number of times login has been unsuccessfuly tried. Note: the login page should read this attribute if present and store it in the form as a hidden parameter. When the login form is submitted, this variable will be sent back to this servlet in the request as a parameter and upon login failure, be appropriately incremented.

On login success, the following attributes are set as a cookie on the client. This cookie is removed on logout.

1. SID_COOKIE_NAME the session ID assigned to the user. After logging in, a session will exist in the database. JDBCSession can thereafter be used to store any information for that session in the database via the session ID.
2. user.name, the name of the user that was succefully used to login to the system. (this is useful for displaying the username in the front end page without hitting the database everytime).

In addition, upon successful login, the onLogin(java.sql.Connection, java.lang.String, java.lang.String, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse) method is invoked. This method can be overriden as necessary by subclasses. Similarly, In addition, upon successful logout, the onLogout(java.sql.Connection, java.lang.String, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse) method is invoked.

The servlet requires the following request parameters from the login form:

• username
• password

The following request parameters are optional.

• target if present (either as a cookie or in the URL), the client is redirected to the URL specified by the target (otherwise the client is redirected to the welcome_page after login/logout). The AuthFilter automatically stores the original target page as a parameter (URLEncoded) so that users are seamlessly redirected to their original target after a successful login or logout.

Requires the following database schema:

A Users table must exist. (note: "user" is a reserved word in many databases, the table must be called Users.

The following columns must exist in the Users table.
1. user_id the user id
2. username the name of the user (corresponds to the username parameter in the login form)
3. password the password for the user (corresponds to the password parameter in the login form).

The class will use the DBOMgr framework so a UserMgr class corresponding to the aforementioned User table must exist in the classpath of this servlet.

Since this class uses JDBCSession, the default database tables required by JDBCSession also must exist.

For security reasons, for logging in, the username/password form must be submitted via a POST (GET is fine when logging out).

See Also:

Serialized Form

Field Summary

Fields

Modifier and Type	Field and Description
static String	SID_COOKIE_NAME value = "sid"

Constructor Summary

Constructors

Constructor and Description
LoginServlet()

Method Summary

Modifier and Type	Method and Description
void	doGet(javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse res)
void	doPost(javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse res)
String	encodePassword(String password) For this method to be available from application code, this servlet should be set to load on startup and code similar to the following example invoked.
static javax.servlet.http.Cookie	getSIDCookie(javax.servlet.http.HttpServletRequest req) Returns the cookie corresponding to the "sid".
void	init(javax.servlet.ServletConfig conf)
void	onLogin(Connection con, String sid, String username, javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse res) This method is invoked upon successful login.
void	onLogout(Connection con, String sid, javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse res) This method is invoked upon successful login.
String	validateUser(Connection con, String username, String password) This method validates the specified username/password.

Methods inherited from class fc.web.servlet.FCBaseServlet

destroy, getLog, stats, toString

Methods inherited from class javax.servlet.http.HttpServlet

service

Methods inherited from class javax.servlet.GenericServlet

getInitParameter, getInitParameterNames, getServletConfig, getServletContext, getServletInfo, getServletName, init, log, log

Methods inherited from class java.lang.Object

equals, getClass, hashCode, notify, notifyAll, wait, wait, wait

Field Detail

SID_COOKIE_NAME

public static final String SID_COOKIE_NAME

value = "sid"

See Also:

Constant Field Values

Constructor Detail

LoginServlet

public LoginServlet()

Method Detail

init

public void init(javax.servlet.ServletConfig conf)
          throws javax.servlet.ServletException

Specified by:

init in interface javax.servlet.Servlet

Overrides:

init in class FCBaseServlet

Throws:

javax.servlet.ServletException

getSIDCookie

public static javax.servlet.http.Cookie getSIDCookie(javax.servlet.http.HttpServletRequest req)

Returns the cookie corresponding to the "sid". (this cookie has key = SID_COOKIE_NAME and the value is the SID created/set at login time). Returns null is no sid cookie is found.

doGet

public void doGet(javax.servlet.http.HttpServletRequest req,
                  javax.servlet.http.HttpServletResponse res)
           throws javax.servlet.ServletException,
                  IOException

Overrides:

doGet in class javax.servlet.http.HttpServlet

Throws:

javax.servlet.ServletException

IOException

doPost

public void doPost(javax.servlet.http.HttpServletRequest req,
                   javax.servlet.http.HttpServletResponse res)
            throws javax.servlet.ServletException,
                   IOException

Overrides:

doPost in class javax.servlet.http.HttpServlet

Throws:

javax.servlet.ServletException

IOException

validateUser

public String validateUser(Connection con,
                           String username,
                           String password)
                    throws SQLException,
                           IOException

This method validates the specified username/password.

This class should be subclassed to override this method and validate the supplied username/password against a database in a different fashion if desired. The default implmentation of this method works with the following initialization parameters.

• login_query (required): the query string to validate if this username/passwrod combination exists. This query string should in PreparedStatement format with 2 question marks (the first one will be set with the username and the 2nd with the password).
• password_hash (optional): if present, should contain the name of the java cryto hash function to hash the password before comparing it with the database (this is for cases where the passwords are stored as hashed values in the database). Examples include MD5, SHA-1 etc.

This method should return the following values:

• If authentication failed: null
• If authentication succeeded:
  1. If the returned string is non-null and non-empty, then it should contain the userid for the authenticated user and this userid is stored in the JDBCSession.
  2. If the user authenticated succeeds, a non-null string containing a unique username or userid should be returned. (the username/userid should be the Primary key field used in the database to uniquely identify a user).

Throws:

SQLException

IOException

encodePassword

public String encodePassword(String password)
                      throws IOException

For this method to be available from application code, this servlet should be set to load on startup and code similar to the following example invoked.

LoginServlet ls = (LoginServlet) WebApp.allServletsMap.get("fc.web.servlet.LoginServlet"); if (ls == null) { //can happen if servlet is not loaded yet throw new Exception("Unexpected error: LoginServlet was null"); } return ls.encodePassword(passwd);

Throws:

IOException

onLogin

public void onLogin(Connection con,
                    String sid,
                    String username,
                    javax.servlet.http.HttpServletRequest req,
                    javax.servlet.http.HttpServletResponse res)
             throws SQLException,
                    IOException

This method is invoked upon successful login. By default, it does nothing but subclasses can override this method as needed.

Parameters:

con - a connection to the database

username - the username for this user (that was used to login the user via the login query)

sid - the session id for this user

Throws:

SQLException

IOException

onLogout

public void onLogout(Connection con,
                     String sid,
                     javax.servlet.http.HttpServletRequest req,
                     javax.servlet.http.HttpServletResponse res)
              throws SQLException,
                     IOException

This method is invoked upon successful login. By default, it does nothing but subclasses can override this method as needed.

Parameters:

con - a connection to the database

sid - the session id for this user

Throws:

SQLException

IOException