Re: Web App Design Help, Please

Discussion in 'Java' started by Wendy S, Jul 24, 2003.

  1. Wendy S

    Wendy S Guest

    Talking with Tonz - Emery Z. Balint Jr. wrote:
    > But when I make the logout (I invalidate the session), users can still use
    > the back button, refresh, and see the data again. That part is really
    > driving me nuts.


    What does your logout code look like? Invalidating the session should do
    it... if you've stored something in the session saying they're "logged in,"
    that will be gone and your Controller Servlet should send them back to the
    login page.

    Print out the session details all over the place and see if you can tell if
    you're getting a new session, and then inadvertently accepting the user as
    logged in when you shouldn't, or whether you're still working with the old
    session that's supposed to be invalid.

    Without seeing some code, it's pretty hard to pin it down.

    --
    Wendy in Chandler, AZ
     
    Wendy S, Jul 24, 2003
    #1

  2. Hello,

    Okay, here is what I've come up with. It works ok for the first time, but
    after logging out, it no longer functions at all. You really don't need much
    to run this, but you can punch in a fake username, password not needed.

    1. If you enter a fake username and hit login for the first time you load
    the app in the browser, that works great.
    2. You can even go between the mod_user.jsp and whatever.jsp pages without a
    hitch.
    3. Now logout.
    4. Either: A: hit the back button on the browser right after logging out and
    hit refresh or B: use the "Login Again?" link.
    5. This works well, it always takes you back to the login screen (thus
    protecting the precious data). But then when you try to login again, it
    won't let you.

    This is where I'm a bit lost. Any further help would be appreciated.

    Emery.

    P.S. Don't worry about the user authentication parts. I'll be doing that
    later and hopefully shouldn't have a problem with that.
    /\^/\^/\
    Sun Certified Java Programmer
    www.websamba.com/javarobotics/
    E-stronomy - Astronomical Resources
    www.websamba.com/e-stronomy/

    > What does your logout code look like? Invalidating the session should do
    > it... if you've stored something in the session saying they're "logged in,"
    > that will be gone and your Controller Servlet should send them back to the
    > login page.
    >
    > Print out the session details all over the place and see if you can tell if
    > you're getting a new session, and then inadvertently accepting the user as
    > logged in when you shouldn't, or whether you're still working with the old
    > session that's supposed to be invalid.
    >
    > Without seeing some code, it's pretty hard to pin it down.
    >
    > --
    > Wendy in Chandler, AZ




    ===================================
    Controller.java
    (in the "src\com\nsae\testdb1\controller" folder)
    ===================================
    package com.nsae.testdb1.controller;

    import javax.servlet.*;
    import javax.servlet.http.*;

    import java.io.*;

    import com.nsae.testdb1.*;

    public class Controller extends HttpServlet {

        protected static final String LOGIN_PAGE = "/login.html";
        protected static final String MOD_USER_PAGE = "/mod_user.jsp";
        protected static final String ADD_USER_PAGE = "/add_user.jsp";
        protected static final String DEL_USER_PAGE = "/del_user.jsp";
        protected static final String UPD_USER_PAGE = "/upd_user.jsp";
        protected static final String WHATEVER_PAGE = "/whatever.jsp";
        protected static final String LOGOUT_PAGE = "/logout.html";

        public void doGet(HttpServletRequest req, HttpServletResponse res)
                throws ServletException, IOException {
            doPost(req, res);
        }

        public void doPost(HttpServletRequest req, HttpServletResponse res)
                throws ServletException, IOException {
            String formAction = req.getParameter("form_action");
            String forwardTo = LOGIN_PAGE;

            if ((formAction == null) || (formAction.equals(""))) {
                // No action (reached via index.jsp): only make sure a session exists,
                // then fall through to the login page.
                HttpSession session = req.getSession(true);

            } else if (formAction.equals("login")) {
                // Login is accepted only when the browser already carries a live,
                // non-new session (the one created by the empty-action request above).
                HttpSession session = req.getSession(false);

                if (session != null && (!session.isNew())) {
                    UserCheck uC = new UserCheck(req.getParameter("username"));
                    session.setAttribute("userName", uC);
                    req.setAttribute("servletPath", getFullServletPath(req));
                    session.setMaxInactiveInterval(300);
                    forwardTo = MOD_USER_PAGE;
                } else {
                    forwardTo = LOGIN_PAGE;
                }

            } else if (formAction.equals("user_mod")) {
                HttpSession session = req.getSession(false);

                if (session != null && (!session.isNew())) {
                    req.setAttribute("servletPath", getFullServletPath(req));
                    forwardTo = MOD_USER_PAGE;
                } else {
                    forwardTo = LOGIN_PAGE;
                }

            } else if (formAction.equals("whatever")) {
                HttpSession session = req.getSession(false);

                if (session != null && (!session.isNew())) {
                    req.setAttribute("servletPath", getFullServletPath(req));
                    forwardTo = WHATEVER_PAGE;
                } else {
                    forwardTo = LOGIN_PAGE;
                }

            } else if (formAction.equals("logout")) {
                HttpSession session = req.getSession(false);

                // Invalidate the session and show the logout page; with no valid
                // session, forwardTo stays LOGIN_PAGE.
                if (session != null && req.isRequestedSessionIdValid()) {
                    session.invalidate();
                    forwardTo = LOGOUT_PAGE;
                }
            }

            RequestDispatcher rD = req.getRequestDispatcher(forwardTo);
            rD.forward(req, res);
        }

        // Context path plus servlet path, e.g. "/testdb1app/testdb1".
        protected String getFullServletPath(HttpServletRequest req) {
            String servlet = req.getServletPath();
            String ctxPath = req.getContextPath();
            return (ctxPath + servlet);
        }

    }

    ===================================
    UserCheck.java (will be implemented later)
    (in the "src\com\nsae\testdb1" folder)
    ===================================
    package com.nsae.testdb1;

    // Session-scoped bean holding the logged-in user's name; the JSPs read it
    // through <jsp:useBean id="userName" ... scope="session"/>.
    public class UserCheck {

        private String userName = "";

        public UserCheck() {
        }

        public UserCheck(String uN) {
            userName = uN;
        }

        public String getUserName() {
            return userName;
        }

        public void setUserName(String uN) {
            userName = uN;
        }

    }

    ===================================
    index.jsp
    (in the "web" folder)
    (this simply forwards the browser to
    the servlet so an initial session can be established)
    ===================================
    <jsp:forward page="testdb1"/>

    ===================================
    login.html
    (in the "web" folder)
    ===================================
    <html>

    <head>
    <title>Login</title>
    </head>

    <body bgcolor="#FFFFFF">
    Please login:

    <p>
    <form action="testdb1" method="post">
    <input type="hidden" name="form_action" value="login">
    <input type="text" name="username" size="20"> - Username<br>
    <input type="text" name="password" size="20"> - Password<br>
    <input type="submit" value="Submit">
    <input type="reset" value="Reset">
    </form>

    </body>

    </html>

    ===================================
    logout.html
    (in the "web" folder)
    ===================================
    <html>

    <head>
    <title>Logout</title>
    </head>

    <body bgcolor="#FFFFFF">
    Thanks for logging out!

    <p>
    <a href="index.jsp">Login Again?</a>

    </body>

    </html>

    ===================================
    mod_user.jsp
    (in the "web" folder)
    ===================================
    <jsp:useBean id="servletPath" class="java.lang.String" scope="request"/>
    <jsp:useBean id="userName" class="com.nsae.testdb1.UserCheck"
    scope="session"/>

    <html>

    <head>
    <title>Modify User</title>
    </head>

    <body bgcolor="#FFFFFF">
    <a href="testdb1?form_action=whatever">Whatever</a> |
    <a href="testdb1?form_action=logout">Logout</a>

    <p>
    Hi <%=userName.getUserName()%>!

    <p>
    Add User:

    <p>
    <form action="testdb1" method="post">
    <input type="hidden" name="form_action" value="add_user">
    <input type="text" name="username" size="20"> - Username<br>
    <input type="text" name="password" size="20"> - Password<br>
    <input type="submit" value="Add">
    <input type="reset" value="Reset">
    </form>

    Modify User Information:

    <p>
    <form action="testdb1" method="post">
    <input type="hidden" name="form_action" value="mod_user">
    <input type="hidden" name="user_id" value="user_id">
    <input type="text" name="username" size="20"> - Username<br>
    <input type="text" name="password" size="20"> - Password<br>
    <input type="submit" value="Update">
    <input type="reset" value="Reset">
    </form>

    <p>
    Delete User:

    <p>
    <form action="testdb1" method="post">
    <input type="hidden" name="form_action" value="del_user">
    <input type="hidden" name="user_id" value="user_id">
    <input type="submit" value="Delete">
    <input type="reset" value="Reset">
    </form>

    </body>

    </html>

    ===================================
    whatever.jsp
    (in the "web" folder)
    ===================================
    <jsp:useBean id="servletPath" class="java.lang.String" scope="request"/>
    <jsp:useBean id="userName" class="com.nsae.testdb1.UserCheck"
    scope="session"/>

    <html>

    <head>
    <title>Just a Session Test</title>
    </head>

    <body bgcolor="#FFFFFF">
    <a href="testdb1?form_action=user_mod">Modify Users?</a> |
    <a href="testdb1?form_action=logout">Logout</a>

    <p>
    Hi <%=userName.getUserName()%>!

    </body>

    </html>

    ===================================
    web.xml
    (in the "web/WEB-INF" folder)
    ===================================
    <?xml version="1.0" encoding="ISO-8859-1" ?>

    <!DOCTYPE web-app
        PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
        "http://java.sun.com/dtd/web-app_2_3.dtd" >

    <web-app>
        <icon>
        </icon>
        <display-name>Test Database Application</display-name>
        <description>
            This is a test of a database editing application.
        </description>

        <servlet>
            <servlet-name>Controller</servlet-name>
            <description>
                Controller Servlet
            </description>
            <servlet-class>
                com.nsae.testdb1.controller.Controller
            </servlet-class>
        </servlet>

        <servlet-mapping>
            <servlet-name>Controller</servlet-name>
            <url-pattern>/testdb1</url-pattern>
        </servlet-mapping>
    </web-app>
     
    Talking with Tonz - Emery Z. Balint Jr., Jul 24, 2003
    #2

  3. Hello,

    Thank you for your comments. Interesting but I'm not using Struts, I must've
    done something very similar though to make you think that.

    I guess I understand what you're saying. So basically leave the session
    alone (so don't invalidate), just remove a stored username in the session
    and check for that in my Controller servlet. I will try that and see if it
    works.

    Emery.
    /\^/\^/\
    Sun Certified Java Programmer
    www.websamba.com/javarobotics/
    E-stronomy - Astronomical Resources
    www.websamba.com/e-stronomy/


    "Sudsy" <> wrote in message
    news:...
    > Talking with Tonz - Emery Z. Balint Jr. wrote:
    >
    > <snip>
    >
    > > 5. This works well, it always takes you back to the login screen (thus
    > > protecting the precious data). But then when you try to login again, it
    > > won't let you.
    > >
    > > This is where I'm a bit lost. Any further help would be appreciated.

    >
    > I notice that you use session.invalidate(). A word to the wise: NEVER
    > do this when using the Struts framework. There's a lot happening
    > under the covers and you can get yourself into a world of hurt trying
    > to fight with what Struts is doing transparently.
    > I don't know if my method is "standard" or not (I'm sure Wendy will
    > chime in) but I just use an attribute in the session. Here's a snippet
    > from a protected page:
    >
    > if( sess.getAttribute( "USERNAME" ) == null )
    > return( mapping.findForward( "login" ) );
    >
    > Once a user has logged-in successfully, I do this:
    >
    > sess.setAttribute( "USERNAME", some_user_identification );
    >
    > When processing the logout, just do this:
    >
    > sess.removeAttribute( "USERNAME" );
    >
    > It works just fine in real applications.
    >
     
    Talking with Tonz - Emery Z. Balint Jr., Jul 24, 2003
    #3
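The pattern the replies converge on, stated in code: keep a "logged in" marker attribute in the session (Sudsy's USERNAME attribute, or the userName bean Emery already stores) and let the controller decide from that marker rather than from whether a non-new session happens to exist. This is an added example, not code from the thread or from Emery's project. It assumes the Servlet 2.3 API (javax.servlet), the page names and the "form_action" parameter from Emery's post, and a hypothetical class name SessionController. Two pieces are this example's own additions, not something the thread discusses: the Cache-Control/Pragma/Expires headers, which address the back-button symptom from the first post (a page served with no-store is not replayed from the browser cache), and invalidating any pre-existing session before creating the login session, which gives every login a fresh session id. The describeSession() helper is Wendy's "print out the session details" suggestion, one line per request.

```java
// Added example, not the thread's code. Assumes Servlet 2.3 (javax.servlet),
// Emery's page names and "form_action" parameter; class name is hypothetical.
package com.nsae.testdb1.controller;

import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class SessionController extends HttpServlet {

    private static final String LOGIN_PAGE    = "/login.html";
    private static final String LOGOUT_PAGE   = "/logout.html";
    private static final String MOD_USER_PAGE = "/mod_user.jsp";
    private static final String WHATEVER_PAGE = "/whatever.jsp";
    private static final String USER_ATTR     = "userName";   // the login marker

    public void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        doPost(req, res);
    }

    public void doPost(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        String action = req.getParameter("form_action");
        if (action == null) action = "";

        noCache(res);                   // added here: keeps protected pages out of the browser cache
        log(describeSession(req));      // Wendy's suggestion: see what session each request carries

        if (action.equals("login")) {
            // Password checking is out of scope, as in the original post.
            String user = req.getParameter("username");
            if (user == null || user.trim().length() == 0) {
                forward(req, res, LOGIN_PAGE);
                return;
            }
            // Added here: drop whatever session the browser still carries (valid or
            // not) and create a fresh one for this login. Because the session is
            // created at login time, a session invalidated by an earlier logout
            // cannot block a later login.
            HttpSession old = req.getSession(false);
            if (old != null) old.invalidate();
            HttpSession session = req.getSession(true);
            session.setAttribute(USER_ATTR, user.trim());
            session.setMaxInactiveInterval(300);
            forward(req, res, MOD_USER_PAGE);
            return;
        }

        if (action.equals("logout")) {
            HttpSession session = req.getSession(false);
            if (session != null) {
                session.invalidate();   // the marker goes with everything else
            }
            // Redirect instead of forward: the history entry is then the logout
            // page itself, so back/refresh does not resubmit the logout action.
            res.sendRedirect(req.getContextPath() + LOGOUT_PAGE);
            return;
        }

        // Every other action is a protected page: require the marker.
        if (!isLoggedIn(req)) {
            forward(req, res, LOGIN_PAGE);
            return;
        }
        req.setAttribute("servletPath", req.getContextPath() + req.getServletPath());
        forward(req, res, action.equals("whatever") ? WHATEVER_PAGE : MOD_USER_PAGE);
    }

    /** True only if a live session exists and carries the login marker. */
    static boolean isLoggedIn(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        return session != null && session.getAttribute(USER_ATTR) != null;
    }

    /** One-line session summary for the servlet log. */
    static String describeSession(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        return "requestedId=" + req.getRequestedSessionId()
             + " requestedIdValid=" + req.isRequestedSessionIdValid()
             + " session=" + (session == null ? "none" : session.getId())
             + " isNew=" + (session != null && session.isNew())
             + " user=" + (session == null ? null : session.getAttribute(USER_ATTR));
    }

    /** Tell browsers and proxies not to store the response. */
    private static void noCache(HttpServletResponse res) {
        res.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        res.setHeader("Pragma", "no-cache");
        res.setDateHeader("Expires", 0);
    }

    private static void forward(HttpServletRequest req, HttpServletResponse res, String page)
            throws ServletException, IOException {
        RequestDispatcher rd = req.getRequestDispatcher(page);
        rd.forward(req, res);
    }
}
```

With this layout the empty-action request from index.jsp no longer needs to pre-create a session, and the logout branch no longer needs isRequestedSessionIdValid(): a stale cookie simply yields a null session. Whether the protected JSPs are forwarded to (as here) or served directly, the no-store headers set before the forward stay on the response, so a back-button visit to mod_user.jsp is a fresh request that the marker check turns away.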
  4. Wendy S

    Jason Guest

    > I notice that you use session.invalidate(). A word to the wise: NEVER
    > do this when using the Struts framework. There's a lot happening
    > under the covers and you can get yourself into a world of hurt trying
    > to fight with what Struts is doing transparently.
    > I don't know if my method is "standard" or not (I'm sure Wendy will
    > chime in) but I just use an attribute in the session. Here's a snippet
    > from a protected page:


    This is the biggest reason why I'm not a Struts fan. I don't like
    having to build around a framework that is doing things without
    letting me know. In the end I end up spending more time dealing with
    the framework's peculiarities than I do building the software that my
    client needs. Not good business or development practice in my book.
    A "framework" should facilitate, not force its requirements on my
    development team.

    Just my 2 krupplenicks worth.
     
    Jason, Jul 29, 2003
    #4
