0
votes

I am starting to explore the world of Servlets and JSP, and successfully created a login system. But its implementation isn't as perfect as I expected it to be.

Scenario:

1> The user enters the username and password in index.jsp.

2> The request is sent to the servlet (login.login.java).

3> The servlet connects to the database and checks if the user is valid or not (using LoginBean.java, LoginDB.java and GetConnection.java, i.e. a bean class, a database query class and a DB connection class respectively).

4> If the user is validated, the user is redirected to home.jsp; else to Error.jsp (this is just a replica of index.jsp with some messages added).

Problems:

1> If I just open index.jsp in my browser and change the URL to home.jsp, I am able to bypass the servlet.

2> If I try storing the password in MySQL using MD5, i.e. PASSWORD('mypass'), I am not authenticated.

This is my doPost method:


    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String user = request.getParameter("user");
        String pass = request.getParameter("pass");
        LoginBean bean = new LoginBean();
        bean.SetUser(user);
        bean.SetPass(pass);
        // LoginDB compares the submitted credentials against the users table
        bean = LoginDB.check_login(bean);
        if (bean.isValid()) {
            // store the user identity in the session and send the browser to the home page
            HttpSession session = request.getSession(true);
            session.setAttribute("currentSessionUser", user);
            response.sendRedirect("home.jsp");
        } else {
            response.sendRedirect("Error.jsp");
        }
    }

I tried to modify my home.jsp and check for a valid session before loading the page, using the following:


<%
    // redirect to the login page when the session is not new
    if (!session.isNew()) {
        response.sendRedirect("index.jsp");
    }
%>

This fixes the URL sniffing, but it stops valid users from being redirected to home.jsp.

UPDATE:

As suggested by JB Nizet, I am trying to implement filters for this. But as I said, I am a learner, so I am not quite sure how to achieve this:

What do I have to do in my doFilter method?

I converted the ServletRequest object to an HttpServletRequest object using

HttpServletRequest req = (HttpServletRequest) request;

Now, using this req object, how do I know whether the user has actually clicked on the submit button or has directly changed the URL to bypass the servlet?

I am sorry, this must be very elementary, but I have been scratching my head on this for hours now. Please help me out.

Regards

Genocide_Hoax

1
For the first question, check the session value in the JSP; for the second, what is happening? More details... - Hardik Mishra
You mean I need to check the session attribute when my home.jsp is loading and redirect the user to index.jsp if the value is not set. I tried to implement it, but all in vain. Can you help me achieve it? - Genocide_Hoax
And for the second question: I am storing my value in the database using insert into users value('admin' , password('admin')). And I try to log in using admin and admin; it sends me to the invalid login page, i.e. I am not getting authenticated. Whereas if I insert the value using insert into users values('admin' , 'admin') everything works fine. - Genocide_Hoax
And where is the code for that try? Also, you should edit the question to provide more details. - Hardik Mishra

1 Answer

1
votes

Don't use Session.isNew(). Session handling and authentication are two different things. An unauthenticated user can (and will) have a non new session.

You should use a servlet filter, which will intercept every request sent to your application. This filter should check if the requested URL needs authentication. If so, and if the current user is not authenticated, it should redirect to a login page.

Once authenticated, you should store the user identity in the session. That's what will allow differentiating an authenticated session from an unauthenticated one. And that's also what will allow retrieving the current user in the application.

Of course, make sure not to include the login URL in the set of URLs that require authentication.

A filter is much more secure and clean than checking authentication in each and every page. It makes things centralized, avoids repeating the same code again and again, and has no risk of forgetting to add the required check in some pages.

Also, please respect the Java naming conventions. Methods start with a lowercase letter in Java.
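The filter the answer describes, written out as an added example (it is not code from the question or the answer). It reuses the "currentSessionUser" attribute that the question's doPost sets after a successful login, and it answers the UPDATE question directly: the filter does not try to tell a submit click apart from a typed URL; it only checks whether the session already carries an authenticated identity. The login servlet mapping "/login" and the welcome file index.jsp are assumptions; the public path set must match your real mappings, otherwise nobody can reach the login page.

```java
import java.io.IOException;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Intercepts every request of the web application ("/*") and lets an
// unauthenticated browser reach only the login-related pages.
@WebFilter("/*")
public class AuthenticationFilter implements Filter {

    // Session attribute written by the login servlet's doPost on success.
    private static final String USER_ATTRIBUTE = "currentSessionUser";

    // Paths that must stay reachable without authentication. The servlet
    // mapping "/login" is an assumption; replace it with the real mapping.
    private static final Set<String> PUBLIC_PATHS =
            Set.of("/index.jsp", "/Error.jsp", "/login");

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // Path relative to the application root, e.g. "/home.jsp".
        String path = req.getRequestURI().substring(req.getContextPath().length());
        if (path.isEmpty() || "/".equals(path)) {
            path = "/index.jsp"; // assumption: index.jsp is the welcome file
        }

        if (isPublic(path) || isAuthenticated(req)) {
            // Either the page needs no login or the session carries a user: continue.
            chain.doFilter(request, response);
            return;
        }

        // Typed URL or stale bookmark without a login: send the browser to the
        // login page instead of serving the protected resource.
        resp.sendRedirect(req.getContextPath() + "/index.jsp");
    }

    // getSession(false) never creates a session for an anonymous visitor; that is
    // why the attribute check works where session.isNew() does not: a new session
    // and an unauthenticated session are two different things.
    static boolean isAuthenticated(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        return session != null && session.getAttribute(USER_ATTRIBUTE) != null;
    }

    static boolean isPublic(String path) {
        return PUBLIC_PATHS.contains(path);
    }

    @Override
    public void destroy() {
    }
}
```

With this filter in place the scriptlet in home.jsp is no longer needed: the page can simply read session.getAttribute("currentSessionUser") to greet the user, because the filter guarantees it is set before home.jsp is served. If the application also serves CSS or images to the login page, add those paths (or a prefix check) to PUBLIC_PATHS, since "/*" catches them too.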