
logon servlet


plork123

Programmer
Mar 8, 2004
121
GB


Hi all,

I need to write a logon servlet - a user will come along, enter user credentials (username, password), and the servlet will authenticate them.

If authenticated I want to store a token (cookie) on the user's browser that expires after say 60 minutes.

Also, when authenticated the user is taken to a page using a URL where they can access our web services. How do I create the URL, so that it just can't be typed in?

Can anyone provide some sample code, as I'm new to httpcookie, httprequest, HttpServletRequest etc.

Thanks for any help offered
 
First write a JSP/HTML page that has user and password <input> tags, in a <form> which submits to a servlet.

Then write a servlet, which retrieves these values, using the request.getParameter() method in HttpServletRequest.

Then authenticate them using whatever method you use (I guess against a database, or LDAP or something).

Then with the rest of the site you have to check whether the user in that session is logged in or not - on every page you want to "protect". This is usually done using one or more of three methods:

- Store the value of "logged in" in the session (simplest).
- Store the value of "logged in" in a cookie (not advisable in my opinion).
- Store the value of "logged in" in a database (hardest, but most secure, but also slowest, though can persist across clustered servers where sessions may be different).

--------------------------------------------------
Free Database Connection Pooling Software
 


Hiya

I've started off like this :

Once I've put all the info into the session, I want the session to expire after say 60 mins, can you show me how to do this? Am I right in putting loads of info into the session?

Is this secure? Can I use other security methods so that a hacker can't get in?

A user puts in their credentials and they get validated. Then they can access other parts of the site which are going to be web services. When I get to the next stage of the WS, I will have to make sure those logged on are valid, how would I do this - would this be to put the session info in a SOAP envelope?



When you say store in a cookie is this the same as a token?


Sorry for all these questions



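import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LoginHandler extends HttpServlet
{
    public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException
    {
        String userName = request.getParameter("userName");
        String password = request.getParameter("password");

        // validateUser() is not shown in the post; it returns null when the credentials are rejected
        String validateUserName = validateUser(userName, password);

        if (validateUserName == null) // user not authorised
        {
            // do some stuff
        }
        else
        {
            // user is valid, so create a session
            HttpSession userSession = request.getSession(true);

            // put user credentials into session
            userSession.setAttribute("userName", userName);
            userSession.setAttribute("password", password);
            // record the login time
            userSession.setAttribute("timeNow", new java.util.Date());
        }
    }
}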
 
Session timeout in Tomcat :
Code:
<web-app>
  <session-config>
    <session-timeout>60</session-timeout>
  </session-config>

  ...
</web-app>

Yes, session information is fairly secure - it's stored on the server, so if your server is secure, then "it" is secure.

SOAP envelope ? What ? Why would you want to use SOAP to store session data ? Just store it in a session, or in a database like I suggested before.

--------------------------------------------------
Free Database Connection Pooling Software
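
The session approach discussed above, as an added example that is not code from any poster in this thread: a login servlet that issues a fresh session on success, and a filter that rejects requests for protected pages when the session carries no login marker, so typing the URL directly only leads back to the login form. The names `SessionLogin`, `checkCredentials`, `authUser`, `/login.jsp` and `/home` are assumptions, and `checkCredentials` is a deny-by-default placeholder for the real database or LDAP check.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example; class, attribute and path names are assumptions, not from the thread.
public class SessionLogin {

    /** Handles the login form POST. */
    public static class LoginServlet extends HttpServlet {
        @Override
        protected void doPost(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            String user = req.getParameter("userName");
            String pass = req.getParameter("password");
            if (user == null || pass == null || !checkCredentials(user, pass)) {
                resp.sendRedirect(req.getContextPath() + "/login.jsp?error=1");
                return;
            }
            // Discard any session that existed before login, so a session ID
            // handed out to an anonymous visitor is never promoted to a logged-in one.
            HttpSession old = req.getSession(false);
            if (old != null) old.invalidate();
            HttpSession session = req.getSession(true);
            session.setMaxInactiveInterval(60 * 60);  // seconds of inactivity (60 minutes)
            session.setAttribute("authUser", user);   // identity only; the password is not kept
            resp.sendRedirect(req.getContextPath() + "/home");
        }

        // Placeholder (assumption): replace with the database or LDAP lookup.
        private boolean checkCredentials(String user, String pass) {
            return false;
        }
    }

    /** Guards protected pages; map it to their URL patterns in web.xml. */
    public static class AuthFilter implements Filter {
        public void init(FilterConfig cfg) {}
        public void destroy() {}
        public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest req = (HttpServletRequest) rq;
            HttpSession session = req.getSession(false);  // never create one for anonymous users
            if (session == null || session.getAttribute("authUser") == null) {
                ((HttpServletResponse) rs).sendRedirect(req.getContextPath() + "/login.jsp");
                return;
            }
            chain.doFilter(rq, rs);
        }
    }
}
```

`setMaxInactiveInterval` takes seconds while `<session-timeout>` in web.xml takes minutes, and both measure inactivity rather than time since login. In web.xml the nested classes are referenced as `SessionLogin$LoginServlet` and `SessionLogin$AuthFilter`.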
 


I'm misunderstanding where SOAP fits in then.

If I write a logon servlet and generate a token to say user has been authenticated. When they go to the web services page, how do I know they are valid?

 
Hang on ... this thread was originally about a login servlet, and now you are talking about SOAP ? Perhaps you had better explain a little more about what you are ACTUALLY trying to achieve here.

--------------------------------------------------
Free Database Connection Pooling Software
 
Furthermore - your SOAP service should validate a user when the SOAP message is sent - not via some other context's "login servlet".

I really think it is time to go back to the tutorials - you seem to not have the necessary knowledge on the technologies you are using in order to write an efficient or decent system.

--------------------------------------------------
Free Database Connection Pooling Software
 


What am I trying to achieve? I have to write some web services. The user will come along and input some credentials that will be authenticated which will allow them access to our web services. Once the user is authenticated I want to show methods are available using WSDL.

I have said this is all new to me which is why I'm trying to get some help. Can you help? I've read tutorials and documentation, but nothing that shows how a user will get authenticated.

Many Thanks
 
SOAP doesn't work like that - either you publish your WSDL, or you don't - you cannot say "what's your name, and if it's 'Dan' then OK, here is my WSDL" ... it just doesn't work like that!

If you want to use SOAP, then you must publish your WSDL, and then have a username/password as parameters, and then authenticate.

--------------------------------------------------
Free Database Connection Pooling Software
 


Can you point me to some examples ? Pleeeeaaaaase
 
As I understand it, SOAP is basically a stateless service layer. Each SOAP request must carry the authentication details. Is this right, sedj? I last looked at SOAP about 5 years ago when it was in its embryonic stage.

Tim
---------------------------
"Your morbid fear of losing,
destroys the lives you're using." - Ozzy
 
Yes timw, that is correct - it's basically "send request, receive response" like any protocol built on HTTP.

plork123 ... what examples ? Of how to write a SOAP service ? Try the Apache Axis site.

--------------------------------------------------
Free Database Connection Pooling Software
 