e.g. Form-Based Log-in

Every protected resource should implement this:

import java.io.*;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;
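public class ProtectedResource extends HttpServlet {
  /** Session attribute set by LoginHandler once the user has logged in; absent otherwise. */
  private static final String LOGIN_DONE_ATTR = "logon.isDone";
  /** Session attribute holding the root-relative path to return to after log-in. */
  private static final String LOGIN_TARGET_ATTR = "login.target";

  /**
   * Serves the protected content, or redirects an unauthenticated client to the
   * log-in page after remembering where it wanted to go.
   *
   * @param req the current request; a session is created if none exists
   * @param res the response that receives either the content or the redirect
   * @throws ServletException propagated from the servlet container
   * @throws IOException if writing the response or the redirect fails
   */
  public void doGet(HttpServletRequest req, HttpServletResponse res)
                               throws ServletException, IOException {
    HttpSession session = req.getSession(true);
    if (session.getAttribute(LOGIN_DONE_ATTR) == null) {
      // Not logged in. Store only the local path (plus query string) of this
      // request, not a full URL assembled from the client-supplied Host header,
      // so the post-login redirect in LoginHandler can only point back into
      // this site.
      String target = req.getRequestURI();
      String query = req.getQueryString();
      if (query != null) {
        target = target + "?" + query;
      }
      session.setAttribute(LOGIN_TARGET_ATTR, target);
      // A root-relative location is resolved by the container against the
      // request's own scheme, host and port, so no absolute URL is built here.
      res.sendRedirect("/login.html");
      return;
    }
    // Logged in: the user may see the goods.
    res.setContentType("text/plain");
    PrintWriter out = res.getWriter();
    out.println("Credential Content displays here.");
  }
}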

Log-in Page
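<HTML>
<HEAD><TITLE>Login</TITLE></HEAD>
<BODY>
<!-- Posts the name and passwd parameters to LoginHandler. Serve this page
     and its action over HTTPS so the password is not sent in clear text. -->
<FORM ACTION="/servlet/LoginHandler" METHOD="POST">
<P>Name:
<INPUT TYPE="text" NAME="name" VALUE="" SIZE="15">
<P>Password:
<INPUT TYPE="password" NAME="passwd" VALUE="" SIZE="15">
<INPUT TYPE="submit" VALUE="OK">
</FORM>
</BODY>
</HTML>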

LoginHandler (invoked by the log-in page's form, which posts the name and passwd parameters)
import java.io.*;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;
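public class LoginHandler extends HttpServlet {
  /** Session attribute that marks a logged-in session; read by the protected resources. */
  private static final String LOGIN_DONE_ATTR = "logon.isDone";
  /** Session attribute written by the protected resources with the page to return to. */
  private static final String LOGIN_TARGET_ATTR = "login.target";

  /**
   * Checks the posted credentials, marks the session as logged in and sends the
   * client back to the page it originally asked for (or the site root).
   *
   * @param req the POST carrying the {@code name} and {@code passwd} parameters
   * @param res the response that receives the failure page or the redirect
   * @throws ServletException propagated from the servlet container
   * @throws IOException if writing the response or the redirect fails
   */
  public void doPost(HttpServletRequest req, HttpServletResponse res)
                                throws ServletException, IOException {
    String name = req.getParameter("name");
    String passwd = req.getParameter("passwd");
    if (!allowUser(name, passwd)) {
      res.setContentType("text/html");
      PrintWriter out = res.getWriter();
      out.println("<HTML><HEAD><TITLE>Access Denied</TITLE></HEAD>");
      out.println("<BODY>Your login and password are invalid.<BR>");
      out.println("You may want to <A HREF=\"/login.html\">try again</A>");
      out.println("</BODY></HTML>");
      return;
    }
    // Valid login. Carry the saved target over to a fresh session: the session
    // the client arrived with is invalidated and a new id issued, so an id that
    // existed before authentication is never promoted to a logged-in one
    // (session fixation).
    HttpSession old = req.getSession(false);
    Object saved = null;
    if (old != null) {
      saved = old.getAttribute(LOGIN_TARGET_ATTR);
      old.invalidate();
    }
    HttpSession session = req.getSession(true);
    session.setAttribute(LOGIN_DONE_ATTR, name); // just a marker object
    String target = localPath(saved instanceof String ? (String) saved : null);
    // No usable target saved: go to the site root. A root-relative location is
    // resolved by the container against the request's own scheme, host and
    // port, so nothing is built from the client-supplied Host header.
    res.sendRedirect(target != null ? target : "/");
  }

  /**
   * Reduces a saved target to a root-relative path (plus query) on this site.
   * Any scheme or authority present in the stored value is discarded, so the
   * redirect cannot leave the site even if the attribute held a foreign URL.
   *
   * @param target the stored value, or {@code null}
   * @return the local path with optional query, or {@code null} if the value is
   *     absent, not a parseable URI, or has no path starting with {@code /}
   */
  static String localPath(String target) {
    if (target == null) {
      return null;
    }
    try {
      URI uri = new URI(target);
      String path = uri.getRawPath();
      if (path == null || !path.startsWith("/")) {
        return null;
      }
      String query = uri.getRawQuery();
      return query == null ? path : path + "?" + query;
    } catch (URISyntaxException e) {
      return null;
    }
  }

  /**
   * Placeholder credential check: this sample accepts every name/password pair.
   * A real deployment must override or replace it with an actual verification
   * (for example, compare against a stored password hash with a constant-time
   * comparison, and reject {@code null} or blank input).
   *
   * @param user the submitted user name
   * @param passwd the submitted password
   * @return {@code true} for every input in this sample
   */
  protected boolean allowUser(String user, String passwd) {
    return true; // trust everyone
  }
}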

How it works: every page first checks that the user is authenticated and authorized. If not, it stores the current page in the session object as the target to return to after a successful log-in, and redirects to the log-in page. The log-in page asks the user for a username and password and posts them to the log-in handler. After the log-in handler verifies them, the user is redirected to the target already stored in the session.


