Authenticating the username, password by using filters in Java (contacting with database)


Problem description

The following is a piece of Java code using filters that shows the error page every time, even if the username and password are correct. Please help me, I don't have much knowledge of this concept.

String sql="select * from reg where username='"+user+"' and pass='"+pwd+"'";
rs=st.executeQuery(sql);
if(rs.next())
{
    chain.doFilter(request,response);
}
else
    sc.getRequestDispatcher("/error.html").forward(request,response);

Recommended answer

String sql="select * from reg where username='"+user+"' and pass='"+pwd+"'";

This is an extremely bad practice. This approach requires that both username and password be passed around plain vanilla through requests. Moreover, you have a SQL injection attack hole there.

Make use of sessions; in JSP/Servlet you have the HttpSession for that. There is really also no need to hit the DB again and again on every request using a Filter. That's unnecessarily expensive. Just put the User in the session using a Servlet and use the Filter to check its presence on every request.

Start with /login.jsp:

<form action="login" method="post">
    <input type="text" name="username">
    <input type="password" name="password">
    <input type="submit"> ${error}
</form>

Then, create a LoginServlet which is mapped on a url-pattern of /login and has doPost() implemented as follows:

String username = request.getParameter("username");
String password = request.getParameter("password");
User user = userDAO.find(username, password);

if (user != null) {
    request.getSession().setAttribute("user", user); // Put user in session.
    response.sendRedirect("/secured/home.jsp"); // Go to some start page.
} else {
    request.setAttribute("error", "Unknown login, try again"); // Set error msg for ${error}
    request.getRequestDispatcher("/login.jsp").forward(request, response); // Go back to login page.
}

Then, create a LoginFilter which is mapped on a url-pattern of /secured/* (you can choose your own however, e.g. /protected/*, /restricted/*, /users/*, etc., but this must at least cover all secured pages; you also need to put the JSPs in the appropriate folder in WebContent) and has doFilter() implemented as follows:

HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
HttpSession session = request.getSession(false);
String loginURI = request.getContextPath() + "/login.jsp";

boolean loggedIn = session != null && session.getAttribute("user") != null;
boolean loginRequest = request.getRequestURI().equals(loginURI);

if (loggedIn || loginRequest) {
    chain.doFilter(request, response); // User is logged in, just continue request.
} else {
    response.sendRedirect(loginURI); // Not logged in, show login page.
}

That should be it. Hope this helps.

To get an idea of how a UserDAO would look, you may find this article useful. It also covers how to use PreparedStatement to save your webapp from SQL injection attacks.

  • How to redirect to Login page when Session is expired in Java web application?
  • Authentication filter and servlet for login
  • How to handle authentication/authorization with users in a database?
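As an added example that is not part of the answer above, this is what the UserDAO.find() called by the LoginServlet could look like once the concatenated query from the question is replaced with a PreparedStatement. It assumes a javax.sql.DataSource is available, the question's reg table with username and pass columns, and a hypothetical User bean.

```java
// Added example (not the answer's own code): UserDAO.find() backed by a
// PreparedStatement instead of the string-concatenated query from the question.
// Assumptions: a javax.sql.DataSource is injected, the table is `reg` with the
// columns `username` and `pass` from the question, and User is a simple bean.
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.sql.DataSource;

public class UserDAO {

    // The ? placeholders are bound as values, so whatever the user types into
    // the login form is compared literally and can never rewrite the query.
    private static final String SQL_FIND =
        "SELECT username FROM reg WHERE username = ? AND pass = ?";

    private final DataSource dataSource;

    public UserDAO(DataSource dataSource) {
        this.dataSource = dataSource;
    }

    /** Returns the matching User, or null when no row matches (unknown login). */
    public User find(String username, String password) throws SQLException {
        try (Connection conn = dataSource.getConnection();
             PreparedStatement ps = conn.prepareStatement(SQL_FIND)) {
            ps.setString(1, username);
            // The question's schema compares `pass` directly; a real deployment
            // should store a salted hash in that column and verify against it.
            ps.setString(2, password);
            try (ResultSet rs = ps.executeQuery()) {
                if (rs.next()) {
                    return new User(rs.getString("username"));
                }
                return null;
            }
        }
    }
}

// Minimal bean stored under the "user" session attribute checked by LoginFilter.
class User {
    private final String username;
    User(String username) { this.username = username; }
    public String getUsername() { return username; }
}
```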
