JavaServer Pages 10.2.6 Logging Out Since the proof

December 29, 2006 on 1:41 am | In Java | No Comments

10.2.6 Logging Out

Since the proof of authentication is kept in the session scope, the user will be automatically logged out when the session times out. But even so, an application that requires authentication should always provide a way for the user to explicitly log out. This way a user can be sure that if he or she leaves the desk, no one else can come by and use the application. The main page in the example application contains a link to the logout page, shown in Example 10.7.

Example 10.7. Logout Page (logout.jsp)

<%@ page language="java" %>
<%@ taglib uri="/orataglib" prefix="ora" %>
<%-- Terminate the session and redirect to the login page. --%>
<% session.invalidate( ); %>

This page explicitly terminates the session by calling the invalidate( ) method of the session object in a scriptlet, and then redirects back to the login page. All objects kept in the session are removed and the session is marked as invalid. The next time someone logs in, a new session is created.

If you want to test the examples described in this chapter, you first must create at least one user with the application we developed in Chapter 9. To see how the automatic redirect to the originally requested page works, you can open two browser windows and log in from both. They both share the same session, so if you log out using one window and then try to load the "post a new message" page with the other, you will first be redirected to the login page. After you've entered your username and password, you're redirected to the page for posting a message.

10.3 Other Security Concerns

In this chapter we have discussed only authentication and access control, but there's a lot more to web application security. You also need to ensure that no one listening on the network can read the data. In addition, you need to consider ways to verify that the data has not been modified.
The common terms for these concepts (also used in the Servlet 2.2 specification) are confidentiality and data privacy for the first, and integrity checking for the second. On an intranet, users can usually be trusted not to use network listeners to get to data they shouldn't see. But on the Internet, you can make no assumptions. If you provide access to sensitive data, you have to make sure it's protected appropriately. Network security is a huge subject area, and clearly not within the scope of this Java blog. Therefore I will touch on only the most common way to take care of both confidentiality and integrity checking: the Secure Socket Layer (SSL) protocol.

SSL is a protocol based on public key cryptography: it relies on a public key and a private key pair. Messages sent by someone, or something (such as a server), are encoded using the private key, and can be decoded by the receiver only by using the corresponding public key. Besides confidentiality and integrity checking, public key cryptography also provides the means for very secure authentication: if a message can be decoded with a certain public key, you know it was encoded with the corresponding private key.

The keys are issued, in the form of certificates together with user identity information, by a trusted organization such as VeriSign (http://www.verisign.com). Both the client and the server can have certificates. However, the most common scenario today is that only the server has a certificate, and can thereby positively identify itself to the client. The SSL protocol takes care of this server authentication during the handshaking phase of setting up the connection. If the server certificate doesn't match the server's hostname, the user is warned or the connection is refused. If the client also has a certificate, it can be used to authenticate the client to the server in a more secure fashion than basic and digest authentication.


JavaServer Pages DELETE FROM EmployeeProjects WHERE UserName =

December 28, 2006 on 7:07 pm | In Java | No Comments

JavaServer Pages

<%-- Delete the old project (if any) and insert the new ones --%>
DELETE FROM EmployeeProjects WHERE UserName = ?
INSERT INTO EmployeeProjects (UserName, ProjectName) VALUES(?, ?)

The list of new projects selected by the user is sent to the updateprofile.jsp page in the projects request parameter. The projects bean property can therefore be updated using a <jsp:setProperty> action, setting the value to the result of the getParameterValues( ) method. As you may remember from Chapter 6, this method returns a String[] with all values for a parameter, and that's also the data type defined for the projects property in the bean.

One important item to note here: if the user deselects all checkboxes in the main.jsp page (Example 10.4), all projects should be removed from the bean as well. The problem is that if no checkbox is selected, the projects request parameter is not sent at all. You must therefore use the type of request-time attribute value shown in Example 10.6 for the <jsp:setProperty> action, as opposed to using the param property. The action calls a property setter method only if it can find a corresponding parameter in the request. With no checkbox selected, the projects property setter is not called and the previous value is not cleared. When you use the getParameterValues( ) method as a request-time attribute value, however, it works as it should: if no checkbox is selected the method returns null, clearing the property value; otherwise, it returns a String[] with the currently selected values, setting the property to the current list.

The EmployeeProjects table (Table 10.1) contains one row per project for a user, with the username in the UserName column and the project name in the ProjectName column. The easiest way to update the database information is to first delete all existing rows, if any, and then insert rows for the new projects selected by the user.
Since this requires execution of multiple SQL statements, and all must either succeed or fail, the update actions are placed within the body of a transaction action. If the first action is successful but one of the others fails, the database information deleted by the first is restored, so the database correctly reflects the state before the change.

To delete the rows in the database, use the SQL update action with a SQL DELETE statement. A WHERE clause is used so that only the rows for the current user are deleted. Then a loop action is used to iterate through all projects for the validUser bean. The body of the loop contains an update action that executes an INSERT statement for each project:

INSERT INTO EmployeeProjects (UserName, ProjectName) VALUES(?, ?)
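As an added example, not code from the book or its orataglib, the same delete-then-insert update written as a plain JDBC method with an explicit transaction. It assumes an open java.sql.Connection to a database holding the EmployeeProjects table from Table 10.1; a null projects array, which is what getParameterValues( ) returns when no checkbox is selected, clears the user's list.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

/** Replaces the EmployeeProjects rows of one user inside a single transaction. */
public class ProjectUpdater {

    /**
     * Deletes every existing project row for userName and inserts one row per
     * selected project. projects == null (no checkbox selected) leaves the
     * user with no projects. Either all statements commit or none does.
     * Returns the number of rows inserted.
     */
    public static int replaceProjects(Connection con, String userName, String[] projects)
            throws SQLException {
        boolean oldAutoCommit = con.getAutoCommit();
        con.setAutoCommit(false);               // start the transaction
        try (PreparedStatement del = con.prepareStatement(
                 "DELETE FROM EmployeeProjects WHERE UserName = ?");
             PreparedStatement ins = con.prepareStatement(
                 "INSERT INTO EmployeeProjects (UserName, ProjectName) VALUES(?, ?)")) {
            del.setString(1, userName);         // WHERE clause limits the delete to this user
            del.executeUpdate();
            int inserted = 0;
            if (projects != null) {
                for (String project : projects) {
                    ins.setString(1, userName);
                    ins.setString(2, project);
                    inserted += ins.executeUpdate();
                }
            }
            con.commit();                       // every statement succeeded
            return inserted;
        } catch (SQLException e) {
            con.rollback();                     // restores the rows the DELETE removed
            throw e;
        } finally {
            con.setAutoCommit(oldAutoCommit);
        }
    }
}
```

From updateprofile.jsp the call would be replaceProjects(con, validUser.getUserName(), request.getParameterValues("projects")), so the null-when-unselected behaviour described above maps directly onto clearing the rows.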

JavaServer Pages There are at least two ways

December 28, 2006 on 1:26 pm | In Java | No Comments

JavaServer Pages

There are at least two ways to deal with this. In Example 10.5, the action that checks that the user is logged in is followed by a scriptlet checking that the request for this page is a POST request. If not, it redirects to the main page without processing the request. This is the easiest way to deal with the problem, but it also means that the user will have to retype the message. The chance that a session times out before a form is submitted is small, so in most cases this is not a big deal. It's therefore the solution I recommend.

If you absolutely must find a way to not lose the POST parameters when a session times out, here is a brief outline of a solution:

1. Modify the action that sends the origURL parameter so that, if the page is invoked with a POST request, it sends a URL suitable for use as a forward URL, as opposed to a redirect URL. A forward URL must be relative to the servlet context path, while a redirect URL should be absolute.

2. Use a scriptlet in the login page to save all POST parameter values as hidden fields in the form, along with a hidden field that tells whether the original request was a GET or a POST request.

3. In the authentication page, forward to the originally requested URL if the method was a POST, and redirect only if it was a GET.

The authentication page is always invoked as a POST request. A forward is just a way to let another page continue to process the same request, so the originally requested page is invoked with a POST request as expected, along with all the originally submitted parameters saved as hidden fields in the login page. Depending on your application, you may also need to save session data as hidden fields in the page that submits the POST request, so that the requested page doesn't have to rely on session information.

But this leads to another problem. What if someone other than the user who filled out the form comes along and submits it? Information on the server will then be updated with data submitted on behalf of a user that's no longer logged in.
One way out of this is to save information about the current user as a hidden field in the form that sends the POST request, and let the authentication page compare this information with the new user's information. If they don't match, the client can be redirected to the main application page instead of forwarded to the originally requested URL.

As you can see, there are a number of things to think about. Whether or not it makes sense to address all the issues depends on the application. My general advice is to keep it simple and stick to the first solution unless your application warrants a more complex approach.

10.2.5 Updating the User Profile

The updateprofile.jsp page, used if the user makes new project selections in the main page and clicks Update Profile, is also invoked through the POST method. It follows the same approach as the storemsg.jsp page, and is shown in Example 10.6. What's interesting about the updateprofile.jsp page is that it shows how to replace multirow data for a user, and is an instance of when you need to care about transactions.

Example 10.6. Updating Multiple Database Rows (updateprofile.jsp)

<%@ page language="java" %>
<%@ taglib uri="/orataglib" prefix="ora" %>
<%-- Verify that the user is logged in --%>
<%-- Verify that it's a POST method --%>
<% if (!request.getMethod( ).equals("POST")) { %>
<% } %>
<%-- Make the bean available for scripting elements --%>
<%-- Update the project list in the bean --%>
<% if (!request.getMethod( ).equals("POST")) { %>
<% } %>
<%-- Create a new news item bean with the submitted info --%>
' maxAge="2592000" />
' maxAge="0" />
' />
<% } else { %>
<% } %>

If this parameter has a value, the browser is redirected to the originally requested page; otherwise, it is redirected to the main entry page for the application.
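As an added example, not part of the book or its orataglib, the "verify that the user is logged in" check and the timed-out POST handling described above written once as a servlet filter (javax.servlet API) instead of per page: a request whose session holds no validUser bean is sent to the login page, a GET carries its absolute URL in origURL so the authentication page can redirect back, and a POST carries an empty origURL so the user lands on the main page rather than re-submitting after a timeout. The login page name is an assumption.

```java
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Guards every page it is mapped to. Without a validUser bean in the session
 * the browser is redirected to the login page; origURL is filled only for GET
 * requests, so a POST made after a session timeout ends up on the main page.
 */
public class AccessControlFilter implements Filter {
    // Assumed name of the login page in the example application.
    private static final String LOGIN_PAGE = "/login.jsp";

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false);   // never create one here
        if (session != null && session.getAttribute("validUser") != null) {
            chain.doFilter(req, res);                       // logged in: continue
            return;
        }
        String origURL = "";
        if ("GET".equals(request.getMethod())) {
            // A redirect URL should be absolute, so keep the full request URL.
            StringBuffer url = request.getRequestURL();
            if (request.getQueryString() != null) {
                url.append('?').append(request.getQueryString());
            }
            origURL = url.toString();
        }
        String target = request.getContextPath() + LOGIN_PAGE
                      + "?origURL=" + URLEncoder.encode(origURL, "UTF-8");
        response.sendRedirect(response.encodeRedirectURL(target));
    }

    public void destroy() { }
}
```

Map the filter in web.xml to the protected pages only; the login and authentication pages themselves must stay outside the mapping or every visitor would loop back to the login page.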

JavaServer Pages Next, a scriptlet is used to

December 27, 2006 on 6:31 am | In Java | No Comments

JavaServer Pages

Next, a scriptlet is used to ensure that both the username and the password are passed as parameters. The same getParameter( ) method used in Example 10.2 is used here to retrieve the parameter values. If one or both parameters are missing, the redirect action sends the browser back to the login page again. Here you see how the errorMsg parameter used in the login page gets its value.

If the request contains both parameters, one of the database actions introduced in Chapter 9 is used to see if there's a user with the specified name and password in the database:

SELECT * FROM Employee WHERE UserName = ? AND Password = ?
<% if (empInfo.size( ) == 0) { %>

If the query doesn't match a registered user (i.e., empInfo.size( ) returns 0), an action redirects back to the login page with an appropriate error message. Otherwise, the processing continues.

10.2.3.1 Creating the validation object

If a user is found, the single row from the query result is extracted and the column values are used to populate the single-value properties of an EmployeeBean object. An EmployeeBean has the properties shown in Table 10.2.

Table 10.2. Properties for com.ora.jsp.beans.emp.EmployeeBean

Property Name   Java Type   Access       Description
userName        String      read/write   The employee's unique username
firstName       String      read/write   The employee's first name
lastName        String      read/write   The employee's last name
dept            String      read/write   The employee's department name
empDate         String      read/write   The employee's employment date in the format yyyy-MM-dd
emailAddr       String      read/write   The employee's email address
projects        String[]    read/write   A list of all projects the employee is involved in

The bean is named validUser and placed in the session scope using the standard <jsp:useBean> action. All properties are set to the values returned from the database using <jsp:setProperty> actions:

<% Row oneRow = (Row) empInfo.firstElement( ); %>
' />
' />
' />


JavaServer Pages SELECT * FROM EmployeeProjects WHERE UserName

December 26, 2006 on 11:36 pm | In Java | No Comments

JavaServer Pages

<% } else { %>
<%-- Create an EmployeeBean and save it in the session scope and redirect to the appropriate page. --%>
<% Row oneRow = (Row) empInfo.firstElement( ); %>
' />
' />
' />
<%-- Add the projects --%>
SELECT * FROM EmployeeProjects WHERE UserName = ?
<% String[] projects = new String[empProjects.size( )]; int i = 0; %>
<% projects[i++] = row.getString("ProjectName"); %>
' maxAge="2592000" />
<% } else { %>
' maxAge="0" />
<% } %>
<%-- Redirect to the main page or to the original URL, if invoked as a result of an access attempt to a protected page. --%>
<% if (request.getParameter("origURL").length( ) != 0) { %>
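As an added example, not code from the book or its orataglib, the two lookups that the authentication page performs (the Employee query above and the EmployeeProjects query in this fragment) written as one JDBC method that builds the validUser bean. It assumes an open java.sql.Connection, the EmployeeBean class with setters named after the properties in Table 10.2, and Employee column names (FirstName, LastName, Dept, EmpDate, EmailAddr) that mirror those properties; only UserName, Password and ProjectName are column names the page itself shows.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import com.ora.jsp.beans.emp.EmployeeBean;

/** Performs the authentication page's two queries and builds the validUser bean. */
public class UserLookup {

    /** Returns a populated EmployeeBean, or null when no Employee row matches. */
    public static EmployeeBean findUser(Connection con, String userName, String password)
            throws SQLException {
        EmployeeBean user = new EmployeeBean();
        try (PreparedStatement ps = con.prepareStatement(
                 "SELECT * FROM Employee WHERE UserName = ? AND Password = ?")) {
            ps.setString(1, userName);
            ps.setString(2, password);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {
                    return null;   // same condition as empInfo.size( ) == 0 in the page
                }
                // Column names other than UserName are assumed from the bean's properties.
                user.setUserName(rs.getString("UserName"));
                user.setFirstName(rs.getString("FirstName"));
                user.setLastName(rs.getString("LastName"));
                user.setDept(rs.getString("Dept"));
                user.setEmpDate(rs.getString("EmpDate"));
                user.setEmailAddr(rs.getString("EmailAddr"));
            }
        }
        // One EmployeeProjects row per project, collected into the String[] property,
        // the same loop the scriptlet above runs with projects[i++].
        List<String> projects = new ArrayList<>();
        try (PreparedStatement ps = con.prepareStatement(
                 "SELECT * FROM EmployeeProjects WHERE UserName = ?")) {
            ps.setString(1, userName);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    projects.add(rs.getString("ProjectName"));
                }
            }
        }
        user.setProjects(projects.toArray(new String[0]));
        return user;
    }
}
```

The caller stores a non-null result with session.setAttribute("validUser", user) and, on null, redirects back to the login page with the errorMsg parameter, exactly as the page's empInfo.size( ) branch does.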