
My question is simple: how do I implement login-logout in servlet/JSP?

Following is the use case...

  • I have a users table in the DB with email, username and password
  • I have a mapped bean object, User, in Java with email, username and password properties
  • I simply want to log in by validating email and password, BUT
  • Once I log in and then log out, when I click the back button, it should not retain the session.
    • It should not give any warning but should simply ask for login
    • If I copy-paste a restricted resource's link, it should ask for login

What all solutions I've gone through...

  • Some say to implement Tomcat security using roles and bla bla... But I think I should not set usernames and passwords in some Tomcat config file, because the details are in a DB table
  • Some ask to implement no-cache, pragma bla bla... but it never works
  • Disabling the back button is a foolish thing

**What help am I expecting from you guys...?**

  • Is there any third-party API available to do this?
  • How are things implemented in production-ready applications?
  • Should I use JAAS, or any other security process, for exactly the above-mentioned scenario OR WHAT
  • Please give me some hint or solution on how I should proceed implementing production-ready login-logout in servlet-JSP

I've searched on the internet but ended up with simple login examples or Tomcat security roles etc. No one gives the actual solution. And please don't say that this question is NOT RELATED TO this FORUM.

Thanks

  • What about [Spring Security](http://docs.spring.io/spring-security/site/docs/current/guides/html5/form-javaconfig.html) ? Don't you want to build your app on Spring MVC framework? – Michael Dz May 12 '17 at 07:44
  • you could use a filter to check that you are logged in – Scary Wombat May 12 '17 at 07:44
  • @Scary - Yes I use filters, I maintain session also, I invalidate session on logout too BUT when I click on back button everything gets populated again from cache. – user1257846 May 12 '17 at 07:47
  • see possible duplicate https://stackoverflow.com/questions/4194207/prevent-user-from-seeing-previously-visited-secured-page-after-logout – Scary Wombat May 12 '17 at 07:50
  • Thanks @Scary - Please tell me how role-based security fits in this scenario, OR is that for some other kind of security? It's confusing me all the time – user1257846 May 12 '17 at 08:29

2 Answers

This happens because the browser caches the web pages that are being loaded. You can prevent it by using a filter and telling the browser not to cache the web pages, like the doFilter method of the Filter below.

import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

@WebFilter("/*") // or map it in web.xml to the url-patterns you want protected
public class AuthFilter implements Filter {

    public void init(FilterConfig cfg) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {

        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Tell the browser (and any proxy) not to store the page, so the back button
        // after logout re-requests it instead of showing a cached copy.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);

        HttpSession session = request.getSession(false); // don't create one if no session exists

        if (session == null || session.getAttribute("username") == null) {
            RequestDispatcher rd = request.getRequestDispatcher("login"); // dispatch to your desired page, i.e. the login page
            rd.forward(request, response);
        } else {
            chain.doFilter(req, res); // logged in: let the request through
        }
    }

    public void destroy() { }
}

You should configure this filter inside web.xml or using annotations for the url-patterns you want to filter. Refer to the documentation for more details.

raviraja
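The filter above only decides whether a session attribute is present; something still has to validate the email and password against the DB and set that attribute. The following login servlet is an added example (not code from the question or from raviraja's answer) of the application-managed side of the same approach: a parameterised query, a salted PBKDF2 password hash compared in constant time, one response for both "unknown email" and "wrong password", and a fresh session after login so a pre-login session id cannot be reused. The JNDI DataSource name `jdbc/appDS`, the table `users(email, username, pw_hash, pw_salt)`, the JSP path and the `/home` target are assumptions for illustration.

```java
// Added example: application-managed login that sets the "username" session
// attribute checked by the filter. Assumed (hypothetical): a JNDI DataSource
// "jdbc/appDS" and a table users(email, username, pw_hash, pw_salt) where pw_hash
// is base64(PBKDF2-SHA256(password, pw_salt)) and pw_salt is base64 of a random salt.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.spec.KeySpec;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Base64;
import javax.annotation.Resource;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;
import javax.sql.DataSource;

@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    @Resource(name = "jdbc/appDS")   // assumed JNDI name, declared in Tomcat's context.xml
    private DataSource ds;

    private static final int ITERATIONS = 100_000;
    private static final String LOGIN_JSP = "/WEB-INF/login.jsp"; // assumed path (not directly reachable)

    // PBKDF2-SHA256 of the password with the user's salt, base64 so it fits a text column.
    static String pbkdf2(char[] password, byte[] salt) throws ServletException {
        try {
            KeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
            byte[] dk = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                                        .generateSecret(spec).getEncoded();
            return Base64.getEncoder().encodeToString(dk);
        } catch (GeneralSecurityException e) {
            throw new ServletException(e);
        }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        req.getRequestDispatcher(LOGIN_JSP).forward(req, resp);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String email = req.getParameter("email");
        String password = req.getParameter("password");
        String username = null;

        if (email != null && password != null) {
            try (Connection c = ds.getConnection();
                 PreparedStatement ps = c.prepareStatement(
                     "SELECT username, pw_hash, pw_salt FROM users WHERE email = ?")) {
                ps.setString(1, email);   // bound parameter: no string concatenation into SQL
                try (ResultSet rs = ps.executeQuery()) {
                    if (rs.next()) {
                        byte[] salt = Base64.getDecoder().decode(rs.getString("pw_salt"));
                        byte[] stored = rs.getString("pw_hash").getBytes(StandardCharsets.UTF_8);
                        byte[] computed = pbkdf2(password.toCharArray(), salt)
                                              .getBytes(StandardCharsets.UTF_8);
                        if (MessageDigest.isEqual(stored, computed)) { // constant-time compare
                            username = rs.getString("username");
                        }
                    }
                }
            } catch (SQLException e) {
                throw new ServletException(e);
            }
        }

        if (username == null) {
            // Same answer for "no such email" and "wrong password": no account enumeration.
            resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            req.setAttribute("error", "Invalid email or password");
            req.getRequestDispatcher(LOGIN_JSP).forward(req, resp);
            return;
        }

        // Session fixation defence: discard any pre-login session, then start a new one.
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();
        HttpSession session = req.getSession(true);
        session.setAttribute("username", username);   // the attribute the filter looks for
        session.setMaxInactiveInterval(15 * 60);      // idle timeout in seconds
        resp.sendRedirect(req.getContextPath() + "/home"); // assumed protected landing page
    }
}
```

Logout for this variant is just `getSession(false)`, `invalidate()` when non-null, and a redirect to `/login`; because the filter also sends `Cache-Control: no-store`, the back button then re-requests the protected page and gets the login page instead of a cached copy. Password hashes should be written by a registration servlet using the same `pbkdf2` helper with a salt from `java.security.SecureRandom`.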

If you're using Tomcat then a good place to start is Tomcat Standard Realm Implementations.

It's important to remember that normal Java EE security authenticates users and authorises them using roles - even if you only have the one.

Once you have done that you can implement Logout by invoking a servlet which calls HttpServletRequest.logout() and then invalidates the HttpSession:

 request.logout();                                   // Servlet 3.0+: clears the container-authenticated user
 HttpSession session = request.getSession(false);    // false: don't create a session just to invalidate it
 if (session != null) session.invalidate();

and then:

 response.sendRedirect("some protected page");

which should resolve your back button problem and land back on the login page.

Steve C
  • OOOOKay..! Grt @Steve – user1257846 May 12 '17 at 09:25
  • What I've understood by above is.. all I need to configure this Realm and tomcat would do the rest of important JOB..! Just I need to put things in sessions and invalidate when Logout..! – user1257846 May 12 '17 at 09:26
  • You will find it useful to read §13 of the [Servlet Specification](https://java.net/downloads/servlet-spec/Final/servlet-3_1-final.pdf) too! – Steve C May 12 '17 at 10:03
  • Hi please respond..! Is the above approach good and safe practice to implement in apps where user registers himself and then login to access services of that app? – user1257846 May 12 '17 at 10:12
  • Well - yes. It's essentially as per the servlet specification – Steve C May 12 '17 at 10:40
  • Thanks dear. I am setting up JDBC Realm. I just want to confirm that I don't have to edit tomcat-users.xml in that case because tomcat is gonna find users and roles from specified database. Please correct me if I am wrong.... Thanks – user1257846 May 13 '17 at 02:09
  • Yep! That's correct. It will not be accessing users and roles from text files in the file system – Steve C May 13 '17 at 02:15
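The answer's sequence (`request.logout()`, invalidate the session, redirect to a protected page) is shown end to end below as an added example; it is not code from Steve C's answer or from Tomcat. Assumed for illustration: the Realm defines a role named `user`, and `/account` is the protected page the user is sent back to. The Realm itself (Tomcat's JDBCRealm or DataSourceRealm pointing at the users and roles tables) and the `<login-config>` in web.xml are container configuration and are not repeated here.

```java
// Added example (not part of the answer): container-managed security with a
// logout servlet. Assumptions: a role "user" exists in the configured Realm and
// <login-config> in web.xml selects FORM or BASIC authentication.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

// A protected resource. The container authenticates the caller against the Realm
// and checks the role before doGet runs; application code never sees a password.
@WebServlet("/account")
@ServletSecurity(@HttpConstraint(rolesAllowed = "user"))
class AccountServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Without these the browser may serve this page from cache after logout.
        resp.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        resp.setHeader("Pragma", "no-cache");
        resp.setDateHeader("Expires", 0);
        resp.setContentType("text/plain");
        resp.getWriter().println("Hello " + req.getRemoteUser()
                + ", isUserInRole(\"user\") = " + req.isUserInRole("user"));
    }
}

@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {
    // POST only: a logout reachable by plain GET can be triggered by any page that
    // links to it, which is a nuisance for users even if it is not a data leak.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        req.logout();                                    // drop the container's authenticated identity
        HttpSession session = req.getSession(false);     // false: do not create a session just to kill it
        if (session != null) {
            session.invalidate();                        // drop application state (beans, attributes)
        }
        // Redirect to a protected page: the container now re-issues the login challenge,
        // which is the "lands back on the login page" behaviour the answer describes.
        resp.sendRedirect(req.getContextPath() + "/account");
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
    }
}
```

With a JDBC-backed Realm the users and roles come from the database, so tomcat-users.xml is not consulted, which matches the last two comments above. The `@ServletSecurity` annotation is equivalent to a `<security-constraint>` in web.xml; either form works, and the role check is what the answer means by "authorises them using roles, even if you only have the one".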