AJAX In Action [209]
Figure: The users table properties in SQL Squirrel, the graphical database explorer
Licensed to jonathan zheng 430 CHAPTER 11 The enhanced Ajax web portal

Figure 11.6 The contents of the users table

choice. Developing an Ajax-based user administration front-end is possible, but we don't have the space to explore it here.

The last step is to make sure that we assign the permissions to the table. The user accounts that will be accessing the table must have read and write permission on it. Without those permissions, our SQL query would fail with errors.

Now that we have our users table, let's write the code for the login process, starting with the server.

11.3.2 The server-side login code: Java

The server-side code for the Ajax portal is simple in nature, but it will have numerous steps by the time we are finished because of all the functionality that the portal contains. Right now, we are concerned with coding the login portion of the Ajax portal. Let's review the process. When the user logs into the portal, the client-side code sends a request to the server, passing the user's credentials with the request. The server-side process that intercepts this request determines whether the credentials sent to the server are correct. If they are correct, we start to build the portal windows. If the user's credentials are incorrect, we pass an error message back to the client page.

Because we are developing in Java, we'll use a servlet filter to secure all our interactions with the server. For those unfamiliar with the term, a filter is simply a bit of logic that can be assigned to one or more resources and is given the opportunity to modify a request before it reaches its destination servlet. We discussed using filters for security in chapter 7. If you're using a system that doesn't support filters, you can simply create a helper object or function that checks whether the user is logged in and invoke it manually at the top of each page that you want to protect.
Listing 11.2 shows our login filter.

Listing 11.2 LoginFilter.java: server-side login code

import java.io.IOException;
import java.io.Writer;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public class LoginFilter implements Filter {

  public void init(FilterConfig config) throws ServletException {
  }

  public void doFilter(ServletRequest request,
                       ServletResponse response,
                       FilterChain filterChain)
      throws IOException, ServletException {
    boolean accept = false;
    HttpSession session = ((HttpServletRequest) request).getSession();
    // b Check session for User object
    User user = (User) (session.getAttribute("user"));
    if (user == null) {
      accept = login(request);                  // c Authenticate request
    } else {
      accept = true;                            // d Let them in
    }
    if (accept) {
      filterChain.doFilter(request, response);  // e Proceed
    } else {
      Writer writer = response.getWriter();
      writer.write(JSUtil.getLoginError());     // f Return error code
      writer.flush();
      writer.close();
    }
  }

  private boolean login(ServletRequest request) {
    // g Get credentials from request
    String user = request.getParameter("username");
    String password = request.getParameter("password");
    User userObj = findUser(user, password);
    if (userObj != null) {
      HttpSession session =
          ((HttpServletRequest) request).getSession(true);
      // h Store in session for future use
      session.setAttribute("user", userObj);
    }
    return (userObj != null);
  }

  private User findUser(String user, String password) {
    User userObj = null;
    Connection conn = DBUtil.getConnection();
    try {
      // i Build SQL statement. Note that the submitted values are pasted
      // straight into the query text, so a quote character in either one
      // alters the query itself; bind them as parameters in real code.
      String sql = "SELECT id FROM users WHERE username='" + user
                 + "' AND password='" + password + "'";
      Statement stmt = conn.createStatement();
      ResultSet rs = stmt.executeQuery(sql);
      if (rs.next()) {
        int id = rs.getInt("id");
        userObj = new User(id, user);           // j Create User object
      }
      rs.close();
      stmt.close();
    } catch (SQLException sqlex) {
      // A database error is reported as a failed login; log it so it
      // is not mistaken for a wrong password.
      System.err.println("findUser failed: " + sqlex.getMessage());
    }
    return userObj;
  }

  public void destroy() {
  }
}

In this case, we will apply a filter
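Listing 11.2 builds its query by concatenating the submitted username and password into the SQL text, so either value can change the structure of the query rather than just its data. As an added example that is not the book's code, here is findUser rewritten to bind both values as parameters of a PreparedStatement and to release its JDBC resources; DBUtil.getConnection() and User(int, String) are the chapter's own helpers and are assumed to behave as the listing uses them, and the comparison against the stored password column is kept as the listing has it.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

// Added example (not the book's code): the findUser lookup of
// LoginFilter with the credentials bound as query parameters.
// DBUtil.getConnection() and User(int, String) are the chapter's
// helpers and are assumed to behave as Listing 11.2 uses them.
public class SafeUserLookup {

  // The driver fills the placeholders after the statement is parsed, so
  // a quote character in user or password is compared literally against
  // the column instead of rewriting the WHERE clause.
  private static final String FIND_USER_SQL =
      "SELECT id FROM users WHERE username = ? AND password = ?";

  public static User findUser(String user, String password) {
    // Missing form fields arrive as null; reject them before touching the DB.
    if (user == null || password == null) {
      return null;
    }
    // try-with-resources closes the ResultSet, statement and connection
    // even when an SQLException is thrown (Listing 11.2 never closes them).
    try (Connection conn = DBUtil.getConnection();
         PreparedStatement stmt = conn.prepareStatement(FIND_USER_SQL)) {
      stmt.setString(1, user);
      stmt.setString(2, password);
      try (ResultSet rs = stmt.executeQuery()) {
        if (rs.next()) {
          return new User(rs.getInt("id"), user);
        }
      }
    } catch (SQLException sqlex) {
      // Log the failure so an outage is not reported as a bad password.
      System.err.println("findUser failed: " + sqlex.getMessage());
    }
    return null;
  }
}
```

Closing the Connection assumes DBUtil hands out a connection the caller owns; with a pool, close() normally just returns it to the pool.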