Secure login mechanism using servlets

By : Michał
Source: Stackoverflow.com
Question!

I am trying to implement a login mechanism for a web application using servlets in Java. Generally, authentication and authorization are done by a web service; I just have to detect that the user is not logged in, collect the nick and password and send them via the web service. Then I receive the token and the user can work with the web application. For now, I have a filter chain which detects if there exists a proper cookie with a token; if not, the login servlet is invoked, the user types nick and password into the HTML form, clicks submit, the data is passed to the servlet via a POST request, the data is sent to the web service, the token is registered and the user can work with the page. The application works with the HTTPS protocol. If the user puts in a wrong password, the login page should be displayed again with a proper message. It also may happen that the password is out of date, and then instead of the message a button that redirects to the page with password change should be displayed. I can recognize if the password is wrong or out of date by the code returned by the web service.

My question is, how should the whole process be done to fulfill the general good rules of login mechanisms, and how do I do it in a good manner/convention? I read about configuring login-config in the web.xml file, but I think that I cannot do what I described above using web.xml. Also, is it secure to use a simple servlet and JSP form with a POST action? Please give me some advice on how I should implement that kind of login mechanism. I do not want to use Spring or any other frameworks.

By : Michał
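The flow the question describes (filter checks for a token cookie, otherwise a login servlet POSTs nick and password to the authentication web service, then reacts to "wrong password" versus "password expired"), written out as an added example in Java. This is not code from the question or from any answer on this page. `AuthService`, `AuthResult`, the `auth_token` cookie name, the `/login` path and the `login.jsp` view are all assumptions; the real web service's result codes are not on the page, so the `AuthStatus` enum stands in for them. Besides the steps the question lists, it adds the checks the question does not mention: a per-form CSRF token, a new session after a successful login, `HttpOnly` and `Secure` on the token cookie, a fixed redirect target, and one uniform error message for every failed login.

```java
// Added example, not from the question or any answer. In a real project each
// class goes in its own file and is declared public; AuthService, AuthResult,
// the cookie name, the paths and login.jsp are assumptions.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

enum AuthStatus { OK, BAD_CREDENTIALS, PASSWORD_EXPIRED }   // stand-ins for the web service's codes

final class AuthResult {
    final AuthStatus status;
    final String token;   // set only when status == OK; assumed cookie-safe (e.g. base64url)
    AuthResult(AuthStatus status, String token) { this.status = status; this.token = token; }
}

/** Hypothetical client for the authentication web service the question mentions. */
interface AuthService {
    AuthResult login(String nick, String password);
    boolean isValid(String token);   // check the token itself, not just that a cookie exists
}

/** Sends every request without a valid token cookie to the login page. */
@WebFilter("/*")
class TokenAuthFilter implements Filter {
    static final String TOKEN_COOKIE = "auth_token";   // assumed cookie name
    static final String LOGIN_PATH = "/login";         // assumed servlet path
    private AuthService auth;

    @Override public void init(FilterConfig cfg) {
        auth = (AuthService) cfg.getServletContext().getAttribute("authService");   // assumed wiring
    }
    @Override public void destroy() {}

    @Override public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse resp = (HttpServletResponse) rs;
        if (LOGIN_PATH.equals(req.getServletPath())) { chain.doFilter(rq, rs); return; }
        String token = readCookie(req, TOKEN_COOKIE);
        if (token == null || !auth.isValid(token)) {
            resp.sendRedirect(req.getContextPath() + LOGIN_PATH);   // fixed target, no open redirect
            return;
        }
        chain.doFilter(rq, rs);
    }

    static String readCookie(HttpServletRequest req, String name) {
        Cookie[] cookies = req.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) if (name.equals(c.getName())) return c.getValue();
        return null;
    }
}

/** GET renders the form with a CSRF token; POST forwards the credentials to the web service. */
@WebServlet("/login")
public class LoginServlet extends HttpServlet {
    private static final SecureRandom RNG = new SecureRandom();
    private AuthService auth;

    @Override public void init() { auth = (AuthService) getServletContext().getAttribute("authService"); }

    @Override protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException { render(req, resp); }

    @Override protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);
        String expected = session == null ? null : (String) session.getAttribute("csrf");
        String given = req.getParameter("csrf");
        if (expected == null || given == null || !MessageDigest.isEqual(   // constant-time compare
                expected.getBytes(StandardCharsets.UTF_8), given.getBytes(StandardCharsets.UTF_8))) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        AuthResult r = auth.login(req.getParameter("nick"), req.getParameter("password"));
        switch (r.status) {
            case OK: {
                session.invalidate();   // fresh session after login defeats session fixation
                req.getSession(true);
                Cookie c = new Cookie(TokenAuthFilter.TOKEN_COOKIE, r.token);
                c.setHttpOnly(true);    // not readable from page scripts
                c.setSecure(true);      // only sent over HTTPS, which the question already uses
                c.setPath(req.getContextPath() + "/");
                resp.addCookie(c);      // SameSite has no setter on javax Cookie; set it in the container config
                resp.sendRedirect(req.getContextPath() + "/");
                return;
            }
            case PASSWORD_EXPIRED:
                req.setAttribute("showChangePassword", Boolean.TRUE);   // JSP shows the change-password button
                break;
            default:
                req.setAttribute("message", "Wrong nick or password.");   // same text for every failure
        }
        render(req, resp);
    }

    /** Every rendering of the form gets a new CSRF token bound to the session. */
    private void render(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        byte[] b = new byte[32];
        RNG.nextBytes(b);
        String csrf = Base64.getUrlEncoder().withoutPadding().encodeToString(b);
        req.getSession(true).setAttribute("csrf", csrf);
        req.setAttribute("csrf", csrf);   // assumed login.jsp echoes it HTML-escaped in a hidden field
        req.getRequestDispatcher("/WEB-INF/login.jsp").forward(req, resp);
    }
}
```

The filter treats a missing or invalid token the same way and redirects to a fixed path rather than to anything taken from the request, and the servlet gives the same "wrong nick or password" text whether the nick or the password was wrong, so the login page does not reveal which accounts exist. The expired-password case is the one the question singles out: the form is re-rendered with a flag that the JSP turns into the change-password button, and nothing is written to the token cookie until the web service has actually returned a token.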


Answers

TL;DR: Focus on your own area of expertise and don't try to reinvent the wheel.

Are you an IT security expert? Or do you at least have one in your team? If not, then - unless this is a school project aiming to learn technologies and principles - do not implement security stuff on your own! There are a lot of libraries and security frameworks, such as Apache Shiro, JBoss Keycloak, or the Spring Security mentioned in the comments - choose the one best fitting your needs, and use it. They are designed, implemented and reviewed by people with a lot of experience in IT security, and unless you are a freaking genius, you can't do a better job.



Shouldn't this be sufficient? Just notice this will remove .denominator, and replace the inner text with desired value.

$('.medium-item-price').text('$1');
<script src="https://ajax.googleapis.com/ajax/libs/jquery/2.0.3/jquery.min.js"></script>
<div class="medium-item-price"><span class="denominator">$</span>699.99</div>

By : Adam Azad


You can do it like following.

$('.medium-item-price').contents().last()[0].textContent='100';
<script src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.1/jquery.min.js"></script>
<div class="medium-item-price">
  <span class="denominator">$</span>
  699.99
</div>

By : Azim

