I have written 2 filters 1 for a normal user and 1 for a admin yet you have to be admin to login. Here is the source for both of my filters:
public class newFilter implements Filter {
String UUIDInDB;
String UUIDInCookie;
public void init(FilterConfig filterConfig) throws ServletException {
//To change body of implemented methods use File | Settings | File Templates.
}
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
HttpServletRequest req = (HttpServletRequest) servletRequest;
HttpServletResponse res = (HttpServletResponse) servletResponse;
Cookie[] cookies = req.getCookies();
UUIDInCookie = getCookieValue(cookies,"pubweb", "noCookie");
if(UUIDInCookie.equals("noCookie")){
Cookie cookie = new Cookie("pubweb","noCookie");
cookie.setMaxAge(1);
res.addCookie(cookie);
res.sendRedirect("../Login.jsp");
return ;
}
checkDatabase();
if(UUIDInCookie.equals(UUIDInDB)){
filterChain.doFilter(servletRequest, servletResponse);
System.out.println("Is allowed thorugh");
} else if(UUIDInCookie.equals("noCookie")){
res.sendRedirect("../Login.jsp");
System.out.println("Isn't allowed thorugh");
} else {
res.sendRedirect("../Login.jsp");
System.out.println("Isn't allowed thorugh");
}
}
public void destroy() {
//To change body of implemented methods use File | Settings | File Templates.
}
public void checkDatabase(){
try {
Class.forName("com.mysql.jdbc.Driver");
} catch (ClassNotFoundException e) {
e.printStackTrace(); //To change body of catch statement use File | Settings | File Templates.
}
/*
The next lines allow you to change the username and password for the password.
*/
String username = "username";
String password = "password";
/*
The following line is the url. This can be changed to bring in to line with the database.
*/
String dbURL = "jdbc:mysql://localhost/hpsgdb?user="
+ username + "&password=" + password;
/*
This line connects to the database to the information presented earlier.
*/
java.sql.Connection myConnection = null;
try {
myConnection = DriverManager.getConnection(dbURL);
System.out.println("Connected to Database.");
} catch (SQLException e) {
e.printStackTrace(); //To change body of catch statement use File | Settings | File Templates.
}
/*
The next line creates a query on the database. The query is that you want exacuted is on the next line.
*/
Statement stat = null;
try {
stat = (Statement) myConnection.createStatement();
} catch (SQLException e) {
e.printStackTrace(); //To change body of catch statement use File | Settings | File Templates.
} catch (NullPointerException e){
e.printStackTrace();
}
try {
ResultSet rs;
rs = stat.executeQuery("SELECT * from uuid where uuid='" + UUIDInCookie + "';");
System.out.println("Executed Query.");
int count = 0;
while(rs.next())
UUIDInDB = rs.getString("uuid") ;
System.out.println(UUIDInDB);
rs.close();
myConnection.close();
} catch (SQLException e) {
e.printStackTrace(); //To change body of catch statement use File | Settings | File Templates.
} catch (NullPointerException e){
e.printStackTrace();
}
}
public static String getCookieValue(Cookie[] cookies,
String cookieName,
String defaultValue) throws IOException {
int length = cookies.length;
System.out.println(length);
try{
for(int i=0; i<length; i++) {
Cookie cookie = cookies[i];
if (cookieName.equals(cookie.getName())) {
System.out.println(cookies.length);
return(cookie.getValue());
} else {
return defaultValue;
}
} } catch (NullPointerException e){
e.printStackTrace();
HttpServletResponse res = null;
res.sendRedirect("../Login.jsp");
}
return(defaultValue);
}
}
Other Filter:
public class adminFilter implements Filter {
String UUIDInDB;
String UUIDInCookie;
int role;
public void destroy() {
}
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain chain) throws ServletException, IOException {
HttpServletRequest req = (HttpServletRequest) servletRequest;
HttpServletResponse res = (HttpServletResponse) servletResponse;
Cookie[] cookies = req.getCookies();
UUIDInCookie = getCookieValue(cookies,"pubweb", "noCookie");
// role = Integer.parseInt(getCookieValue(cookies,"pubwebRole", "2"));
if(UUIDInCookie.equals("noCookie")){
Cookie cookie = new Cookie("pubweb","noCookie");
cookie.setMaxAge(1);
res.addCookie(cookie);
res.sendRedirect("../Login.jsp");
return ;
}
checkDatabase();
if(UUIDInCookie.equals(UUIDInDB) && role == 1){
chain.doFilter(servletRequest, servletResponse);
} else if(UUIDInCookie.equals("noCookie")){
res.sendRedirect("../Login.jsp");
} else if (role == 2){
res.sendRedirect("/");
} else {
res.sendRedirect("../Login.jsp");
}
}
public void init(FilterConfig config) throws ServletException {
}
public void checkDatabase(){
try {
Class.forName("com.mysql.jdbc.Driver");
} catch (ClassNotFoundException e) {
e.printStackTrace(); //To change body of catch statement use File | Settings | File Templates.
}
/*
The next lines allow you to change the username and password for the password.
*/
String username = "username";
String password = "password";
/*
The following line is the url. This can be changed to bring in to line with the database.
*/
String dbURL = "jdbc:mysql://localhost/hpsgdb?user="
+ username + "&password=" + password;
/*
This line connects to the database to the information presented earlier.
*/
java.sql.Connection myConnection = null;
try {
myConnection = DriverManager.getConnection(dbURL);
System.out.println("Connected to Database.");
} catch (SQLException e) {
e.printStackTrace(); //To change body of catch statement use File | Settings | File Templates.
}
/*
The next line creates a query on the database. The query is that you want exacuted is on the next line.
*/
Statement stat = null;
try {
stat = (Statement) myConnection.createStatement();
} catch (SQLException e) {
e.printStackTrace(); //To change body of catch statement use File | Settings | File Templates.
} catch (NullPointerException e){
e.printStackTrace();
}
try {
ResultSet rs;
rs = stat.executeQuery("SELECT * from uuid where uuid='" + UUIDInCookie + "';");
System.out.println("Executed Query.");
int count = 0;
while(rs.next()) {
UUIDInDB = rs.getString("uuid") ;
role = rs.getInt("role");
}
System.out.println(UUIDInDB);
System.out.println("Role =" + role);
rs.close();
myConnection.close();
} catch (SQLException e) {
e.printStackTrace();
} catch (NullPointerException e){
e.printStackTrace();
}
}
public static String getCookieValue(Cookie[] cookies,
String cookieName,
String defaultValue) throws IOException {
int length = cookies.length;
System.out.println(length);
try{
for(int i=0; i<length; i++) {
Cookie cookie = cookies[i];
if (cookieName.equals(cookie.getName())) {
System.out.println(cookies.length);
return(cookie.getValue());
} else {
return defaultValue;
}
} } catch (NullPointerException e){
e.printStackTrace();
HttpServletResponse res = null;
res.sendRedirect("../Login.jsp");
}
return(defaultValue);
}
}
Here is my web xml file:
<filter>
<filter-name>SecurityFilter</filter-name>
<filter-class>filters.newFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>SecurityFilter</filter-name>
<url-pattern>/add/addAuthor.jsp</url-pattern>
<url-pattern>/add/addAuthor</url-pattern>
<url-pattern>/add/addConference.jsp</url-pattern>
<url-pattern>/add/addConference</url-pattern>
<url-pattern>/add/addJournal.jsp</url-pattern>
<url-pattern>/add/addJournal</url-pattern>
<url-pattern>/add/addWorkshop.jsp</url-pattern>
<url-pattern>/add/addWorkshop</url-pattern>
<url-pattern>/add/index.jsp</url-pattern>
</filter-mapping>
<filter>
<filter-name>AdminFilter</filter-name>
<filter-class>filters.adminFilter</filter-class>
</filter>
<!-- <filter-mapping>
<filter-name>AdminFilter</filter-name>
<url-pattern>/add/addAuthor.jsp</url-pattern>
<url-pattern>/add/addAuthor</url-pattern>
<url-pattern>/add/addConference.jsp</url-pattern>
<url-pattern>/add/addConference</url-pattern>
<url-pattern>/add/addJournal.jsp</url-pattern>
<url-pattern>/add/addJournal</url-pattern>
<url-pattern>/add/addWorkshop.jsp</url-pattern>
<url-pattern>/add/addWorkshop</url-pattern>
<url-pattern>/add/index.jsp</url-pattern>
<url-pattern>/add/addConfJour.jsp</url-pattern>
<url-pattern>/add/addConfJourn</url-pattern>
<url-pattern>/add/addUser.jsp</url-pattern>
<url-pattern>/add/addUser</url-pattern>
<url-pattern>/add/addTag.jsp</url-pattern>
<url-pattern>/add/addTag</url-pattern>
<url-pattern>/add/indexAdmin.jsp</url-pattern>
</filter-mapping>-->
<filter-mapping>
<filter-name>AdminFilter</filter-name>
<url-pattern>/add/*</url-pattern>
</filter-mapping>
Are you sure that you really want to be implementing all your own access security? The servlet spec supports protected resources whereby you can essentially do what you are doing. You may still want to write a filter to pop a user object into the session.
Take a look at this link http://www.informit.com/articles/article.aspx?p=24253 on protecting access to web resources using container authentication.
Also glancing at your code there are a couple of things which don’t smell too good
finallyblock for closing the resourceServletExceptionand throw them outNullPointerExceptions these should not be caught and are generally caused by schoolboy coding bugs.