java - 如果密码输入了三次错误,如何检查 JSP Servlet?
问题描述
在我作为用户的登录表单中,我必须提供以下凭据:
- 客户 ID,
- 用户 ID,
- 密码,
这是与 Oracle 数据库建立连接的 servlet 代码:
package com.mmdmanager;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.IOException;
import java.io.PrintWriter;
import java.sql.*;
@WebServlet("/MaterialCreator")
public class MaterialCreator extends HttpServlet {
long createdSessionTime;
int enterWrongPassAttempts = 0;
Connection connection;
Statement statementCreation;
ResultSet receivedPersonalData;
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
doGet(request, response);
String company_id = request.getParameter("client");
String user_id = request.getParameter("userID");
String acc_password = request.getParameter("userPassword");
user_id = user_id.toUpperCase();
try {
Class.forName("oracle.jdbc.driver.OracleDriver");
connection = DriverManager.getConnection("jdbc:oracle:thin:@localhost:1521:orcl", "mmdmanager", "NHY67ujm");
statementCreation = connection.createStatement();
receivedPersonalData = statementCreation.executeQuery("SELECT * FROM USERS WHERE COMPANY_ID='" + Integer.valueOf(company_id) + "' " + "AND USER_ID='" + user_id + "' AND IS_ADMIN = 'N'");
if ((receivedPersonalData.next() == true) && (receivedPersonalData.getString(8).equals(acc_password) == true)) {
HttpSession httpSession = request.getSession();
httpSession.setAttribute("user_id", user_id);
httpSession.setAttribute("createdSessionTime", createdSessionTime);
createdSessionTime = httpSession.getCreationTime();
response.sendRedirect("MaterialCreator.jsp?name="+user_id.toLowerCase()+"?t="+createdSessionTime+"");
System.out.println(receivedPersonalData.getString(8) + " | " + acc_password);
}
else if ((receivedPersonalData.next() == true) && (receivedPersonalData.getString(8).equals(acc_password) == false)) {
enterWrongPassAttempts += 1;
if (enterWrongPassAttempts == 3) {
response.sendRedirect("None");
}
System.out.println(receivedPersonalData.getString(8) + " | " + acc_password);
}
else {
response.sendRedirect("http://localhost:8090/Login/index.jsp");
System.out.println(receivedPersonalData.next());
}
}
catch (ClassNotFoundException ex) {
ex.printStackTrace();
}
catch (SQLException ex) {
ex.printStackTrace();
}
}
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
}
}
我希望 servlet 检查是否正确提供了公司 ID和用户 ID,但是 if 语句:
else if ((receivedPersonalData.next() == true) && (receivedPersonalData.getString(8).equals(acc_password) == false))
其他数据正确时不检测密码错误,直接跳到最后一个条件:
else {
response.sendRedirect("http://localhost:8090/Login/index.jsp");
System.out.println(receivedPersonalData.next());
}
如果您有任何已经使用过的解决方案,请与我分享。:)
解决方案
无需过多地评论密码验证的可怕之处(如果这对于任何远程重要的事情,您应该进一步调查),您可以简单地获取enterWrongPassAttempts
并将值存储在 Session 中。
request.getSession().setAttribute("NUMBER_ATTEMPTS", enterWrongPassAttempts);
然后,您可以获取它:
Integer enterWrongPassAttempts = null;
enterWrongPassAttempts = request.getSession().getAttribute("NUMBER_ATTEMPTS");
if (enterWrongPassAttempts == null) {
enterWrongPassAttempts = 0;
}
使用会话将跨请求保留值。
推荐阅读
- javascript - 使用此 JavaScript 将本地时间转换为另一个时区
- google-cloud-storage - 如何调试远程缓存写入失败?
- sql - 比较同一表内连续行的差异
- machine-learning - 为什么我们应该在机器学习中使用 Lasso 而不是线性回归进行特征选择?
- java - Runtime.getRuntime().exec 命令失败,所有根活动的退出状态为 127
- spring-boot - springboot中使用@KafkaListener时,如何设置idleBetweenPolls
- python - 在python中格式化字典结构
- mysql - 嵌套连接的更新不适用于订单
- sorting - 有没有办法计算排序算法的进度?
- git - 是否有任何 git 托管允许跨存储库进行 PR?