Servlets & JSPs basics: Use one or two servlets to design a website login?

Question

I'm learning about servlets and JSPs and have what is probably a very basic question. I understand a servlet has URL mappings so that when a URL is requested, the associated servlet takes the request, processes it and possibly forwards to a JSP.

Now I want to do a Login page. When I request the URL ending with ".../Login" I want to display a form with username and password fields and a Login button. When the button is clicked, I want a success or failure page to be displayed.

My question is do I need 2 URLs for this operation, one of which would be ".../Login" and the other ".../Login/Result" for instance, and when the button is clicked, a post request would be sent to the second one? In that case I would need two servlets. The first one would simply forward to the JSP which contains the form, and that form would have:

<form action="/Result" method="post">

and the second one would receive the request containing the form data and do the actual login logic and forward to a success or fail view (JSP).

Is that the way to do it or is there a simpler way to do a login, using one servlet? Is there a way for a single servlet to display an initial view containing a form then when that form is submitted, display a subsequent view (success/failure)?

Answer 1

As a general rule, you will want to use multiple URLs.

This is because you'll want to follow the basic idiom of POST, REDIRECT, GET for the majority of your transactions. This helps reinforce the "stateless" nature of web applications.

So, for your example, you could do something like this:

GET /Login (mapped to LoginServlet) -> dispatcher.forward("/login.jsp") which displays the login form.

The form will then:

POST /Login with the user credentials. Note that the URL is the same but the request is different, a POST instead of a GET.

At this point, if the login succeeds, then the LoginServlet will send a HttpServletResponse.sendRedirect to, say, "/Welcome" (which is your WelcomeServlet).

If the login FAILS, then you need to REDIRECT to a login failure. This can be as simple as your LoginServlet with a "failed" parameter.

So, .sendRedirect("/Login?failed"). When you LoginServlet sees the "failed" parameter, it .forwards to "/loginFailed.jsp".

Why do you do this?

Simply, think of what happens should the user do a refresh button on their browser. If you just POST and then forward to the JSP, when you refresh, the browser will POST again (or ask if you want to submit the form again, which is annoying).

By sending the redirect, which causes a new GET, the URL changes, and it just reloads the last page they saw.

Finally, you don't want to GET JSPs directly, but route them through your servlet layer. The servlets are the actions in the system, the JSPs are just the views. Send the requests to the servlets, let them figure out what the views are.

Once you've done this a couple times, you'll want to potentially look in to "action frameworks" which makes this type of web programming easier.

Answer 2

This is opinion based. What I would do is,

• Have a folder named login and have an index.jsp page inside it, containing the login form design (.../login/index.jsp). So I can call .../login/ as it is not necessary to mention index.jsp in the url.

• Then I'll have a servlet to pass the information for verification. I would prefer the URL of the servlet to be .../login/controller.

• form tag of the /login/index.jsp would look like this.

  <form action="controller" method="POST">
  

---

But, you can do this even with a single jsp page. At the beginning of the page you can check whether the login information is being passed.

<%
    String username = request.getParameter("username"),
              password = request.getParameter("password");

    if(username != null && password != null){

          //validation part

          response.sendRedirect("profile.jsp"); //if login successful
          return; //make sure you add this after redirecting.
    }
%>

<!-- html part of the login page continues -->

<form action="" method="POST">

---

Side note: If you want to remove the .jsp part from your URL when sending a request to a jsp page. You can add an URL mapping for a jsp page in your deployment descriptor(web.xml).

<servlet>
    <servlet-name>Login</servlet-name>
    <jsp-file>login.jsp</jsp-file>
</servlet>

<servlet-mapping>
    <servlet-name>Login</servlet-name>
    <url-pattern>/login</url-pattern>
</servlet-mapping>

Read Url Mapping For Jsp for more info.

Answer 3

I understand a servlet has URL mappings so that when a URL is requested, the associated servlet takes the request, processes it and possibly forwards to a JSP.

Correct but remember that only the doGet method is accessible directly. (i.e. you can run the doGet method of a servlet by typing it into the browser)

When I request the URL ending with ".../Login" I want to display a form with username and password fields and a Login button.

You can use the doGet method of the Login servlet to forward to the jsp:

protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    RequestDispatcher rd = request.getRequestDispatcher("login.jsp");
    rd.forward(request, response);
}

So you can now either access the login page form either directly /login.jsp or via the doGet method of our Login Servlet /Login

For example you could have a link somewhere like this:

<a href="/Login">Login</a>

My question is do I need 2 URLs for this operation, one of which would be ".../Login" and the other ".../Login/Result" for instance, and when the button is clicked, a post request would be sent to the second one? In that case I would need two servlets. The first one would simply forward to the JSP which contains the form, and that form would have:

No, that would be over complicating it and would make your application harder to manage. You can use the same Login Servlet to both redirect the user to the login page (doGet) and handle the results (doPost).

When the button is clicked, I want a success or failure page to be displayed.

Instead of having a failure jsp, why not just keep it on the login page? If a user types in their password incorrectly by mistake more than once, it would be annoying for them to keep having to go back to the login page no? What most websites do is that they will show the error message on the login page itself, so they can easily just type their details in again without having to click back. And you don't need a dedicated success jsp, the success page would just be the dashboard/homepage/welcomepage.

Here's a nice example of the above:

protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {

//get the parameters submitted by the form
String user_name = request.getParameter("username");
String user_pass = request.getParameter("password");

String url = ""; //Create a string literal that we will modify based on if the details are correct or not. 
UserDao udao = new UserDao(); //class containing all the database methods pertaining to the user table.
if(udao.isValid(user_name, user_pass)){ //UserDao has a method called isValid which returns a boolean. 

    //details are valid so forward to success page
    url = "welcome.jsp"; //set the url welcome.jsp because the details are correct. 

    //here you set your session variables and do whatever else you want to do
    HttpSession session = (request.getSession());
    session.setAttribute("username", user_name); // i can access this variable now in any jsp with: ${username}


}else{

    //details are not valid so lets forward them back to the login page with an error message
    String error = "Username or password is incorrect!";
    request.setAttribute("error", error); 
    url = "login.jsp"; //set the url login.jsp because the details are incorrect.

}

RequestDispatcher rd = request.getRequestDispatcher(url); //the url we set based on if details are correct or not
rd.forward(request, response);

}

Your jsp might look something like this:

<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<jsp:include flush="true" page="includes/header.jsp"></jsp:include>


<form action="../Login" method="post">

<input type="text" name="username">
<input type="password" name="password">

<input type="submit" value="Submit">

</form>

<!-- you can handle the error here also -->
<h1>${error}</h1>



<jsp:include flush="true" page="includes/footer.jsp"></jsp:include>

The isValid method inside the UserDao class would look something like this:

public boolean isValid(String username, String userpass){          
     boolean status = false;  
    PreparedStatement pst = null;  
    ResultSet rs = null;  
    try(Connection conn= DBConnection.getConnection()){
            pst = conn.prepareStatement("select * from user where username=? and userpass=?;");  
            pst.setString(1, username);  
            pst.setString(2, userpass);  
            rs = pst.executeQuery(); 
        status = rs.next();  
    } catch (SQLException e) {
        e.printStackTrace();
    }
    return status;  
}

Hope that helps understand it better, if you have any questions feel free to ask.

Note: one of the answers uses scriptlets in their jsp (those <% %> things) . This is highly discouraged! If you want to start on a good path do not use scriptlets! More info on why here:

How to avoid Java code in JSP files?