Java Web Programming with Eclipse contents
Last modified February 06, 2011 01:52 am

back next

Web Application Security (continued)

The Persistent User Class

Video

Overview

When users login into the application they provide a username and password. The web application will look up the username in the database and check to see if the username exists, and if so, it will check to see if the supplied password matches the one in the database. For this purpose, we create a User class and its corresponding DAO (data access object).

The User Class

Create a class called User that contains member variables to store the id, username and password. The complete code for the class is as follows.

package publisher.data;

public class User {
	private Long id;
	private String username;
	private String password;

	public Long getId() {
		return id;
	}

	public void setId(Long id) {
		this.id = id;
	}

	public String getPassword() {
		return password;
	}

	public void setPassword(String password) {
		this.password = password;
	}

	public String getUsername() {
		return username;
	}

	public void setUsername(String username) {
		this.username = username;
	}
}

The UserDAO Class

Create class UserDAO in the publisher.data package with the following contents.

package publisher.data;

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.LinkedList;
import java.util.List;

public class UserDAO extends DataAccessObject {
   private static UserDAO instance = new UserDAO();

   public static UserDAO getInstance() {
      return instance;
   }

   private User read(ResultSet rs) throws SQLException
   {
      Long id = new Long(rs.getLong("id"));
      String username = rs.getString("username");
      String password = rs.getString("password");
      User user = new User();
      user.setId(id);
      user.setUsername(username);
      user.setPassword(password);
      return user;
   }
 
   public User find(Long id)
   {
      ResultSet rs = null;
      PreparedStatement statement = null;
      Connection connection = null;
      try
      {
         connection = getConnection();
         String sql = "select * from user where id=?";
         statement = connection.prepareStatement(sql);
         statement.setLong(1, id.longValue());
         rs = statement.executeQuery();
         if (!rs.next())
         {
            return null;
         }
         return read(rs);
      }
      catch (SQLException e)
      {
         throw new RuntimeException(e);
      }
      finally
      {
         close(rs, statement, connection);
      }
   }
   
   public User findByUsername(String username)
   {
      ResultSet rs = null;
      PreparedStatement statement = null;
      Connection connection = null;
      try
      {
         connection = getConnection();
         String sql = "select * from user where username=?";
         statement = connection.prepareStatement(sql);
         statement.setString(1, username);
         rs = statement.executeQuery();
         if (!rs.next())
         {
            return null;
         }
         return read(rs);
      }
      catch (SQLException e)
      {
         throw new RuntimeException(e);
      }
      finally
      {
         close(rs, statement, connection);
      }
   }
   
   public List<User> findAll() 
   {
      LinkedList<User> users = new LinkedList<User>();
      ResultSet rs = null;
      PreparedStatement statement = null;
      Connection connection = null;
      try
      {
         connection = getConnection();
         String sql = "select * from user order by id";
         statement = connection.prepareStatement(sql);
         rs = statement.executeQuery();
         while (rs.next())
         {
            User user = read(rs);
            users.add(user);
         }
         return users;
      }
      catch (SQLException e)
      {
         throw new RuntimeException(e);
      }
      finally
      {
         close(rs, statement, connection);
      }
   }

   public void update(User user)
   {
      PreparedStatement statement = null;
      Connection connection = null;
      try
      {
         connection = getConnection();
         String sql = "update user set " + "password=? where id=?";
         statement = connection.prepareStatement(sql);
         statement.setString(1, user.getPassword());
         statement.setLong(2, user.getId().longValue());
         statement.executeUpdate();
      } catch (SQLException e)
      {
         throw new RuntimeException(e);
      } finally
      {
         close(statement, connection);
      }
   }
   
   public void create(User user)
   {
      Long id = getUniqueId();
      user.setId(id);
      PreparedStatement statement = null;
      Connection connection = null;
      try
      {
         connection = getConnection();
         String sql = "insert into user " + "(id, username, password) "

               + "values (?, ?, ?)";
         statement = connection.prepareStatement(sql);
         statement.setLong(1, id.longValue());
         statement.setString(2, user.getUsername());
         statement.setString(3, user.getPassword());
         statement.executeUpdate();
      } catch (SQLException e)
      {
         throw new RuntimeException(e);
      } finally
      {
         close(statement, connection);
      }
   }
   
   public void delete(User user)
   {
      PreparedStatement statement = null;
      Connection connection = null;
      try
      {
         connection = getConnection();
         String sql = "delete from user where id=?";
         statement = connection.prepareStatement(sql);
         Long id = user.getId();
         statement.setLong(1, id.longValue());
         statement.executeUpdate();
      } catch (SQLException e)
      {
         throw new RuntimeException(e);
      } finally
      {
         close(statement, connection);
      }
   }
}

The above implementation of the user DAO enables management of user accounts similar to the management of NewsItems. However, for the purpose of developing login and logout functionality, we only need the method findByUserName.

The User Database

The following SQL command creates a table called user that can hold instances of the user class. You should add this to the cdreatedb.sql script in the publisher project.

create table user
(
   id integer primary key,
   username varchar(255) unique,
   password varchar(255)
);

In order to get some user accounts for testing, add a few insert commands to the insertdb.sql script. The following is an example.

insert into user (id, username, password) values (4, 'admin', 'admin');

Modify the cleandb.sql script as well to delete the user table. Run the database scripts to rebuild the publisher database with user account information. Make sure that the ant build scripts run without error. Also, use the mysql command line client to verify that the database is recreated correctly.

back next

Copyright 2007-2009 David Turner and Jinseok Chae. All rights reserved.