43 changes: 43 additions & 0 deletions src/main/java/taxi/controller/LoginController.java
@@ -0,0 +1,43 @@
package taxi.controller;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import taxi.exception.AuthenticationException;
import taxi.lib.Injector;
import taxi.model.Driver;
import taxi.service.AuthenticationService;

@WebServlet(urlPatterns = "/login")
public class LoginController extends HttpServlet {
private static final Injector injector = Injector.getInstance("taxi");
private AuthenticationService authenticationService =
(AuthenticationService) injector.getInstance(AuthenticationService.class);

@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp)
throws ServletException, IOException {
req.getRequestDispatcher("/WEB-INF/views/login.jsp").forward(req, resp);

}

@Override
protected void doPost(HttpServletRequest req, HttpServletResponse resp)
throws ServletException, IOException {
String login = req.getParameter("login");
String password = req.getParameter("password");
try {
Driver driver = authenticationService.login(login,password);
HttpSession session = req.getSession();
session.setAttribute("driver_id", driver.getId());
resp.sendRedirect("/index");
Checklist item:
If you use sendRedirect() method in your controllers, please pass request.getContextPath() + "/your-endpoint" as a parameter. Currently, the context path is empty, but if it is not, your code still should work.

Please recheck all occurrences

} catch (AuthenticationException e) {
req.setAttribute("errorMsg",e.getMessage());
req.getRequestDispatcher("/WEB-INF/views/login.jsp").forward(req,resp);
}
}
}
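Review bot: doPost stores `driver_id` in whatever session the browser already presented, so a session id that was fixed before authentication stays valid afterwards (session fixation). Rotate the id once `authenticationService.login` succeeds, for example `req.changeSessionId();` (Servlet 3.1+) before `session.setAttribute("driver_id", driver.getId());`, or invalidate the old session and create a new one. `login` and `password` are also passed on without a null check, so a POST that omits either parameter relies on the service to fail cleanly.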
18 changes: 18 additions & 0 deletions src/main/java/taxi/controller/LogoutController.java
@@ -0,0 +1,18 @@
package taxi.controller;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet(urlPatterns = "/logout")
public class LogoutController extends HttpServlet {
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp)
throws ServletException, IOException {
req.getSession().invalidate();
req.getRequestDispatcher("/WEB-INF/views/login.jsp").forward(req,resp);
After invalidating the session, you should redirect the user to the login page instead of forwarding. Forwarding keeps the original request URL in the browser address bar, which could lead to unexpected behavior if the user refreshes the page.

}
}
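Review bot: Logout is handled in doGet, so any third-party page that causes the browser to request `/logout` ends the driver's session without their intent; a state-changing action like this belongs in doPost behind the application's own form. `req.getSession().invalidate()` also creates a session just to destroy it when none exists; `HttpSession session = req.getSession(false); if (session != null) { session.invalidate(); }` avoids that.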
2 changes: 2 additions & 0 deletions src/main/java/taxi/controller/car/GetAllCarsController.java
Expand Up @@ -3,13 +3,15 @@
import java.io.IOException;
import java.util.List;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import taxi.lib.Injector;
import taxi.model.Car;
import taxi.service.CarService;

@WebServlet(urlPatterns = "/drivers/cars")
public class GetAllCarsController extends HttpServlet {
private static final Injector injector = Injector.getInstance("taxi");
private final CarService carService = (CarService) injector.getInstance(CarService.class);
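--- a/src/main/java/taxi/controller/car/GetMyCurrentCarController.java
+++ b/src/main/java/taxi/controller/car/GetMyCurrentCarController.java
@@ -0,0 +1,27 @@
+package taxi.controller.car;
+
+import java.io.IOException;
+import java.util.List;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+import taxi.lib.Injector;
+import taxi.model.Car;
+import taxi.service.CarService;
+
+public class GetMyCurrentCarController extends HttpServlet {
+private static Injector injector = Injector.getInstance("taxi");
+private final CarService carService = (CarService) injector.getInstance(CarService.class);
+
+@Override
+protected void doGet(HttpServletRequest req, HttpServletResponse resp)
+throws ServletException, IOException {
+HttpSession session = req.getSession();
+Long id = (Long) session.getAttribute("driver_id");
+List<Car> cars = carService.getAllByDriver(id);
+req.setAttribute("cars",cars);
+req.getRequestDispatcher("/WEB-INF/views/cars/all.jsp").forward(req,resp);
+}
+}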
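Review bot: `Long id = (Long) session.getAttribute("driver_id");` is passed to `carService.getAllByDriver(id)` with no null check, so this servlet is only correct when AuthenticationFilter always runs in front of it; the filter mapping is not visible in this change. A guard such as `if (id == null) { resp.sendRedirect(req.getContextPath() + "/login"); return; }` keeps the controller safe on its own. The class also has no `@WebServlet` annotation, unlike the other controllers in this change, so it is unreachable unless web.xml maps it, and `injector` is missing the `final` used in LoginController and GetAllCarsController.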
Expand Up @@ -24,7 +24,9 @@ public void doGet(HttpServletRequest req, HttpServletResponse resp)
public void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
String name = req.getParameter("name");
String licenseNumber = req.getParameter("license_number");
Driver driver = new Driver(name, licenseNumber);
String login = req.getParameter("login");
String password = req.getParameter("password");
Driver driver = new Driver(name, licenseNumber, login, password);
driverService.create(driver);
resp.sendRedirect(req.getContextPath() + "/drivers/add");
}
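Review bot: The `password` read here is carried as plain text all the way to storage: it goes into `new Driver(name, licenseNumber, login, password)`, is written by `statement.setString(4, driver.getPassword())` in DriverDaoImpl.create and update, and is compared with `equals` in AuthenticationServiceImpl.login. Hash it in the service layer with a salted, deliberately slow password hash (PBKDF2 through the JDK's `SecretKeyFactory`, or a bcrypt/Argon2 library) before `driverService.create(driver)` persists it, and verify against that hash at login. AuthenticationFilter lists `/drivers/add` as reachable without a session, so this is an unauthenticated write path: reject null or blank `login` and `password` before creating the driver, and refuse a duplicate `login` (a unique constraint on `drivers.login` is not visible in this change).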
6 changes: 5 additions & 1 deletion src/main/java/taxi/dao/CarDaoImpl.java
Expand Up @@ -188,7 +188,7 @@ private void deleteAllDrivers(Car car) {
}

private List<Driver> getAllDriversByCarId(Long carId) {
String query = "SELECT id, name, license_number "
String query = "SELECT id, name, license_number, login "
+ "FROM cars_drivers cd "
+ "JOIN drivers d ON cd.driver_id = d.id "
+ "WHERE car_id = ? AND is_deleted = false";
Expand All @@ -211,9 +211,13 @@ private Driver parseDriverFromResultSet(ResultSet resultSet) throws SQLException
Long driverId = resultSet.getObject("id", Long.class);
String name = resultSet.getString("name");
String licenseNumber = resultSet.getString("license_number");
String login = resultSet.getString("login");
String password = resultSet.getString("password");
You are trying to get the 'password' field from the result set, but 'password' field is not included in SQL query. You need to add 'password' in your SQL query.

Driver driver = new Driver();
driver.setId(driverId);
driver.setName(name);
driver.setLogin(login);
driver.setPassword(password);
driver.setLicenseNumber(licenseNumber);
return driver;
}
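Review bot: parseDriverFromResultSet now copies `password` into every Driver attached to a Car, which spreads credential data into car listings and into anything that logs or renders those objects. Drivers loaded through `getAllDriversByCarId` only need `id`, `name` and `license_number` (plus `login` if it is displayed), so this mapper is better off without `resultSet.getString("password")` and `driver.setPassword(password)`. Both functions are shown only as hunks; the rest of CarDaoImpl is outside the visible diff.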
2 changes: 2 additions & 0 deletions src/main/java/taxi/dao/DriverDao.java
@@ -1,6 +1,8 @@
package taxi.dao;

import java.util.Optional;
import taxi.model.Driver;

public interface DriverDao extends GenericDao<Driver> {
Optional<Driver> findByLogin(String login);
}
35 changes: 31 additions & 4 deletions src/main/java/taxi/dao/DriverDaoImpl.java
Expand Up @@ -17,13 +17,15 @@
public class DriverDaoImpl implements DriverDao {
@Override
public Driver create(Driver driver) {
String query = "INSERT INTO drivers (name, license_number) "
+ "VALUES (?, ?)";
String query = "INSERT INTO drivers (name, license_number, login, password) "
+ "VALUES (?, ?, ?, ?)";
try (Connection connection = ConnectionUtil.getConnection();
PreparedStatement statement = connection.prepareStatement(query,
Statement.RETURN_GENERATED_KEYS)) {
statement.setString(1, driver.getName());
statement.setString(2, driver.getLicenseNumber());
statement.setString(3, driver.getLogin());
statement.setString(4, driver.getPassword());
statement.executeUpdate();
ResultSet resultSet = statement.getGeneratedKeys();
if (resultSet.next()) {
Expand Down Expand Up @@ -71,14 +73,17 @@ public List<Driver> getAll() {
@Override
public Driver update(Driver driver) {
String query = "UPDATE drivers "
+ "SET name = ?, license_number = ? "
+ "SET name = ?, license_number = ?, "
+ "login = ?, password = ?"
+ "WHERE id = ? AND is_deleted = FALSE";
try (Connection connection = ConnectionUtil.getConnection();
PreparedStatement statement
= connection.prepareStatement(query)) {
statement.setString(1, driver.getName());
statement.setString(2, driver.getLicenseNumber());
statement.setLong(3, driver.getId());
statement.setString(3, driver.getLogin());
statement.setString(4, driver.getPassword());
statement.setLong(5, driver.getId());
statement.executeUpdate();
return driver;
} catch (SQLException e) {
Expand All @@ -98,14 +103,36 @@ public boolean delete(Long id) {
}
}

@Override
public Optional<Driver> findByLogin(String login) {
String query = "SELECT * FROM drivers WHERE login = ? AND is_deleted = FALSE";
try (Connection connection = ConnectionUtil.getConnection();
PreparedStatement statement = connection.prepareStatement(query)) {
statement.setString(1, login);
ResultSet resultSet = statement.executeQuery();
Driver driver = null;
if (resultSet.next()) {
driver = parseDriverFromResultSet(resultSet);
}
return Optional.ofNullable(driver);
} catch (SQLException e) {
throw new DataProcessingException("can`t get driver by login" + login, e);
}
}

private Driver parseDriverFromResultSet(ResultSet resultSet) throws SQLException {
Long id = resultSet.getObject("id", Long.class);
String name = resultSet.getString("name");
String licenseNumber = resultSet.getString("license_number");
String login = resultSet.getString("login");
String password = resultSet.getString("password");
Driver driver = new Driver();
driver.setId(id);
driver.setName(name);
driver.setLicenseNumber(licenseNumber);
driver.setLogin(login);
driver.setPassword(password);
return driver;

}
}
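Review bot: In update, the new fragment `+ "login = ?, password = ?"` is concatenated directly with `+ "WHERE id = ? ..."`, producing `password = ?WHERE id = ?`; whether that parses depends on the JDBC driver, so the fragment should end with a space: `+ "login = ?, password = ? "`. update also rewrites `login` and `password` on every call, so an edit form that does not submit a password would overwrite the stored one with null (the caller is not visible here); a separate credential-change method would avoid that. In findByLogin, `"can`t get driver by login" + login` lacks a separator before the value, and `SELECT *` can be replaced by the five columns parseDriverFromResultSet actually reads.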
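--- a/src/main/java/taxi/exception/AuthenticationException.java
+++ b/src/main/java/taxi/exception/AuthenticationException.java
@@ -0,0 +1,7 @@
+package taxi.exception;
+
+public class AuthenticationException extends Exception {
+public AuthenticationException(String message) {
+super(message);
+}
+}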
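--- a/src/main/java/taxi/filters/AuthenticationFilter.java
+++ b/src/main/java/taxi/filters/AuthenticationFilter.java
@@ -0,0 +1,47 @@
+package taxi.filters;
+
+import java.io.IOException;
+import java.util.HashSet;
+import java.util.Set;
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+
+public class AuthenticationFilter implements Filter {
+
+private Set<String> allowedUrls = new HashSet<>();
+
+@Override
+public void init(FilterConfig filterConfig) throws ServletException {
+allowedUrls.add("/login");
+allowedUrls.add("/drivers/add");
+}
+
+@Override
+public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse,
+FilterChain filterChain)
+throws IOException, ServletException {
+HttpServletRequest req = (HttpServletRequest) servletRequest;
+HttpServletResponse resp = (HttpServletResponse) servletResponse;
+HttpSession session = req.getSession();
+
+Long driverId = (Long) session.getAttribute("driver_id");
+
+if (driverId == null && allowedUrls.contains(req.getServletPath())) {
+filterChain.doFilter(req, resp);
+return;
+}
+
+if (driverId == null) {
+resp.sendRedirect("/login");
+return;
+}
+filterChain.doFilter(req,resp);
+}
+}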
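Review bot: doFilter calls `req.getSession()`, which allocates a server-side session for every anonymous request before any credentials are checked; `HttpSession session = req.getSession(false);` with a null session treated as unauthenticated avoids that. The allow-list is matched exactly against `req.getServletPath()`, so any static resources that login.jsp depends on (none are visible here) would be redirected to the login page as well. `allowedUrls` reads more clearly as a `private static final` set built once, for example with `Set.of("/login", "/drivers/add")` on Java 9+, and the two `driverId == null` branches can be merged into one.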
51 changes: 47 additions & 4 deletions src/main/java/taxi/model/Driver.java
Expand Up @@ -6,6 +6,8 @@ public class Driver {
private Long id;
private String name;
private String licenseNumber;
private String login;
private String password;

public Driver() {
}
Expand All @@ -15,6 +17,19 @@ public Driver(String name, String licenseNumber) {
this.licenseNumber = licenseNumber;
}

public Driver(Long id, String login, String password) {
this.id = id;
this.login = login;
this.password = password;
}

public Driver(String name, String licenseNumber, String login, String password) {
this.name = name;
this.licenseNumber = licenseNumber;
this.login = login;
this.password = password;
}

public Long getId() {
return id;
}
Expand All @@ -39,6 +54,22 @@ public void setLicenseNumber(String licenseNumber) {
this.licenseNumber = licenseNumber;
}

public String getLogin() {
return login;
}

public void setLogin(String login) {
this.login = login;
}

public String getPassword() {
return password;
}

public void setPassword(String password) {
this.password = password;
}

@Override
public boolean equals(Object o) {
if (this == o) {
Expand All @@ -48,13 +79,25 @@ public boolean equals(Object o) {
return false;
}
Driver driver = (Driver) o;
return Objects.equals(id, driver.id)
&& Objects.equals(name, driver.name)
&& Objects.equals(licenseNumber, driver.licenseNumber);
return Objects.equals(id, driver.id) && Objects.equals(name, driver.name)
&& Objects.equals(licenseNumber, driver.licenseNumber)
&& Objects.equals(login, driver.login)
&& Objects.equals(password, driver.password);
}

@Override
public int hashCode() {
return Objects.hash(id, name, licenseNumber);
return Objects.hash(id, name, licenseNumber, login, password);
Do not include the password in the equals/hashCode methods. Later on the password will not be stored as plain text; it will be hashed, and this may cause unpredictable behaviour.

}

@Override
public String toString() {
return "Driver{"
+ "id=" + id
+ ", name='" + name + '\''
+ ", licenseNumber='" + licenseNumber + '\''
+ ", login='" + login + '\''
+ ", password='" + password + '\''
Never include sensitive data like user's password in the toString() method. This can lead to unintended exposure of sensitive data.

+ '}';
}
}
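--- a/src/main/java/taxi/service/AuthenticationService.java
+++ b/src/main/java/taxi/service/AuthenticationService.java
@@ -0,0 +1,8 @@
+package taxi.service;
+
+import taxi.exception.AuthenticationException;
+import taxi.model.Driver;
+
+public interface AuthenticationService {
+Driver login(String login, String password) throws AuthenticationException;
+}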
23 changes: 23 additions & 0 deletions src/main/java/taxi/service/AuthenticationServiceImpl.java
@@ -0,0 +1,23 @@
package taxi.service;

import java.util.Optional;
import taxi.exception.AuthenticationException;
import taxi.lib.Inject;
import taxi.lib.Service;
import taxi.model.Driver;

@Service
public class AuthenticationServiceImpl implements AuthenticationService {

@Inject
private DriverService driverService;

@Override
public Driver login(String login, String password) throws AuthenticationException {
Optional<Driver> driver = Optional.ofNullable(driverService.findByLogin(login));
The 'Optional.ofNullable' call is unnecessary here because the 'driverService.findByLogin(login)' method should already return an Optional. Instead of using 'Optional.ofNullable', you should expect 'driverService.findByLogin(login)' to return an Optional.

if (driver.isPresent() && driver.get().getPassword().equals(password)) {
return driver.get();
}
throw new AuthenticationException("login or password was incorrect");
}
}
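Review bot: `driver.get().getPassword().equals(password)` throws a NullPointerException when the stored password is null, which is likely for driver rows created before the `login` and `password` columns existed (the migration is not visible here), so a login attempt for such an account surfaces as a server error instead of an AuthenticationException. Putting the submitted value on the left and rejecting null input closes that: `if (password != null && driver.isPresent() && password.equals(driver.get().getPassword()))`. Once the stored value is a hash, compare the derived bytes with `MessageDigest.isEqual` rather than `String.equals`. The single message for both failure cases is good, since it does not reveal which logins exist.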