// File: ProtectedPage.java
// Updated for new acad by Dr. Spiegel; last update Nov 10 2021

import java.io.*;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;
// Gone! import sun.misc.BASE64Decoder;

/** Example of password-protected pages handled directly
 * by servlets.
 *

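* Taken from Core Servlets and JavaServer Pages
* from Prentice Hall and Sun Microsystems Press,
* http://www.coreservlets.com/.
* © 2000 Marty Hall; may be freely used or adapted.
*
* Security notes (review):
* - HTTP Basic carries the password base64-encoded, not encrypted; serve this
*   only over TLS.
* - The attempt counter is stored in the HTTP session, so a client that starts a
*   new session (e.g. discards its cookie) gets a fresh budget. Treat it as a
*   courtesy limit, not a brute-force defence; that needs a server-side
*   per-account or per-source counter.
* - The password file holds plaintext passwords; see {@link #init}.
*/
public class ProtectedPage extends HttpServlet {
    /** Requests without valid credentials a session may make before it is refused. */
    private static final int MAX_ATTEMPTS = 3;
    /** Session attribute under which the attempt counter is kept. */
    private static final String ASK_COUNT = "askCount";

    /** user -&gt; plaintext password, loaded once in {@link #init}. */
    private Properties passwords;
    /** Location (URL) of the password file, from the "passwordFile" init parameter. */
    private String passwordFile;
    /** Emitted verbatim at the start of every page by {@link #headWithTitle}; empty here. */
    public static final String DOCTYPE = "";

    /**
     * Loads the password table from the URL named by the {@code passwordFile}
     * init parameter (declared for this servlet in web.xml, so it is deployment
     * configuration, not request input).
     *
     * @throws ServletException if the parameter is missing or the file cannot be
     *         read. Failing init is preferable to the original behaviour, which
     *         swallowed the error and left {@code passwords} null, so every later
     *         login died with a NullPointerException that was reported as a bad
     *         password.
     */
    @Override
    public void init(ServletConfig config) throws ServletException {
        super.init(config);
        passwordFile = config.getInitParameter("passwordFile");
        if (passwordFile == null) {
            throw new ServletException("init parameter 'passwordFile' is not set");
        }
        Properties table = new Properties();
        // try-with-resources: the original never closed the stream it opened.
        try (InputStream in = new URL(passwordFile).openStream()) {
            table.load(in);
        } catch (IOException ioe) {
            // Name the location only; never include the table's contents in an error.
            throw new ServletException("cannot load password file " + passwordFile, ioe);
        }
        passwords = table;
        // If passwordFile is a plain path on the local machine rather than a URL,
        // open it with a FileInputStream instead.
        // Never dump the table to the response for debugging (the original carried
        // a commented-out passwords.list(out) for that); it is the credential store.
    }

    /**
     * Returns the fixed page prologue for {@code title}.
     * No escaping is done, so pass only trusted, constant titles (the single
     * caller in this class does).
     */
    public static String headWithTitle(String title) {
        return (DOCTYPE + "\n" + "\n" + "" + title + "\n");
    }

    /**
     * Serves the protected page when the request carries a valid HTTP Basic
     * {@code Authorization} header; otherwise challenges with 401, or with a
     * plain refusal once the session has spent {@link #MAX_ATTEMPTS}.
     * Every request without valid credentials -- no header, a malformed header,
     * or a wrong password -- counts as one attempt.
     *
     * Differences from the original: credentials are checked even on a brand-new
     * session (the original answered 401 to the first request regardless of the
     * header), malformed headers no longer escape as a 500, and an exhausted
     * session is refused even if the password is right (the original still
     * accepted it, so its "3 strikes" message was only cosmetic).
     */
    @Override
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // The session exists only to carry the attempt counter. Creating one for
        // every anonymous request is cheap to abuse; acceptable for the tutorial.
        HttpSession session = request.getSession(true);
        // 5 s idle timeout, kept from the original as a testing aid; it also means
        // the counter resets after 5 s of silence.
        session.setMaxInactiveInterval(5);
        int attempts = attemptCount(session);

        response.setContentType("text/html");
        PrintWriter out = response.getWriter();

        if (attempts >= MAX_ATTEMPTS) {
            // Budget spent: refuse without evaluating the credentials at all.
            session.setAttribute(ASK_COUNT, attempts + 1);
            failMessage(response, out);
            return;
        }

        String[] credentials = parseBasicCredentials(request.getHeader("Authorization"));
        if (credentials != null && passwordMatches(credentials[0], credentials[1])) {
            writeWelcomePage(out);
            return;
        }

        // Absent, unusable or wrong credentials: spend one attempt and challenge again.
        session.setAttribute(ASK_COUNT, attempts + 1);
        askForPassword(response);
    }

    /** Reads the session's attempt counter; a fresh session (or a foreign value) counts as 0. */
    private static int attemptCount(HttpSession session) {
        Object stored = session.getAttribute(ASK_COUNT);
        return stored instanceof Integer ? (Integer) stored : 0;
    }

    /**
     * Extracts {user, password} from an HTTP Basic {@code Authorization} header.
     *
     * @return the two parts, or {@code null} when the header is absent, uses a
     *         scheme other than Basic, is not valid base64, or has no ':'
     *         separator. The original called substring(6), the decoder and
     *         indexOf/substring outside its try block, so each of those cases
     *         surfaced as a 500 instead of a 401.
     */
    private static String[] parseBasicCredentials(String authorization) {
        if (authorization == null) {
            return null;
        }
        String header = authorization.trim();
        if (header.length() < 6 || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(header.substring(6).trim());
        } catch (IllegalArgumentException notBase64) {
            return null;
        }
        // The original used the platform default charset here; UTF-8 is the
        // conventional choice for Basic credentials and is deterministic.
        String userInfo = new String(decoded, StandardCharsets.UTF_8);
        int colon = userInfo.indexOf(':');
        if (colon < 0) {
            return null;
        }
        return new String[] { userInfo.substring(0, colon), userInfo.substring(colon + 1) };
    }

    /**
     * Checks {@code password} against the table entry for {@code user}.
     * Uses {@link MessageDigest#isEqual} instead of {@code String.equals} so the
     * comparison time does not reveal how many leading characters matched; an
     * unknown user is compared against a dummy value so that path costs about
     * the same. The constant-time guarantee applies to equal-length inputs only,
     * so the password length itself can still be observed.
     */
    private boolean passwordMatches(String user, String password) {
        String expected = passwords.getProperty(user);
        byte[] submitted = password.getBytes(StandardCharsets.UTF_8);
        byte[] reference = (expected == null ? password : expected).getBytes(StandardCharsets.UTF_8);
        boolean equal = MessageDigest.isEqual(reference, submitted);
        return expected != null && equal;
    }

    /** Writes the page an authenticated user sees. */
    private static void writeWelcomePage(PrintWriter out) {
        String title = "Welcome to the Protected Page";
        // NOTE(review): the markup that originally surrounded the title did not
        // survive in this copy of the file; confirm against the upstream source.
        out.println(headWithTitle(title) + "\n"
                + title + "\n"
                + "Congratulations. You have accessed a\n"
                + "highly proprietary company document.\n"
                + "Shred or eat all hardcopies before\n"
                + "going to bed tonight.\n"
                + "");
    }

    /**
     * Sends a 401 with a Basic challenge so the browser prompts for credentials.
     * Basic auth is only as private as the transport underneath it.
     */
    private void askForPassword(HttpServletResponse response) {
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); // i.e. 401
        response.setHeader("WWW-Authenticate", "BASIC realm=\"privileged-few\"");
    }

    /** Refuses an exhausted session; status 200 so the body is shown rather than a browser error page. */
    private void failMessage(HttpServletResponse response, PrintWriter out) {
        response.setStatus(HttpServletResponse.SC_OK);
        out.println("Sorry, 3 strikes and you are out");
    }

    /** Handles POST exactly like GET. */
    @Override
    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        doGet(request, response);
    }
}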