// // This program is distributed in the hope that it will be useful, // but WITHOUT ANY WARRANTY; without even the implied warranty of // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the // GNU General Public License for more details.
// // To obtain a copy of the GNU General Public License write to the Free // Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
package rob.servlets.addressbook ;
import java.io.* ;
import java.util.* ;
// This is the database class library
import java.sql.* ;
import javax.servlet.* ;
import javax.servlet.http.* ;
// This is supplied with the postgresql java class libraries.
// It duplicates the functionality of the unix crypt fuinction.
// I've used it here for encrypting passwords.
import org.postgresql.util.UnixCrypt ;
/**
* AddressBookServlet just tests out the capabilities of the servlet
* engine and the JDBC interface. It implements a simple address book that allows
* you to add, edit, delete and search for entries.
* * The SQL to create the necessary tables is at the end of the file.
*
* Created: Wed Aug 16 14:36:00 2000
*
* @author Robert Judd
* @version 1.0
* @since 1.0
* @see HttpServlet
*/
public class AddressBookServlet extends HttpServlet {
/**
* Loading of the database driver class is a bit of a kludge. We need this
* field to test if the class really was loaded. If a request is made and this
* is false, then an error page will be returned.
*/
protected boolean dbClassLoaded = false ;
/**
* The URL to access the database - needs the database type, "postgresql",
* the hostname, "random", the port (5432 is the default) and the
* database name "addressbook".
*/
protected String JDBC_URL = "jdbc:postgresql://random:5432/addressbook" ;
/**
* The name of a user who is allowed to read and write to the database
*/
protected String DB_USER = "rob" ;
/**
* The password to access the database.
*/
protected String DB_PASSWORD = "" ;
/**
* The name of the JDBC class that implements java.sql.Driver. This must
* be in the classpath of the servlet engine.
*/
protected String DB_CLASSNAME = "org.postgresql.Driver" ;
/**
* Initialize the servlet; this is called by the server before any of the
* other methods. The default values for the fields above may be altered
* by setting servlet parameters in the zone.properties file.
* * Once the parameters have been read the servlet attempts to load the * database driver class. If this fails (i.e. the class cannot be found) * then any requests to the servlet will return an error.
*
* @param config the ServletConfig object passed to the servlet
* by the server.
*/
public void init(ServletConfig config) throws ServletException {
// Always call super.init(config) first
super.init(config);
// Read the initial parameters
String param = null ;
if ((param = config.getInitParameter("JDBC_URL")) != null
&& !param.equals(""))
JDBC_URL = param ;
if ((param = config.getInitParameter("DB_USER")) != null
&& !param.equals(""))
DB_USER = param ;
if ((param = config.getInitParameter("DB_CLASSNAME")) != null
&& !param.equals(""))
DB_CLASSNAME = param ;
if ((param = config.getInitParameter("DB_PASSWORD")) != null)
DB_PASSWORD = param ;
// Initialize the database
try {
Class.forName(DB_CLASSNAME) ;
dbClassLoaded = true ;
} catch (ClassNotFoundException cnfe) {
dbClassLoaded = false ;
}
}
/**
* Process a GET request - this checks to see if the database
* driver class was loaded, returns an error if not, and then reads the
* action parameter to see what to do next. If there is no action parameter,
* then the login page is returned; if the action is recognised it is performed,
* otherwise an error is returned.
*
* @param req the HttpServletRequest object passed in by the
* server
* @param res the HttpServletResponse object passed in by the
* server
*
* @exception ServletException if anything goes wrong with the
* servlet/server communication
* @exception IOException if anything goes wrong with the io
* streams.
*/
public void doGet(HttpServletRequest req, HttpServletResponse res)
throws ServletException, IOException {
res.setContentType("text/html") ;
PrintWriter out = res.getWriter() ;
// Check that the driver class was loaded
if (!dbClassLoaded) {
error(out, "Unable to load database driver.") ;
return ;
}
// Delegate reading the request parameters to a separate method - this
// is to collect all that stuff in one place.
Properties p = getParameters(req) ;
String action = p.getProperty("action") ;
if (action == null || action.equals(""))
login(out) ;
else if (action.equals("Open"))
open(out, p) ;
else if (action.equals("Add"))
add(out, p) ;
else if (action.equals("Edit"))
edit(out, p) ;
else if (action.equals("Save"))
save(out, p) ;
else if (action.equals("Delete"))
delete(out, p) ;
else if (action.equals("Log Out"))
logout(out, p) ;
else if (action.equals("Search"))
search(out, p) ;
else
error(out, "Your command: "+action+" was not understood.") ;
}
/**
* Pass the request back to doGet.
*
* @param req The servlet request
* @param res The servlet response
* @exception ServletException if an error occurs
* @exception IOException if an error occurs
*/
public void doPost(HttpServletRequest req, HttpServletResponse res)
throws ServletException, IOException {
doGet(req, res) ;
}
/**
* This may be called by doGet or doPost to
* generate a Properties object with a list of name/value pairs
* from the parameters passed in with the ServletRequest object.
* The ServletRequest is used to get a list of parameter names,
* then their values put into the Properties object.
* * One of the reasons to put this in a separate method is so that if a * parameter has multiple values, then the values may be strung togther * easily.
*
* Once the parameters are saved a session is obtained (created if
* necessary) and also stored with the properties. Note the a
* Properties object is intended for name=value pairs
* where name and value are both Strings
* but it extends Hashtable so arbitrary pairs of
* Objects may in fact be stored there.
*
* @param req the HttpServletRequest object passed in by the
* server
*
* @return a Properties object representing the name/value pairs
* passed in as parameters
*/
protected Properties getParameters(HttpServletRequest req) {
Enumeration enum = req.getParameterNames() ;
Properties props = new Properties() ;
while (enum.hasMoreElements()) {
// This is the parameter name
String name = (String) enum.nextElement() ;
// These are the values for the parameter - there may be more than one
String[] values = req.getParameterValues(name) ;
StringBuffer value = new StringBuffer() ;
String sep = "" ;
// Store the values separated by commas - this is bad if any of the
// values contains a comma, be warned.
for (int i=0; iString value
*/
public void error(PrintWriter out, String msg) {
new ErrorPage(msg).write(out) ;
}
/**
* Return the login page - this is completely static.
*
* @param out a PrintWriter value
*/
public void login(PrintWriter out) {
// Nothing to do yet. Just return the page
new LoginPage().write(out) ;
if (out.checkError())
error(out, "There was an error returning the login page.") ;
}
/**
* Try to access the database with the user's id and password. Return the
* main address book page if success, otherwise return the error page. If
* we accessed the database successfully, then a cookie is created to note that
* we are logged in, and save the userid - this avoids writing it into the
* HTML page each time.
*
* All of the calls to the database are wrapped inside the methods
* executeQuery and executeUpdate for clarity.
*
* @param out a PrintWriter value
* @param params a Properties value containing the parameters
* from the servlet request in case the class needs them to help
* construct the HTML page.
*/
public void open(PrintWriter out, Properties params) {
// Get the userid (param "userid") and password (param "password")
// Look the user up in the DB
// if success, then return the initial page,
// else return and error message
// There must be a userid and password.
String userid = params.getProperty("userid") ;
String password = params.getProperty("password") ;
if (userid == null || userid.equals(""))
error(out, "Please specify a userid.") ;
else if (password == null)
error(out, "Please specify a password.") ;
else {
try {
// Send the SQL 'SELECT password FROM Users WHERE userid = userid'
// This will return nothing if the userid couldn't be found,
// and the encrypted password if the userid was valid
//
// The password from the request is checked against the encrypted
// one using the UnixCrypt class that comes with postgresql.
// There are many other ways to do encryption...
//
String[][] response = executeQuery
("SELECT password FROM Users WHERE userid = '"+userid+"'");
if (response == null || response.length == 0)
error(out, "No such user id.") ;
else if (!UnixCrypt.matches(response[0][0], password))
error(out, "Invalid user id/password.") ;
else { // We're in!!!
// Get the cookie and save the userid
HttpSession session = (HttpSession) params.get("HttpSession") ;
session.putValue("IsLoggedIn", Boolean.TRUE) ;
session.putValue("userid", userid) ;
new MainPage(userid, null).write(out) ;
}
} catch (SQLException sqle) {
// This means that there was some error accessing the database
error(out, sqle.getMessage()) ;
}
}
}
/**
* This is a list of the fields in the database so that we may refer to them
* later.
*/
public static final String[] fields = new String[] {
"name", "email", "address1", "address2", "city",
"state", "zipcode", "telephone"
} ;
/**
* A helper class that returns the userid from the cookie with the request.
*
* @param params a Properties value
* @return the userid, or null if it couldn't be found
*/
public String validate(Properties params) {
HttpSession session = (HttpSession) params.get("HttpSession") ;
String userid = null ;
if (session == null ||
!Boolean.TRUE.equals(session.getValue("IsLoggedIn")) ||
(userid = (String) session.getValue("userid")) == null)
return null ;
else
return userid ;
}
/**
* Insert an address into the database and return the main page with a
* message to say if we were successful or not. Minimal checks are done by the
* database to validate the address: the name must not be null, the email
* address must contain an '@' symbol and the userid(of the user adding the
* address)/email address combination must be unique.
*
* @param out a PrintWriter value
* @param params a Properties value
*/
public void add(PrintWriter out, Properties params) {
String userid = validate(params) ;
if (userid == null)
login(out) ;
else {
//
// Construct the SQL statement
//
// INSERT INTO Addresses ( userid, name, email, address1, address2,
// city, state, zipcode, telephone) VALUES ('userid', 'name', 'email',
// 'address1', 'address2', 'city', 'state', 'zipcode', 'telephone')
//
StringBuffer sql = new StringBuffer("INSERT INTO Addresses ( ") ;
sql.append("userid") ;
for (int i=0, max=fields.length; iPrintWriter value
* @param params a Properties value
*/
public void edit(PrintWriter out, Properties params) {
String userid = validate(params) ;
if (userid == null)
login(out) ;
else {
// Get the address information from the request
String[] info = new String[fields.length+2] ;
info[info.length-1] = userid ;
for (int i=0, max=fields.length; iProperties value
*/
public void save(PrintWriter out, Properties params) {
String userid = validate(params) ;
String addressid = params.getProperty("addressid", "") ;
if (userid == null)
login(out) ;
else if (addressid.equals(""))
error(out, "No address given.") ;
else {
// Construct the SQL
//
// UPDATE Addresses SET name = 'name', email = 'email',
// address1 = 'address1', address2 = 'address2', city = 'city',
// state = 'state', zipcode = 'zipcode', telephone = 'telephone'
// WHERE userid = 'userid' AND addressid = 'addressid'
//
StringBuffer sql = new StringBuffer("UPDATE Addresses SET ") ;
String sep = "" ;
for (int i=0, max=fields.length; iPrintWriter value
* @param params a Properties value
*/
public void delete(PrintWriter out, Properties params) {
String userid = validate(params) ;
String addressid = params.getProperty("addressid", "") ;
String msg = null ;
if (userid == null)
error(out, "No userid.") ;// login(out, params) ;
else if (addressid.equals(""))
error(out, "No address given.") ;
else {
try {
// Execute the SQL
//
// DELETE FROM Addresses WHERE userid = 'userid'
// AND addressid = 'addressid'
//
// and count how many rows were affected
int count = executeUpdate
("DELETE FROM Addresses WHERE userid = '"+userid+
"' AND addressid = '"+addressid+"' ") ;
if (count >= 1) msg = "Address deleted." ;
else msg = "No records match" ;
} catch (SQLException sqle) {
msg = sqle.getMessage() ;
}
new MainPage(userid, null, msg).write(out) ;
}
}
/**
* Logs out the user from the servlet. Since we don't store any database
* information between requests all that needs be done is invalidate the cookie.
*
* @param out a PrintWriter value
* @param params a Properties value
*/
public void logout(PrintWriter out, Properties params) {
HttpSession session = (HttpSession) params.get("HttpSession") ;
if (session != null) session.invalidate() ;
login(out) ;
}
/**
* Search for a string in the addresses and return all those that match.
* The field to search in, or all of them, may be specified.
*
* @param out a PrintWriter value
* @param params a Properties value
*/
public void search(PrintWriter out, Properties params) {
String userid = validate(params) ;
if (userid == null)
login(out) ;
else {
//
// Construct the SQL statement
//
// SELECT name, email, address1, address2, city, state, zipcode,
// telephone, addressid FROM Addresses WHERE userid = 'userid'
// [ AND (name ~* 'search_str' OR email ~* 'search_str' OR
// address1 ~* 'search_str' OR address2 ~* 'search_str' OR
// city ~* 'search_str' OR state ~* 'search_str' OR
// zipcode ~* 'search_str' OR telephone ~* 'search_str') |
// AND field ~* 'search_str' ]
//
StringBuffer sql =
new StringBuffer("SELECT ") ;
String sep = "" ;
for (int j=0, max=fields.length; jSQLException if anything went wrong.
*/
protected String[][] executeQuery(String sql) throws SQLException {
// Create a connection
Connection conn = DriverManager.getConnection(JDBC_URL,DB_USER,DB_PASSWORD);
// Create a statement - this is a placeholder for the sql to execute
Statement stmt = conn.createStatement() ;
// Execute the sql and get the 'Result Set' that is returned
ResultSet rows = stmt.executeQuery(sql) ;
log("Executed "+sql) ;
ArrayList response = new ArrayList() ;
// Get the number of columns in the response
int cols = rows.getMetaData().getColumnCount() ;
log("Col count "+cols) ;
// Loop through the rows saving the information
while (rows.next()) {
String[] record = new String[cols] ;
for (int i=0, max=record.length; i