Trying Out LDAP Modification


Writing a JSP to modify employee information is very similar to creating employee records (see Listing 15.6), although it saves a bit of time by having the form submit back to itself. On this page, the uid to modify is handed in as an argument (presumably from another page with a pull-down or fill-in-the-blank input field). The page checks to see if the employee requested exists; if not, it generates an error.

Listing 15.6 testLdapModify.jsp
<%@ page import="com.bfg.employee.Employee" %>
<%@ page import="org.apache.jasper.runtime.JspRuntimeLibrary" %>
<HEAD><TITLE>Modify employee</TITLE></HEAD><BODY>
<%!
// True when the string is neither null nor empty.
private boolean notNull(String str) {
    return ((str != null) && (str.length() > 0));
}
// Blank-if-null: lets the form show an empty field instead of "null".
private String bn (String val) {
    if (val == null) return "";
    return val;
}
%>
<%
// Look up the record named by the uid parameter; stop if it does not exist.
Employee emp = Employee.findEmployee(request.getParameter("uid"));
if (emp == null) {
    out.write("Employee Not Found!</BODY>");
    return;
}
if (request.getParameter("SUBMITTED") != null) {
    // Copies every request parameter that matches a bean property onto emp.
    JspRuntimeLibrary.introspect(emp, request);
    if (notNull(emp.getLastName()) &&
        notNull(emp.getFirstName()) &&
        notNull(emp.getTitle()) &&
        notNull(emp.getEmployeeNumber()) &&
        notNull(emp.getOrgUnit()) &&
        notNull(emp.getTelephoneNumber()) &&
        notNull(emp.getPassword())) {
        emp.setOrganization("bfg");
        emp.modifyEmployee();
        out.write("Modified employee " + emp.getUserID() + "!</BODY>");
        return;
    }
}
// Avoid a NullPointerException in the SELECT comparisons below.
if (emp.getOrgUnit() == null) {
    emp.setOrgUnit("");
}
%>
<H1><CENTER>Modify Employee</CENTER></H1>
<FORM ACTION="testLdapModify.jsp" METHOD="POST">
<INPUT TYPE="HIDDEN" NAME="SUBMITTED" VALUE="YES">
<INPUT TYPE="HIDDEN" NAME="uid" VALUE="<%= emp.getUserID() %>">
<TABLE WIDTH="75%" BORDER=1>
  <TR><TD>Last Name: </TD>
  <TD><INPUT TYPE="TEXT" NAME="lastName"
             VALUE="<%= bn(emp.getLastName()) %>"></TD></TR>
  <TR><TD>First Name: </TD>
  <TD><INPUT TYPE="TEXT" NAME="firstName"
             VALUE="<%= bn(emp.getFirstName()) %>"></TD></TR>
  <TR><TD>Title: </TD>
  <TD><INPUT TYPE="TEXT" NAME="title"
             VALUE="<%= bn(emp.getTitle()) %>"></TD></TR>
  <TR><TD>Emp Num: </TD>
  <TD><INPUT TYPE="TEXT" NAME="employeeNumber"
             VALUE="<%= bn(emp.getEmployeeNumber()) %>"></TD></TR>
  <TR><TD>Division: </TD>
  <TD><SELECT NAME="orgUnit">
    <OPTION VALUE="">Please Select
    <OPTION VALUE="admin"
     <%= emp.getOrgUnit().equals("admin")?"SELECTED":"" %>>
     Administrative
    <OPTION VALUE="sales"
     <%= emp.getOrgUnit().equals("sales")?"SELECTED":"" %>>
     Sales
    <OPTION VALUE="editorial"
     <%= emp.getOrgUnit().equals("editorial")?"SELECTED":"" %>>
     Editorial
    </SELECT>
  </TD></TR>
  <TR><TD>Telephone Number: </TD>
  <TD><INPUT TYPE="TEXT" NAME="telephoneNumber"
             VALUE="<%= bn(emp.getTelephoneNumber()) %>"></TD></TR>
  <TR><TD>Password</TD>
  <TD><INPUT TYPE="TEXT" NAME="password"
             VALUE="<%= bn(emp.getPassword()) %>"></TD></TR></TABLE>
  <CENTER><INPUT TYPE=SUBMIT VALUE="Modify User"></CENTER>
</FORM>
</BODY>

If the employee does exist and the form has already been submitted, the code fills in all the values from the form in the emp employee record. The conventional way to conditionally set all the placeholder variables to their bean counterparts is to place a jsp:setProperty inside a conditional piece of Java code, for example:

<% if (request.getParameter("SUBMITTED") != null) { %>
<jsp:setProperty name="emp" property="*"/>
<% } %>

A slightly less awkward-looking method is to use the JspRuntimeLibrary.introspect call. This is exactly what happens when you do a setProperty. I discovered this method by looking at the Java code that resulted from doing a setProperty in a JSP.

JspRuntimeLibrary is found in the org.apache.jasper.runtime package, and I'm not sure how safe I would feel using it in code that I wanted to be 100% portable: That package might not be available in all implementations.
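A portable alternative to the Jasper-internal call, shown here as an added example that is not from the book: it uses the standard java.beans.Introspector and copies only the fields this form renders, so a request parameter that happens to match some other setter on the bean is ignored. FormBinder, ALLOWED, and the Emp stand-in bean are assumptions made for the illustration; inside the JSP you would pass request.getParameterMap().

```java
import java.beans.BeanInfo;
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.lang.reflect.Method;
import java.util.Map;
import java.util.Set;

public class FormBinder {
    // The fields testLdapModify.jsp renders; nothing else may be set from the request.
    static final Set<String> ALLOWED = Set.of("lastName", "firstName", "title",
            "employeeNumber", "orgUnit", "telephoneNumber", "password");

    /** Copy allowlisted String parameters onto matching bean setters; returns the count set. */
    static int bind(Object bean, Map<String, String[]> params) throws Exception {
        BeanInfo info = Introspector.getBeanInfo(bean.getClass(), Object.class);
        int set = 0;
        for (PropertyDescriptor pd : info.getPropertyDescriptors()) {
            Method setter = pd.getWriteMethod();
            String[] values = params.get(pd.getName());
            if (setter == null || values == null || values.length == 0) continue;
            if (!ALLOWED.contains(pd.getName())) continue;       // ignore extra parameters
            if (pd.getPropertyType() != String.class) continue;  // this form has only text fields
            setter.invoke(bean, values[0]);
            set++;
        }
        return set;
    }

    // Constructed stand-in for com.bfg.employee.Employee (hypothetical subset of its properties).
    public static class Emp {
        private String title = "Slush Pile Reader", organization = "bfg";
        public String getTitle() { return title; }
        public void setTitle(String t) { title = t; }
        public String getOrganization() { return organization; }
        public void setOrganization(String o) { organization = o; }
    }

    public static void main(String[] args) throws Exception {
        Emp emp = new Emp();
        // Constructed request: one form field plus a parameter the form never sends.
        Map<String, String[]> params = Map.of(
                "title", new String[] {"Chief Editor"},
                "organization", new String[] {"other"});
        int n = bind(emp, params);
        System.out.println(n + " set; title=" + emp.getTitle()
                + ", organization=" + emp.getOrganization());
    }
}
```

The wildcard forms (property="*" and JspRuntimeLibrary.introspect) would have set both properties from the constructed request; the allowlisted binder sets only title.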

If you haven't submitted the form yet, or if the form isn't totally valid, you display the current values for the user (see Figure 15.10). You also can see that Al, like many new users, has used his wife's name as his password and is likely to get a call from the IT department if it runs a cracking program against the password file and learns this. Easily guessed passwords such as a spouse's name or birth dates are easy targets for hackers.

Figure 15.10. The employee modification screen.


NOTE

If you are a system administrator, something that I highly recommend you do regularly is to run a cracking program. I've found guess rates as high as 40% running the password-guessing crack program against my /etc/shadow password file on a UNIX system.


For a moment, imagine that on Al's first day, the chief editor and all the rest of the editorial staff accept an offer en masse to relocate to Books for Nerds. Suddenly Al finds himself upgraded from slush pile reader (the slush pile, by the way, is the stack of unsolicited manuscripts that appear in a publisher's mailbox) to chief editor. So, the appropriate change is made by the Human Resources department using the form that you just created and is applied to his record. The results are shown in Figure 15.11.

Figure 15.11. The big promotion.


Unable to believe his luck, Al checks via his LDAP browser (Al is an unusually technically savvy slush pile reader) and finds that, in fact, his record has been changed. (See Figure 15.12.)

Figure 15.12. The promoted employee seen from LBE.


MySQL and JSP Web Applications: Data-Driven Programming Using Tomcat and MySQL
ISBN: 0672323095
EAN: 2147483647
Year: 2002
Pages: 203
Authors: James Turner
