
Consultation on implementing a university JSP login page based on department and management roles

Hey there! Let's tackle your two requirements for role-based login systems—first the core design concepts, then a concrete JSP implementation tailored to your university's department and role structure.

I. Core design ideas for a login page based on roles and management permissions

Before diving into code, let's lay out the foundational principles for any role-based login system:

  • Define Clear Role Boundaries: First map out exactly what each role (staff, HOD, principal) can access. For example, principals might have system-wide access, while HODs only manage their department, and staff have limited view/edit rights.
  • Secure Authentication Flow: The basic flow should be: user submits credentials → system verifies against stored data → valid credentials trigger a session with role/department attributes → redirect to role-specific dashboard.
  • Post-Login Permission Checks: Don’t stop at login—add filters to validate role permissions for every protected page. This prevents users from manually typing URLs to access restricted areas.

II. JSP login page implementation for a university scenario (verification by department + management role)

Let’s build this step-by-step, with code examples you can adapt for your project.

1. Database Table Design (Core Foundation)

First, create a users table to store user credentials, department, and role. Always hash passwords—never store plain text!

CREATE TABLE users (
    user_id INT PRIMARY KEY AUTO_INCREMENT,
    username VARCHAR(50) UNIQUE NOT NULL,
    password VARCHAR(255) NOT NULL, -- Store BCrypt-hashed passwords here
    department ENUM('CSE', 'ECE', 'MECH') NOT NULL,
    role ENUM('STAFF', 'HOD', 'PRINCIPAL') NOT NULL
);

Pro tip: Use BCrypt to hash passwords before inserting them into the database—it’s slow by design, making brute-force attacks much harder.
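As an added example (not part of the original answer), here is how rows for that table would be provisioned with BCrypt-hashed passwords, using the same org.mindrot.jbcrypt library the servlet below depends on. The JDBC URL, credentials and the three sample accounts are constructed placeholders.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import org.mindrot.jbcrypt.BCrypt;

// Added example: inserting users into the users table with BCrypt-hashed passwords.
// Connection details are placeholders; in production take them from a DataSource.
public class UserProvisioning {
    private static final String DB_URL = "jdbc:mysql://localhost:3306/university_db";
    private static final String DB_USER = "root";
    private static final String DB_PASS = "your_db_password";

    // Work factor 12: each hash takes a noticeable fraction of a second, which is
    // what slows down offline guessing if the table ever leaks.
    private static final int BCRYPT_COST = 12;

    // Hash the plain-text password; the random salt is embedded in the returned string
    public static String hashPassword(String plainPassword) {
        return BCrypt.hashpw(plainPassword, BCrypt.gensalt(BCRYPT_COST));
    }

    // Insert one user. The ENUM columns reject any department/role outside the table definition,
    // and department is NOT NULL, so even the principal must be given a department value.
    public static void createUser(Connection conn, String username, String plainPassword,
                                  String department, String role) throws SQLException {
        String sql = "INSERT INTO users (username, password, department, role) VALUES (?, ?, ?, ?)";
        try (PreparedStatement stmt = conn.prepareStatement(sql)) {
            stmt.setString(1, username);
            stmt.setString(2, hashPassword(plainPassword));
            stmt.setString(3, department);
            stmt.setString(4, role);
            stmt.executeUpdate();
        }
    }

    public static void main(String[] args) throws SQLException {
        try (Connection conn = DriverManager.getConnection(DB_URL, DB_USER, DB_PASS)) {
            // Constructed sample accounts for a first run; replace with real provisioning
            createUser(conn, "principal", "ChangeMe-Principal-1", "CSE", "PRINCIPAL");
            createUser(conn, "hod_cse", "ChangeMe-HOD-1", "CSE", "HOD");
            createUser(conn, "staff_ece", "ChangeMe-Staff-1", "ECE", "STAFF");
        }
        // Sanity check: a hash produced above verifies with checkpw, and a wrong password does not
        String h = hashPassword("ChangeMe-Staff-1");
        System.out.println("correct password verifies: " + BCrypt.checkpw("ChangeMe-Staff-1", h));
        System.out.println("wrong password verifies:   " + BCrypt.checkpw("wrong-password", h));
    }
}
```

Because gensalt produces a fresh salt per call, two users with the same password get different stored hashes, and checkpw reads the cost and salt back out of the stored string, so raising BCRYPT_COST later only affects newly hashed passwords.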

2. Frontend Login Form (login.jsp)

A simple, user-friendly login page that captures username and password, and displays error messages if authentication fails:

<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
    <title>University Staff Login Portal</title>
    <style>
        .login-box { max-width: 400px; margin: 60px auto; padding: 25px; border: 1px solid #e0e0e0; border-radius: 8px; box-shadow: 0 2px 5px rgba(0,0,0,0.1); }
        .form-group { margin-bottom: 18px; }
        label { display: block; margin-bottom: 6px; font-weight: 500; }
        input { width: 100%; padding: 10px; box-sizing: border-box; border: 1px solid #ddd; border-radius: 4px; }
        .login-btn { width: 100%; padding: 10px; background-color: #2196F3; color: white; border: none; border-radius: 4px; cursor: pointer; font-size: 16px; }
        .error-msg { color: #f44336; margin-bottom: 15px; text-align: center; }
    </style>
</head>
<body>
    <div class="login-box">
        <h2 style="text-align: center; margin-bottom: 25px;">University Login</h2>
        <% if(request.getAttribute("errorMsg") != null) { %>
            <div class="error-msg"><%= request.getAttribute("errorMsg") %></div>
        <% } %>
        <form action="LoginServlet" method="post">
            <div class="form-group">
                <label for="username">Username</label>
                <input type="text" id="username" name="username" required>
            </div>
            <div class="form-group">
                <label for="password">Password</label>
                <input type="password" id="password" name="password" required>
            </div>
            <button class="login-btn" type="submit">Sign In</button>
        </form>
    </div>
</body>
</html>

3. Backend Authentication Servlet (LoginServlet.java)

This servlet handles the login request, verifies credentials, and sets up the user session with role and department attributes:

import java.io.IOException;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.mindrot.jbcrypt.BCrypt;

@WebServlet("/LoginServlet")
public class LoginServlet extends HttpServlet {
    private static final long serialVersionUID = 1L;
    // Database config (use a datasource in production instead of hardcoding)
    private static final String DB_URL = "jdbc:mysql://localhost:3306/university_db";
    private static final String DB_USER = "root";
    private static final String DB_PASS = "your_db_password";

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String username = request.getParameter("username");
        String password = request.getParameter("password");

        // Reject missing fields up front; BCrypt.checkpw throws on a null password
        if (username == null || username.isEmpty() || password == null || password.isEmpty()) {
            failLogin(request, response, "Invalid username or password");
            return;
        }

        String query = "SELECT password, department, role FROM users WHERE username = ?";
        // try-with-resources closes the statement and result set as well as the connection
        try (Connection conn = DriverManager.getConnection(DB_URL, DB_USER, DB_PASS);
             PreparedStatement stmt = conn.prepareStatement(query)) {
            stmt.setString(1, username);
            try (ResultSet rs = stmt.executeQuery()) {
                // Verify password against stored BCrypt hash
                if (rs.next() && BCrypt.checkpw(password, rs.getString("password"))) {
                    String department = rs.getString("department");
                    String role = rs.getString("role");

                    // Discard any pre-login session so a session id fixed before login cannot be reused
                    HttpSession old = request.getSession(false);
                    if (old != null) {
                        old.invalidate();
                    }
                    HttpSession session = request.getSession(true);
                    session.setAttribute("username", username);
                    session.setAttribute("department", department);
                    session.setAttribute("role", role);

                    // Redirect to role-specific dashboard
                    String contextPath = request.getContextPath();
                    switch (role) {
                        case "PRINCIPAL":
                            response.sendRedirect(contextPath + "/principalDashboard.jsp");
                            break;
                        case "HOD":
                            response.sendRedirect(contextPath + "/hodDashboard.jsp");
                            break;
                        case "STAFF":
                            response.sendRedirect(contextPath + "/staffDashboard.jsp");
                            break;
                        default:
                            // Unknown role value in the database: do not leave the user logged in
                            session.invalidate();
                            failLogin(request, response, "Login failed due to a system error");
                    }
                } else {
                    // Same message for unknown user and wrong password, so the response
                    // does not reveal which usernames exist
                    failLogin(request, response, "Invalid username or password");
                }
            }
        } catch (Exception e) {
            // Log server-side only; the user sees a generic message
            log("Login error for user " + username, e);
            failLogin(request, response, "Login failed due to a system error");
        }
    }

    // Show the login page again with an error message
    private void failLogin(HttpServletRequest request, HttpServletResponse response, String message)
            throws ServletException, IOException {
        request.setAttribute("errorMsg", message);
        request.getRequestDispatcher("login.jsp").forward(request, response);
    }
}

Note: Add the BCrypt dependency to your project (e.g., for Maven, include the jbcrypt artifact in your pom.xml).

4. Permission Filter (Prevent Unauthorized Access)

Create a filter to block unauthenticated users and restrict access to role-specific pages:

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebFilter("/*")
public class AuthFilter implements Filter {
    @Override
    public void init(FilterConfig fConfig) throws ServletException {}

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        // Path inside the web application, without context path or query string
        String path = req.getServletPath();
        String contextPath = req.getContextPath();

        // Allow public access to the login page, the login servlet itself (otherwise the POST
        // from the form is bounced back to login.jsp) and static resources. Match whole path
        // prefixes rather than contains(), which any URL containing "css/" would satisfy.
        if (path.equals("/login.jsp") || path.equals("/LoginServlet")
                || path.startsWith("/css/") || path.startsWith("/js/")) {
            chain.doFilter(request, response);
            return;
        }

        HttpSession session = req.getSession(false);
        // Check if user is logged in
        if (session == null || session.getAttribute("role") == null) {
            res.sendRedirect(contextPath + "/login.jsp");
            return;
        }

        // Restrict dashboard access to specific roles
        String role = (String) session.getAttribute("role");
        if (path.equals("/principalDashboard.jsp") && !"PRINCIPAL".equals(role)) {
            res.sendRedirect(contextPath + "/unauthorized.jsp");
            return;
        }
        if (path.equals("/hodDashboard.jsp") && !"HOD".equals(role)) {
            res.sendRedirect(contextPath + "/unauthorized.jsp");
            return;
        }
        // Department scoping is not decided here: pages and queries must take the department
        // from the session attribute set at login, never from a request parameter.

        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {}
}
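The filter above hard-codes one if-statement per page, and the design principles in part I ask for a permission check on every protected page plus department boundaries for HODs and staff. As an added example (not code from the original answer), the policy below is the table-driven form of the same checks: exact-page rules for the three roles on this page, default deny for unlisted paths, and a department-scoped rule for a hypothetical /dept/<CODE>/... URL layout that the page does not define. It is plain Java with a main, so it runs without a servlet container; a filter would call isAllowed with the role and department read from the session.

```java
import java.util.EnumSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example: a declarative access policy for the STAFF / HOD / PRINCIPAL roles.
// The per-department URL layout (/dept/<CODE>/...) is an assumption for illustration.
public class AccessPolicy {
    public enum Role { STAFF, HOD, PRINCIPAL }

    // Exact-path rules: which roles may open each page. Unlisted paths are denied (default deny).
    private static final Map<String, Set<Role>> PAGE_RULES = new LinkedHashMap<>();
    static {
        PAGE_RULES.put("/principalDashboard.jsp", EnumSet.of(Role.PRINCIPAL));
        PAGE_RULES.put("/hodDashboard.jsp", EnumSet.of(Role.HOD));
        // The page's filter leaves staffDashboard.jsp open to every logged-in role
        PAGE_RULES.put("/staffDashboard.jsp", EnumSet.allOf(Role.class));
        PAGE_RULES.put("/unauthorized.jsp", EnumSet.allOf(Role.class));
    }

    // Department-scoped resources, e.g. /dept/CSE/reports (assumed layout)
    private static final Pattern DEPT_PATH = Pattern.compile("^/dept/([A-Z]+)/.*");

    // Decide whether a logged-in user may access path.
    // role and userDepartment must come from the session set at login, not from the request.
    public static boolean isAllowed(String path, Role role, String userDepartment) {
        Matcher m = DEPT_PATH.matcher(path);
        if (m.matches()) {
            String targetDept = m.group(1);
            // Principal sees every department; HOD and staff only their own
            return role == Role.PRINCIPAL || targetDept.equals(userDepartment);
        }
        Set<Role> allowed = PAGE_RULES.get(path);
        return allowed != null && allowed.contains(role);
    }

    public static void main(String[] args) {
        // Constructed checks showing the decisions a filter built on this policy would make
        System.out.println("HOD opening own dashboard:           " + isAllowed("/hodDashboard.jsp", Role.HOD, "CSE"));
        System.out.println("STAFF opening HOD dashboard:         " + isAllowed("/hodDashboard.jsp", Role.STAFF, "CSE"));
        System.out.println("CSE HOD opening ECE reports:         " + isAllowed("/dept/ECE/reports", Role.HOD, "CSE"));
        System.out.println("PRINCIPAL opening ECE reports:       " + isAllowed("/dept/ECE/reports", Role.PRINCIPAL, "CSE"));
        System.out.println("PRINCIPAL opening an unlisted page:  " + isAllowed("/admin/unlisted.jsp", Role.PRINCIPAL, "CSE"));
    }
}
```

The point of the table is the default-deny branch: a page added later without a rule is blocked until someone decides who may see it, whereas the if-chain in the filter silently lets every logged-in user through to any page it does not name.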

5. Role-Specific Dashboard Example (hodDashboard.jsp)

A sample dashboard for HODs that displays their department and role. It uses the JSTL core taglib so that the session values are HTML-escaped on output rather than written raw with <%= %>:

<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<html>
<head>
    <title>HOD Dashboard</title>
</head>
<body>
    <div style="margin: 30px;">
        <%-- c:out escapes HTML, so a username containing markup is shown as text, not rendered --%>
        <h1>Welcome, <c:out value="${sessionScope.username}"/>!</h1>
        <p>Role: Head of Department (<c:out value="${sessionScope.department}"/>)</p>
        <p>You can manage department staff, review academic reports, and approve requests here.</p>
        <a href="LogoutServlet">Logout</a>
    </div>
</body>
</html>

The question is sourced from Stack Exchange; asked by Pankaj 4 U.
