Data handling question


jakeh
09-09-2004, 01:07 PM
I have an authentication method that gets login name and password and checks it against an XML file to see if it matches. This works fine and returns bad authentication if the login matches and the pass is wrong, but if the login doesn't exist it just sits there. Anyone have a suggestion?

<datapointer id="mypointer" xpath="authdata:/">
    <method name="findNode" args="login,pass">
        Debug.write( "Authenticating user... " + login );
        this.setAttribute( "login", login );
        this.setAttribute( "pass" , pass );
        return this.authenticator();
    </method>

    <method name="authenticator">
        // Walk the dataset from the current node, descending into children.
        do {
            if ( this.xpathQuery("@login") == this.login ) {
                Debug.write( "-------------- USER LOCATED" );
                debug.write("ROLE:" + this.xpathQuery("@role"));
                var myrole = this.xpathQuery("@role");
                var match = this.xpathQuery("@pass");
                if ( match == this.pass ) {
                    debug.write("Authenticated");
                    loginwindow.setVisible(false);
                    // Show the view that belongs to the user's role.
                    if ( myrole == "res" ) {
                        resstate.apply();
                    }
                    else { managementstate.apply(); }
                    // Reset the pointer to the dataset root.
                    this.setXpath("authdata:/");
                }
                else {
                    debug.write("Authentication Failed");
                    this.setXpath("authdata:/");
                }
                return this;
            }
            if ( this.selectChild() ) {
                this.authenticator();
            }
        } while( this.selectNext() );

        // Reached when no node matched the login; nothing is reported here.
        return null;
    </method>
</datapointer>

antun
09-09-2004, 01:29 PM
... but if the login doesn't exist it just sits there.

That makes sense. If the login doesn't exist, then the outermost if block will never be entered at all, and the do/while loop will continue until the end, whereupon nothing will happen.

I would set a "loginFound" flag variable to false just before the do/while loop, and set that variable to true at the start of the outermost if block. Then check if that loginFound variable is still false after the do/while loop, and perform your "invalid login" action at that point.

-Antun

PS I'm not sure if sending the usernames and passwords back to the client is the best way to go:
- It's a potential security problem.
- The more logins that you have, the larger the dataset that the client will deal with.

You might want to pass the username and password to a service that returns a simple <login value="OK" msg="" /> or <login value="bad" msg="Username not found" /> message.
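
The service suggested in the PS above, sketched as an added example in Node.js (not code from the thread or from the poster's project): the credential store stays on the server and the client only ever receives a verdict element. The account names, passwords, the role attribute on the response and the single failure message are assumptions of this example; it reports unknown logins and wrong passwords identically so the reply does not reveal which logins exist.

```javascript
const { scryptSync, randomBytes, timingSafeEqual } = require('node:crypto');

// Store a salted scrypt hash so the server never keeps plaintext passwords.
function hashPassword(pass, salt = randomBytes(16)) {
  return { salt, hash: scryptSync(pass, salt, 32) };
}

// Constructed sample accounts (hypothetical). "res" is the role name used in
// the thread's client code; "mgr" stands in for any management role.
const USERS = new Map([
  ['alice', { role: 'res', ...hashPassword('correct horse') }],
  ['bob', { role: 'mgr', ...hashPassword('battery staple') }],
]);

// Reference entry for unknown logins, so the same hashing work is done
// whether or not the account exists.
const DUMMY = hashPassword('placeholder');

const BAD = '<login value="bad" msg="Invalid login or password" />';

// Returns the XML sent back to the client: a verdict, never the credential list.
function authenticate(login, pass) {
  const user = USERS.get(login);
  const ref = user || DUMMY;
  const candidate = scryptSync(String(pass), ref.salt, 32);
  // Constant-time comparison; an unknown login can never succeed, even if
  // the supplied password happens to match the dummy entry.
  const ok = timingSafeEqual(candidate, ref.hash) && user !== undefined;
  // The role attribute is an assumption of this example, added so the client
  // can still choose between its "res" and management views.
  return ok ? `<login value="OK" msg="" role="${user.role}" />` : BAD;
}
```

The client then needs only one request and one attribute check, and the "login not found" case from the original question is handled by the same code path as a wrong password.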

jakeh
09-09-2004, 01:57 PM
Antun-

Thanks. Understood on the security and data size comments. This is just a proof of concept demonstration.