Authentication & Session Flow
Overview
AncoraERP uses a multi-tenant login: one Tomcat instance serves many companies, each with its own isolated PostgreSQL database. A user first identifies their company by CUI (Cod Unic de Identificare, the Romanian VAT/tax ID), which is mapped to that company's database, and then authenticates with a username (`user`) and password (`parola`) stored in that database.
Login Flow
```mermaid
sequenceDiagram
participant B as Browser
participant IDX as index.jsp
participant PUB as public DB
participant CHK as checkuser.jsp
participant CO as company DB (maxx)
participant S as Tomcat Session
B->>IDX: GET /ancoraerp/index.jsp
IDX->>PUB: SELECT bazadate, denumire FROM unitati WHERE inactiv='N' AND codjudet=9 AND bazadate IN (cookie remembered list)
PUB-->>IDX: list of remembered companies
IDX-->>B: HTML login form (company picker + credentials)
B->>CHK: POST checkuser.jsp {user, parola, cod=CUI, unitate, lista_db}
alt First time — CUI provided
CHK->>PUB: SELECT bazadate FROM unitati WHERE UPPER(cod)=UPPER(CUI)
PUB-->>CHK: bazadate = 'maxx'
else Already known (from browser cookie)
Note over CHK: use unitate param directly
end
CHK->>CO: SELECT * FROM utilizatori WHERE user=? AND parola=MD5(?)
CO-->>CHK: user record (id, drepturi, gestiunecrt, email...)
alt Valid credentials
CHK->>S: setAttribute(utilizator, database='maxx', idreprezentanta, drepturi, unitatecrt)
CHK-->>B: Set-Cookie: ancoraerp_lista_db_login2=...<br/>302 → checkcursvalutar.jsp → start.do
else Invalid credentials
CHK->>CO: UPDATE utilizatori SET nr_incercari_esuate = nr+1
Note over CHK: ≥3 failures = account locked
CHK-->>B: 302 → index.jsp?eroare=Credentiale incorecte
end
```

Two things worth noting when reading the diagram. Passwords are compared as unsalted MD5 (`parola=MD5(?)`), so a leaked `utilizatori` table can be brute-forced offline quickly. The failed-attempt counter (`nr_incercari_esuate`) is a column of the tenant's own `utilizatori` table, so the ≥3 lockout is per user per company, and a request that names a company whose database has no such user row has nothing to increment.
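The flow above, as an added runnable model (not code from AncoraERP): the `public` and `maxx` PostgreSQL databases are stood in for by in-memory SQLite databases with constructed rows, the Tomcat session by a dict and `Set-Cookie` by a string. Three details the page does not state are assumptions here and marked as such in the code: `idreprezentanta` is taken from the user row, the lock is enforced by reading the counter before the credential query, and a successful login resets the counter. The cookie separator is taken to be the literal token `COMMA`.

```python
"""Model of the AncoraERP index.jsp -> checkuser.jsp login flow (added example,
not project code). SQLite stands in for PostgreSQL; all rows are constructed."""
import hashlib
import sqlite3

COOKIE_SEP = "COMMA"     # assumption: literal separator token inside ancoraerp_lista_db_login2
LOCK_THRESHOLD = 3       # page: >= 3 failed attempts locks the account
LOGIN_ERROR = "index.jsp?eroare=Credentiale incorecte"


def md5_hex(text: str) -> str:
    """Mirror of PostgreSQL MD5(): lowercase hex of the raw password.
    Unsalted MD5 is a weak password hash; it is kept because the page documents it."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_public_db() -> sqlite3.Connection:
    """Directory database 'public' with one company row (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE unitati (bazadate, denumire, cod, localitate, "
               "inactiv, isbackup, codjudet, isblocare_neplata)")
    db.execute("INSERT INTO unitati VALUES "
               "('maxx', 'Maxx Computers SRL', '12345678', 'Iasi', 'N', 'D', 9, 'N')")
    return db


def build_company_db() -> sqlite3.Connection:
    """Tenant database 'maxx' with its utilizatori table (constructed data).
    Assumption: idreprezentanta is a column of the user row."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE utilizatori (id, user, parola, drepturi, gestiunecrt, "
               "email, idreprezentanta, nr_incercari_esuate)")
    db.execute("INSERT INTO utilizatori VALUES (1, 'ion.popescu', ?, '11111000', "
               "'DEP1', 'ion@example.invalid', '1', 0)", (md5_hex("parola123"),))
    return db


def resolve_tenant(public, form):
    """First visit: the CUI in `cod` is mapped to a database name via unitati.
    Returning visit: the browser already sends the database name in `unitate`."""
    if form.get("cod"):
        row = public.execute("SELECT bazadate FROM unitati WHERE UPPER(cod)=UPPER(?)",
                             (form["cod"],)).fetchone()
        return row[0] if row else None
    return form.get("unitate")


def checkuser(public, tenants, form, cookie=""):
    """checkuser.jsp: returns the redirect target and, on success, session + cookie.
    `tenants` maps bazadate -> connection, standing in for the per-tenant pool."""
    bazadate = resolve_tenant(public, form)
    company = tenants.get(bazadate)
    if company is None:
        # Unknown CUI / database: the page does not show this path; treated as a failed login.
        return {"redirect": LOGIN_ERROR, "reason": "unknown_company"}
    # Assumption: the lock is enforced by reading the counter before the credential
    # query; the page only shows the counter being incremented on failure.
    row = company.execute("SELECT nr_incercari_esuate FROM utilizatori WHERE user=?",
                          (form["user"],)).fetchone()
    if row and row[0] >= LOCK_THRESHOLD:
        return {"redirect": LOGIN_ERROR, "reason": "locked"}
    row = company.execute(
        "SELECT id, drepturi, gestiunecrt, email, idreprezentanta FROM utilizatori "
        "WHERE user=? AND parola=?", (form["user"], md5_hex(form["parola"]))).fetchone()
    if row is None:
        company.execute("UPDATE utilizatori SET nr_incercari_esuate = nr_incercari_esuate + 1 "
                        "WHERE user=?", (form["user"],))
        return {"redirect": LOGIN_ERROR, "reason": "bad_credentials"}
    # Assumption: a successful login resets the counter (the page does not say).
    company.execute("UPDATE utilizatori SET nr_incercari_esuate = 0 WHERE user=?",
                    (form["user"],))
    denumire = public.execute("SELECT denumire FROM unitati WHERE bazadate=?",
                              (bazadate,)).fetchone()[0]
    session = {"utilizator": form["user"], "database": bazadate,
               "idreprezentanta": row[4], "drepturi": row[1],
               "gestiunecrt": row[2], "unitatecrt": denumire}
    remembered = [d for d in cookie.split(COOKIE_SEP) if d]
    if bazadate not in remembered:
        remembered.append(bazadate)
    return {"redirect": "checkcursvalutar.jsp", "session": session,
            "cookie": COOKIE_SEP.join(remembered)}


if __name__ == "__main__":
    public, tenants = build_public_db(), {"maxx": build_company_db()}
    print(checkuser(public, tenants, {"user": "ion.popescu", "parola": "parola123",
                                      "cod": "12345678"}))
```

Running three wrong passwords and then the right one shows the lockout: the fourth call is refused before the credential query runs, because the counter in the tenant's `utilizatori` row has reached 3.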
Session Guard (lib/lib1.jsp)
Every JSP begins with `<%@ include file="lib/lib1.jsp" %>`, and that include is the security gate: it checks the session before any page content runs. Because the gate is an include rather than a servlet filter, a JSP that omits the include is not covered by it, so the include is the first thing to verify when a page is added.

```mermaid
graph TD
REQ["Every HTTP Request"] --> AUTH
AUTH{"session.getAttribute\n'utilizator' != null?"} -->|NO| REDIR["302 → index.jsp\n(login)"]
AUTH -->|YES| BLOCK
BLOCK{"isblocare_neplata == D?\n(payment blocked)"} -->|YES| REDIR2["302 → blocked.jsp"]
BLOCK -->|NO| ARCH
ARCH{"isarhivare == D?\n(archiving in progress)"} -->|YES| REDIR3["302 → archiving.jsp"]
ARCH -->|NO| OK["✓ Request proceeds\nto actual JSP content"]
style OK fill:#2d6a4f,color:#fff
style REDIR fill:#c0392b,color:#fff
style REDIR2 fill:#c0392b,color:#fff
style REDIR3 fill:#e67e22,color:#fff
```
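The gate's decision order, as an added Python model (not the JSP itself). `session` stands in for the Tomcat `HttpSession` and `unit` for the company's row in `unitati`; that `isarhivare` is a column of that row is an assumption, the page only names the flag. The `render` helper is hypothetical and exists only to make the include-based coverage explicit: a page without the include serves its content to anyone.

```python
"""Decision logic of the lib/lib1.jsp session guard (added model, not project code)."""


def lib1_guard(session: dict, unit: dict):
    """Return the redirect target the include would issue, or None when the
    request may proceed. Order matters: an unauthenticated request never
    reaches the tenant-state checks, and payment block wins over archiving."""
    if session.get("utilizator") is None:
        return "index.jsp"
    if unit.get("isblocare_neplata") == "D":
        return "blocked.jsp"
    if unit.get("isarhivare") == "D":      # assumption: flag lives on the unitati row
        return "archiving.jsp"
    return None


def render(jsp_name: str, includes_lib1: bool, session: dict, unit: dict) -> str:
    """Hypothetical dispatcher: only a JSP that starts with the include is gated."""
    if includes_lib1:
        target = lib1_guard(session, unit)
        if target is not None:
            return f"302 {target}"
    return f"200 {jsp_name}"


if __name__ == "__main__":
    anon, user = {}, {"utilizator": "ion.popescu", "database": "maxx"}
    ok_unit = {"isblocare_neplata": "N", "isarhivare": "N"}
    print(render("documente.jsp", True, anon, ok_unit))    # 302 index.jsp
    print(render("documente.jsp", True, user, ok_unit))    # 200 documente.jsp
```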
Multi-Tenant Database Model
```mermaid
graph TB
subgraph META["PostgreSQL: public (meta/directory database)"]
UNITATI["unitati table\n─────────────────────────\n bazadate 'maxx'\n denumire 'Maxx Computers SRL'\n cod '12345678' (CUI)\n localitate 'Iasi'\n inactiv 'N'\n isbackup 'D'\n codjudet 9\n isblocare_neplata 'N'"]
end
subgraph CO1["PostgreSQL: maxx (company 1)"]
T1["utilizatori (users)\ndocumente (invoices/docs)\nproduse (products)\nterti (customers/suppliers)\ncursvalutarbnr (exchange rates)\nflx_meniu_principal (menu)\n... 100+ more tables"]
end
subgraph CO2["PostgreSQL: maxx_suport (company 2)"]
T2["Support / configuration data"]
end
subgraph OTHER["Other clients on other servers..."]
CO3["other_company_db"]
end
UNITATI -->|bazadate field| CO1
UNITATI -->|bazadate field| CO2
style META fill:#1a5276,color:#fff
style CO1 fill:#1a5276,color:#fff
style CO2 fill:#1a5276,color:#fff
```
Cookie Mechanism
- Cookie name: `ancoraerp_lista_db_login2`
- Cookie value: maxx`COMMA`other_db`COMMA`... (database names joined by the token COMMA; a raw comma is not a valid character inside a cookie value)

The cookie remembers which company databases this browser has logged into before. On the next visit `index.jsp` shows a quick-pick list built from it, so the CUI does not need to be re-entered. It is purely a UX feature, not a security mechanism: picking a database from the list only selects which company's `utilizatori` table the username and password are verified against, and `checkuser.jsp` still requires valid credentials in that database.
Session Attributes Set On Login
| Attribute | Example Value | Purpose |
|---|---|---|
| utilizator | "ion.popescu" | Username |
| database | "maxx" | Which tenant DB to query |
| idreprezentanta | "1" | Company ID |
| drepturi | "11111000..." | Access rights bitmask |
| gestiunecrt | "DEP1" | Current default warehouse |
| unitatecrt | "Maxx SRL" | Company display name |
| ismobil | "N" | Mobile layout? |
| datainceput | "01.01.2026" | Default filter start date |
| datasfarsit | "31.12.2026" | Default filter end date |