Using Serialize to hold login info

 
Greenhorn
Posts: 8
Hi there, I am attempting to write a simple login system in Java. I have taken the approach of serializing the login data of the user (username and password), which seems to work just fine. I am then trying to deserialize the username and password in order to check them against the username and password entered in a JTextField/JPasswordField in my login GUI class. This does not seem to work; please see my code below. I welcome any advice on the approach I am taking for this login system, as I'm not sure if I am going about this in the right way at all.

Thanks in advance,
Alex

 
Java Cowboy
Posts: 16084
Welcome to JavaRanch.

Please UseCodeTags when you post source code.

About your code: You are writing four objects: sName, sUName, correctPassword and position, in lines 31-34. But in the reading code, you read only correctPassword (line 57). Why are you not reading the other objects? It won't work if you read something different from what you wrote - you need to read the same objects in the same order as you wrote them.
 
Author and all-around good cowpoke
Posts: 13078
Also note that your file writing and reading code, such as:



will always use the "current directory" - not a good idea.

Instead use an absolute file path.

Bill
 
Alexander Cowie
Greenhorn
Posts: 8
Thanks guys, that has solved my problem.
And apologies for the sloppy post.
 
Marshal
Posts: 79179
Do you really want to serialise a password? Anyone gaining access to the serialised object can easily extract the password from it.
 
Greenhorn
Posts: 29
Hi Campbell,

I had a query similar to the point you raised: can anyone gain access to the data inside a serialized object if he does not have the class of the serialized object?

What other security concerns relate to sensitive data stored in a serialized object (assuming that the hacker does not have the class file of the serialized object)?

Thanks in advance.
 
Jesper de Jong
Java Cowboy
Posts: 16084

Jatin Dhingra wrote: I had a query similar to the point you raised: can anyone gain access to the data inside a serialized object if he does not have the class of the serialized object?

Yes! You can look at the contents of the serialized file with a hex editor and you will most likely see the password in plain text. Serialized files are not encrypted or anything like that; don't rely on the fact that serialized files are binary files that you can't read with, for example, a text editor (security through obscurity is not real security). In principle, everybody can read anything in your serialized files, even if they don't have the matching Java classes.
 
Sheriff
Posts: 22783
It's not exactly plain text, but it comes very close. Even worse, the serialization algorithm is not closed - you can look up how serialized data is built up. You can start by checking here, but there is a complete spec to be found here (and on the next pages).
 
Campbell Ritchie
Marshal
Posts: 79179

Jatin Dhingra wrote: . . . can anyone gain access to the data inside a serialized object if he does not have the class of the serialized object? . . .

I had already said "easily extract the password", and Rob and Jesper have given fuller explanations.
 
Jatin Dhingra
Greenhorn
Posts: 29
@Jesper: Thanks for your comment.

@Rob: Thanks again, and nice link!
 
Jatin Dhingra
Greenhorn
Posts: 29

Campbell Ritchie wrote:

Jatin Dhingra wrote: . . . can anyone gain access to the data inside a serialized object if he does not have the class of the serialized object? . . .

I had already said "easily extract the password", and Rob and Jesper have given fuller explanations.

Thanks Campbell, I was doubtful of what "gaining access to the serialized object" meant: whether access to the class and the serialized object, or only the serialized object. I have got my doubts cleared up now.
 
Campbell Ritchie
Marshal
Posts: 79179
377
Try opening a serialised object with a text editor, and you will see what I mean.
 
Alexander Cowie
Greenhorn
Posts: 8
Hi guys, I have decided to change the way in which the login info in my earlier post is stored. I have taken the approach of creating a SystemUser object that contains all of the relevant login info. I have managed to serialize the object, but I am having some trouble when trying to deserialize it again.
This is the code I'm using to serialize:


This is the code I'm using to deserialize:

I'm getting this error message: .ClassCastException: SystemUser cannot be cast to [C

Any advice on this will be appreciated.
Thanks in advance, Alex
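As an added example (not code from anyone in this thread), the following puts the two points raised above into one runnable file: a SystemUser whose serialized fields are a random salt and a PBKDF2 hash rather than the password itself, the hex-editor check from earlier in the thread done in code (the user name is visible in the serialized bytes, the password is not), and a read-back that casts readObject() to SystemUser, since casting it to char[] is what produces "cannot be cast to [C". Only the class name SystemUser comes from the post; the field names, the hash parameters and the sample credentials are assumptions.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Hypothetical user record: the password itself is never a field, only a salt and a PBKDF2 hash.
class SystemUser implements Serializable {
    private static final long serialVersionUID = 1L;
    private final String userName;
    private final byte[] salt;
    private final byte[] hash;

    SystemUser(String userName, char[] password) throws Exception {
        this.userName = userName;
        this.salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        this.hash = pbkdf2(password, salt);
        Arrays.fill(password, '\0'); // wipe the plaintext once it has been hashed
    }

    static byte[] pbkdf2(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    boolean checkPassword(char[] candidate) throws Exception {
        return MessageDigest.isEqual(hash, pbkdf2(candidate, salt)); // constant-time comparison
    }
}
public class LoginStoreDemo {
    public static void main(String[] args) throws Exception {
        SystemUser user = new SystemUser("alex", "s3cretPass".toCharArray()); // constructed sample
        ByteArrayOutputStream bos = new ByteArrayOutputStream(); // same bytes a FileOutputStream would get
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(user); }
        byte[] bytes = bos.toByteArray();
        // The check from the thread: String fields are written as-is, so the user name is
        // visible in the stream; a plaintext password field would be too, the hash is not.
        String dump = new String(bytes, StandardCharsets.ISO_8859_1);
        System.out.println("user name visible in stream: " + dump.contains("alex"));
        System.out.println("password visible in stream:  " + dump.contains("s3cretPass"));
        // readObject() returns the SystemUser that was written, so cast to SystemUser, not to char[].
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            SystemUser loaded = (SystemUser) in.readObject();
            System.out.println("login ok: " + loaded.checkPassword("s3cretPass".toCharArray()));
        }
    }
}
```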
 