
How can I encrypt the password using j_security_check?

Efrat Bar-Nahum
Ranch Hand

Joined: Jan 19, 2006
Posts: 57
Hi,

I have two applications: a web application and a rich client application (Swing), both of them are using the same loginModule.
In the rich client application, in the login dialog I encrypt the password before sending it to the loginModule, and in the login module I decrypt it.

I want to use the same encryption methods in the web application, in my login.jsp.
After the user presses the ok button I want to encrypt the password before sending it to the login module.

For this I am holding the two hidden fields:


And when pressing the ok button I am calling a javascript method using the onclick.
In the javascript function I am able to manipulate the name & password that I pass to the login module, but I don't know how to encrypt them (using my java code). I don't know if & how to use jsp tags in the javascript method (I tried, but of course it doesn't work...)

Can anyone please help me?
Thanks a lot,
Efrat
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41885
    
JSP tags are executed on the server, while JavaScript is executed on the client - you can't combine them.

What kind of encryption does the Swing app use? Do you have the same encryption algorithm coded in JavaScript?

I would question the need to use encryption explicitly, though. Why don't you use an HTTPS connection instead, which gives you encryption for free?


Efrat Bar-Nahum
Ranch Hand

Joined: Jan 19, 2006
Posts: 57
How can I use the https?
How does it work?
I wanted to encrypt it the same way I do in the rich client (I'm using sun.misc.BASE64Decoder & javax.crypto functionality), so that the login module will behave the same for both applications.
If I use the https, I guess that I'll have to know in the login module who the invoking application is, to know if I should decrypt or not.
Am I right?

Thanks,
Efrat
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41885
    
> How can I use the https?

If you're using Tomcat, follow the steps outlined in the documentation.

> I wanted to encrypt it the same way I do in the rich client (I'm using sun.misc.BASE64Decoder & javax.crypto functionality)

Duplicating javax.crypto code in JavaScript may not be impossible, but will be very hard.

> If I use the https, I guess that I'll have to know in the login module who the invoking application is, to know if I should decrypt or not.

If you use HTTPS, there is no need for further encryption, because an HTTPS connection is already encrypted. So unless you have very unusually strong security requirements, you don't need to do any encrypting/decrypting.
Efrat Bar-Nahum
Ranch Hand

Joined: Jan 19, 2006
Posts: 57
The thing is, that I have 2 applications: the first one is web, and the second is rich client.
I cannot use the https for the rich client, so I have to take care of the encryption myself.
I decrypt in the login module, that I also use for the web application.
So when using the https in the web application, I will need to know if the login method in the login module needs to decrypt (in case it was called by the rich client application), or not (in case it was called from the web application).
Am I wrong?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41885
    
> I cannot use the https for the rich client

Why not?
Efrat Bar-Nahum
Ranch Hand

Joined: Jan 19, 2006
Posts: 57
How?
It is not running over Tomcat.
Am I missing something?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41885
    
I'm not following - surely the web app must be running in a web container, Tomcat or other, which can do HTTPS?

If this is the same app you described in the other thread, then the Swing app isn't accessing the web app anyway - the browser is, which speaks HTTPS.

If it is a different Swing app, which accesses the web app directly, then too you can use HTTPS - the necessary classes (mainly javax.net.ssl.HttpsURLConnection) have been built into the JVM ever since Java 1.4.
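
The HTTPS approach suggested above, as an added example that is not part of the original thread: a standalone Java client that logs in to a form-based (j_security_check) web app over HTTPS with HttpsURLConnection and refuses to send the password over plain HTTP. The base URL, the protected page path and the credentials are constructed placeholders.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.HttpsURLConnection;

public class HttpsFormLogin {
    // Refuse anything that is not HTTPS so a mistyped URL cannot leak the password.
    static HttpsURLConnection open(String url) throws IOException {
        URL u = new URL(url);
        if (!"https".equalsIgnoreCase(u.getProtocol()))
            throw new IOException("refusing non-HTTPS URL: " + url);
        HttpsURLConnection c = (HttpsURLConnection) u.openConnection();
        c.setInstanceFollowRedirects(false); // do not follow a redirect to http://
        return c; // default trust store and hostname verification stay enabled
    }

    // Returns the HTTP status of the POST to j_security_check.
    static int login(String base, String user, String password) throws IOException {
        // 1. Request a protected page so the container creates a session and
        //    remembers the original request (form-based login flow).
        HttpsURLConnection first = open(base + "/protected/index.jsp"); // hypothetical path
        String setCookie = first.getHeaderField("Set-Cookie");
        first.disconnect();
        if (setCookie == null) throw new IOException("no session cookie received");
        String session = setCookie.split(";", 2)[0]; // e.g. JSESSIONID=...

        // 2. POST the credentials as plain form fields; TLS encrypts them in transit.
        String body = "j_username=" + URLEncoder.encode(user, "UTF-8")
                    + "&j_password=" + URLEncoder.encode(password, "UTF-8");
        HttpsURLConnection post = open(base + "/j_security_check");
        post.setRequestMethod("POST");
        post.setDoOutput(true);
        post.setRequestProperty("Cookie", session);
        post.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        try (OutputStream out = post.getOutputStream()) {
            out.write(body.getBytes(StandardCharsets.UTF_8));
        }
        return post.getResponseCode(); // how success is signalled depends on the container
    }

    public static void main(String[] args) throws IOException {
        // Constructed values: replace with the real base URL and credentials.
        int status = login("https://app.example.com/myapp", "alice", "example-password");
        System.out.println("j_security_check returned HTTP " + status);
    }
}
```

With both clients on HTTPS, the login module receives the same plain form fields from each and needs no decrypt step.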
Efrat Bar-Nahum
Ranch Hand

Joined: Jan 19, 2006
Posts: 57
Yes, it's the same application that invokes the web application.
I'll try it.

Thanks a lot,
Efrat
 