JavaRanch » Java Forums » Engineering » Security
Login security issue

Jhakda Velu
Hi All
This may be a known issue. I have to code a login page and I validate the user name and password. I connect to the server through an XMLHttp request, the user name and password being sent as 2 parameters. I extract these 2 params in the servlet and pass them to the DAO to validate against the ones stored in the user table.
I do no encryption.
What is the best way to avoid spooking?
My login page is an Excel form (VBA), not a JSP, and my servlet is on JBoss.

Jhakda

[ July 16, 2008: Message edited by: Jhakda Velu ]

Ulf Dittmer
What do you mean by "spooking"? Spoofing? What exactly are you trying to protect against?
[ July 16, 2008: Message edited by: Ulf Dittmer ]

Jhakda Velu
Hi
By spooking I mean bad guys trying to get the password.
I was looking at other threads; most of them suggested using HTTPS as an option. I'm trying to find what all changes I need to do to enable it. Am I heading in the right direction? Some also talked about using keys and some about encryption.

Jhakda
Ulf Dittmer
I really think you mean "spoofing".

If you're concerned about someone eavesdropping on the connection, then using HTTPS is a good start. Certainly better than using your own encryption on top of HTTP, and much easier to implement.

Of course, network eavesdropping is only one way in which passwords can be compromised. Social engineering, written-down passwords and weak passwords are others. The latter you can do something about technologically, but that might increase the chance of the password being written down.

More fundamentally, passwords are not tied to a person (they can become "un-tied" by the ways mentioned above). If you're REALLY serious about authentication, consider two-factor or three-factor authentication.
Jhakda Velu
Hi Ulf
Many thanks for your help.
All I'm concerned about is network eavesdropping.
I'll go ahead with the HTTPS implementation; now looking at ways to do it with minimal changes.
I'm connecting to JBoss using an XMLHTTP object, wherein I have to specify the URL string. Right now I'm using HTTP, so my connection URL reads something like this:

    http://jbossIP/context/servletName?Param1=user_name&Param2=password

This is for the entire application, so should I go about having HTTPS for the login only and HTTP for other requests?
How much is using HTTPS an overkill for getting things which may not require very high security concerns?
Our application will be deployed on the company intranet, so is my concern about eavesdropping valid?
And the way my login page works, the password does appear to be tied to a user. So am I adopting the wrong way to do a user's validation? I believe I have to send the user name along with the password. Or is it that I should be sending the user name in 1 request and the password in another with some code to identify the 2 requests and then carry on with the validation? Writing that piece of code to tie 2 requests together seems a headache, though.

Awaiting your expert comments.

Jhakda
[ July 16, 2008: Message edited by: Jhakda Velu ]
Jhakda Velu
Hi All
I'm a bit confused. I'm trying to use HTTPS, but getting a feeling that we need a browser to use it. I'm not using a browser in my application, so is there a way out?

Thanks

Jhakda
Ulf Dittmer
This is for the entire application, so should I go about having HTTPS for the login only and HTTP for other requests? How much is using HTTPS an overkill for getting things which may not require very high security concerns?

My approach is that either everything is worth protecting by HTTPS, or nothing is. Mixing HTTP and HTTPS in the same web app creates certain problems, and it may just be easier not to bother with it. My rule of thumb is that for a web app that's used by dozens of people, the HTTPS overhead is negligible, while for a web app that's used by thousands of people you need to think about scalability anyway, and HTTPS certainly plays a role in that. In between, run realistic tests to see how noticeable the impact is.

Our application will be deployed on the company intranet, so is my concern about eavesdropping valid?

That depends on whether you a) trust the other employees of the company not to try to compromise security, and b) whether you trust the sysadmins to run a secure network. Generally I wouldn't be concerned about eavesdropping in an intranet, but only you can answer that with regard to your company.

Or is it that i should be sending the user name in 1 request and the password in another with some code to identify the 2 requests and then carry on with the validation?

Submitting them both together is fine.

I'm trying to use HTTPS, but getting a feeling that we need a browser to use it. I'm not using a browser in my application, so is there a way out?

Not really. E.g., HTTPS can be used by a Java client. Not sure about VBA, though.
[ July 16, 2008: Message edited by: Ulf Dittmer ]
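The following is an added example of what "HTTPS from a non-browser client" looks like in Java; it is not code from either poster or from JBoss. It assumes the host name, context path, servlet name and parameter names from the URL quoted earlier in the thread, and it assumes the JBoss server's certificate (or the CA that issued it) has been imported into a JKS truststore named jboss-truststore.jks; both are placeholders. Two things differ from the original URL: the scheme is https:, and the credentials travel in a POST body rather than in the query string, because query strings end up in server access logs and proxy logs even when the connection itself is encrypted. The truststore is loaded explicitly instead of disabling certificate checks, since a client that accepts any certificate is still open to an eavesdropper sitting in the middle.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not from the thread): POST a user name and password to the
 * login servlet over HTTPS. Host, context, servlet, parameter names and the
 * truststore path are assumed placeholders; adjust them for a real deployment.
 */
public class HttpsLoginClient {

    /** Builds an SSLContext that trusts only the certificates in the given JKS truststore. */
    static SSLContext trustStoreContext(String path, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Form-encodes the credentials so they travel in the request body, not in the URL. */
    static String formBody(String user, String password) throws IOException {
        return "Param1=" + URLEncoder.encode(user, "UTF-8")
             + "&Param2=" + URLEncoder.encode(password, "UTF-8");
    }

    /** Sends the login request and returns the servlet's HTTP status code. */
    static int login(SSLContext ctx, String url, String user, String password) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory()); // pin trust to our truststore
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        byte[] body = formBody(user, password).getBytes(StandardCharsets.UTF_8);
        conn.setFixedLengthStreamingMode(body.length);
        try (OutputStream out = conn.getOutputStream()) {
            out.write(body);
        }
        int status = conn.getResponseCode();
        conn.disconnect();
        return status;
    }

    public static void main(String[] args) throws Exception {
        // "changeit" is the placeholder truststore password; use your own.
        SSLContext ctx = trustStoreContext("jboss-truststore.jks", "changeit".toCharArray());
        int status = login(ctx, "https://jbossIP/context/servletName",
                           "alice", "correct horse battery staple");
        System.out.println("login returned HTTP " + status);
    }
}
```

On the server side the servlet keeps working unchanged apart from reading the parameters in doPost instead of doGet, and the HTTPS connector has to be enabled in JBoss with the same certificate that was imported into the truststore. The same two changes, the https: scheme and a POST body with a Content-Type header, apply to the VBA side as well, since an MSXML XMLHTTP object takes the URL and body in the same shape; certificate trust there is handled by the Windows certificate store rather than a JKS file.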