
encrypting password on JSP page

 
Kevin P Smith
Ranch Hand
Hi guys,

Looking to encrypt users' passwords, but really I need a way to do it at the JSP level. I've written a basic class which a Servlet can call, but this is pointless because surely the password would still be passing from JSP to Servlet in plain text and only getting encrypted once received (bit pointless).

I need to be able to encrypt the password when the user clicks 'login'.

I have seen a few dodgy ways to do this, but really I want to use some sort of standard Java way, because I will need to be able to match the encrypted password with the encrypted password stored from registration.

Cheers
 
Bear Bibeault
Author and ninkuma
Marshal
Originally posted by Keith Seller:
Looking to encrypt user's passwords, but really I need a way to do it at the JSP level.

This makes little sense. JSP executes on the server in order to format the HTML page sent to the browser. Once sent to the browser, all JSP-ness is gone. So there's no executing any JSP code when the user clicks Login. Perhaps this article might be instructive.

The conventional way to encrypt when submitting from the browser to the server is via SSL.
 
Ulf Dittmer
Rancher
Where do you see the practical difference between doing the encryption in the JSP and a servlet? Both are executed on the server (and JSPs are compiled into servlets anyway).

If you're concerned about clear-text transmission, make sure the connection is using HTTPS (which you should do anyway wherever passwords are involved).
[ November 01, 2007: Message edited by: Ulf Dittmer ]
 
damien malone
Ranch Hand
As pointed out above, use HTTPS to transmit the password securely, but rather than looking at encrypting it, you should be hashing it. That way there is no way of retrieving the user's password, and it makes non-repudiation easier. However, all this comes at a cost: if you ever want to migrate users to a new system with its own password management (i.e. move to LDAP) you will have a harder time migrating the users' accounts.
 
Kevin P Smith
Ranch Hand
I'll rephrase the question.

When I say JSP I mean the physical JSP page which contains HTML; I don't want to POST plain text across from this to the Servlet (unless it is considered safe to do this?).

But I'll look at SSL a bit closer instead, then.
 
Bear Bibeault
Author and ninkuma
Marshal
Originally posted by Keith Seller:
When I say JSP I mean the physical JSP page which contains HTML

I repeat my answer. Code that runs on the server before your page even gets sent to the browser can't do anything for you.

SSL is your best option.
 
Ed Thompson
Ranch Hand
I think you are confusing the JSP, which gets compiled into a servlet and runs on the server to generate a page, with the page the JSP generates, which can only run JavaScript.
[ November 01, 2007: Message edited by: Ed Thompson ]
 
Bear Bibeault
Author and ninkuma
Marshal
Which is why I recommended the article linked in my initial response.
 
Richard Green
Ranch Hand
I have seen a few websites (http://www.vbulletin.org/forum/index.php for example) that hash the password (using MD5) when the login form is submitted.

But, I agree with Bear and others. SSL is the way to go.
 
sudhir nim
Ranch Hand
You should be able to encrypt the password using JavaScript; there are libraries available.

http://www.webtoolkit.info/javascript-md5.html this might give you a direction
 
damien malone
Ranch Hand
As pointed out earlier in this thread, use SSL. If you use client-side encryption/hashing and send it in cleartext (HTTP) you are achieving nothing, as the hashed/encrypted password is now the system password!!! Once someone intercepts the request, they can resend the hashed password to gain access to the system at any time, making your efforts in vain. SSL is the only way for this one!!
 