encrypting password on JSP page

Kevin P Smith
Ranch Hand

Joined: Feb 18, 2005
Posts: 362
Hi guys,

Looking to encrypt user's passwords, but really I need a way to do it at the JSP level. I've written a basic class which a Servlet can call, but this is pointless because surely the password would still be passing from JSP to Servlet in plain text and only getting encrypted once received (bit pointless).

I need to be able to encrypt the password when the user clicks 'login'.

I have seen a few dodgy ways to do this, but really I want to use some sort of standard Java way, because I will need to be able to match the encrypted password with the encrypted password stored from registration.

Cheers
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61206
    
  66

Originally posted by Keith Seller:
Looking to encrypt user's passwords, but really I need a way to do it at the JSP level.

This makes little sense. JSP executes on the server in order to format the HTML page sent to the browser. Once sent to the browser, all JSP-ness is gone. So there's no executing any JSP code when the user clicks Login. Perhaps this article might be instructive.

The conventional way to encrypt when submitting from the browser to the server is via SSL.


Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41852
    
  63
Where do you see the practical difference between doing the encryption in the JSP and a servlet? Both are executed on the server (and JSPs are compiled into servlets anyway).

If you're concerned about clear-text transmission, make sure the connection is using HTTPS (which you should do anyway wherever passwords are involved).
[ November 01, 2007: Message edited by: Ulf Dittmer ]

damien malone
Ranch Hand

Joined: May 06, 2003
Posts: 35
As pointed out above, use HTTPS to transmit the password securely, but rather than looking at encrypting it, you should be hashing it. That way there is no way of retrieving the user's password, and it makes non-repudiation easier. However, all this comes at a cost: if you ever want to migrate users to a new system with its own password management (i.e. move to LDAP), you will have a harder time migrating the users' accounts.
Kevin P Smith
Ranch Hand

Joined: Feb 18, 2005
Posts: 362
I'll rephrase the question.

When I say JSP I mean the physical JSP page which contains HTML. I don't want to POST plain text across from this to the Servlet (unless it is considered safe to do this?).


but I'll look at SSL a bit closer instead, then.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61206
    
  66

Originally posted by Keith Seller:
When I say JSP I mean the physical JSP page which contains HTML


I repeat my answer. Code that runs on the server before your page even gets sent to the browser can't do anything for you.

SSL is your best option.
Ed Thompson
Ranch Hand

Joined: Jan 20, 2006
Posts: 43
I think you are confusing the JSP, which gets compiled into a servlet and runs on the server to generate a page, with the page the JSP generates, which can only run JavaScript.
[ November 01, 2007: Message edited by: Ed Thompson ]

Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61206
    
  66

Which is why I recommended the article linked in my initial response.
Richard Green
Ranch Hand

Joined: Aug 25, 2005
Posts: 536
I have seen a few websites (http://www.vbulletin.org/forum/index.php for example) that hash the password (using MD5) when the login form is submitted.



But, I agree with Bear and others. SSL is the way to go.


sudhir nim
Ranch Hand

Joined: Aug 29, 2007
Posts: 212

You should be able to encrypt the password using JavaScript; there are libraries available.

http://www.webtoolkit.info/javascript-md5.html this might give you a direction


damien malone
Ranch Hand

Joined: May 06, 2003
Posts: 35
As pointed out earlier, use SSL. If you use client-side encryption/hashing and send it in cleartext (HTTP), you are achieving nothing, as the hashed/encrypted password is now the system password!!! Once someone intercepts the request, they can resend the hashed password to gain access to the system at any time, making your efforts in vain. SSL is the only way for this one!!
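
The replay problem described in the last post, shown next to the server-side hashing suggested earlier in the thread. This is an added example, not code from any poster. The class name, sample password, the choice of PBKDF2 as the server-side hash and its parameters are assumptions, and it needs Java 17+ for `HexFormat`.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HexFormat;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class LoginReplayDemo {
    // Scheme A (what the thread warns about): the browser sends MD5(password)
    // over plain HTTP and the server compares it with the stored MD5.
    static String md5Hex(String s) throws Exception {
        byte[] d = MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8));
        return HexFormat.of().formatHex(d);
    }

    static boolean loginWithClientHash(String storedMd5, String submittedHash) {
        // The server never sees the password, so whatever hash arrives IS the credential.
        return MessageDigest.isEqual(storedMd5.getBytes(StandardCharsets.US_ASCII),
                                     submittedHash.getBytes(StandardCharsets.US_ASCII));
    }

    // Scheme B: the password arrives inside TLS; the server stores salt + PBKDF2 output.
    // The iteration count is an example value; tune it to your hardware.
    static byte[] pbkdf2(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 600_000, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    static boolean loginWithPassword(byte[] salt, byte[] storedHash, String submitted) throws Exception {
        // Constant-time comparison of the recomputed hash with the stored one.
        return MessageDigest.isEqual(storedHash, pbkdf2(submitted.toCharArray(), salt));
    }

    public static void main(String[] args) throws Exception {
        String password = "correct horse battery"; // constructed sample value
        // Scheme A: registration, then the same value as it appears in the HTTP request.
        String storedMd5 = md5Hex(password);
        String observedOnWire = md5Hex(password);
        System.out.println("A: resent hash accepted = " + loginWithClientHash(storedMd5, observedOnWire));
        // Scheme B: registration with a random per-user salt.
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        byte[] stored = pbkdf2(password.toCharArray(), salt);
        System.out.println("B: real password accepted = " + loginWithPassword(salt, stored, password));
        // Submitting the stored hash as if it were the password: it gets hashed again.
        String storedHex = HexFormat.of().formatHex(stored);
        System.out.println("B: stored hash accepted = " + loginWithPassword(salt, stored, storedHex));
    }
}
```

Scheme B protects the stored value only; the password itself still has to travel inside HTTPS, which is the point the replies keep returning to.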