No security in Java

Ranch Hand

Joined: Aug 29, 2000
Posts: 48
Hi,
Correct me if I am wrong. I am finding giving security to an application damn tough.

In an application, I need to get a password from the user and compare it with an encrypted password which is given in a flat file to the client. Well! I can decrypt the flat file and compare with the user input for authentication.
The catch is that if the user has the decrypted password, and the function by which I have encrypted (using a tool like JAD or MOCHA he can easily see the code, given a class file, to learn the function), he can easily know the password.
Is there any tool (other than code obfuscation) to break the decompiling threat? If not, then where is security in Java?


You can contact me in
Michael Ernest
High Plains Drifter

Joined: Oct 25, 2000
Posts: 7292

One solution would be not to store the password in the class at all -- treat it as a transient value that does not persist outside the life of the authentication mechanism.
There are a couple of frameworks out there that provide the kind of authentication scheme you might be looking for. Baltimore Technologies has one called JCrypto. There's also a Sun-sponsored API called JAAS (Java Authentication and Authorization Service) that you can download from
That said, login authentication is not something a programming language would typically concern itself with. You'd use the language to write one, unless the language itself is also an application. Java's idea of security has to do with ensuring bytecode instructions can't be spoofed, classes can't be dumped out of the VM and arbitrarily replaced, and stuff like that.
Michael Ernest, co-author of: The Complete Java 2 Certification Study Guide

[This message has been edited by Michael Ernest (edited January 23, 2001).]

Make visible what, without you, might perhaps never have been seen.
- Robert Bresson
Colin Chow

Joined: Jan 23, 2001
Posts: 12
Well, I think you mean data encryption. Java has an extension package, called Java Cryptography Extension (JCE), that I adopted 6 months ago in my project for data encryption. It has pretty rich algorithms by Sun to start off. I first used TripleDES and later adopted Password-based Encryption, which works a lot better in the user data encryption scenario in the project. Essentially it solves the key storage problem. Anyway, perhaps you should download the API and play with it.