No security in Java

SRINI VASAN
Ranch Hand

Joined: Aug 29, 2000
Posts: 48
Hi,
Correct me if I am wrong.. I am finding giving security to an application damn tough..

In an application, I need to get a password from the user and compare it with an encrypted password which is given in a flat file to the client. Well! I can decrypt the flat file and compare with the user input for authentication..
The catch is that if the user has decrypted password, and the function by which I have encrypted (using a tool like JAD or MOCHA he can easily see the code, given a class file, for knowing the function), he can easily know the password..
Is there any tool (other than code obfuscation) to break the decompiling threat... if no, then where is security in Java?..

Regards,
srini


You can contact me in srinivas_an@yahoo.com
Michael Ernest
High Plains Drifter
Sheriff

Joined: Oct 25, 2000
Posts: 7292

One solution would be not to store the password in the class at all -- treat it as a transient value that does not persist outside the life of the authentication mechanism.
There are a couple of frameworks out there that provide the kind of authentication scheme you might be looking for. Baltimore Technologies has one called JCrypto. There's also a Sun-sponsored API called JAAS (Java Authentication and Authorization Service) that you can download from java.sun.com.
That said, login authentication is not something a programming language would typically concern itself with. You'd use the language to write one, unless the language itself is also an application. Java's idea of security has to do with ensuring bytecode instructions can't be spoofed, classes can't be dumped out of the VM and arbitrarily replaced, and stuff like that.
------------------
Michael Ernest, co-author of: The Complete Java 2 Certification Study Guide

[This message has been edited by Michael Ernest (edited January 23, 2001).]


Make visible what, without you, might perhaps never have been seen.
- Robert Bresson
Colin Chow
Greenhorn

Joined: Jan 23, 2001
Posts: 12
Well, I think you mean data encryption. Java has an extension package, called Java Cryptography Extension (JCE), that I adopted 6 months ago in my project for data encryption. It has pretty rich algorithms by Sun to start off. I first used TripleDES and later adopted Password-based Encryption, which works a lot better in the user data encryption scenario, in the project. Essentially it solves the key storage problem. Anyway, perhaps you should download the API and play with it.
Colin
 