File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
The moose likes Beginning Java and the fly likes Java Security Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login

Win a copy of Head First Android this week in the Android forum!
JavaRanch » Java Forums » Java » Beginning Java
Bookmark "Java Security" Watch "Java Security" New topic

Java Security

Ray Marsh
Ranch Hand

Joined: Jan 12, 2000
Posts: 458
How difficult is it write an Java program that prompts the user for a userid and password?

The specific need is to secure an applet on a web-server that allows access to an internal system.
Is this fairly advanced Java?

Anxiety does not empty tomorrow of its sorrows, but only empties today of its strength. – Charles Spurgeon
paul wheaton

Joined: Dec 14, 1998
Posts: 20861

If the data is not too sensitive, it is pretty easy. If the data is sensitive, then you will want to at least encrypt the stuff going back and forth.
My opinion on passwords: Never store the actual password, store the CRC of the password. The applet should not send the password over the web, it should send the CRC. If the CRC's match, then the password is good.

permaculture Wood Burning Stoves 2.0 - 4-DVD set
Ranch Hand

Joined: Nov 22, 2008
Posts: 18944
Ho do i use this class to check for the crc value
Frank Carver

Joined: Jan 07, 1999
Posts: 6920
I don't want to get into an argument, but surely sending the CRC and comparing it on the server is actually less secure than using the password. A CRC is a numeric value, and thus limited in range, (say a Java int limited to 32 bits, or even a long at 64 bits), whereas an arbitrary length character string has far more possibilities, and thus a lesser chance of being found by random or sequential selection.
For real security, you need an algorithmic approach such as the server sending a challenge, and the applet replying with the correct answer, which depends on the challenge.

Read about me at ~ Raspberry Alpha Omega ~ Frank's Punchbarrel Blog
Ray Marsh
Ranch Hand

Joined: Jan 12, 2000
Posts: 458
What about encryption, or is that what you are refering to Frank?
Frank Carver

Joined: Jan 07, 1999
Posts: 6920
Well, encryption by itself doesn't help much for password authentication. An attacker can copy the encrypted password as easily as the unencrypted one.
The challenge-response mechanism, on the other hand works like this:
1. The server asks a question
2. The client answers it
3. The server checks the answer agains the question.
As a very simple example, consider a system where both the client and the server each have a copy of an array of 1000 randomly generated numbers, created when the system was compiled. When the client trys to log in, the server chooses a random index from 1 to 1000 and asks the client for the number at that position in the "code book".
Simply intercepting the datastream between the client and the server is not enough to be able to spoof the login process. The answer won't be the same next time. This approach can be made as complex as you like, and include things like the date, time or IP address of the client in the reply for extra security.
I agree. Here's the link:
subject: Java Security
It's not a secret anymore!