
Login page security using Servlet

 
Meet Gaurav
Ranch Hand
Hi

I am designing a web page that has a login page, and I have to validate the login details in the DB. How can I add security to my Servlet?


Or could someone please provide me with a link where I can find a Servlet web application template?

 
Bear Bibeault
Author and ninkuma
Marshal
Use SSL.
 
Meet Gaurav
Ranch Hand
Bear, thanks for the reply...

Sure, we are using SSL only, an https login page. But in the Servlet, do I need to encode the user ID or password or session ID? Or any other security tips, please.
 
Bear Bibeault
Author and ninkuma
Marshal
That greatly depends on what you are trying to secure against. DB break-ins? Stolen laptops? Cat burglars?

SSL protects the data in transmission, what else are you looking for?
 
Meet Gaurav
Ranch Hand
I'd like to secure the DB details + login credentials.
 
Bear Bibeault
Author and ninkuma
Marshal
You could store the password as a one-way hash like MD5 or SHA. That way, even someone peeking at your database would not be able to see clear-text passwords.
 
Meet Gaurav
Ranch Hand
Thanks Bear...

For MD5, can we use base64.jar?

EX:

Actual password: Password123

Can I encrypt the password using base64.jar and then store the password in the database? Am I right?
 
Ulf Dittmer
Rancher
Base-64 is not an encryption, it is an encoding that is easily reversed; it provides no security at all.

You also should no longer use MD5, it is obsolete; use SHA-2 (in the shape of SHA-256) instead.
 
Meet Gaurav
Ranch Hand
Thanks Ulf,

I downloaded the jasypt jar for SHA-2 encryption. But I didn't get any sample code to encrypt the password and to compare it with the user-entered password. Please assist me.
 
Ulf Dittmer
Rancher
SHA-2 is not an encryption, it's a hash. With all due respect, if you think that base-64 and SHA are ciphers, then IMO you are not qualified to implement security for a computer system.

Note that you do not need any extra library like jasypt - the standard Java class libraries have everything you need. Here's an example of how to do that: http://www.exampledepot.com/egs/java.security/Digest.html Do not use "MD5", though, use "SHA-256". The way to compare the password to some other password is to digest both, and then to compare the digest arrays.
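The scheme Ulf describes (digest the stored and the entered password, then compare the digest arrays), written out as an added example; this is not code from the thread or from the exampledepot page. Part 1 is exactly the thread's scheme with SHA-256 and base64 from the JDK's own java.util.Base64; Part 2 goes beyond the thread and shows the salted, iterated PBKDF2-HMAC-SHA256 that a practitioner would actually use for password storage, since an unsalted single SHA-256 of a password can be brute-forced or looked up in a precomputed table. The class name, the record format `iterations$salt$hash` and the iteration count are assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordStore {

    // ---- Part 1: the scheme from the thread: SHA-256 digest, base64-encoded for a character column ----

    /** SHA-256 of the UTF-8 bytes of the password. A new MessageDigest per call means there is nothing to reset(). */
    static byte[] sha256(String password) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(password.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("every JDK ships SHA-256", e);
        }
    }

    /** Value for the DB column: the binary digest, base64-encoded with java.util.Base64
     *  (a public JDK API, unlike the com.sun.* class mentioned in the thread). */
    static String sha256ForStorage(String password) {
        return Base64.getEncoder().encodeToString(sha256(password));
    }

    /** Login check: digest what the user typed, base64-decode what was stored, compare the two byte arrays.
     *  MessageDigest.isEqual compares in constant time, so response timing does not reveal how many bytes matched. */
    static boolean sha256Verify(String enteredPassword, String storedBase64Digest) {
        byte[] stored = Base64.getDecoder().decode(storedBase64Digest);
        return MessageDigest.isEqual(sha256(enteredPassword), stored);
    }

    // ---- Part 2: the stronger JDK-only option: salted, iterated PBKDF2-HMAC-SHA256 ----

    static final int ITERATIONS = 210_000; // assumption: choose a count that costs roughly 100 ms on your server
    static final int SALT_BYTES = 16;
    static final int KEY_BITS = 256;

    static byte[] pbkdf2(char[] password, byte[] salt, int iterations) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Record format is this example's own convention: iterations$base64(salt)$base64(hash).
     *  A random per-user salt means two users with "Password123" get different records. */
    static String pbkdf2ForStorage(char[] password) {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);
        Base64.Encoder enc = Base64.getEncoder();
        return ITERATIONS + "$" + enc.encodeToString(salt) + "$"
                + enc.encodeToString(pbkdf2(password, salt, ITERATIONS));
    }

    /** Verify against a stored record: re-derive with the stored salt and iteration count, compare in constant time. */
    static boolean pbkdf2Verify(char[] password, String record) {
        String[] parts = record.split("\\$");
        if (parts.length != 3) {
            return false;
        }
        int iterations = Integer.parseInt(parts[0]);
        byte[] salt = Base64.getDecoder().decode(parts[1]);
        byte[] expected = Base64.getDecoder().decode(parts[2]);
        return MessageDigest.isEqual(pbkdf2(password, salt, iterations), expected);
    }

    public static void main(String[] args) {
        String stored = sha256ForStorage("Password123");           // constructed sample; what the column holds
        System.out.println(stored);                                  // identical on every run: unsalted
        System.out.println(sha256Verify("Password123", stored));     // correct password
        System.out.println(sha256Verify("password123", stored));     // wrong case in the first letter

        String record = pbkdf2ForStorage("Password123".toCharArray());
        System.out.println(record);                                             // differs every run: random salt
        System.out.println(pbkdf2Verify("Password123".toCharArray(), record));  // correct password
        System.out.println(pbkdf2Verify("password123".toCharArray(), record));  // wrong password
    }
}
```

In the servlet, the entered password is the request parameter and the stored value is the column read for that user ID; only the base64 string (Part 1) or the record string (Part 2) ever goes into the database, never the cleartext. The comparison uses MessageDigest.isEqual rather than Arrays.equals because the latter returns as soon as it finds a differing byte.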
 
Meet Gaurav
Ranch Hand
Ulf, thanks a lot for your valuable time.

Something I tried as per your guidance. Could you please confirm whether I am going on the right path?

 
Ulf Dittmer
Rancher
You're sort of on the right way, with a couple of caveats:

"String" PwdRetrivedFromDB: the digest is binary, it can't be stored as character data in the DB (and thus can't be a Java String after retrieving it). If for some reason you need to use a character field, then you need to base-64 encode the digest before storing it.

You need to reset() the MessageDigest object between uses.
 
Meet Gaurav
Ranch Hand
Ulf, once again thanks for your help. Now I am clear.

I tried

1. convert the user pwd to a byte array, pass it to MessageDigest ("SHA-256"), which returns a byte array
2. encode using base64, which returns a string
3. store it in the DB
4. retrieve the value from the DB, then decode using base64, which returns a byte array
5. pass the byte array to MessageDigest ("SHA-256"), which returns a byte array
6. then compare the digest bytes

It's returning true...

Thanks a lot Ulf..

What's the difference between

import com.sun.org.apache.xerces.internal.impl.dv.util.Base64;
and
import org.apache.soap.encoding.soapenc.Base64;
 
Ulf Dittmer
Rancher
what's the difference between com.sun.org.apache.xerces.internal.impl.dv.util.Base64 and org.apache.soap.encoding.soapenc.Base64

They most likely have slightly different APIs. In terms of functionality, there's hopefully no difference, since Base-64 is a standard.
 
Meet Gaurav
Ranch Hand
Thanks to Ulf and Bear.....

Ulf,

Still, can I encode the sessionId for security reasons?
 
Bear Bibeault
Author and ninkuma
Marshal
SSL handles that.
 
Meet Gaurav
Ranch Hand
Bear / Ulf,

I am getting false here. Please help me... Is it failing because of md.reset()? But this is a must, right?


 
Ben Souther
Sheriff
Meet Gaurav wrote:
what's the difference between

import com.sun.org.apache.xerces.internal.impl.dv.util.Base64;
and
import org.apache.soap.encoding.soapenc.Base64;


As Ulf said, the output from both should be the same.

The big difference to us, as application developers, is that we've been told not to directly rely on packages that start with "sun.com.".
Sun makes it very clear in their documentation that this is a bad idea and that anything in those packages is subject to change without notice.
Those packages are for their internal use.
In later versions of javac, you will actually get a warning when you try to compile code that relies on these packages.
 
Meet Gaurav
Ranch Hand
Bear / Ulf,

Please respond to my latest post, or can I create a new thread?

Please assist me.

Thanks
 
Ulf Dittmer
Rancher
Why are you base64-decoding UserId and UserEnteredPassword when they are not actually base64-encoded?

I might try to run this code myself if it was compilable without any changes.
 
Meet Gaurav
Ranch Hand
Ulf,

I am not clear. Could you please assist me more clearly..

Instead of byte [] user = Base64.decode(UserId); do you want me to use byte [] user = UserId.getBytes() ?






Still failing
 
Ulf Dittmer
Rancher
Why would the two values be equal? One is obtained using the cleartext password, the other one using the digested password.
 
Meet Gaurav
Ranch Hand
Nope,

Both (value1 and value) are from Digest only.. Please assist me with the code. How do I check the login validation?
 
Ulf Dittmer
Rancher
Nope, Both (value1 and value) are from Digest only.

The values that go into the digests are different, so the outputs wouldn't be the same.
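Ulf's last two replies (the two values are digests of different inputs; the cleartext fields were base64-decoded although they were never encoded) explained in running code, as an added example that is not part of the thread and not the poster's code. It reconstructs the six steps from the earlier post and puts the correct check beside the two mistakes, so the reason for the `false` is visible. The class and method names are this example's own; the sample row is constructed here.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

public class DigestCompareDemo {

    static byte[] sha256(byte[] input) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(input);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    static byte[] utf8(String s) {
        return s.getBytes(StandardCharsets.UTF_8);
    }

    /** Steps 1-3 from the thread: digest the cleartext password, base64 the digest, store that string. */
    static String store(String password) {
        return Base64.getEncoder().encodeToString(sha256(utf8(password)));
    }

    /** The correct check: sha256(entered) against base64-decode(stored).
     *  Both sides were produced by hashing the same input, the cleartext password. */
    static boolean verifyCorrect(String entered, String stored) {
        return MessageDigest.isEqual(sha256(utf8(entered)), Base64.getDecoder().decode(stored));
    }

    /** Steps 4-5 as posted: decode the stored value and feed it to MessageDigest again.
     *  That computes sha256(sha256(password)), the digest of a 32-byte digest, which is not
     *  sha256(password): the inputs to the two digests differ, so the outputs differ. */
    static boolean verifyDigestOfDigest(String entered, String stored) {
        byte[] rehashedStored = sha256(Base64.getDecoder().decode(stored));
        return MessageDigest.isEqual(sha256(utf8(entered)), rehashedStored);
    }

    /** The other mistake in the thread: base64-decoding the cleartext password before hashing it.
     *  Decoding a string that was never encoded either throws IllegalArgumentException (characters
     *  outside the base64 alphabet) or yields unrelated bytes; either way the digest is of the wrong input. */
    static boolean verifyDecodedCleartext(String entered, String stored) {
        byte[] decodedEntered;
        try {
            decodedEntered = Base64.getDecoder().decode(entered);
        } catch (IllegalArgumentException notBase64) {
            return false;
        }
        return MessageDigest.isEqual(sha256(decodedEntered), Base64.getDecoder().decode(stored));
    }

    public static void main(String[] args) {
        String stored = store("Password123"); // constructed sample row for one user
        System.out.println("correct:           " + verifyCorrect("Password123", stored));
        System.out.println("digest of digest:  " + verifyDigestOfDigest("Password123", stored));
        System.out.println("decoded cleartext: " + verifyDecodedCleartext("Password123", stored));
    }
}
```

Only the first check succeeds. The stored column already holds the digest, so on login it is decoded and compared, never digested a second time; and the user ID and entered password are plain request parameters, so `getBytes(StandardCharsets.UTF_8)` on them is the right input to the digest, not `Base64.decode`.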
 