aspose file tools*
The moose likes Servlets and the fly likes Login page security using Servlet Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of Java 8 in Action this week in the Java 8 forum!
JavaRanch » Java Forums » Java » Servlets
Bookmark "Login page security using Servlet" Watch "Login page security using Servlet" New topic
Author

Login page security using Servlet

Meet Gaurav
Ranch Hand

Joined: Oct 08, 2008
Posts: 492
Hi

Am designing a web page that has a login page and I have to validate the login details in DB. How can I add security to my Servlet.


Or could someone please provide me a link where I can find Servlet web application template.

Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60082
    
  65

Use SSL.


[Asking smart questions] [Bear's FrontMan] [About Bear] [Books by Bear]
Meet Gaurav
Ranch Hand

Joined: Oct 08, 2008
Posts: 492
Bear Thanks for the reply...

Sure We are using SSL only, https login page. But in the Servlet Whether I need to encode the user Id or password or SessionID ?. Or any other security tips please.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60082
    
  65

That greatly depends on what you are trying to secure against. DB break-ins? Stolen laptops? Cat burglars?

SSL protects the data in transmission, what else are you looking for?
Meet Gaurav
Ranch Hand

Joined: Oct 08, 2008
Posts: 492
I like to secure the DB details + login credentials..........
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60082
    
  65

You could store the password as a one-way hash like MD5 or SHA. That way, even someone peeking at your database would not be able to see clear-text passwords.
Meet Gaurav
Ranch Hand

Joined: Oct 08, 2008
Posts: 492
Thanks bear...

For MD5 can we use base64.jar

EX:

Actual Password : Password123

Can I encrypt the password using base64.jar and then store the password in the database ? Am I rite.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 39578
    
  27
Base-64 is not an encryption, it is an encoding that is easily reversed; it provides no security at all.

You also should no longer use MD5, it is obsolete; use SHA-2 (in the shape of SHA-256) instead.


Ping & DNS - updated with new look and Ping home screen widget
Meet Gaurav
Ranch Hand

Joined: Oct 08, 2008
Posts: 492
Thanks Ulf,

I downloaded the jasypt jar for SHA-2 Encryption. But I didn't get any sample code to encrypy the password and to compare it with user entered password. Please assist me
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 39578
    
  27
SHA-2 is not an encryption, it's a hash. With all due respect, if you think that base-64 and SHA are ciphers, then IMO you are not qualified to implement security for a computer system.

Note that you do not need any extra library like jasypt - the standard Java class libraries have everything you need. Here's an example of how to do that: http://www.exampledepot.com/egs/java.security/Digest.html Do not use "MD5", though, use "SHA-256". The way to compare the password to some other password is to digest both, and then to compare the digest arrays.
Meet Gaurav
Ranch Hand

Joined: Oct 08, 2008
Posts: 492
Ulf Thanks a lot for your valuable time.

Something I tried as per your guidence, Could you please confirm whether am going on the rite path.

Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 39578
    
  27
You're sort of on the right way, with a couple of caveats:

"String" PwdRetrivedFromDB: the digest is binary, it can't be stored as character data in the DB (and thus can't be a Java String after retrieving it). If for some reason you need to use a character field, then you need to base-64 encode the digest before storing it.

You need to reset() the MessageDigest object between uses.
Meet Gaurav
Ranch Hand

Joined: Oct 08, 2008
Posts: 492
Ulf once again thanks for your help. Now am clear.

I tried

1. convert user ped to byte array pass it to MessageDigest to ("SHA-256") return a byte array
2. encode using base64 return a string
3. store it in DB
4. Retrive the value from DB then decode using base64 return a byte array
5. pass the byte array to MessageDigest to ("SHA-256") return a byte array
6. then compare to digest byte.

It's returning true...

Thanks a lot Ulf..

what's the difference between

import com.sun.org.apache.xerces.internal.impl.dv.util.Base64;
and
import org.apache.soap.encoding.soapenc.Base64;
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 39578
    
  27
what's the difference between com.sun.org.apache.xerces.internal.impl.dv.util.Base64 and org.apache.soap.encoding.soapenc.Base64

They most likely have slightly different APIs. In terms of functionality, there's hopefully no difference, since Base-64 is a standard.
Meet Gaurav
Ranch Hand

Joined: Oct 08, 2008
Posts: 492
Thanks to Ulf and Bear.....

Ulf,

Still Can I encode sessionId for security reasons
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60082
    
  65

SSL handles that.
Meet Gaurav
Ranch Hand

Joined: Oct 08, 2008
Posts: 492
Bear / Ulf,

Am getting False here. Please help me.. Is it Failing because of md.reset() ?. But this is must rite ?


Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

Meet Gaurav wrote:
what's the difference between

import com.sun.org.apache.xerces.internal.impl.dv.util.Base64;
and
import org.apache.soap.encoding.soapenc.Base64;


As Ulf said, the output from the same should be the same.

The big difference to us, as application developers is that we've been told not to directly rely on packages that start with "sun.com.".
Sun makes it very clear in their documentation that this a bad idea and that anything in those packages is subject to change without notice.
Those packages are for their internal use.
In later versions of javac, you will actually get a warning when you try to compile code that relies on these packages.


Java API J2EE API Servlet Spec JSP Spec How to ask a question... Simple Servlet Examples jsonf
Meet Gaurav
Ranch Hand

Joined: Oct 08, 2008
Posts: 492
Bear / Ulf,

Please respond to my latest post or Can I craete a new thread ?

Please assit me

Thanks
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 39578
    
  27
Why are you base64-decoding UserId and UserEnteredPassword when they are not actually base64-encoded?

I might try to run this code myself if it was compilable without any changes.
Meet Gaurav
Ranch Hand

Joined: Oct 08, 2008
Posts: 492
Ulf,

Am not clear. Could you please assist me more clear..

instead of byte [] user = Base64.decode(UserId); you want me to use byte [] user = UserId.getBytes() ?






Still failing
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 39578
    
  27
Why would the two values be equal? One is obtained using the cleartext password, the other one using the digested password.
Meet Gaurav
Ranch Hand

Joined: Oct 08, 2008
Posts: 492
Nope,

Both (value1 and value) are from Digest only.. Please assist me with the code. How to check the Login validation.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 39578
    
  27
Nope, Both (value1 and value) are from Digest only.

The values that go into the digests are different, so the outputs wouldn't be the same.
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: Login page security using Servlet
 
Similar Threads
WAS - Form Based Login
web.xml
Tomcat authentication and RACF
login-config question
how to let Java login tomcat form authorization