Encrypt form POST data before calling servlet through JSP

Nikhil Lanjewar
Greenhorn

Joined: Jan 21, 2009
Posts: 15
Hi,

What I'm trying to achieve here is a login form that takes username and password as input and submits it to a servlet. The servlet then calls a backend API to authenticate and returns success/error result. Right now, everything's working fine but for the fact that the servlet receives username/password pair as plain text.

I believe the above method is insecure and a password can be retrieved by simply sniffing the servlet call and extracting its POST data. I want to encrypt the username and password to some standard format (Base64, WSSE, etc.) before sending it to the servlet. I can easily decode the encrypted parameters thereafter.

Is there a way to achieve this?

--
Nikhil
Deepak Bala
Bartender

Joined: Feb 24, 2006
Posts: 6661
Base64 is encoding, not encryption. WS security cannot apply to a servlet. Pass your data via HTTP over SSL. Install a certificate on your web or app server.


Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41146
That's what SSL is for. I advise against trying to roll your own encryption scheme using JavaScript; the resulting solution is extremely unlikely to be more secure than that.

(As an aside, Base64 is an encoding, not a cipher; it provides no security.)

Edit: ... which, as I now see, is pretty much what Deepak said.


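Both replies above say the same thing: the fix is TLS on the wire, not an encoding applied in the page. As an added example (not from the thread, and not code written by either poster), here is a servlet filter that makes the webapp refuse to accept the login over plain HTTP at all, so a plain-text username/password pair never reaches the servlet even if someone links to the HTTP URL. It assumes the javax.servlet API of the Servlet 2.5 era this thread targets (Jakarta EE 9 and later rename the package to jakarta.servlet), a TLS listener on the default port 443, and the placeholder paths /login.jsp and /LoginServlet mentioned in the comments.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example, not from the original thread.
 * Refuses to serve or accept the login over plain HTTP. Map it in web.xml
 * (filter-mapping) to the login page and the login servlet, e.g. /login.jsp
 * and /LoginServlet; both paths are assumptions.
 */
public class RequireTlsFilter implements Filter {

    @Override
    public void init(FilterConfig config) {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;

        if (!request.isSecure()) {
            if ("POST".equalsIgnoreCase(request.getMethod())) {
                // The credentials have already crossed the network in the clear;
                // the one thing we can still do is refuse to act on them, so the
                // backend API is never called with a password that should now be
                // treated as exposed.
                response.sendError(HttpServletResponse.SC_FORBIDDEN,
                        "The login form must be submitted over HTTPS");
                return;
            }

            // A GET for the login page carries nothing secret, so send the
            // browser to the same path on the HTTPS origin. Assumes TLS is on
            // the default port 443, hence no port in the Location header.
            StringBuilder target = new StringBuilder("https://")
                    .append(request.getServerName())
                    .append(request.getRequestURI());
            if (request.getQueryString() != null) {
                target.append('?').append(request.getQueryString());
            }
            response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
            response.setHeader("Location", target.toString());
            return;
        }

        // Over TLS: ask the browser to use HTTPS for this host from now on
        // (one year), so a later typed http:// URL is upgraded client-side.
        response.setHeader("Strict-Transport-Security", "max-age=31536000");
        chain.doFilter(req, resp);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

One caveat worth checking before relying on this: request.isSecure() reports the hop between the client and the servlet container. If TLS is terminated on a load balancer or reverse proxy in front of Tomcat, every request looks insecure to the container and the filter redirects forever; in that setup configure the container to trust the proxy's X-Forwarded-Proto header (Tomcat's RemoteIpValve or RemoteIpFilter) so isSecure() reflects the real client connection.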
Nikhil Lanjewar
Greenhorn

Joined: Jan 21, 2009
Posts: 15
Thanks for the replies Ulf and Deepak...really appreciate that!
SSL is the best way to achieve security...can't agree more... I would certainly have a word with the guy who takes care of the server.

I'm still wondering if there's a way in which I can pass a Base64 encoded string to my servlet instead of plain text. I just figured out that the backend APIs need the string to be that way, and I'll have to encode the username/password on the servlet before calling the APIs. So why not have it encoded before it reaches the servlet itself, so the servlet would simply make a call to the backend APIs without bothering about Base64? I just want to avoid plain text flowing towards my webapp.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41146
Basic Authentication uses Base64, but -as said before- it doesn't provide any meaningful security.
Biswa R Nayak
Greenhorn

Joined: Jan 19, 2010
Posts: 8
Implement an Applet/Swing client, and do your encryption there before calling the servlet.
Or do the encryption in JavaScript, which is not robust.
- I do not see any other way of encrypting before going to the server side, unless SSL is used.
Nikhil Lanjewar
Greenhorn

Joined: Jan 21, 2009
Posts: 15
Okay...
So how can I use Basic Authentication on my JSP?

The overall flow would be:

1. User opens a login page
2. User enters data in input fields
3. User clicks on Submit button
4. Servlet call is initiated with a Base64 encoded string as its POST parameter

How can I modify my JSP to achieve the above? Here's what my JSP snippet looks like:



I'm a newbie to JSPs, hence finding it difficult to hit the exact thing. It'd be great if anyone could please point me to some solution or even post a modified version of my code snippet.
Nikhil Lanjewar
Greenhorn

Joined: Jan 21, 2009
Posts: 15
An addendum in reply to Biswa's post:

The pages I'm trying to design are to be consumed on mobile devices as a WAP site. Due to the shortcomings of mobile browsers, I won't be using JavaScript or Swing. I just want a JSP in this case which shall provide simple HTML code to the browser.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41146
Basic authentication, like form authentication, is configured in the web.xml file, but it looks as if you're using neither, but have rolled your own login system based on forms. In that case SSL is the way to go.
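The web.xml mechanism Ulf refers to also covers the transport requirement, and that part applies even when the login form is hand-rolled. As an added example (not from the thread or from any poster), the fragment below declares a security-constraint whose user-data-constraint is CONFIDENTIAL and that deliberately has no auth-constraint: the container then insists on HTTPS for the listed URLs but leaves authentication to the application, which matches the poster's custom login page that hands credentials to a third-party API. The paths /login.jsp and /LoginServlet are assumptions; the commented login-config shows where container-managed form authentication would go if it were used instead.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the original thread. Paths are placeholders. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <!-- Force TLS for the login page and the servlet it posts to.
       No auth-constraint: the container does not take over the login,
       it only refuses to serve these URLs over plain HTTP. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>login over TLS only</web-resource-name>
      <url-pattern>/login.jsp</url-pattern>
      <url-pattern>/LoginServlet</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- What container-managed form authentication (the thing configured in
       web.xml that Ulf mentions) would look like. It only takes effect for
       URLs that also carry an auth-constraint and needs a realm configured
       in the container, so it is left commented out for the custom-login
       setup in this thread.

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>
  -->

</web-app>
```

With this in place a browser that requests http://host/login.jsp is redirected by Tomcat to the port named in the HTTP connector's redirectPort attribute (443 in a standard install with a TLS connector defined); if no TLS connector exists the page simply becomes unreachable, which is the safer failure. Note that a POST that arrives over plain HTTP is redirected rather than processed, but its body has already been visible on the wire, so the transport guarantee prevents future leaks rather than undoing that one.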
Nikhil Lanjewar
Greenhorn

Joined: Jan 21, 2009
Posts: 15
All right then... I'd better have things running through SSL.

True, I'm not using any of the authentication systems, if web.xml configurations are the ones Ulf was talking about. I need a custom login page since I need to pass this information to a third-party API.