JavaRanch » Java Forums » Engineering » Security
Implementation of Security in Java

Deepak Lal
Ranch Hand

Joined: Jul 01, 2008
Posts: 507

Hi,
I have a web application developed using J2EE/Java, and we want to go ahead and implement security in it.
How do I go ahead on this? Please suggest/advise regarding security/login implementation in Java.

Regards,
Deepak Lal


When The Going Gets Tougher,The Tougher gets Going
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41108
As pointed out in the other topic where you asked about this, security is not a feature that can be "implemented" after the fact like a feature, it is something that needs to be designed into a system from the start. The SecurityFaq mentions many of the things that can or should be done, and links to further reading on those.

Also, security is a huge subject with many facets. If you want to improve some of those, tell us *specifically* what you're trying to guard against.


Ping & DNS - my free Android networking tools app
Deepak Lal
Ranch Hand

Joined: Jul 01, 2008
Posts: 507

Yeah, I need to implement a security feature for the login module, where the password needs to be in encrypted format and stored in the backend database. The security feature should be implemented in Java.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41108
What are you trying to guard against? Is the password transferred from the client to the server in a secure form at all? What do you have so far, and what difficulty are you facing implementing this?

Generally, passwords are not stored *encrypted*, they're stored *hashed* (or *digested*) using an algorithm like SHA-2. That way, nobody can retrieve them.
Deepak Lal
Ranch Hand

Joined: Jul 01, 2008
Posts: 507

Ulf wrote: What are you trying to guard against? Is the password transferred from the client to the server in a secure form at all? What do you have so far, and what difficulty are you facing implementing this? Generally, passwords are not stored *encrypted*, they're stored *hashed* (or *digested*) using an algorithm like SHA-2. That way, nobody can retrieve them.


My comments:
1> The password text field in the form is of type "password", but while storing in the database it should be "hashed" or "digested", as you have told. Sorry, I thought passwords are stored in encrypted format in the database; thanks for correcting me. So how can I use this algorithm called SHA-2, and while authenticating the user with correct credentials, it should log in successfully? Is it possible to achieve this using the SHA-2 algorithm which you are mentioning? Could you provide me some links where the SHA-2 algorithm is used in Java?

2> I need a Forgot Password link also to be implemented, so that when the end user enters the appropriate email id, the password which is in "hashed" format in the database should be "de-hashed (decrypted)" appropriately and should be mailed to the end user's email address. Can I implement this in Java? Please guide me, Ulf.

Thanks for replying so soon.

Sorry if I have mistaken/confused the "hashed"/"encrypted" terminologies.

Regards,
Deepak Lal
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41108
Deepak Lal wrote: Is it possible to achieve this using the SHA-2 algorithm which you are mentioning? Could you provide me some links where the SHA-2 algorithm is used in Java?

Here's how a password would be converted to something that can be stored securely. The Base64 class is part of the Apache Commons Codec library.


Deepak Lal wrote: I need a Forgot Password link also to be implemented, so that when the end user enters the appropriate email id, the password which is in "hashed" format in the database should be "de-hashed (decrypted)" appropriately and should be mailed to the end user's email address.

That's not how secure systems are implemented. Passwords are NEVER sent via email. What's more, a hash is a one-way algorithm: once something is hashed, you can't get it back. The login authentication works by digesting the password the user entered, and then comparing that to the stored password.

Password retrieval being impossible, the application would provide a way for the password to be re-entered: The user would be sent a link to his email address to a page that allows him to enter a new password. The link is good for only a single time, and it expires automatically after no more than 24 hours.

Deepak Lal wrote: Sorry if I have mistaken/confused the "hashed"/"encrypted" terminologies.

No need to be sorry, we're all learners.
Deepak Lal
Ranch Hand

Joined: Jul 01, 2008
Posts: 507

Thanks, Ulf, for your outstanding replies.

I have a few concerns still left in security.

1> Please have a look at the coderanch website itself, where in the password recovery section (Lost Recovery page of Code Ranch Forum) the end user is prompted for an email address. I want to implement this feature.

2> Ulf's comments: "What's more, a hash is a one-way algorithm: once something is hashed, you can't get it back. The login authentication works by digesting the password the user entered, and then comparing that to the stored password." Any suggestions on how I can go about comparing the digested user-entered password and the stored password in the database?

3> What is the difference between http:// and https://, and how can I implement https:// (secured socket layer with 32 bit implementation in Java)?

Please help
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41108
Deepak Lal wrote: Please have a look at the coderanch website itself, where in the password recovery section (Lost Recovery page of Code Ranch Forum) the end user is prompted for an email address. I want to implement this feature.

OK. What do you have so far, and where are you stuck making progress?

Deepak Lal wrote: Any suggestions on how I can go about comparing the digested user-entered password and the stored password in the database?

Both being strings (or character arrays, depending on the details of your implementation), a comparison should be pretty straightforward, no?

Deepak Lal wrote: What is the difference between http:// and https://, and how can I implement https:// (secured socket layer with 32 bit implementation in Java)?

HTTPS is just HTTP over an SSL/TLS-secured connection. The details of how to SSL-enable a server are server-specific; for example, http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html describes how to do it for Tomcat.
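As an added example (not the code Ulf posted, which did not survive extraction, and not CodeRanch's own implementation), here is the scheme the replies above describe in Java 8+: a salted SHA-2 digest for storage, a constant-time comparison at login for the "straightforward" compare of the two digests, and a random token for the single-use, 24-hour reset link. It uses PBKDF2 over HMAC-SHA-256 from javax.crypto rather than one raw SHA-2 pass, and java.util.Base64 instead of the Commons Codec Base64; the iteration count, the colon-separated storage layout and the method names are assumptions.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
// Added example, not the thread's own code: salted, iterated SHA-256 password digests
// plus a single-use reset token. Iteration count and storage layout are assumptions.
public class PasswordStore {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int ITERATIONS = 100_000;                  // assumed work factor; tune per hardware
    private static final long RESET_TTL_MS = 24L * 60 * 60 * 1000; // reset link valid for 24 hours

    // PBKDF2 with HMAC-SHA-256: many SHA-2 rounds over salt and password, so a leaked table is slow to crack.
    private static byte[] derive(char[] password, byte[] salt, int iterations) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, 256);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // do not keep the clear-text password in memory longer than needed
        }
    }

    // What goes into the database: "iterations:base64(salt):base64(digest)"; the password itself is never stored.
    public static String hashForStorage(char[] password) throws Exception {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        Base64.Encoder b64 = Base64.getEncoder();
        return ITERATIONS + ":" + b64.encodeToString(salt) + ":" + b64.encodeToString(derive(password, salt, ITERATIONS));
    }

    // Login check: re-digest what the user typed with the stored salt and compare in constant time,
    // so response timing does not leak how many leading bytes matched.
    public static boolean verify(char[] typed, String stored) throws Exception {
        String[] parts = stored.split(":");
        int iterations = Integer.parseInt(parts[0]);
        byte[] salt = Base64.getDecoder().decode(parts[1]);
        byte[] expected = Base64.getDecoder().decode(parts[2]);
        return MessageDigest.isEqual(expected, derive(typed, salt, iterations));
    }

    // Forgot-password flow: the random token goes into the e-mailed link; the database keeps only its
    // SHA-256 digest and an expiry, and the row is deleted on first use so the link works exactly once.
    public static String[] newResetToken() throws Exception {
        byte[] token = new byte[32];
        RNG.nextBytes(token);
        String forLink = Base64.getUrlEncoder().withoutPadding().encodeToString(token);
        String forDb = Base64.getEncoder().encodeToString(MessageDigest.getInstance("SHA-256").digest(token));
        return new String[] { forLink, forDb, Long.toString(System.currentTimeMillis() + RESET_TTL_MS) };
    }
}
```

Store what hashForStorage returns, call verify at login, and for a reset request e-mail only the first element of newResetToken while the database keeps the digest and expiry; a plain String.equals on the two digests would be the wrong comparison because it can stop at the first differing character.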