
Call a javascript function from Java

lekurwale amol
Ranch Hand

Joined: Apr 22, 2010
Posts: 55
Hi,
I am using a password hashing mechanism wherein using some library written in javascript.
It basically encrypts the password and sends it to the server.
Now, on the server, if I need to check if password is right, I need to decrypt it.
The decryption library is not available. So I need to call the same javascript library from java, supplying the db password.
Then I can compare.

My question : Is there any way to call a javascript function from a simple java class, and if it is, provide the snippet/code to do so.

Note : I am using "http://pajhome.org.uk/crypt/md5/" JS function to encrypt. I did not find any java decrypter over there.

Regards,
Amol
Henry Wong
author
Sheriff

Joined: Sep 28, 2004
Posts: 18824
    


First of all, MD5 is *not* an encryption library -- as you may have noticed, there is no way to "decrypt" it. Also, it didn't take a password (or keys) which encryption requires.


You have two options. You can use the scripting API to run the same Javascript that did the MD5, or you can use the MD5 that is built into the Java API. I would recommend that you do the latter.

Henry


Books: Java Threads, 3rd Edition, Jini in a Nutshell, and Java Gems (contributor)
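
Henry's first option, the scripting API, as an added example (not code from the thread): `javax.script` evaluates trusted script source and invokes a named function with String arguments, returning a String. The `joinAndReverse` function and the class name are constructed stand-ins for the real library; on a JDK that does not bundle a JavaScript engine, `getEngineByName` returns null and an engine has to be added to the classpath.

```java
import javax.script.Invocable;
import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;
import javax.script.ScriptException;

public class CallJsFromJava {
    // Constructed stand-in for the library source. In practice, load the .js file that
    // ships with the application; never evaluate script text taken from a request.
    static final String SCRIPT =
        "function joinAndReverse(a, b) {"
      + "  return (a + ':' + b).split('').reverse().join('');"
      + "}";

    static String call(String function, String... args)
            throws ScriptException, NoSuchMethodException {
        ScriptEngine engine = new ScriptEngineManager().getEngineByName("javascript");
        if (engine == null) {
            throw new IllegalStateException("no JavaScript engine available on this JVM");
        }
        if (!(engine instanceof Invocable)) {
            throw new IllegalStateException("engine cannot invoke functions by name");
        }
        engine.eval(SCRIPT);                       // defines the function in the engine
        Object result = ((Invocable) engine).invokeFunction(function, (Object[]) args);
        return String.valueOf(result);
    }

    public static void main(String[] unused) throws Exception {
        System.out.println(call("joinAndReverse", "abc", "123"));
    }
}
```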
lekurwale amol
Ranch Hand

Joined: Apr 22, 2010
Posts: 55
Henry Wong wrote:
First of all, MD5 is *not* an encryption library -- as you may have noticed, there is no way to "decrypt" it. Also, it didn't take a password (or keys) which encryption requires.


Hi Henry,
Thanks for your prompt reply. My requirement is : when user enters password in browser, I need to hash/encrypt it before sending to server. On server, I need to decrypt it. So, I am in search of a library, where the 'encryption' is written in javascript and 'decryption' in java. Would be grateful if you provide a reference to such a kind of stuff.

Regards,
Amol
Henry Wong
author
Sheriff

Joined: Sep 28, 2004
Posts: 18824
    

lekurwale amol wrote:
Hi Henry,
Thanks for your prompt reply. My requirement is : when user enters password in browser, I need to hash/encrypt it before sending to server. On server, I need to decrypt it. So, I am in search of a library, where the 'encryption' is written in javascript and 'decryption' in java. Would be grateful if you provide a reference to such a kind of stuff.

Regards,
Amol


The correct solution is to not decrypt it -- meaning have the java side take a MD5 hash (of the correct password), and compare the two hashes.

Henry
Jesper de Jong
Java Cowboy
Saloon Keeper

Joined: Aug 16, 2005
Posts: 14143
    

lekurwale amol wrote: My requirement is : when user enters password in browser, I need to hash/encrypt it before sending to server. On server, I need to decrypt it.

No, you don't, that's not how MD5 hash codes work. MD5 is a one-way algorithm: you can use it to calculate a hash value over some data. It is not possible to get the original data back from the hash value. So it is impossible to "decrypt" this - it's not an encryption algorithm as Henry explained, so the words "encrypt" and "decrypt" do not even apply here. Hashing and encryption are two totally different things.

How this normally works is that you have the hash codes of the passwords stored in a database somewhere, and you compare the hash code of the password that the user entered with the hash code in the database.

Note that calculating the hash code on the client side in JavaScript is not a secure solution by itself. Someone could easily send a fake request with a hashed password in it. You should at least use HTTPS instead of normal HTTP to make it more secure.

lekurwale amol
Ranch Hand

Joined: Apr 22, 2010
Posts: 55
Jesper,
You were right. I was confused with encryption and hashing. I have now to choose RSA algorithm to encrypt and decrypt the data. I cannot store the hashed password at server. It has to be the decrypted one. I found a couple of sites providing the javascript to encode and also decode.
I need your comments on this :
1. As per the directions, it appears safe to use it as decryption is using a different key

Regards,
Amol
Henry Wong
author
Sheriff

Joined: Sep 28, 2004
Posts: 18824
    

Jesper Young wrote:
Note that calculating the hash code on the client side in JavaScript is not a secure solution by itself. Someone could easily send a fake request with a hashed password in it. You should at least use HTTPS instead of normal HTTP to make it more secure.


One option around this is to have the server send a salt (which could be based on the current time)... basically, the client must hash both the salt and the password. It won't be possible to fake a request, unless of course, the salt repeats.

Henry
Nevin kumar
Ranch Hand

Joined: Mar 15, 2008
Posts: 93
Dear Amol,

You can get a hashing algorithm here http://www.webtoolkit.info/javascript/page/4 if required. As Henry suggested, there is no reason to decrypt the password; you can store the hashed password in the database directly and compare the same on login. The better way is always hashing and salting together.

regards,
Naveen

lekurwale amol
Ranch Hand

Joined: Apr 22, 2010
Posts: 55
Hi,
I agree that storing the encrypted one is better but my client requires to store the actual password in DB. So, now using a RSA algorithm to encrypt on client and decrypt it on server.
Any comments about the security of this algorithm is appreciated. I repeat, I am using SSL. My issue is onsubmit on form, on which browser tends to store. So, a javascript function before the browser starts 'storing/caching' which will encrypt is to be written.

Regards.
Amol
Jesper de Jong
Java Cowboy
Saloon Keeper

Joined: Aug 16, 2005
Posts: 14143
    

lekurwale amol wrote: I agree that storing the encrypted one is better but my client requires to store the actual password in DB.

Storing actual passwords (in plain text?) in a database is a dubious idea (what if someone hacks into the database - then they can easily steal passwords) but OK...

You can do this with a hashing algorithm; you don't need real encryption / decryption algorithms (which are more complicated to use than hashing algorithms). You could do this (taking Henry's tip about using a salt into account):

1. The user goes to the login page. The server sends a "salt" (some random string of characters) along with the login page.
2. The user types in his username and password. The JavaScript on the page takes the password and the salt (append them together in a string) and calculates the hash value (using some hashing algorithm such as MD5).
3. The user presses the submit button. The server looks up the user and password in the database.
4. The server takes the password from the database and the salt and calculates the hash value.
5. The server compares the hash value received from the browser with what it has just calculated from the database. If the hash values are the same, the login is OK.

To make this work, the salt should be a random string that the server needs to remember for each user session.
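
Steps 1 to 5 above on the server side, combined with Henry's earlier points (the MD5 built into the Java API, and a salt that must not repeat), as an added Java example that is not part of anyone's post. The class and method names, the in-memory salt map and the sample session id and password are constructed for illustration, and hashing the UTF-8 bytes is an assumption about what the JavaScript side does.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class SaltedLoginCheck {
    private static final SecureRandom RNG = new SecureRandom();
    // sessionId -> salt sent with the login page (step 1); removed on first use.
    private final Map<String, String> pendingSalts = new ConcurrentHashMap<>();

    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Step 2 as the browser computes it: MD5 over password + salt, lowercase hex.
    static String md5Hex(String password, String salt) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("MD5");
        return toHex(md.digest((password + salt).getBytes(StandardCharsets.UTF_8)));
    }

    String issueSalt(String sessionId) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);                      // random, so it does not repeat in practice
        String salt = toHex(raw);
        pendingSalts.put(sessionId, salt);
        return salt;
    }

    // Steps 3-5. dbPassword is the value the database lookup returned for the user.
    boolean verify(String sessionId, String dbPassword, String receivedHex)
            throws NoSuchAlgorithmException {
        String salt = pendingSalts.remove(sessionId); // single use: a replay finds no salt
        if (salt == null || dbPassword == null || receivedHex == null) return false;
        byte[] expected = md5Hex(dbPassword, salt).getBytes(StandardCharsets.US_ASCII);
        byte[] received = receivedHex.getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, received); // does not stop at first mismatch
    }

    public static void main(String[] args) throws Exception {
        SaltedLoginCheck server = new SaltedLoginCheck();
        String salt = server.issueSalt("session-1");          // constructed session id
        String fromBrowser = md5Hex("correct horse", salt);   // what the client would send
        System.out.println(server.verify("session-1", "correct horse", fromBrowser));
        System.out.println(server.verify("session-1", "correct horse", fromBrowser)); // replay
    }
}
```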
lekurwale amol
Ranch Hand

Joined: Apr 22, 2010
Posts: 55
Jesper,

We are using a web service call for password and userid verification. We cannot change that code (Ownership). So at the max, what we can do is to decrypt to original at server and send further.
I think we are deviating from the original query.

Now, I do have the javascript functions to encode and decode. Encoding is not an issue as it would be done at the client browser.
I need to call the decryption function, with input as the encrypted text and private key residing on server.
Please suggest an API for the same.

Regards,
Amol
lekurwale amol
Ranch Hand

Joined: Apr 22, 2010
Posts: 55
Also, I found a couple of solutions using JSObject and Applets etc.
My requirement is a simple Java API to just evaluate a simple Javascript method taking String parameters and returning a String
 