Struts 2 password encrypt

Pj Casaro
Ranch Hand

Joined: Jul 13, 2010
Posts: 47
This seems simple enough, but I guess I never thought about it until I started trying to make my first Struts 2 website.

I have a simple form:

and I realized that the password is going to be sent in plain text via POST. Is there a Struts 2 tag to hash the password first?
David Newton
Author
Rancher

Joined: Sep 29, 2008
Posts: 12617

"First"? Struts has nothing to do with the client side.

This is what SSL/HTTPS is for.
Pj Casaro
Ranch Hand

Joined: Jul 13, 2010
Posts: 47
I thought there might be a special Struts tag that would perform some JavaScript to do the hash. I don't have experience with HTTPS/SSL but I'll look into it. Most websites I'm familiar with don't use it. I was under the impression that most websites didn't let your password go through in plain text, but it seems that many of them do.
David Newton
Author
Rancher

Joined: Sep 29, 2008
Posts: 12617

Pj Casaro wrote: Most websites I'm familiar with don't use it. I was under the impression that most websites didn't let your password go through in plain text, but it seems that many of them do.

Very few do not use HTTPS for login. Look again.
Pj Casaro
Ranch Hand

Joined: Jul 13, 2010
Posts: 47
The two that I quickly checked were this site and Facebook. Both send my password in plain text.
David Newton
Author
Rancher

Joined: Sep 29, 2008
Posts: 12617

Facebook: <form method="POST" action="https://login.facebook.com/login.php?login_attempt=1" id="login_form">
David Newton
Author
Rancher

Joined: Sep 29, 2008
Posts: 12617

David Newton wrote: Facebook: <form method="POST" action="https://login.facebook.com/login.php?login_attempt=1" id="login_form">


Do not confuse what you see via Firebug with what is sent over the wire: think about where the encryption is taking place.
Pj Casaro
Ranch Hand

Joined: Jul 13, 2010
Posts: 47
I imagine the encryption takes place in storing the password in a database. But if someone was sniffing your network packets they could see all of your passwords because they get posted in plain text. I used LiveHTTPHeaders and the password is right there in the POST fields.
David Newton
Author
Rancher

Joined: Sep 29, 2008
Posts: 12617

Yeah, except that you're wrong. Run your Facebook login through a proxy. You're still confused about when the encryption happens.
Pj Casaro
Ranch Hand

Joined: Jul 13, 2010
Posts: 47
So basically, LiveHTTPHeaders just shows what my browser is sending. The encryption happens after that stage, so if someone was snooping they would just see the encrypted info.
David Newton
Author
Rancher

Joined: Sep 29, 2008
Posts: 12617

It shows what you're sending before the encryption layer. JavaRanch *does* send in plain text (if you look at the form you'll see what it submits to). Facebook doesn't (HTTPS protocol), and the *vast* majority of sites use HTTPS for sending password info (I don't know why JavaRanch doesn't, other than nobody implemented it).

The way to verify this (assuming you don't trust your browser to do what it's told) is to connect through a logging proxy and examine what's actually on the wire.
 