
Struts 2 password encrypt

 
Pj Casaro
Ranch Hand
Posts: 47
This seems simple enough, but I guess I never thought about it until I started trying to make my first Struts 2 website.

I have a simple form:

and I realized that the password is going to be sent in plain text via POST. Is there a Struts 2 tag to hash the password first?
 
David Newton
Author
Rancher
Posts: 12617
"First"? Struts has nothing to do with the client side.

This is what SSL/HTTPS is for.
 
Pj Casaro
Ranch Hand
Posts: 47
I thought there might be a special Struts tag that would perform some JavaScript to do the hash. I don't have experience with HTTPS/SSL but I'll look into it. Most websites I'm familiar with don't use it. I was under the impression that most websites didn't let your password go through in plain text, but it seems that many of them do.
 
David Newton
Author
Rancher
Posts: 12617
Pj Casaro wrote: Most websites I'm familiar with don't use it. I was under the impression that most websites didn't let your password go through in plain text, but it seems that many of them do.

Very few do not use HTTPS for login. Look again.
 
Pj Casaro
Ranch Hand
Posts: 47
The two that I quickly checked were this site and Facebook. Both send my password in plain text.
 
David Newton
Author
Rancher
Posts: 12617
Facebook: <form method="POST" action="https://login.facebook.com/login.php?login_attempt=1" id="login_form">
 
David Newton
Author
Rancher
Posts: 12617
David Newton wrote: Facebook: <form method="POST" action="https://login.facebook.com/login.php?login_attempt=1" id="login_form">

Do not confuse what you see via Firebug with what is sent over the wire: think about where the encryption is taking place.
 
Pj Casaro
Ranch Hand
Posts: 47
I imagine the encryption takes place in storing the password in a database. But if someone was sniffing your network packets they could see all of your passwords because they get posted in plain text. I used LiveHTTPHeaders and the password is right there in the post fields.
 
David Newton
Author
Rancher
Posts: 12617
Yeah, except that you're wrong. Run your Facebook login through a proxy. You're still confused about when the encryption happens.
 
Pj Casaro
Ranch Hand
Posts: 47
So basically, LiveHTTPHeaders just shows what my browser is sending. The encryption happens after that stage, and so if someone was snooping they would just see the encrypted info.
 
David Newton
Author
Rancher
Posts: 12617
It shows what you're sending before the encryption layer. JavaRanch *does* send in plain text (if you look at the form you'll see what it submits to). Facebook doesn't (HTTPS protocol), and the *vast* majority of sites use HTTPS for sending password info (I don't know why JavaRanch doesn't, other than nobody implemented it).

The way to verify this (assuming you don't trust your browser to do what it's told) is to connect through a logging proxy and examine what's actually on the wire.
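As an added illustration of the check described above (look at where the form submits and whether that is an HTTPS URL), here is a small Python helper that is not from the thread: it parses a page, finds every form containing a password field, resolves its action against the page URL, and reports whether the browser would submit it over HTTPS. The sample HTML is constructed; the Facebook snippet is the one quoted earlier in the thread, and the forum URL is a placeholder.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginFormAuditor(HTMLParser):
    """Collect the resolved action URL of every <form> that holds a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self._open = []    # forms currently open, innermost last
        self.actions = []  # resolved action URLs of forms with a password input

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open.append({"action": a.get("action") or "", "pw": False})
        elif tag == "input" and self._open and (a.get("type") or "").lower() == "password":
            self._open[-1]["pw"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._open:
            form = self._open.pop()
            if form["pw"]:
                # An empty or relative action submits back to the page's own origin,
                # so a form served over plain HTTP with action="/login" posts over HTTP.
                self.actions.append(urljoin(self.page_url, form["action"]))


def audit_login_forms(page_url, html):
    """Return [(action_url, submits_over_https)] for each password form on the page."""
    parser = LoginFormAuditor(page_url)
    parser.feed(html)
    parser.close()
    return [(url, urlsplit(url).scheme == "https") for url in parser.actions]


# Constructed samples: the Facebook form quoted in the thread, and a form that
# posts back to a plain-HTTP page (the situation the thread describes for JavaRanch).
FACEBOOK_FORM = ('<form method="POST" action="https://login.facebook.com/login.php?login_attempt=1" '
                 'id="login_form"><input type="text" name="email">'
                 '<input type="password" name="pass"></form>')
PLAIN_FORM = ('<form method="post" action="/login"><input name="user">'
              '<input type="PASSWORD" name="pass"></form>'
              '<form action="/search"><input name="q"></form>')

if __name__ == "__main__":
    results = (audit_login_forms("http://www.facebook.com/", FACEBOOK_FORM)
               + audit_login_forms("http://forum.example.test/login.jsp", PLAIN_FORM))
    for url, secure in results:
        print("HTTPS" if secure else "PLAIN HTTP", url)
```

This confirms only what the browser will send on submit; a page served over plain HTTP can itself be altered in transit, so the logging-proxy check above remains the authoritative view of the wire.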
 