Using Serialize to hold login info

Alexander Cowie
Greenhorn

Joined: Mar 25, 2010
Posts: 8
Hi there, I am attempting to write a simple login system in Java. I have taken the approach of serializing the login data of the user (username and password), which seems to work just fine. I am then trying to deserialize the username and password in order to check them against the username and password entered in a JTextField/JPasswordField in my login GUI class. This does not seem to work; please see my code below. I welcome any advice on the approach I am taking for this login system, as I'm not sure if I am going about this in the right way at all.

Thanks in advance,
Alex

Jesper de Jong
Java Cowboy
Saloon Keeper

Joined: Aug 16, 2005
Posts: 14074

Welcome to JavaRanch.

Please use code tags when you post source code.

About your code: you are writing four objects, sName, sUName, correctPassword and position, in lines 31-34. But in the reading code you read only correctPassword (line 57). Why are you not reading the other objects? It won't work if you read something different from what you wrote; you need to read the same objects in the same order as you wrote them.


William Brogden
Author and all-around good cowpoke
Rancher

Joined: Mar 22, 2000
Posts: 12756
Also note that your file writing and reading code, such as:



will always use the "current directory" - not a good idea.

Instead use an absolute file path.

Bill
Alexander Cowie
Greenhorn

Joined: Mar 25, 2010
Posts: 8
Thanks guys, that has solved my problem.
And apologies for the sloppy post.
Campbell Ritchie
Sheriff

Joined: Oct 13, 2005
Posts: 37897
Do you really want to serialise a password? Anyone gaining access to the serialised object can easily extract the password from it.
Jatin Dhingra
Greenhorn

Joined: Jun 28, 2010
Posts: 29
Hi Campbell,

I had a query similar to the point you raised... can anyone gain access to the data inside a serialized object IF he does not have the class of the serialized object?

What other security concerns relate to sensitive data stored in a serialized object (assuming that the hacker does not have the class file of the serialized object)?

Thanks in advance.
Jesper de Jong
Java Cowboy
Saloon Keeper

Joined: Aug 16, 2005
Posts: 14074

Jatin Dhingra wrote: I had a query similar to the point you raised... can anyone gain access to the data inside a serialized object IF he does not have the class of the serialized object?

Yes! You can look at the contents of the serialized file with a hex editor and you will most likely see the password in plain text. Serialized files are not encrypted or anything like that; don't rely on the fact that serialized files are binary files that you can't read with, for example, a text editor (security through obscurity is not real security). In principle, everybody can read anything in your serialized files, even if they don't have the matching Java classes.
Rob Spoor
Sheriff

Joined: Oct 27, 2005
Posts: 19649

It's not exactly plain text, but it comes very close. Even worse, the serialization algorithm is not closed; you can look up how serialized data is built up. You can start by checking here, but there is a complete spec to be found here (and on the next pages).


Campbell Ritchie
Sheriff

Joined: Oct 13, 2005
Posts: 37897
Jatin Dhingra wrote: ... can anyone gain access to the data inside a serialized object IF he does not have the class of the serialized object? ...
I had already said "easily extract the password", and Rob and Jesper have given fuller explanations.
Jatin Dhingra
Greenhorn

Joined: Jun 28, 2010
Posts: 29
@Jesper: Thanks for your comment.

@Rob: Thanks again, and nice link!
Jatin Dhingra
Greenhorn

Joined: Jun 28, 2010
Posts: 29
Campbell Ritchie wrote:
Jatin Dhingra wrote: ... can anyone gain access to the data inside a serialized object IF he does not have the class of the serialized object? ...
I had already said "easily extract the password", and Rob and Jesper have given fuller explanations.

Thanks Campbell, I was doubtful of what "gaining access to the serialized object..." meant: whether access to the class and the serialized object, or only the serialized object. I have got my doubts cleared up now.
Campbell Ritchie
Sheriff

Joined: Oct 13, 2005
Posts: 37897
Try opening a serialised object with a text editor, and you will see what I mean.
Alexander Cowie
Greenhorn

Joined: Mar 25, 2010
Posts: 8
Hi guys, I have decided to change the way in which the login info in my earlier post is stored. I have taken the approach of creating a SystemUser object that contains all of the relevant login info. I have managed to serialize the object, but I am having some trouble when trying to deserialize it again.
This is the code I'm using to serialize:


This is the code I'm using to deserialize:

I'm getting this error message: .ClassCastException: SystemUser cannot be cast to [C

Any advice on this will be appreciated.
Thanks in advance, Alex
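An added example, not the poster's code, that ties the thread's points together: the stream is read back as exactly the type that was written (`[C` in the error above is the JVM's descriptor for `char[]`, so a `SystemUser` is being read and cast to a `char[]`), and the password is never written to the stream at all, only a salted PBKDF2 hash of it, so a hex editor or a byte-for-byte scan of the file finds the username but not the password. The fields of SystemUser and the PBKDF2 parameters are assumptions for illustration.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example, not the poster's code; SystemUser's fields are assumed for illustration.
public class SerializedLoginDemo {
    static class SystemUser implements Serializable {
        private static final long serialVersionUID = 1L;
        final String username;
        final byte[] salt; // random per user
        final byte[] hash; // PBKDF2(password, salt); the password itself is never written to the stream
        SystemUser(String username, char[] password) throws Exception {
            this.username = username;
            this.salt = new byte[16];
            new SecureRandom().nextBytes(salt);
            this.hash = pbkdf2(password, salt);
        }
        boolean verify(char[] candidate) throws Exception {
            // constant-time comparison so timing does not leak how many bytes matched
            return MessageDigest.isEqual(hash, pbkdf2(candidate, salt));
        }
    }
    static byte[] pbkdf2(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }
    // Crude "hex editor" check: map each byte to one char and look for the text in the stream.
    static boolean visibleInStream(byte[] stream, String needle) {
        return new String(stream, StandardCharsets.ISO_8859_1).contains(needle);
    }
    public static void main(String[] args) throws Exception {
        char[] pw = "s3cret".toCharArray(); // constructed sample credential
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(new SystemUser("alex", pw)); // one object written...
        }
        byte[] bytes = bos.toByteArray();
        SystemUser restored;
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            restored = (SystemUser) in.readObject();     // ...one object read, cast to its own type, not to char[]
        }
        System.out.println("username visible in stream: " + visibleInStream(bytes, "alex"));
        System.out.println("password visible in stream: " + visibleInStream(bytes, "s3cret"));
        System.out.println("login ok: " + restored.verify(pw));
    }
}
```

The same scan run against a stream that writes the password as a String would find it, which is the point Jesper and Rob make above.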