What I'm trying to achieve here is a login form that takes username and password as input and submits it to a servlet. The servlet then calls a backend API to authenticate and returns a success/error result. Right now, everything's working fine but for the fact that the servlet receives the username/password pair as plain text.
I believe the above method is insecure and a password can be retrieved by simply sniffing the servlet call and extracting its POST data. I want to encrypt the username and password to some standard format (Base64, WSSE, etc.) before sending it to the servlet. I can easily decode the encrypted parameters thereafter.
Thanks for the replies Ulf and Deepak...really appreciate that!
SSL is the best way to achieve security...can't agree more... would certainly have a word with the guy who takes care of the server.
I'm still wondering if there's a way in which I can pass a Base64 encoded string to my servlet instead of plain text. I just figured out the backend APIs need the string to be that way, and I'll have to encode the username/password on the servlet before calling the APIs. So why not have it encoded before it reaches the servlet itself, and the servlet would simply make a call to the backend APIs without bothering about Base64? I just want to avoid plain text flowing towards my webapp.
Implement Applet/Swing, and do your encryption there before calling servlet.
- I do not see any other way of encryption before going to server side, unless SSL is used.
Basic authentication, like form authentication, is configured in the web.xml file, but it looks as if you're using neither, but have rolled your own login system based on forms. In that case SSL is the way to go.
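As an added example (not from anyone in this thread), here is what "SSL is the way to go" looks like in web.xml for a hand-rolled form login: a security-constraint with a user-data-constraint of CONFIDENTIAL makes the container redirect any plain-HTTP request for the listed URLs to HTTPS before the servlet ever sees the POST, while leaving out the auth-constraint so the container does not take over authentication from the custom form. The servlet class name and URL patterns are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the thread. Servlet class and URL patterns are assumed. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!-- The custom login servlet that reads the form fields and calls the backend API -->
  <servlet>
    <servlet-name>LoginServlet</servlet-name>
    <servlet-class>com.example.LoginServlet</servlet-class> <!-- assumed class name -->
  </servlet>
  <servlet-mapping>
    <servlet-name>LoginServlet</servlet-name>
    <url-pattern>/login</url-pattern>
  </servlet-mapping>

  <!-- Transport-only constraint: there is deliberately no <auth-constraint>, so the
       container does not require container-managed roles and the hand-rolled form
       keeps working. CONFIDENTIAL tells the container that these URLs may only be
       served over a connector that provides confidentiality (HTTPS); a plain HTTP
       request is redirected to the HTTPS port instead of being handed to the servlet. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login form, login servlet and the application behind it</web-resource-name>
      <url-pattern>/login.jsp</url-pattern>  <!-- the page that serves the form -->
      <url-pattern>/login</url-pattern>      <!-- the servlet that receives the POST -->
      <url-pattern>/app/*</url-pattern>      <!-- everything reachable after login -->
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
```

Two things to check when applying this. First, the container still needs an HTTPS connector with a certificate configured (that part is server-specific, e.g. Tomcat's server.xml, and is the "guy who takes care of the server" part of the job); without one the redirect has nowhere to go. Second, put the page that serves the form under the constraint as well, not just the servlet that receives the POST: if the form itself arrives over plain HTTP, its action URL is not protected, so the credentials can still be sent in the clear. As a belt-and-braces check inside the servlet, `request.isSecure()` returns false for a non-TLS request and the servlet can refuse to read the credentials in that case.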
All right then... I'd better have things running through SSL.
True, I'm not using any of the authentication systems, if web.xml configurations are the ones Ulf was talking about. I need a custom login page since I need to pass this information to a third-party API.