Implementation of Security in Java

Deepak Lal
Ranch Hand
Hi,
I have a web application developed using J2EE/Java, and we want to go ahead and implement security in our web application.
How do I go ahead on this? Please suggest/advise regarding security/login implementation in Java.

Regards,
Deepak Lal
 
Ulf Dittmer
Rancher
As pointed out in the other topic where you asked about this, security is not a feature that can be "implemented" after the fact; it is something that needs to be designed into a system from the start. The SecurityFaq mentions many of the things that can or should be done, and links to further reading on those.

Also, security is a huge subject with many facets. If you want to improve some of those, tell us *specifically* what you're trying to guard against.
 
Deepak Lal
Ranch Hand
Yeah, I need to implement a security feature for the login module, where the password needs to be in encrypted format and stored in the backend database. The security feature should be implemented in Java.
 
Ulf Dittmer
Rancher
What are you trying to guard against? Is the password transferred all from the client to the server in a secure form? What do you have so far, and what difficulty are you facing implementing this?

Generally, passwords are not stored *encrypted*, they're stored *hashed* (or *digested*) using an algorithm like SHA-2. That way, nobody can retrieve them.
 
Deepak Lal
Ranch Hand
Ulf wrote: What are you trying to guard against? Is the password transferred all from the client to the server in a secure form? What do you have so far, and what difficulty are you facing implementing this? Generally, passwords are not stored *encrypted*, they're stored *hashed* (or *digested*) using an algorithm like SHA-2. That way, nobody can retrieve them.

My comments:
1> The password text field in the form is of type "password", but while storing in the database it should be "hashed" or "digested" as you have told. Sorry, I thought passwords are stored in encrypted format in the database; thanks for correcting me. So how can I use this algorithm called SHA-2 so that, while authenticating the user with correct credentials, it logs in successfully? Is it possible to achieve this using the SHA-2 algorithm which you are mentioning? Could you provide me some links where the SHA-2 algorithm is used in Java?

2> I need a Forgot Password link also to be implemented, so that when the end user enters the appropriate email id, the password which is in "hashed" format in the database should be "de-hashed (decrypted)" appropriately and mailed to the end user's email address. Can I implement this in Java? Please guide me, Ulf.

Thanks for replying so soon.

Sorry if I have mistaken/confused the "hashed"/"encrypted" terminologies.

Regards,
Deepak Lal
 
Ulf Dittmer
Rancher
Deepak Lal wrote: Is it possible to achieve this using the SHA-2 algorithm which you are mentioning? Could you provide me some links where the SHA-2 algorithm is used in Java?

Here's how a password would be converted to something that can be stored securely. The Base64 class is part of the Apache Commons Codec library.

Deepak Lal wrote: I need a Forgot Password link also to be implemented so that when the end user enters the appropriate email id, the password which is in "hashed" format in the database should be "de-hashed (decrypted)" appropriately and should be mailed to the end user's email address.

That's not how secure systems are implemented. Passwords are NEVER sent via email. What's more, a hash is a one-way algorithm: once something is hashed, you can't get it back. The login authentication works by digesting the password the user entered, and then comparing that to the stored password.

Password retrieval being impossible, the application would provide a way for the password to be re-entered: the user would be sent a link to his email address to a page that allows him to enter a new password. The link is good for only a single use, and it expires automatically after no more than 24 hours.

Deepak Lal wrote: Sorry if I have mistaken/confused the "hashed"/"encrypted" terminologies...

No need to be sorry, we're all learners.
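The store-then-compare flow Ulf describes, written out as an added example (not code from the thread): a per-user random salt is digested with the password using the JDK's SHA-256, and login re-digests the typed password with the stored salt and compares in constant time. It uses java.util.Base64 (JDK 8+) instead of the Apache Commons Codec class Ulf mentions, and the "salt$digest" record layout and class/method names are choices made here; today a deliberately slow password hash such as PBKDF2 (also in the JDK as PBKDF2WithHmacSHA256) would be preferred over a single SHA-256 round.

```java
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

// Added example, not from the thread: salted SHA-256 storage and verification.
// java.util.Base64 stands in for the Apache Commons Codec Base64 class; the
// "salt$digest" layout of the stored string is an assumption made here.
public final class PasswordStore {
    private static final SecureRandom RNG = new SecureRandom();

    private static byte[] digest(byte[] salt, char[] password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(salt);                                        // per-user salt first
            md.update(StandardCharsets.UTF_8.encode(CharBuffer.wrap(password)));
            return md.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is required in every JDK", e);
        }
    }

    /** At registration: the string to store in the users table instead of the password. */
    public static String hashForStorage(char[] password) {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);                                        // fresh salt per user
        Base64.Encoder enc = Base64.getEncoder();
        return enc.encodeToString(salt) + "$" + enc.encodeToString(digest(salt, password));
    }

    /** At login: re-digest what the user typed with the stored salt and compare. */
    public static boolean verify(char[] entered, String stored) {
        int sep = stored.indexOf('$');
        if (sep < 0) return false;                                  // malformed record
        Base64.Decoder dec = Base64.getDecoder();
        byte[] salt = dec.decode(stored.substring(0, sep));
        byte[] expected = dec.decode(stored.substring(sep + 1));
        // Constant-time comparison: a plain equals() stops at the first differing byte.
        return MessageDigest.isEqual(expected, digest(salt, entered));
    }

    public static void main(String[] args) {
        String record = hashForStorage("correct horse".toCharArray());
        System.out.println(record + " " + verify("correct horse".toCharArray(), record));
    }
}
```

The plaintext password is never written anywhere; only the salt and digest reach the database, and the same verify() answers the "how do I compare" question asked later in the thread.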
 
Deepak Lal
Ranch Hand
Thanks Ulf for your outstanding replies.

I have a few concerns still left in security.

1> Please have a look at the coderanch website itself, where in the password recovery section (the Lost Recovery page of the Code Ranch forum) the end user is prompted for an email address. I want to implement this feature.

2> Ulf's comments: "What's more, a hash is a one-way algorithm: once something is hashed, you can't get it back. The login authentication works by digesting the password the user entered, and then comparing that to the stored password." Any suggestions on how I can go about comparing the digested user-entered password and the stored password in the database?

3> What is the difference between http:// and https://, and how can I implement https:// (secured socket layer with 32 bit implementation in Java)?

Please help
 
Ulf Dittmer
Rancher
Deepak Lal wrote: Please have a look at the coderanch website itself, where in the password recovery section (the Lost Recovery page of the Code Ranch forum) the end user is prompted for an email address. I want to implement this feature.

OK. What do you have so far, and where are you stuck making progress?

Deepak Lal wrote: Any suggestions on how I can go about comparing the digested user-entered password and the stored password in the database?

Both being strings (or character arrays, depending on the details of your implementation), a comparison should be pretty straightforward, no?

Deepak Lal wrote: What is the difference between http:// and https://, and how can I implement https:// (secured socket layer with 32 bit implementation in Java)?

HTTPS is just HTTP over an SSL/TLS-secured connection. The details of how to SSL-enable a server are server-specific; for example, http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html describes how to do it for Tomcat.
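The password-recovery feature asked about above, built the way Ulf's earlier reply prescribes (a random link token that is usable once and dead after at most 24 hours), as an added example in Java 16+ rather than code from the thread. The class and method names, and the in-memory map standing in for a database table, are assumptions made here.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added example, not from the thread: one-time password-reset links.
// The token is random, bound to one account, consumed on first use and
// rejected after 24 hours. The map is a stand-in for a database table.
public final class ResetTokens {
    private static final Duration LIFETIME = Duration.ofHours(24);
    private static final SecureRandom RNG = new SecureRandom();

    private record Pending(String email, Instant expiresAt) {}
    private final Map<String, Pending> pending = new ConcurrentHashMap<>();

    /** Issues the token to embed in the emailed link, e.g. /reset?token=... */
    public String issue(String email, Instant now) {
        byte[] raw = new byte[32];                          // 256 bits of entropy
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        pending.put(token, new Pending(email, now.plus(LIFETIME)));
        return token;
    }

    /**
     * Called when the user submits the new password from the linked page.
     * Returns the account's email if the token is valid, otherwise null.
     * The token is removed before checking, so a second use and a late
     * use both fail; the caller then stores the new password hash.
     */
    public String consume(String token, Instant now) {
        if (token == null) return null;
        Pending p = pending.remove(token);                  // single use
        if (p == null || now.isAfter(p.expiresAt())) return null;
        return p.email();
    }

    public static void main(String[] args) {
        ResetTokens store = new ResetTokens();
        Instant t0 = Instant.parse("2010-01-01T00:00:00Z");  // constructed time
        String token = store.issue("user@example.com", t0);
        System.out.println(store.consume(token, t0.plus(Duration.ofHours(1))));
        System.out.println(store.consume(token, t0.plus(Duration.ofHours(1))));
    }
}
```

The email itself carries only the link; the page it opens asks for a new password and never reveals the old one, which no longer exists in recoverable form anyway.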