views:

1817

answers:

3

As part of my daily routine, I have the misfortune of administering an ancient, once "just internal" JSP web application that relies on the following authentication scheme:

...

// Validate the user name and password.
if ((user != null) && (password != null) && (
    (user.equals("brianmay") && password.equals("queen")) ||
    (user.equals("rogertaylor") && password.equals("queen")) ||
    (user.equals("freddiemercury") && password.equals("queen")) ||
    (user.equals("johndeacon") && password.equals("queen"))
   )) {
    // Store the user name as a session variable.
    session.putValue("user", user);

...

As much as I would like to, the Queen members have never been users of the system, but anyway it does make a great example, does it not?

Although by policy this client enforces security through domain authentication, among other things, so this issue isn't seen as a security risk, my idea is still to at least obfuscate those plain text credentials using perhaps a simple MD5 or SHA1 method, so that such sensitive data is not visible to the naked eye.

I'm a total newbie when it comes to JSP so I would really appreciate any piece of advice you'd be willing to share with me.

Thanks much in advance!

+1  A: 

First of all, you should move that logic from the JSP to a separate class.

Second, you shouldn't keep plain text passwords anywhere in the code. Use some kind of one-way hash function (MD5, SHA1, ...) and keep only the password hashes.

When checking a user's password, first hash it and then compare the hashes.

Dev er dev
Thanks much for the reply, buddy. Would you mind elaborating on the techniques you mention?
Nano Taboada
+2  A: 

It is hard to understand the exact scheme you are thinking about, but I assume the password is coming in from a request and you want to calculate the MD5 hash in the JSP that the request is being sent to. After that you can compare it to the pre-computed MD5 version. You could even be more secure, if it isn't being done over HTTPS, by using a JavaScript MD5 library to hash the password before submitting it.

You can MD5 a string in Java like this:

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

...

try
{
  String digestInput = "queen";

  MessageDigest messageDigest = MessageDigest.getInstance("MD5");
  // Fix the charset so the same password always yields the same bytes.
  messageDigest.update(digestInput.getBytes(StandardCharsets.UTF_8));

  // java.util.Base64 (Java 8+) instead of the internal sun.misc.BASE64Encoder,
  // which is not a public JDK API and is gone from Java 9 onwards.
  String digestString = Base64.getEncoder().encodeToString(messageDigest.digest());

  // digestString now contains the base64-encoded MD5 hash of the password
}
catch (Exception e)
{
  // do some type of logging here
}
carson
Beautiful! Thanks a lot! What would be the simplest way to store that MD5 hash? A plain text file?
Nano Taboada
Surely pre-computing with JS would only be more secure if the password is being used in other places. Otherwise, precomputing the hash means you are just comparing two strings on the server side, and it's no more secure than comparing naked passwords. An attacker could just submit the hash manually.
mtruesdell
I don't think we're authorized to implement solutions in JS for that particular client, so I'd have to stick with storing the pre-calculated MD5 and then comparing. Could you give me some hint regarding how to implement that in JSP?
Nano Taboada
Use carson's code to get the hash. The first time through, store it; after that, compute it and compare against the stored value. A database is the common storage. The problem with a text file is that you would have to synchronize access to it so that multiple users didn't try to write to it at the same time.
mtruesdell
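Putting the two answers together as one standalone class (an added example written for this page, not code from carson or the other posters): only hashes are stored, the submitted password is hashed on the server and compared there, which is the point mtruesdell makes about hashing in the browser not helping. The class name, the per-user salt and the constant-time comparison are my additions; the answers themselves only mention MD5/SHA1 and a stored hash.

```java
// Added example, not the answers' code: keep only hashes, hash server-side, then compare.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
public class HashedUserStore {
    // The answers mention MD5; any MessageDigest name ("MD5", "SHA-1", "SHA-256") works here.
    private static final String ALGORITHM = "SHA-256";
    private final SecureRandom random = new SecureRandom();
    // user -> "base64(salt):base64(hash)"; a database column would hold the same string
    private final Map<String, String> records = new HashMap<>();
    private static byte[] digest(byte[] salt, String password) {
        try {
            MessageDigest md = MessageDigest.getInstance(ALGORITHM);
            md.update(salt);  // per-user salt, so equal passwords give different hashes
            md.update(password.getBytes(StandardCharsets.UTF_8));
            return md.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(ALGORITHM + " not available", e);
        }
    }

    // "First time through store it": only salt and hash are kept, never the password.
    public void addUser(String user, String password) {
        byte[] salt = new byte[16];
        random.nextBytes(salt);
        Base64.Encoder enc = Base64.getEncoder();
        records.put(user, enc.encodeToString(salt) + ":" + enc.encodeToString(digest(salt, password)));
    }

    // Replaces the JSP if-chain: hash the submitted password, compare in constant time.
    public boolean verify(String user, String password) {
        String record = (user == null || password == null) ? null : records.get(user);
        if (record == null) return false;
        String[] parts = record.split(":", 2);
        Base64.Decoder dec = Base64.getDecoder();
        return MessageDigest.isEqual(dec.decode(parts[1]), digest(dec.decode(parts[0]), password));
    }

    public static void main(String[] args) {
        HashedUserStore store = new HashedUserStore();
        store.addUser("brianmay", "queen");                      // constructed sample user
        System.out.println(store.verify("brianmay", "queen"));   // true
        System.out.println(store.verify("brianmay", "QUEEN"));   // false
    }
}
```

The string that addUser builds is what goes into the database row mtruesdell suggests; the JSP then only needs to call verify with the request parameters.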
+1  A: 

Good Day:

Based on the previous example, could you please let me know how to decode or decrypt digestString, in order to get the word "queen"? Thanks in advance.