Hi

I have a Java web service and a Java web client making use of this service. One of the functions is to create a new user account. My two concerns are:

  1. How will I send the user's password securely from the client.
  2. How will I store the user's password securely on the server.

How can I achieve these? I know the basic theory behind security, security algorithms etc., but can anyone give me some advice on how I should go about coding it? Could anyone point me to some good (and if possible not complicated) examples to follow, since I found some examples on the Internet very contorted?

Thanks a lot and regards, Krt_Malta

+3  A: 

Typically, if you are concerned about the password being transmitted in the clear from the web client to the service, you would run the service through SSL.

On the back-end, I do not ever store the password in the clear, hashing it before storing it. Make sure to use salts. When the user logs in at a later date, I hash the password they submitted, and then compare the hashed value with the previously stored hashed value. If they match, then the user has authenticated. In my case there's more to it than this (with remember me features, etc.), but that is the guts of it.

I use the Apache Shiro framework to help with much of this. It is fairly lightweight and doesn't require a web-environment, but will work with one as well. It integrates with Spring and other solutions as well, but again, this is not required. Probably worth checking out.

Tauren
Do not encrypt it, hash it.
Gumbo
@Gumbo: Yes, exactly, that's what I meant to say. Hash it. I'll update my answer.
Tauren
Thanks for the quick answer :) I'm running the web service on a Tomcat 6.0. If I add SSL to it (found a good article here: http://mircwiki.rsna.org/index.php?title=Configuring_Tomcat_to_Support_SSL) will the password be transmitted securely? Should I change anything from the client?
Krt_Malta
@Tauren I hope you're using salts in your password hashing, otherwise you're open to rainbow table attacks.
crazyscot
@crazyscot: indeed, I do use salts. thanks for pointing this out.
Tauren
@Krt_Malta: If your Tomcat service is running SSL, then you will need to use a URL that starts with https: to securely transmit data. If your app is running on both http (port 80) and https (port 443), and you do not use https, then it will still be insecure. In typical webapps, you only permit your login pages/code to run in a secure environment.
Tauren
+2  A: 

John's rule: always try to avoid writing your own security software. It's too easy to make mistakes like encrypting instead of hashing, not using salts, etc. You won't find many security experts to review your code, but you can expect that quite a few have looked at the more popular open source systems.

Firstly, can you use OpenID or Shibboleth to avoid giving people yet another system that they need a password on -- I'd thank you if I could use an existing account!

If the answer is no, then for password storage, try a free LDAP server such as OpenDS or Apache Directory Server.

Use Spring Security or similar to manage the logins, and the remember-me. (There's a nice video that introduces spring security.)

You will need to use SSL (https) as mentioned in other answers if you want your system to communicate passwords from client to server.

John