authorStefan Suhren <suhren.stefan@fh-swf.de>2015-10-25 19:14:17 +0100
committerStefan Suhren <suhren.stefan@fh-swf.de>2015-10-25 19:14:17 +0100
commite79100f16063160b7ae42384690ad3b80099a2f4 (patch)
tree92d04629b066b9766a49f0ab3616c9775a1335ee
parent675f796447676ca7050a7a53360c50a0e083f2ae (diff)
Use salt for password authentication
-rw-r--r--src/de/fhswf/in/inf/fit/aufgabe3/LoginServlet.java7
1 files changed, 5 insertions, 2 deletions
diff --git a/src/de/fhswf/in/inf/fit/aufgabe3/LoginServlet.java b/src/de/fhswf/in/inf/fit/aufgabe3/LoginServlet.java
index c5900c7..ce5c0fd 100644
--- a/src/de/fhswf/in/inf/fit/aufgabe3/LoginServlet.java
+++ b/src/de/fhswf/in/inf/fit/aufgabe3/LoginServlet.java
@@ -17,7 +17,8 @@ import javax.servlet.http.HttpServletResponse;
*/
@WebServlet(urlPatterns = { "/LoginServlet" }, initParams = {
@WebInitParam(name = "username", value = "admin"),
- @WebInitParam(name = "password", value = "12345") })
+ @WebInitParam(name = "password", value = "12345"),
+ @WebInitParam(name = "salt", value = "aabbcc112233") })
public class LoginServlet extends HttpServlet
{
private static final long serialVersionUID = 1L;
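Review bot: The new `salt` init parameter sits next to the unchanged plaintext `password` init parameter, so the credential is still stored in clear in compiled source; hashing both the stored and the submitted password with the same salt at comparison time (the hunk at -70,7) adds no protection, because anyone who can read the annotation reads the password directly. The usual layout is to keep only the salted hash in configuration, e.g. `@WebInitParam(name = "passwordHash", value = "<precomputed-hash-placeholder>")`, and compare the hash of the submitted password against it, so the plaintext never has to appear in the deployment descriptor. A salt committed as a fixed constant is also shared with everyone who has the source; generating it per credential and storing it beside the hash is the conventional approach. A one-sentence class Javadoc stating that these init parameters are demo defaults expected to be overridden in `web.xml` would make the intent clear to the next reader.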
@@ -49,6 +50,7 @@ public class LoginServlet extends HttpServlet
{
String validUsername = getInitParameter("username").toLowerCase();
String validPassword = getInitParameter("password");
+ String salt = getInitParameter("salt");
String requestUsername = request.getParameter("username").toLowerCase();
String requestPassword = request.getParameter("password");
@@ -70,7 +72,8 @@ public class LoginServlet extends HttpServlet
// This is very insecure and can be exploited via timing attacks
if (requestUsername.equals(validUsername)
- && requestPassword.equals(validPassword))
+ && createSaltedPasswordHash(validPassword, salt)
+ .equals(createSaltedPasswordHash(requestPassword, salt)))
{
pw.println("<h1>Success</h1>");
}
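Review bot: The new comparison still goes through `String.equals` on the two hash strings, so the existing comment about timing attacks remains true for this code; comparing the digest bytes with `MessageDigest.isEqual(storedHash, requestHash)` (or the hash strings' `getBytes(StandardCharsets.UTF_8)`) gives a constant-time comparison that does not leak the position of the first mismatch. `requestPassword` comes from `request.getParameter` and is null when the form field is absent, and `salt` is null when the init parameter is not set; unless `createSaltedPasswordHash` (defined outside this hunk) guards against null, the new call fails with a NullPointerException just as the old `equals` did, so a guard such as `if (requestPassword == null || salt == null) { /* treat as failed login */ }` before the check keeps a missing field a clean login failure. Which digest `createSaltedPasswordHash` uses and whether it is deterministic is not visible here and should be confirmed. The enclosing method starts and ends outside the hunk.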