| author | Stefan Suhren <suhren.stefan@fh-swf.de> | 2015-11-16 10:07:17 +0100 |
|---|---|---|
| committer | Stefan Suhren <suhren.stefan@fh-swf.de> | 2015-11-16 10:07:17 +0100 |
| commit | be337434a721178cc3efeb468e873b571855b605 (patch) | |
| tree | 2eec41dbb2c24bc065cb4ac26d546a6b64e4933a /src/de/fhswf/in/inf/fit/aufgabe5/LoginServletWithJpa.java | |
| parent | f8d050310b2eed163f2365928d63611edbe3e4b1 (diff) | |
| download | FIT-be337434a721178cc3efeb468e873b571855b605.tar.gz FIT-be337434a721178cc3efeb468e873b571855b605.zip | |
Use Account logic instead of own logic
Diffstat (limited to 'src/de/fhswf/in/inf/fit/aufgabe5/LoginServletWithJpa.java')
| -rw-r--r-- | src/de/fhswf/in/inf/fit/aufgabe5/LoginServletWithJpa.java | 43 |
1 files changed, 1 insertions, 42 deletions
diff --git a/src/de/fhswf/in/inf/fit/aufgabe5/LoginServletWithJpa.java b/src/de/fhswf/in/inf/fit/aufgabe5/LoginServletWithJpa.java
index d80e5c5..f98b9ab 100644
--- a/src/de/fhswf/in/inf/fit/aufgabe5/LoginServletWithJpa.java
+++ b/src/de/fhswf/in/inf/fit/aufgabe5/LoginServletWithJpa.java
@@ -2,9 +2,6 @@ package de.fhswf.in.inf.fit.aufgabe5;
 import java.io.IOException;
 import java.io.PrintWriter;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
-import java.util.Base64;
 import javax.persistence.EntityManager;
 import javax.persistence.EntityManagerFactory;
@@ -74,12 +71,8 @@ public class LoginServletWithJpa extends HttpServlet
 pw.println("</head>");
 pw.println("<body>");
- System.out.println(account.getPassword() + " == "
- + (createSaltedPasswordHash(requestPassword, account.getSalt())));
- // This is very insecure and can be exploited via timing attacks
- if (account != null && account.getPassword().equals(
- createSaltedPasswordHash(requestPassword, account.getSalt())))
+ if (account != null && account.isPasswordCorrect(requestPassword))
 {
 pw.println("<h1>Success</h1>");
 request.getSession().setAttribute("loggedin", true);
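Review bot: The new `if (account != null && account.isPasswordCorrect(requestPassword))` line gives the reader no visible guarantee of the two properties the removed code made explicit: `createSaltedPasswordHash` rejected a null password with `IllegalArgumentException`, and the deleted comment flagged that `String.equals` on the hash is not constant-time. Whether `Account.isPasswordCorrect` tolerates a null `requestPassword` and compares with `MessageDigest.isEqual` cannot be seen in this hunk, so the contract should be stated at the call site, e.g. `// Account.isPasswordCorrect owns salting, hashing and comparison; it must handle a null requestPassword and use a constant-time compare (MessageDigest.isEqual).` If `requestPassword` is read from a request parameter (outside the hunk, inferred), it is null when the form field is absent, so a null-safe check before this line is the cheap way to avoid an unhandled exception on a malformed login request. The enclosing servlet method starts and ends outside the hunk.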
@@ -95,38 +88,4 @@ public class LoginServletWithJpa extends HttpServlet
 emf.close();
 }
-
- /**
- * Generate a Base64 encoded SHA-1 hashed password that is salted.
- *
- * @param password
- * The password to encode.
- * @param salt
- * The salt for salting the password.
- * @return The salted and encoded password hash.
- */
- public static String createSaltedPasswordHash(String password, String salt)
- {
- if (password == null)
- {
- throw new IllegalArgumentException("Password can't be null");
- }
-
- if (salt == null)
- {
- throw new IllegalArgumentException("Salt can't be null");
- }
-
- try
- {
- MessageDigest md = MessageDigest.getInstance("SHA-1");
- md.update((password + salt).getBytes());
- return Base64.getEncoder().encodeToString(md.digest());
- }
- catch (NoSuchAlgorithmException e)
- {
- throw new IllegalStateException(
- "SHA-1 for some reason is not supported.", e);
- }
- }
 } |
