authorStefan Suhren <suhren.stefan@fh-swf.de>2015-11-09 09:37:31 +0100
committerStefan Suhren <suhren.stefan@fh-swf.de>2015-11-09 10:04:19 +0100
commitc58001fdf1defd03ff30cd9c39160b03eec02434 (patch)
tree3944040b15461618a1076a09a189d87dbfd45851 /src/de/fhswf/in/inf/fit/aufgabe5/LoginServletWithJpa.java
parent886ea8362d80e8855da839a95f9539a2b199f6fe (diff)
Use JPA for storing the user accounts in a database
Diffstat (limited to 'src/de/fhswf/in/inf/fit/aufgabe5/LoginServletWithJpa.java')
-rw-r--r--src/de/fhswf/in/inf/fit/aufgabe5/LoginServletWithJpa.java132
1 files changed, 132 insertions, 0 deletions
diff --git a/src/de/fhswf/in/inf/fit/aufgabe5/LoginServletWithJpa.java b/src/de/fhswf/in/inf/fit/aufgabe5/LoginServletWithJpa.java
new file mode 100644
index 0000000..d80e5c5
--- /dev/null
+++ b/src/de/fhswf/in/inf/fit/aufgabe5/LoginServletWithJpa.java
@@ -0,0 +1,132 @@
+package de.fhswf.in.inf.fit.aufgabe5;
+
+import java.io.IOException;
+import java.io.PrintWriter;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.util.Base64;
+
+import javax.persistence.EntityManager;
+import javax.persistence.EntityManagerFactory;
+import javax.persistence.Persistence;
+import javax.servlet.ServletException;
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import de.fhswf.in.inf.fit.aufgabe5.model.Account;
+
+/**
+ * Servlet implementation class LoginServlet
+ */
+@WebServlet("/LoginServletWithJpa")
+public class LoginServletWithJpa extends HttpServlet
+{
+ private static final long serialVersionUID = 1L;
+
+ /**
+ * @see HttpServlet#HttpServlet()
+ */
+ public LoginServletWithJpa()
+ {
+ super();
+ }
+
+ /**
+ * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse
+ * response)
+ */
+ protected void doGet(HttpServletRequest request,
+ HttpServletResponse response) throws ServletException, IOException
+ {
+ response.sendRedirect("LoginFormWithJpa.jsp");
+ }
+
+ /**
+ * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse
+ * response)
+ */
+ protected void doPost(HttpServletRequest request,
+ HttpServletResponse response) throws ServletException, IOException
+ {
+ String requestUsername = request.getParameter("username");
+ String requestPassword = request.getParameter("password");
+
+ if (requestUsername == null || requestPassword == null)
+ {
+ doGet(request, response);
+ }
+
+ EntityManagerFactory emf = Persistence.createEntityManagerFactory(
+ getServletContext().getInitParameter("persistenceUnit"));
+ EntityManager em = emf.createEntityManager();
+
+ Account account = em.find(Account.class, requestUsername);
+
+ PrintWriter pw = response.getWriter();
+
+ pw.println("<!DOCTYPE html>");
+ pw.println("<html>");
+ pw.println("<head>");
+ pw.println("<meta charset=\"utf-8\" />");
+ pw.println("<title>Login Answer</title>");
+ pw.println("</head>");
+ pw.println("<body>");
+
+ System.out.println(account.getPassword() + " == "
+ + (createSaltedPasswordHash(requestPassword, account.getSalt())));
+
+ // This is very insecure and can be exploited via timing attacks
+ if (account != null && account.getPassword().equals(
+ createSaltedPasswordHash(requestPassword, account.getSalt())))
+ {
+ pw.println("<h1>Success</h1>");
+ request.getSession().setAttribute("loggedin", true);
+ }
+ else
+ {
+ pw.println("<h1>Failed</h1>");
+ pw.println("<a href=\"LoginFormWithJpa.jsp\">Retry</a>");
+ }
+
+ pw.println("</body>");
+ pw.println("</html>");
+
+ emf.close();
+ }
+
+ /**
+ * Generate a Base64 encoded SHA-1 hashed password that is salted.
+ *
+ * @param password
+ * The password to encode.
+ * @param salt
+ * The salt for salting the password.
+ * @return The salted and encoded password hash.
+ */
+ public static String createSaltedPasswordHash(String password, String salt)
+ {
+ if (password == null)
+ {
+ throw new IllegalArgumentException("Password can't be null");
+ }
+
+ if (salt == null)
+ {
+ throw new IllegalArgumentException("Salt can't be null");
+ }
+
+ try
+ {
+ MessageDigest md = MessageDigest.getInstance("SHA-1");
+ md.update((password + salt).getBytes());
+ return Base64.getEncoder().encodeToString(md.digest());
+ }
+ catch (NoSuchAlgorithmException e)
+ {
+ throw new IllegalStateException(
+ "SHA-1 for some reason is not supported.", e);
+ }
+ }
+}
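Review bot: The null-parameter guard at the top of doPost falls through: after `doGet(request, response);` execution continues into `em.find(Account.class, requestUsername)` with a null key, so that branch needs a `return;` after the redirect. The `System.out.println` just before the password check dereferences `account` before the `account != null` test on the following line, so an unknown username ends in a NullPointerException instead of the "Failed" page, and it also writes the stored hash and the candidate hash to stdout; it should be removed. The comment already flags the timing issue on `equals`; comparing the two hashes with `MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8), b.getBytes(StandardCharsets.UTF_8))` would address it, and `(password + salt).getBytes()` in createSaltedPasswordHash should name a charset the same way so the hash does not depend on the platform default. Finally the EntityManager is never closed and `emf.close()` is skipped whenever the lookup or the response throws; wrapping the lookup in try/finally that closes both would fix that, and since creating the factory per request is expensive it is usually built once in init() and closed in destroy().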