| author | Stefan Suhren <suhren.stefan@fh-swf.de> | 2015-10-26 10:17:15 +0100 |
|---|---|---|
| committer | Stefan Suhren <suhren.stefan@fh-swf.de> | 2015-10-26 10:17:15 +0100 |
| commit | 726d30ae4db5643e00b1bedcad132b05e2d6e091 (patch) | |
| tree | 183880e8d8a01ba395432ddd472dd87795eb92fe /src/de/fhswf/in/inf/fit | |
| parent | 575876a19885949f62a2b10e7885b00e9816919c (diff) | |
| download | FIT-726d30ae4db5643e00b1bedcad132b05e2d6e091.tar.gz FIT-726d30ae4db5643e00b1bedcad132b05e2d6e091.zip | |
Only store hashed and base64 encoded password
Diffstat (limited to 'src/de/fhswf/in/inf/fit')
| -rw-r--r-- | src/de/fhswf/in/inf/fit/aufgabe3/LoginServlet.java | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/src/de/fhswf/in/inf/fit/aufgabe3/LoginServlet.java b/src/de/fhswf/in/inf/fit/aufgabe3/LoginServlet.java index 7f56c3e..a3b06e6 100644 --- a/src/de/fhswf/in/inf/fit/aufgabe3/LoginServlet.java +++ b/src/de/fhswf/in/inf/fit/aufgabe3/LoginServlet.java @@ -4,6 +4,7 @@ import java.io.IOException; import java.io.PrintWriter; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; +import java.util.Base64; import javax.servlet.ServletException; import javax.servlet.annotation.WebServlet; @@ -68,9 +69,8 @@ public class LoginServlet extends HttpServlet pw.println("<body>"); // This is very insecure and can be exploited via timing attacks - if (requestUsername.equals(validUsername) - && createSaltedPasswordHash(validPassword, salt) - .equals(createSaltedPasswordHash(requestPassword, salt))) + if (requestUsername.equals(validUsername) && validPassword + .equals(createSaltedPasswordHash(requestPassword, salt))) { pw.println("<h1>Success</h1>"); request.getSession().setAttribute("loggedin", true); @@ -86,7 +86,7 @@ public class LoginServlet extends HttpServlet } /** - * Generate a SHA-1 encoded password that is salted. + * Generate a Base64 encoded SHA-1 hashed password that is salted. * * @param password * The password to encode. @@ -110,7 +110,7 @@ public class LoginServlet extends HttpServlet { MessageDigest md = MessageDigest.getInstance("SHA-1"); md.update((password + salt).getBytes()); - return new String(md.digest()); + return Base64.getEncoder().encodeToString(md.digest()); } catch (NoSuchAlgorithmException e) { |
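Review bot: The rewritten `if` in the second hunk still compares the two Base64 strings with `String.equals`, which stops at the first differing character, so the "can be exploited via timing attacks" comment directly above it is as true after this commit as before; compare the digests with the constant-time `MessageDigest.isEqual(validPassword.getBytes(StandardCharsets.UTF_8), createSaltedPasswordHash(requestPassword, salt).getBytes(StandardCharsets.UTF_8))` instead (the class already imports `MessageDigest`). The `&&` also short-circuits on the username check, so the response time distinguishes a known username from an unknown one independently of the password. Since `validPassword` now holds the stored Base64 hash rather than a password, renaming it to something like `validPasswordHash` where it is declared would keep the code honest; that declaration, and the rest of the enclosing method, are outside this hunk.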
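Review bot: In the last hunk the line above the changed `return`, `md.update((password + salt).getBytes());`, still uses the platform default charset, so the same password and salt can yield different digests on different hosts and a hash stored on one machine may not verify on another; use `md.update((password + salt).getBytes(StandardCharsets.UTF_8));` and add `import java.nio.charset.StandardCharsets;` next to the new `Base64` import. Encoding aside, a single SHA-1 round over password plus salt is a fast hash rather than a password-stretching function; if the exercise allows it, PBKDF2 via `javax.crypto.SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1")` would be the standard-library replacement. The Javadoc touched in the third hunk could also state that the return value is the Base64 text of the raw 20-byte digest, not a hex string, since that is what the stored value must now match. The `catch` block continues outside this hunk.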
