Use JPA for storing the user accounts in a database

3 files changed, 199 insertions, 0 deletions

diff --git a/src/de/fhswf/in/inf/fit/aufgabe5/LoginServletWithJpa.java b/src/de/fhswf/in/inf/fit/aufgabe5/LoginServletWithJpa.java
new file mode 100644
index 0000000..d80e5c5
--- /dev/null
+++ b/src/de/fhswf/in/inf/fit/aufgabe5/LoginServletWithJpa.java
@@ -0,0 +1,132 @@
+package de.fhswf.in.inf.fit.aufgabe5;
+
+import java.io.IOException;
+import java.io.PrintWriter;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.util.Base64;
+
+import javax.persistence.EntityManager;
+import javax.persistence.EntityManagerFactory;
+import javax.persistence.Persistence;
+import javax.servlet.ServletException;
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import de.fhswf.in.inf.fit.aufgabe5.model.Account;
+
+/**
+ * Servlet implementation class LoginServlet
+ */
+@WebServlet("/LoginServletWithJpa")
+public class LoginServletWithJpa extends HttpServlet
+{
+   private static final long serialVersionUID = 1L;
+
+   /**
+    * @see HttpServlet#HttpServlet()
+    */
+   public LoginServletWithJpa()
+   {
+      super();
+   }
+
+   /**
+    * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse
+    *      response)
+    */
+   protected void doGet(HttpServletRequest request,
+         HttpServletResponse response) throws ServletException, IOException
+   {
+      response.sendRedirect("LoginFormWithJpa.jsp");
+   }
+
+   /**
+    * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse
+    *      response)
+    */
+   protected void doPost(HttpServletRequest request,
+         HttpServletResponse response) throws ServletException, IOException
+   {
+      String requestUsername = request.getParameter("username");
+      String requestPassword = request.getParameter("password");
+
+      if (requestUsername == null || requestPassword == null)
+      {
+         doGet(request, response);
+      }
+
+      EntityManagerFactory emf = Persistence.createEntityManagerFactory(
+            getServletContext().getInitParameter("persistenceUnit"));
+      EntityManager em = emf.createEntityManager();
+
+      Account account = em.find(Account.class, requestUsername);
+
+      PrintWriter pw = response.getWriter();
+
+      pw.println("<!DOCTYPE html>");
+      pw.println("<html>");
+      pw.println("<head>");
+      pw.println("<meta charset=\"utf-8\" />");
+      pw.println("<title>Login Answer</title>");
+      pw.println("</head>");
+      pw.println("<body>");
+
+      System.out.println(account.getPassword() + " == "
+            + (createSaltedPasswordHash(requestPassword, account.getSalt())));
+
+      // This is very insecure and can be exploited via timing attacks
+      if (account != null && account.getPassword().equals(
+            createSaltedPasswordHash(requestPassword, account.getSalt())))
+      {
+         pw.println("<h1>Success</h1>");
+         request.getSession().setAttribute("loggedin", true);
+      }
+      else
+      {
+         pw.println("<h1>Failed</h1>");
+         pw.println("<a href=\"LoginFormWithJpa.jsp\">Retry</a>");
+      }
+
+      pw.println("</body>");
+      pw.println("</html>");
+
+      emf.close();
+   }
+
+   /**
+    * Generate a Base64 encoded SHA-1 hashed password that is salted.
+    *
+    * @param password
+    *           The password to encode.
+    * @param salt
+    *           The salt for salting the password.
+    * @return The salted and encoded password hash.
+    */
+   public static String createSaltedPasswordHash(String password, String salt)
+   {
+      if (password == null)
+      {
+         throw new IllegalArgumentException("Password can't be null");
+      }
+
+      if (salt == null)
+      {
+         throw new IllegalArgumentException("Salt can't be null");
+      }
+
+      try
+      {
+         MessageDigest md = MessageDigest.getInstance("SHA-1");
+         md.update((password + salt).getBytes());
+         return Base64.getEncoder().encodeToString(md.digest());
+      }
+      catch (NoSuchAlgorithmException e)
+      {
+         throw new IllegalStateException(
+               "SHA-1 for some reason is not supported.", e);
+      }
+   }
+}
diff --git a/src/de/fhswf/in/inf/fit/aufgabe5/model/Account.java b/src/de/fhswf/in/inf/fit/aufgabe5/model/Account.java
new file mode 100644
index 0000000..539353c
--- /dev/null
+++ b/src/de/fhswf/in/inf/fit/aufgabe5/model/Account.java
@@ -0,0 +1,54 @@
+package de.fhswf.in.inf.fit.aufgabe5.model;
+
+import java.io.Serializable;
+import javax.persistence.*;
+
+
+/**
+ * The persistent class for the account database table.
+ * 
+ */
+@Entity
+@Table(name="account")
+@NamedQuery(name="Account.findAll", query="SELECT a FROM Account a")
+public class Account implements Serializable {
+	private static final long serialVersionUID = 1L;
+
+	@Id
+	@Column(name="Username")
+	private String username;
+
+	@Column(name="Password")
+	private String password;
+
+	@Column(name="Salt")
+	private String salt;
+
+	public Account() {
+	}
+
+	public String getUsername() {
+		return this.username;
+	}
+
+	public void setUsername(String username) {
+		this.username = username;
+	}
+
+	public String getPassword() {
+		return this.password;
+	}
+
+	public void setPassword(String password) {
+		this.password = password;
+	}
+
+	public String getSalt() {
+		return this.salt;
+	}
+
+	public void setSalt(String salt) {
+		this.salt = salt;
+	}
+
+}
\ No newline at end of file
diff --git a/src/de/fhswf/in/inf/fit/aufgabe5/model/Account_.java b/src/de/fhswf/in/inf/fit/aufgabe5/model/Account_.java
new file mode 100644
index 0000000..e7da7b9
--- /dev/null
+++ b/src/de/fhswf/in/inf/fit/aufgabe5/model/Account_.java
@@ -0,0 +1,13 @@
+package de.fhswf.in.inf.fit.aufgabe5.model;
+
+import javax.annotation.Generated;
+import javax.persistence.metamodel.SingularAttribute;
+import javax.persistence.metamodel.StaticMetamodel;
+
+@Generated(value="Dali", date="2015-11-09T01:25:51.914+0100")
+@StaticMetamodel(Account.class)
+public class Account_ {
+	public static volatile SingularAttribute<Account, String> username;
+	public static volatile SingularAttribute<Account, String> password;
+	public static volatile SingularAttribute<Account, String> salt;
+}