-rw-r--r--WebContent/LoginFormWithJpaAndJsp.jsp16
-rw-r--r--WebContent/LoginSuccess.jsp14
-rw-r--r--src/de/fhswf/in/inf/fit/aufgabe6/LoginServletWithJpaAndJsp.java119
3 files changed, 149 insertions, 0 deletions
diff --git a/WebContent/LoginFormWithJpaAndJsp.jsp b/WebContent/LoginFormWithJpaAndJsp.jsp
new file mode 100644
index 0000000..fa89d8f
--- /dev/null
+++ b/WebContent/LoginFormWithJpaAndJsp.jsp
@@ -0,0 +1,16 @@
+<%@ page language="java" contentType="text/html; charset=UTF-8"
+ pageEncoding="UTF-8"%>
+<!DOCTYPE html>
+<html>
+<head>
+<meta charset="utf-8" />
+<title>Login</title>
+</head>
+<body>
+ <form action="LoginServletWithJpaAndJsp" method="post">
+ <label for="username">Username:</label><input type="text" name="username" id="username"><br>
+ <label for="password">Password:</label><input type="password" name="password" id="password"><br>
+ <input type="submit"><input type="reset">
+ </form>
+</body>
+</html> \ No newline at end of file
diff --git a/WebContent/LoginSuccess.jsp b/WebContent/LoginSuccess.jsp
new file mode 100644
index 0000000..d4fe5de
--- /dev/null
+++ b/WebContent/LoginSuccess.jsp
@@ -0,0 +1,14 @@
+<%@ page language="java" contentType="text/html; charset=UTF-8"
+ pageEncoding="UTF-8"%>
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
+<!DOCTYPE html>
+<html>
+<head>
+<meta charset="utf-8" />
+<title>Welcome</title>
+</head>
+<body>
+ <h1>Welcome <%= session.getAttribute("username") %><br>
+ <a href="LoginFormWithJpaAndJsp.jsp">Retry</a>
+</body>
+</html> \ No newline at end of file
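Review bot: The welcome line writes `session.getAttribute("username")` into the page through a raw scriptlet, so whatever the stored username contains is rendered as markup rather than text (stored XSS via the account table). The JSTL core taglib is already declared on this page but unused; `<c:out value="${sessionScope.username}"/>` emits the same value with XML escaping by default. The `<h1>` on that line is also never closed, and a direct request without a logged-in session renders "Welcome null" rather than sending the visitor back to the form — a `<c:if test="${empty sessionScope.username}">` guard around a redirect would cover that.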
diff --git a/src/de/fhswf/in/inf/fit/aufgabe6/LoginServletWithJpaAndJsp.java b/src/de/fhswf/in/inf/fit/aufgabe6/LoginServletWithJpaAndJsp.java
new file mode 100644
index 0000000..68ea34a
--- /dev/null
+++ b/src/de/fhswf/in/inf/fit/aufgabe6/LoginServletWithJpaAndJsp.java
@@ -0,0 +1,119 @@
+package de.fhswf.in.inf.fit.aufgabe6;
+
+import java.io.IOException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.util.Base64;
+
+import javax.persistence.EntityManager;
+import javax.persistence.EntityManagerFactory;
+import javax.persistence.Persistence;
+import javax.servlet.RequestDispatcher;
+import javax.servlet.ServletException;
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import de.fhswf.in.inf.fit.aufgabe5.model.Account;
+
+/**
+ * Servlet implementation class LoginServletWithJpaAndJsp
+ */
+@WebServlet("/LoginServletWithJpaAndJsp")
+public class LoginServletWithJpaAndJsp extends HttpServlet
+{
+ private static final long serialVersionUID = 1L;
+
+ /**
+ * @see HttpServlet#HttpServlet()
+ */
+ public LoginServletWithJpaAndJsp()
+ {
+ super();
+ }
+
+ /**
+ * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse
+ * response)
+ */
+ protected void doGet(HttpServletRequest request,
+ HttpServletResponse response) throws ServletException, IOException
+ {
+ response.sendRedirect("LoginFormWithJpaAndJsp.jsp");
+ }
+
+ /**
+ * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse
+ * response)
+ */
+ protected void doPost(HttpServletRequest request,
+ HttpServletResponse response) throws ServletException, IOException
+ {
+ String requestUsername = request.getParameter("username");
+ String requestPassword = request.getParameter("password");
+
+ if (requestUsername == null || requestPassword == null)
+ {
+ doGet(request, response);
+ }
+
+ EntityManagerFactory emf = Persistence.createEntityManagerFactory(
+ getServletContext().getInitParameter("persistenceUnit"));
+ EntityManager em = emf.createEntityManager();
+
+ Account account = em.find(Account.class, requestUsername);
+ emf.close();
+
+ // This is very insecure and can be exploited via timing attacks
+ if (account != null && account.getPassword().equals(
+ createSaltedPasswordHash(requestPassword, account.getSalt())))
+ {
+ request.getSession().setAttribute("username", account.getUsername());
+
+ RequestDispatcher dispatcher = getServletContext()
+ .getRequestDispatcher("/LoginSuccess.jsp");
+
+ dispatcher.forward(request, response);
+ }
+ else
+ {
+ doGet(request, response);
+ }
+ }
+
+ /**
+ * Generate a Base64 encoded SHA-1 hashed password that is salted.
+ *
+ * @param password
+ * The password to encode.
+ * @param salt
+ * The salt for salting the password.
+ * @return The salted and encoded password hash.
+ */
+ public static String createSaltedPasswordHash(String password, String salt)
+ {
+ if (password == null)
+ {
+ throw new IllegalArgumentException("Password can't be null");
+ }
+
+ if (salt == null)
+ {
+ throw new IllegalArgumentException("Salt can't be null");
+ }
+
+ try
+ {
+ MessageDigest md = MessageDigest.getInstance("SHA-1");
+ md.update((password + salt).getBytes());
+ return Base64.getEncoder().encodeToString(md.digest());
+ }
+ catch (NoSuchAlgorithmException e)
+ {
+ throw new IllegalStateException(
+ "SHA-1 for some reason is not supported.", e);
+ }
+ }
+
+}
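Review bot: The null-parameter branch in doPost calls doGet (which commits a redirect) but does not return, so the method continues into `em.find(Account.class, null)` and later forwards or redirects a second time on an already committed response. The `EntityManagerFactory` is also created per request and only closed on the happy path, so any exception from `find` leaks it; building it in `init()` (or at least closing in `finally`) avoids both the cost and the leak. The author's own comment flags the `equals` comparison — `MessageDigest.isEqual` on the two digest byte arrays is the constant-time replacement — and on success `request.changeSessionId()` (Servlet 3.1+, presumably available given `@WebServlet`) should be called before the username is stored to avoid session fixation. In createSaltedPasswordHash, `getBytes()` uses the platform charset, so the same password can hash differently across machines; pass `StandardCharsets.UTF_8`, and note that a single unsalted-by-iteration SHA-1 round is not a password hash — `SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")` is the stdlib option, though switching requires rehashing stored accounts.
```java
        if (requestUsername == null || requestPassword == null)
        {
            doGet(request, response);
            return; // the redirect has already committed the response
        }

        EntityManagerFactory emf = Persistence.createEntityManagerFactory(
                getServletContext().getInitParameter("persistenceUnit"));
        Account account;
        try
        {
            account = emf.createEntityManager().find(Account.class, requestUsername);
        }
        finally
        {
            emf.close(); // also closes the EntityManager created from it
        }

        // constant-time comparison of stored and freshly computed digests
        boolean matches = account != null && MessageDigest.isEqual(
                account.getPassword().getBytes(StandardCharsets.UTF_8),
                createSaltedPasswordHash(requestPassword, account.getSalt())
                        .getBytes(StandardCharsets.UTF_8));
        if (matches)
        {
            request.changeSessionId(); // new session id after authentication
            // … unchanged: store username in session and forward to /LoginSuccess.jsp …
        }
        // … unchanged: else branch redirecting back to the form …
```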