diff options
Diffstat (limited to 'src/de/fhswf/in/inf/fit/aufgabe5')
| -rw-r--r-- | src/de/fhswf/in/inf/fit/aufgabe5/LoginServletWithJpa.java | 43 |
1 files changed, 1 insertions, 42 deletions
diff --git a/src/de/fhswf/in/inf/fit/aufgabe5/LoginServletWithJpa.java b/src/de/fhswf/in/inf/fit/aufgabe5/LoginServletWithJpa.java index d80e5c5..f98b9ab 100644 --- a/src/de/fhswf/in/inf/fit/aufgabe5/LoginServletWithJpa.java +++ b/src/de/fhswf/in/inf/fit/aufgabe5/LoginServletWithJpa.java @@ -2,9 +2,6 @@ package de.fhswf.in.inf.fit.aufgabe5; import java.io.IOException; import java.io.PrintWriter; -import java.security.MessageDigest; -import java.security.NoSuchAlgorithmException; -import java.util.Base64; import javax.persistence.EntityManager; import javax.persistence.EntityManagerFactory; @@ -74,12 +71,8 @@ public class LoginServletWithJpa extends HttpServlet pw.println("</head>"); pw.println("<body>"); - System.out.println(account.getPassword() + " == " - + (createSaltedPasswordHash(requestPassword, account.getSalt()))); - // This is very insecure and can be exploited via timing attacks - if (account != null && account.getPassword().equals( - createSaltedPasswordHash(requestPassword, account.getSalt()))) + if (account != null && account.isPasswordCorrect(requestPassword)) { pw.println("<h1>Success</h1>"); request.getSession().setAttribute("loggedin", true); @@ -95,38 +88,4 @@ public class LoginServletWithJpa extends HttpServlet emf.close(); } - - /** - * Generate a Base64 encoded SHA-1 hashed password that is salted. - * - * @param password - * The password to encode. - * @param salt - * The salt for salting the password. - * @return The salted and encoded password hash. - */ - public static String createSaltedPasswordHash(String password, String salt) - { - if (password == null) - { - throw new IllegalArgumentException("Password can't be null"); - } - - if (salt == null) - { - throw new IllegalArgumentException("Salt can't be null"); - } - - try - { - MessageDigest md = MessageDigest.getInstance("SHA-1"); - md.update((password + salt).getBytes()); - return Base64.getEncoder().encodeToString(md.digest()); - } - catch (NoSuchAlgorithmException e) - { - throw new IllegalStateException( - "SHA-1 for some reason is not supported.", e); - } - } } |