Diffstat (limited to 'src/de/fhswf/in/inf')
| -rw-r--r-- | src/de/fhswf/in/inf/fit/aufgabe3/LoginServlet.java | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/src/de/fhswf/in/inf/fit/aufgabe3/LoginServlet.java b/src/de/fhswf/in/inf/fit/aufgabe3/LoginServlet.java
index c5900c7..ce5c0fd 100644
--- a/src/de/fhswf/in/inf/fit/aufgabe3/LoginServlet.java
+++ b/src/de/fhswf/in/inf/fit/aufgabe3/LoginServlet.java
@@ -17,7 +17,8 @@ import javax.servlet.http.HttpServletResponse;
 */
 @WebServlet(urlPatterns = { "/LoginServlet" }, initParams = {
 @WebInitParam(name = "username", value = "admin"),
- @WebInitParam(name = "password", value = "12345") })
+ @WebInitParam(name = "password", value = "12345"),
+ @WebInitParam(name = "salt", value = "aabbcc112233") })
 public class LoginServlet extends HttpServlet
 {
 private static final long serialVersionUID = 1L;
@@ -49,6 +50,7 @@ public class LoginServlet extends HttpServlet
 String validUsername = getInitParameter("username").toLowerCase();
 String validPassword = getInitParameter("password");
+ String salt = getInitParameter("salt");
 String requestUsername = request.getParameter("username").toLowerCase();
 String requestPassword = request.getParameter("password");
@@ -70,7 +72,8 @@ public class LoginServlet extends HttpServlet
 // This is very insecure and can be exploited via timing attacks
 if (requestUsername.equals(validUsername)
- && requestPassword.equals(validPassword))
+ && createSaltedPasswordHash(validPassword, salt)
+ .equals(createSaltedPasswordHash(requestPassword, salt)))
 {
 pw.println("<h1>Success</h1>");
 } |
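Review bot: The new `salt` init parameter in the `@WebServlet` annotation is a compile-time constant that ships with the class alongside the cleartext `password` value, so the salt adds no protection to the stored secret: anyone who can read the deployed class (or this repository) has both. The salt only has value if the stored credential is the precomputed salted hash rather than the plaintext; as written, `validPassword` is still stored in clear. I would document this on the annotation, e.g. `// NOTE: salt and password are both embedded in the class; replace "password" with the precomputed salted hash and load both from the deployment descriptor rather than source`, or move both values out of the annotation entirely.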
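Review bot: The comparison in the third hunk still uses `String.equals`, which returns on the first differing character, so the timing leak the surviving comment warns about ("This is very insecure and can be exploited via timing attacks") is not addressed by hashing both sides first; the comment stays accurate on the new side. If `createSaltedPasswordHash` returns a `String` (presumably, given `.equals` is called on it; its definition is outside this diff and not added by it), compare the bytes with a constant-time check: `byte[] expected = createSaltedPasswordHash(validPassword, salt).getBytes(StandardCharsets.UTF_8);`, `byte[] actual = createSaltedPasswordHash(requestPassword, salt).getBytes(StandardCharsets.UTF_8);`, `if (requestUsername.equals(validUsername) && MessageDigest.isEqual(expected, actual))`. Note also that `requestPassword` comes from `request.getParameter("password")` and may be null, which the hash call would have to tolerate; the enclosing method and its guard clauses, if any, begin outside the hunk. Hashing the cleartext `validPassword` on every request is also wasted work and keeps the secret in cleartext; the stored value should be the hash so only the request side is hashed.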
