Diffstat (limited to 'src/de/fhswf/in')
-rw-r--r--src/de/fhswf/in/inf/fit/aufgabe5/LoginServletWithJpa.java43
-rw-r--r--src/de/fhswf/in/inf/fit/aufgabe6/LoginServletWithJpaAndJsp.java41
2 files changed, 2 insertions, 82 deletions
diff --git a/src/de/fhswf/in/inf/fit/aufgabe5/LoginServletWithJpa.java b/src/de/fhswf/in/inf/fit/aufgabe5/LoginServletWithJpa.java
index d80e5c5..f98b9ab 100644
--- a/src/de/fhswf/in/inf/fit/aufgabe5/LoginServletWithJpa.java
+++ b/src/de/fhswf/in/inf/fit/aufgabe5/LoginServletWithJpa.java
@@ -2,9 +2,6 @@ package de.fhswf.in.inf.fit.aufgabe5;
import java.io.IOException;
import java.io.PrintWriter;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
-import java.util.Base64;
import javax.persistence.EntityManager;
import javax.persistence.EntityManagerFactory;
@@ -74,12 +71,8 @@ public class LoginServletWithJpa extends HttpServlet
pw.println("</head>");
pw.println("<body>");
- System.out.println(account.getPassword() + " == "
- + (createSaltedPasswordHash(requestPassword, account.getSalt())));
-
// This is very insecure and can be exploited via timing attacks
- if (account != null && account.getPassword().equals(
- createSaltedPasswordHash(requestPassword, account.getSalt())))
+ if (account != null && account.isPasswordCorrect(requestPassword))
{
pw.println("<h1>Success</h1>");
request.getSession().setAttribute("loggedin", true);
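Review bot: The comment `// This is very insecure and can be exploited via timing attacks` is kept directly above the new `account.isPasswordCorrect(requestPassword)` call, but the comparison it describes has moved into Account, whose code is not in this diff, so the comment no longer explains the line it sits on; the same applies to the aufgabe6 hunk in LoginServletWithJpaAndJsp. If isPasswordCorrect still compares the hashes with String.equals, the concern still holds and the comment (and the fix, a constant-time compare such as MessageDigest.isEqual on the digest bytes) belongs on that method; if it was addressed there, this comment is stale and should go. Either way, replace it here with a pointer, e.g. `// Hash comparison lives in Account.isPasswordCorrect; keep its comparison constant-time`. Since a successful check now writes `loggedin` into whatever session already exists, consider `request.changeSessionId()` before the setAttribute if the container is Servlet 3.1+, so a pre-login session id is not carried into the authenticated session. The enclosing method continues outside this hunk.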
@@ -95,38 +88,4 @@ public class LoginServletWithJpa extends HttpServlet
emf.close();
}
-
- /**
- * Generate a Base64 encoded SHA-1 hashed password that is salted.
- *
- * @param password
- * The password to encode.
- * @param salt
- * The salt for salting the password.
- * @return The salted and encoded password hash.
- */
- public static String createSaltedPasswordHash(String password, String salt)
- {
- if (password == null)
- {
- throw new IllegalArgumentException("Password can't be null");
- }
-
- if (salt == null)
- {
- throw new IllegalArgumentException("Salt can't be null");
- }
-
- try
- {
- MessageDigest md = MessageDigest.getInstance("SHA-1");
- md.update((password + salt).getBytes());
- return Base64.getEncoder().encodeToString(md.digest());
- }
- catch (NoSuchAlgorithmException e)
- {
- throw new IllegalStateException(
- "SHA-1 for some reason is not supported.", e);
- }
- }
}
diff --git a/src/de/fhswf/in/inf/fit/aufgabe6/LoginServletWithJpaAndJsp.java b/src/de/fhswf/in/inf/fit/aufgabe6/LoginServletWithJpaAndJsp.java
index a877dc2..e5611b8 100644
--- a/src/de/fhswf/in/inf/fit/aufgabe6/LoginServletWithJpaAndJsp.java
+++ b/src/de/fhswf/in/inf/fit/aufgabe6/LoginServletWithJpaAndJsp.java
@@ -1,9 +1,6 @@
package de.fhswf.in.inf.fit.aufgabe6;
import java.io.IOException;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
-import java.util.Base64;
import javax.persistence.EntityManager;
import javax.persistence.EntityManagerFactory;
@@ -65,8 +62,7 @@ public class LoginServletWithJpaAndJsp extends HttpServlet
emf.close();
// This is very insecure and can be exploited via timing attacks
- if (account != null && account.getPassword().equals(
- createSaltedPasswordHash(requestPassword, account.getSalt())))
+ if (account != null && account.isPasswordCorrect(requestPassword))
{
request.getSession().setAttribute("username", account.getUsername());
@@ -77,39 +73,4 @@ public class LoginServletWithJpaAndJsp extends HttpServlet
doGet(request, response);
}
}
-
- /**
- * Generate a Base64 encoded SHA-1 hashed password that is salted.
- *
- * @param password
- * The password to encode.
- * @param salt
- * The salt for salting the password.
- * @return The salted and encoded password hash.
- */
- public static String createSaltedPasswordHash(String password, String salt)
- {
- if (password == null)
- {
- throw new IllegalArgumentException("Password can't be null");
- }
-
- if (salt == null)
- {
- throw new IllegalArgumentException("Salt can't be null");
- }
-
- try
- {
- MessageDigest md = MessageDigest.getInstance("SHA-1");
- md.update((password + salt).getBytes());
- return Base64.getEncoder().encodeToString(md.digest());
- }
- catch (NoSuchAlgorithmException e)
- {
- throw new IllegalStateException(
- "SHA-1 for some reason is not supported.", e);
- }
- }
-
}