Diffstat (limited to 'src/de')
-rw-r--r--src/de/fhswf/in/inf/fit/aufgabe5/LoginServletWithJpa.java132
-rw-r--r--src/de/fhswf/in/inf/fit/aufgabe5/model/Account.java54
-rw-r--r--src/de/fhswf/in/inf/fit/aufgabe5/model/Account_.java13
3 files changed, 199 insertions, 0 deletions
diff --git a/src/de/fhswf/in/inf/fit/aufgabe5/LoginServletWithJpa.java b/src/de/fhswf/in/inf/fit/aufgabe5/LoginServletWithJpa.java
new file mode 100644
index 0000000..d80e5c5
--- /dev/null
+++ b/src/de/fhswf/in/inf/fit/aufgabe5/LoginServletWithJpa.java
@@ -0,0 +1,132 @@
+package de.fhswf.in.inf.fit.aufgabe5;
+
+import java.io.IOException;
+import java.io.PrintWriter;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.util.Base64;
+
+import javax.persistence.EntityManager;
+import javax.persistence.EntityManagerFactory;
+import javax.persistence.Persistence;
+import javax.servlet.ServletException;
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import de.fhswf.in.inf.fit.aufgabe5.model.Account;
+
+/**
+ * Servlet implementation class LoginServlet
+ */
+@WebServlet("/LoginServletWithJpa")
+public class LoginServletWithJpa extends HttpServlet
+{
+ private static final long serialVersionUID = 1L;
+
+ /**
+ * @see HttpServlet#HttpServlet()
+ */
+ public LoginServletWithJpa()
+ {
+ super();
+ }
+
+ /**
+ * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse
+ * response)
+ */
+ protected void doGet(HttpServletRequest request,
+ HttpServletResponse response) throws ServletException, IOException
+ {
+ response.sendRedirect("LoginFormWithJpa.jsp");
+ }
+
+ /**
+ * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse
+ * response)
+ */
+ protected void doPost(HttpServletRequest request,
+ HttpServletResponse response) throws ServletException, IOException
+ {
+ String requestUsername = request.getParameter("username");
+ String requestPassword = request.getParameter("password");
+
+ if (requestUsername == null || requestPassword == null)
+ {
+ doGet(request, response);
+ }
+
+ EntityManagerFactory emf = Persistence.createEntityManagerFactory(
+ getServletContext().getInitParameter("persistenceUnit"));
+ EntityManager em = emf.createEntityManager();
+
+ Account account = em.find(Account.class, requestUsername);
+
+ PrintWriter pw = response.getWriter();
+
+ pw.println("<!DOCTYPE html>");
+ pw.println("<html>");
+ pw.println("<head>");
+ pw.println("<meta charset=\"utf-8\" />");
+ pw.println("<title>Login Answer</title>");
+ pw.println("</head>");
+ pw.println("<body>");
+
+ System.out.println(account.getPassword() + " == "
+ + (createSaltedPasswordHash(requestPassword, account.getSalt())));
+
+ // This is very insecure and can be exploited via timing attacks
+ if (account != null && account.getPassword().equals(
+ createSaltedPasswordHash(requestPassword, account.getSalt())))
+ {
+ pw.println("<h1>Success</h1>");
+ request.getSession().setAttribute("loggedin", true);
+ }
+ else
+ {
+ pw.println("<h1>Failed</h1>");
+ pw.println("<a href=\"LoginFormWithJpa.jsp\">Retry</a>");
+ }
+
+ pw.println("</body>");
+ pw.println("</html>");
+
+ emf.close();
+ }
+
+ /**
+ * Generate a Base64 encoded SHA-1 hashed password that is salted.
+ *
+ * @param password
+ * The password to encode.
+ * @param salt
+ * The salt for salting the password.
+ * @return The salted and encoded password hash.
+ */
+ public static String createSaltedPasswordHash(String password, String salt)
+ {
+ if (password == null)
+ {
+ throw new IllegalArgumentException("Password can't be null");
+ }
+
+ if (salt == null)
+ {
+ throw new IllegalArgumentException("Salt can't be null");
+ }
+
+ try
+ {
+ MessageDigest md = MessageDigest.getInstance("SHA-1");
+ md.update((password + salt).getBytes());
+ return Base64.getEncoder().encodeToString(md.digest());
+ }
+ catch (NoSuchAlgorithmException e)
+ {
+ throw new IllegalStateException(
+ "SHA-1 for some reason is not supported.", e);
+ }
+ }
+}
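Review bot: In doPost, `account` is dereferenced on the `System.out.println` line before the `account != null` guard two lines below it, so an unknown username ends in a NullPointerException (a 500) instead of the Failed page; that same line also prints the stored hash and the candidate hash to stdout, which should not be logged at all. The null-parameter branch calls doGet but does not `return;`, so the lookup and the response body are still produced after the redirect has been sent. The EntityManagerFactory is only closed on the happy path, and the comment about timing attacks can be acted on directly with `MessageDigest.isEqual`, which is already imported. createSaltedPasswordHash additionally calls `getBytes()` with the platform default charset; `StandardCharsets.UTF_8` (a new `java.nio.charset` import) makes the hash stable across machines, and a single SHA-1 round is a weak choice for stored passwords even with the salt, which is worth a note in its Javadoc. The rewritten core of doPost below keeps the HTML output as is.
```java
if (requestUsername == null || requestPassword == null)
{
    doGet(request, response);
    return;
}

EntityManagerFactory emf = Persistence.createEntityManagerFactory(
        getServletContext().getInitParameter("persistenceUnit"));
try
{
    EntityManager em = emf.createEntityManager();
    Account account = em.find(Account.class, requestUsername);

    // … unchanged: HTML head output …

    // Constant-time comparison; null account falls through to the Failed branch.
    boolean valid = account != null && MessageDigest.isEqual(
            account.getPassword().getBytes(StandardCharsets.UTF_8),
            createSaltedPasswordHash(requestPassword, account.getSalt())
                    .getBytes(StandardCharsets.UTF_8));
    if (valid)
    // … unchanged: success / failure branches and HTML footer …
}
finally
{
    emf.close();
}
```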
diff --git a/src/de/fhswf/in/inf/fit/aufgabe5/model/Account.java b/src/de/fhswf/in/inf/fit/aufgabe5/model/Account.java
new file mode 100644
index 0000000..539353c
--- /dev/null
+++ b/src/de/fhswf/in/inf/fit/aufgabe5/model/Account.java
@@ -0,0 +1,54 @@
+package de.fhswf.in.inf.fit.aufgabe5.model;
+
+import java.io.Serializable;
+import javax.persistence.*;
+
+
+/**
+ * The persistent class for the account database table.
+ *
+ */
+@Entity
+@Table(name="account")
+@NamedQuery(name="Account.findAll", query="SELECT a FROM Account a")
+public class Account implements Serializable {
+ private static final long serialVersionUID = 1L;
+
+ @Id
+ @Column(name="Username")
+ private String username;
+
+ @Column(name="Password")
+ private String password;
+
+ @Column(name="Salt")
+ private String salt;
+
+ public Account() {
+ }
+
+ public String getUsername() {
+ return this.username;
+ }
+
+ public void setUsername(String username) {
+ this.username = username;
+ }
+
+ public String getPassword() {
+ return this.password;
+ }
+
+ public void setPassword(String password) {
+ this.password = password;
+ }
+
+ public String getSalt() {
+ return this.salt;
+ }
+
+ public void setSalt(String salt) {
+ this.salt = salt;
+ }
+
+} \ No newline at end of file
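Review bot: The `password` field is documented nowhere, and its name suggests a cleartext value although LoginServletWithJpa compares it against a salted Base64 hash; a reader of this entity alone cannot tell which it holds. A one-line Javadoc on the field, `/** Base64 salted hash as produced by LoginServletWithJpa#createSaltedPasswordHash, never the cleartext password. */`, and a matching note on `salt` (`/** Per-account salt appended to the password before hashing. */`) would make the contract explicit. The class-level Javadoc could also mention that the row is keyed by `username`, which is how the servlet looks it up via `em.find`.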
diff --git a/src/de/fhswf/in/inf/fit/aufgabe5/model/Account_.java b/src/de/fhswf/in/inf/fit/aufgabe5/model/Account_.java
new file mode 100644
index 0000000..e7da7b9
--- /dev/null
+++ b/src/de/fhswf/in/inf/fit/aufgabe5/model/Account_.java
@@ -0,0 +1,13 @@
+package de.fhswf.in.inf.fit.aufgabe5.model;
+
+import javax.annotation.Generated;
+import javax.persistence.metamodel.SingularAttribute;
+import javax.persistence.metamodel.StaticMetamodel;
+
+@Generated(value="Dali", date="2015-11-09T01:25:51.914+0100")
+@StaticMetamodel(Account.class)
+public class Account_ {
+ public static volatile SingularAttribute<Account, String> username;
+ public static volatile SingularAttribute<Account, String> password;
+ public static volatile SingularAttribute<Account, String> salt;
+}