From 726d30ae4db5643e00b1bedcad132b05e2d6e091 Mon Sep 17 00:00:00 2001 From: Stefan Suhren Date: Mon, 26 Oct 2015 10:17:15 +0100 Subject: Only store hashed and base64 encoded password --- WebContent/WEB-INF/web.xml | 2 +- src/de/fhswf/in/inf/fit/aufgabe3/LoginServlet.java | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/WebContent/WEB-INF/web.xml b/WebContent/WEB-INF/web.xml index 1fd1e4e..84f418f 100644 --- a/WebContent/WEB-INF/web.xml +++ b/WebContent/WEB-INF/web.xml @@ -15,7 +15,7 @@ password - 12345 + RiJG5MhUxGrw/PJcXaPbBW8XmaI= salt diff --git a/src/de/fhswf/in/inf/fit/aufgabe3/LoginServlet.java b/src/de/fhswf/in/inf/fit/aufgabe3/LoginServlet.java index 7f56c3e..a3b06e6 100644 --- a/src/de/fhswf/in/inf/fit/aufgabe3/LoginServlet.java +++ b/src/de/fhswf/in/inf/fit/aufgabe3/LoginServlet.java @@ -4,6 +4,7 @@ import java.io.IOException; import java.io.PrintWriter; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; +import java.util.Base64; import javax.servlet.ServletException; import javax.servlet.annotation.WebServlet; @@ -68,9 +69,8 @@ public class LoginServlet extends HttpServlet pw.println(""); // This is very insecure and can be exploited via timing attacks - if (requestUsername.equals(validUsername) - && createSaltedPasswordHash(validPassword, salt) - .equals(createSaltedPasswordHash(requestPassword, salt))) + if (requestUsername.equals(validUsername) && validPassword + .equals(createSaltedPasswordHash(requestPassword, salt))) { pw.println("
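Review bot: The new `password` init-param value is only valid for the `salt` param that follows it and for the exact byte encoding used in LoginServlet.createSaltedPasswordHash (`(password + salt).getBytes()` in the last hunk), so changing the salt, the charset or the digest silently locks the account out with no hint why. An XML comment beside the value should record how it was produced, e.g. `<!-- Base64(SHA-1(password + salt)); regenerate via LoginServlet.createSaltedPasswordHash whenever salt changes -->`. The value here is derived with the platform default charset, so it may also differ between deployment JVMs for non-ASCII passwords; the fix for that belongs in the servlet, not this file.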

Success

"); request.getSession().setAttribute("loggedin", true); @@ -86,7 +86,7 @@ public class LoginServlet extends HttpServlet } /** - * Generate a SHA-1 encoded password that is salted. + * Generate a Base64 encoded SHA-1 hashed password that is salted. * * @param password * The password to encode. @@ -110,7 +110,7 @@ public class LoginServlet extends HttpServlet { MessageDigest md = MessageDigest.getInstance("SHA-1"); md.update((password + salt).getBytes()); - return new String(md.digest()); + return Base64.getEncoder().encodeToString(md.digest()); } catch (NoSuchAlgorithmException e) { -- cgit v1.2.3-70-g09d2
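Review bot: The rewritten condition still compares the stored Base64 digest with `String.equals`, so the comment directly above it ("can be exploited via timing attacks") remains accurate after this change. Compare the decoded digest bytes with `MessageDigest.isEqual`, which is already imported, and compute the request hash before the `if` so the work does not depend on the username check: `boolean hashMatches = MessageDigest.isEqual(Base64.getDecoder().decode(validPassword), Base64.getDecoder().decode(createSaltedPasswordHash(requestPassword, salt)));` followed by `if (requestUsername.equals(validUsername) && hashMatches)`. If `requestUsername` can be null when the form field is absent (it is read outside this hunk), `validUsername.equals(requestUsername)` avoids the NullPointerException. The enclosing request-handler method starts and ends outside the hunk.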
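Review bot: `md.update((password + salt).getBytes())` in the unchanged line above the new `return` uses the platform default charset, so the Base64 digest now stored in web.xml is only reproducible on a JVM with the same default encoding for any non-ASCII password; make it `md.update((password + salt).getBytes(StandardCharsets.UTF_8));` and add `import java.nio.charset.StandardCharsets;`. A single SHA-1 round over password plus salt is also a fast hash rather than a password KDF, so the stored value is cheap to guess offline given the salt that sits next to it in web.xml; the JDK's `SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")` is the standard-library replacement, which would require regenerating the web.xml value. The method's signature and the `NoSuchAlgorithmException` handler body are outside the hunk, so whether a failure there returns null or throws cannot be judged here.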