From be337434a721178cc3efeb468e873b571855b605 Mon Sep 17 00:00:00 2001
From: Stefan Suhren <suhren.stefan@fh-swf.de>
Date: Mon, 16 Nov 2015 10:07:17 +0100
Subject: Use Account logic instead of own logic

---
 .../in/inf/fit/aufgabe5/LoginServletWithJpa.java   | 43 +---------------------
 1 file changed, 1 insertion(+), 42 deletions(-)

(limited to 'src/de/fhswf/in/inf/fit/aufgabe5/LoginServletWithJpa.java')

diff --git a/src/de/fhswf/in/inf/fit/aufgabe5/LoginServletWithJpa.java b/src/de/fhswf/in/inf/fit/aufgabe5/LoginServletWithJpa.java
index d80e5c5..f98b9ab 100644
--- a/src/de/fhswf/in/inf/fit/aufgabe5/LoginServletWithJpa.java
+++ b/src/de/fhswf/in/inf/fit/aufgabe5/LoginServletWithJpa.java
@@ -2,9 +2,6 @@ package de.fhswf.in.inf.fit.aufgabe5;
 
 import java.io.IOException;
 import java.io.PrintWriter;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
-import java.util.Base64;
 
 import javax.persistence.EntityManager;
 import javax.persistence.EntityManagerFactory;
@@ -74,12 +71,8 @@ public class LoginServletWithJpa extends HttpServlet
       pw.println("</head>");
       pw.println("<body>");
 
-      System.out.println(account.getPassword() + " == "
-            + (createSaltedPasswordHash(requestPassword, account.getSalt())));
-
       // This is very insecure and can be exploited via timing attacks
-      if (account != null && account.getPassword().equals(
-            createSaltedPasswordHash(requestPassword, account.getSalt())))
+      if (account != null && account.isPasswordCorrect(requestPassword))
       {
          pw.println("<h1>Success</h1>");
          request.getSession().setAttribute("loggedin", true);
@@ -95,38 +88,4 @@ public class LoginServletWithJpa extends HttpServlet
 
       emf.close();
    }
-
-   /**
-    * Generate a Base64 encoded SHA-1 hashed password that is salted.
-    *
-    * @param password
-    *           The password to encode.
-    * @param salt
-    *           The salt for salting the password.
-    * @return The salted and encoded password hash.
-    */
-   public static String createSaltedPasswordHash(String password, String salt)
-   {
-      if (password == null)
-      {
-         throw new IllegalArgumentException("Password can't be null");
-      }
-
-      if (salt == null)
-      {
-         throw new IllegalArgumentException("Salt can't be null");
-      }
-
-      try
-      {
-         MessageDigest md = MessageDigest.getInstance("SHA-1");
-         md.update((password + salt).getBytes());
-         return Base64.getEncoder().encodeToString(md.digest());
-      }
-      catch (NoSuchAlgorithmException e)
-      {
-         throw new IllegalStateException(
-               "SHA-1 for some reason is not supported.", e);
-      }
-   }
 }
-- 
cgit v1.2.3-70-g09d2