From be337434a721178cc3efeb468e873b571855b605 Mon Sep 17 00:00:00 2001
From: Stefan Suhren
Date: Mon, 16 Nov 2015 10:07:17 +0100
Subject: Use Account logic instead of own logic
---
 .../fit/aufgabe6/LoginServletWithJpaAndJsp.java | 41 +---------------------
 1 file changed, 1 insertion(+), 40 deletions(-)
(limited to 'src/de/fhswf/in/inf/fit/aufgabe6')
diff --git a/src/de/fhswf/in/inf/fit/aufgabe6/LoginServletWithJpaAndJsp.java b/src/de/fhswf/in/inf/fit/aufgabe6/LoginServletWithJpaAndJsp.java
index a877dc2..e5611b8 100644
--- a/src/de/fhswf/in/inf/fit/aufgabe6/LoginServletWithJpaAndJsp.java
+++ b/src/de/fhswf/in/inf/fit/aufgabe6/LoginServletWithJpaAndJsp.java
@@ -1,9 +1,6 @@
 package de.fhswf.in.inf.fit.aufgabe6;
 import java.io.IOException;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
-import java.util.Base64;
 import javax.persistence.EntityManager;
 import javax.persistence.EntityManagerFactory;
@@ -65,8 +62,7 @@ public class LoginServletWithJpaAndJsp extends HttpServlet
 emf.close();
 // This is very insecure and can be exploited via timing attacks
-if (account != null && account.getPassword().equals(
-createSaltedPasswordHash(requestPassword, account.getSalt())))
+if (account != null && account.isPasswordCorrect(requestPassword))
 {
 request.getSession().setAttribute("username", account.getUsername());
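Review bot: The comment `// This is very insecure and can be exploited via timing attacks` is kept directly above the new `account.isPasswordCorrect(requestPassword)` call, but it described the removed `String.equals` on a SHA-1 hash, and whether it still applies depends on `Account.isPasswordCorrect`, which this diff does not show. Either drop it here and document the comparison's timing properties on `Account.isPasswordCorrect`, or replace it with `// Hashing and comparison are delegated to Account.isPasswordCorrect; that method should compare digests with MessageDigest.isEqual rather than String.equals`. The unchanged `account != null &&` short-circuit also means no hashing work runs for an unknown username, so response time can presumably still distinguish existing from non-existing accounts; if that is accepted it is worth stating in the comment rather than leaving the vague wording. The enclosing method body starts and ends outside this hunk.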
@@ -77,39 +73,4 @@ public class LoginServletWithJpaAndJsp extends HttpServlet
 doGet(request, response);
 }
 }
- 
- /**
- * Generate a Base64 encoded SHA-1 hashed password that is salted.
- *
- * @param password
- * The password to encode.
- * @param salt
- * The salt for salting the password.
- * @return The salted and encoded password hash.
- */
- public static String createSaltedPasswordHash(String password, String salt)
- {
- if (password == null)
- {
- throw new IllegalArgumentException("Password can't be null");
- }
- 
- if (salt == null)
- {
- throw new IllegalArgumentException("Salt can't be null");
- }
- 
- try
- {
- MessageDigest md = MessageDigest.getInstance("SHA-1");
- md.update((password + salt).getBytes());
- return Base64.getEncoder().encodeToString(md.digest());
- }
- catch (NoSuchAlgorithmException e)
- {
- throw new IllegalStateException(
- "SHA-1 for some reason is not supported.", e);
- }
- }
- }
-- cgit v1.2.3-70-g09d2