From e79100f16063160b7ae42384690ad3b80099a2f4 Mon Sep 17 00:00:00 2001
From: Stefan Suhren
Date: Sun, 25 Oct 2015 19:14:17 +0100
Subject: Use salt for password authentication
---
 src/de/fhswf/in/inf/fit/aufgabe3/LoginServlet.java | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
(limited to 'src/de/fhswf/in/inf/fit')
diff --git a/src/de/fhswf/in/inf/fit/aufgabe3/LoginServlet.java b/src/de/fhswf/in/inf/fit/aufgabe3/LoginServlet.java
index c5900c7..ce5c0fd 100644
--- a/src/de/fhswf/in/inf/fit/aufgabe3/LoginServlet.java
+++ b/src/de/fhswf/in/inf/fit/aufgabe3/LoginServlet.java
@@ -17,7 +17,8 @@ import javax.servlet.http.HttpServletResponse;
 */
 @WebServlet(urlPatterns = { "/LoginServlet" }, initParams = {
 @WebInitParam(name = "username", value = "admin"),
- @WebInitParam(name = "password", value = "12345") })
+ @WebInitParam(name = "password", value = "12345"),
+ @WebInitParam(name = "salt", value = "aabbcc112233") })
 public class LoginServlet extends HttpServlet {
 private static final long serialVersionUID = 1L;
@@ -49,6 +50,7 @@ public class LoginServlet extends HttpServlet {
 String validUsername = getInitParameter("username").toLowerCase();
 String validPassword = getInitParameter("password");
+ String salt = getInitParameter("salt");
 String requestUsername = request.getParameter("username").toLowerCase();
 String requestPassword = request.getParameter("password");
@@ -70,7 +72,8 @@ public class LoginServlet extends HttpServlet
 // This is very insecure and can be exploited via timing attacks
 if (requestUsername.equals(validUsername)
- && requestPassword.equals(validPassword))
+ && createSaltedPasswordHash(validPassword, salt) .equals(createSaltedPasswordHash(requestPassword, salt)))
 {
 pw.println("
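Review bot: The new `salt` init parameter sits next to a `password` parameter that still holds the plaintext `12345`, so this hunk adds no protection: whoever can read the annotation (or a web.xml override) gets the password directly, and the servlet only re-derives the hash from that plaintext on each request. The point of salting is to store the derived value instead of the secret; the parameter should carry the precomputed output of `createSaltedPasswordHash("12345", "aabbcc112233")`, e.g. `@WebInitParam(name = "passwordHash", value = "<precomputed hash>")`, with the plaintext line removed. A single fixed salt shared by every account is also only a pepper, not a per-user salt; if per-user salting is the goal it should be generated with `SecureRandom` when the password is set and stored alongside the hash. The hash function itself is not part of this diff, so whether it is a proper password KDF (PBKDF2/bcrypt) or a bare digest cannot be judged here.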

Success

 ");
 }
-- cgit v1.2.3-70-g09d2
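Review bot: The added `&&` line still compares the two hashes with `String.equals`, which the surviving comment two lines above it flags for timing attacks, so the commit does not address its own warning; compare the digests with `MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8), actual.getBytes(StandardCharsets.UTF_8))` (or have `createSaltedPasswordHash` return `byte[]` and compare those). `request.getParameter("password")` returns null when the field is missing, and that null now flows into `createSaltedPasswordHash`, which is not shown in this diff and presumably throws on it; reject the request before hashing with `if (requestPassword == null) { /* fail login */ }`. Hashing `validPassword` on every request also means the configured plaintext remains the real secret and the expected hash should instead be computed once from a stored hash value. The enclosing method begins before this hunk.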