From 120ee15ae5d7a6d8e184e6580e535112ec1e40cc Mon Sep 17 00:00:00 2001 From: Stefan Suhren Date: Sun, 15 Nov 2015 22:57:39 +0100 Subject: Build a login that forwards to a JSP --- .../fit/aufgabe6/LoginServletWithJpaAndJsp.java | 119 +++++++++++++++++++++ 1 file changed, 119 insertions(+) create mode 100644 src/de/fhswf/in/inf/fit/aufgabe6/LoginServletWithJpaAndJsp.java (limited to 'src/de/fhswf') diff --git a/src/de/fhswf/in/inf/fit/aufgabe6/LoginServletWithJpaAndJsp.java b/src/de/fhswf/in/inf/fit/aufgabe6/LoginServletWithJpaAndJsp.java new file mode 100644 index 0000000..68ea34a --- /dev/null +++ b/src/de/fhswf/in/inf/fit/aufgabe6/LoginServletWithJpaAndJsp.java @@ -0,0 +1,119 @@ +package de.fhswf.in.inf.fit.aufgabe6; + +import java.io.IOException; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; +import java.util.Base64; + +import javax.persistence.EntityManager; +import javax.persistence.EntityManagerFactory; +import javax.persistence.Persistence; +import javax.servlet.RequestDispatcher; +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import de.fhswf.in.inf.fit.aufgabe5.model.Account; + +/** + * Servlet implementation class LoginServletWithJpaAndJsp + */ +@WebServlet("/LoginServletWithJpaAndJsp") +public class LoginServletWithJpaAndJsp extends HttpServlet +{ + private static final long serialVersionUID = 1L; + + /** + * @see HttpServlet#HttpServlet() + */ + public LoginServletWithJpaAndJsp() + { + super(); + } + + /** + * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse + * response) + */ + protected void doGet(HttpServletRequest request, + HttpServletResponse response) throws ServletException, IOException + { + response.sendRedirect("LoginFormWithJpaAndJsp.jsp"); + } + + /** + * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse + * response) + */ + protected void doPost(HttpServletRequest request, + HttpServletResponse response) throws ServletException, IOException + { + String requestUsername = request.getParameter("username"); + String requestPassword = request.getParameter("password"); + + if (requestUsername == null || requestPassword == null) + { + doGet(request, response); + } + + EntityManagerFactory emf = Persistence.createEntityManagerFactory( + getServletContext().getInitParameter("persistenceUnit")); + EntityManager em = emf.createEntityManager(); + + Account account = em.find(Account.class, requestUsername); + emf.close(); + + // This is very insecure and can be exploited via timing attacks + if (account != null && account.getPassword().equals( + createSaltedPasswordHash(requestPassword, account.getSalt()))) + { + request.getSession().setAttribute("username", account.getUsername()); + + RequestDispatcher dispatcher = getServletContext() + .getRequestDispatcher("/LoginSuccess.jsp"); + + dispatcher.forward(request, response); + } + else + { + doGet(request, response); + } + } + + /** + * Generate a Base64 encoded SHA-1 hashed password that is salted. + * + * @param password + * The password to encode. + * @param salt + * The salt for salting the password. + * @return The salted and encoded password hash. + */ + public static String createSaltedPasswordHash(String password, String salt) + { + if (password == null) + { + throw new IllegalArgumentException("Password can't be null"); + } + + if (salt == null) + { + throw new IllegalArgumentException("Salt can't be null"); + } + + try + { + MessageDigest md = MessageDigest.getInstance("SHA-1"); + md.update((password + salt).getBytes()); + return Base64.getEncoder().encodeToString(md.digest()); + } + catch (NoSuchAlgorithmException e) + { + throw new IllegalStateException( + "SHA-1 for some reason is not supported.", e); + } + } + +} -- cgit v1.2.3-70-g09d2