1

I have a login JSP which takes username / password from the user in text boxes and on submit it forwards the username/password parameters to Login Servlet using POST method.

Now I am using Paros Proxy in between (as Man-In-The-Middle attack) to trap the parameters. The parameters received from JSP are captured in Paros as plain text.

Is there any specific method provided by Java standard API which we can use to encrypt these parameters such a way that:

  1. Even if the parameters are captured by Paros Proxy, it may not be able to display in plain text.

  2. Servlet do not have to decrypt it.

How can I achieve this?

Improve this question
2
  • You certainly don't want to just "encode" them. You want to "encrypt" them, which is an entirely different thing. Encoded information can be decoded without some security key (e.g. URL encoding, character encoding, HTML encoding, etc). Encrypted information can't be decrypted without some security key. I've fixed the wrong terminology in your question. Commented Sep 5, 2012 at 11:46
  • @BalusC Thanks for removing the boldness, it was little too much emphasis for my taste! Commented Sep 5, 2012 at 11:54

1 Answer 1

Reset to default
3

Use SSL to protect your data from being sniffable. If you require that no decoding (probably meaning decrypting) is to be performed on the server side, I cannot think of any other way.

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

Thanks for responding. I tried using SSL with my tomcat using this link, but it is showing certificate error (may be bcoz no cert from CA). But still it runs on HTTPS with certificate error.. but surprisingly Paros can look into those parameters as well in plaintext.. no luck with SSL either :-(
Why not try and use Apache HTTPD for SSL handling? Connecting it to servlet containers like Tomcat is quite easy, and there is plenty of documentation for each and every configuration aspect.
SSL is the answer to your question. You need to concentrate on solving your concrete certificate problem. Feel free to ask a new question about that step (on serverfault).

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.