
As part of my daily routine, I have the misfortune of administering an ancient, once "just internal" JSP web application that relies on the following authentication schema:

...

// Validate the user name and password.
if ((user != null) && (password != null) && (
    (user.equals("brianmay") && password.equals("queen")) ||
    (user.equals("rogertaylor") && password.equals("queen")) ||
    (user.equals("freddiemercury") && password.equals("queen")) ||
    (user.equals("johndeacon") && password.equals("queen"))
   )) {
    // Store the user name as a session variable.
    session.putValue("user", user);

...

As much as I would like to, the Queen members have never been users of the system, but anyway it does make a great example, does it not?

Although this client enforces security by policy through domain authentication, among other things, so this issue isn't seen as a security risk, my idea is still to at least obfuscate those plain-text credentials using perhaps a simple MD5 or SHA1 method, so that such sensitive data is not visible to the naked eye.

I'm a total newbie when it comes to JSP so I would really appreciate any piece of advice you'd be willing to share with me.

Thanks much in advance!

2 Answers

4

It is hard to understand the exact scheme you are thinking about, but I assume the password is coming in from a request and you want to calculate the MD5 hash in a JSP that the request is being sent to. After that you can compare it to the pre-computed MD5 version. You could even be more secure if it isn't being done with HTTPS and use a JavaScript MD5 library to hash the password before submitting it.

You can MD5 a string in Java like this:

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

try
{
  String digestInput = "queen";

  MessageDigest messageDigest = MessageDigest.getInstance("MD5");
  // Name the charset explicitly so the digest does not depend on the platform default encoding.
  messageDigest.update(digestInput.getBytes(StandardCharsets.UTF_8));

  // java.util.Base64 replaces the non-public sun.misc.BASE64Encoder, which is no longer available.
  String digestString = Base64.getEncoder().encodeToString(messageDigest.digest());

  // digestString now contains the Base64-encoded MD5 hash of the password
}
catch (NoSuchAlgorithmException e)
{
  // do some type of logging here
}

4 Comments

Beautiful! Thanks a lot! What would be the simplest way to store that MD5 hash? A plain text file?
Surely pre-computing with JS would only be more secure if the password is being used in other places. Otherwise precomputing the hash means you are just comparing two strings on the server side and it's no more secure than comparing naked passwords. An attacker could just submit the hash manually.
I don't think we're authorized to implement solutions in JS for that particular client, so I'd have to stick with storing the pre-calculated MD5 and then comparing. Could you give me some hint regarding how to implement that in JSP?
Use carson's code to get the hash. First time through, store it; after that, compute and compare against the stored value. A database is the common storage. The problem with a text file is that you would have to synchronize access to it so that multiple users didn't try to write to it at the same time.
2

First of all, you should move that logic from the JSP to a separate class.

Second, you shouldn't keep plain-text passwords anywhere in the code. Use some kind of one-way hash function (MD5, SHA1, ...) and keep only the password hashes.

When checking for user password, first hash it and then compare hashes.

1 Comment

Thanks much for the reply, buddy. Would you mind elaborating on those techniques you mention?
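Combining both answers, as an added example (not the question's application or either answer's code): a separate class, hypothetical name HashedUserStore, that keeps only a per-user salt and digest and checks a login by hashing the submitted password and comparing digests with MessageDigest.isEqual. It goes beyond the answers by using SHA-256 over a random salt plus the password instead of bare MD5, so the four identical "queen" passwords no longer produce identical stored values; the user names and the password are the question's own sample data.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

// Hypothetical class name; the user names and the password "queen" are the question's sample data.
public final class HashedUserStore {
    private static final String ALGORITHM = "SHA-256";
    private static final int SALT_BYTES = 16;

    // Kept per user instead of the password: a random salt and the digest of salt || password.
    private record Entry(byte[] salt, byte[] digest) {}

    private final Map<String, Entry> users = new HashMap<>();
    private final SecureRandom random = new SecureRandom();

    // Run once per account; after this the plain-text password is never stored anywhere.
    public void register(String user, String password) {
        byte[] salt = new byte[SALT_BYTES];
        random.nextBytes(salt);
        users.put(user, new Entry(salt, digest(salt, password)));
    }

    // Replaces the chain of user.equals(...) && password.equals(...) checks from the question.
    public boolean authenticate(String user, String password) {
        if (user == null || password == null) return false;
        Entry e = users.get(user);
        if (e == null) return false;
        // isEqual runs in constant time, so timing does not leak how many digest bytes matched.
        return MessageDigest.isEqual(e.digest(), digest(e.salt(), password));
    }

    private static byte[] digest(byte[] salt, String password) {
        try {
            MessageDigest md = MessageDigest.getInstance(ALGORITHM);
            md.update(salt);
            md.update(password.getBytes(StandardCharsets.UTF_8));
            return md.digest();
        } catch (NoSuchAlgorithmException ex) {
            throw new IllegalStateException(ALGORITHM + " is not available", ex);
        }
    }

    public static void main(String[] args) {
        HashedUserStore store = new HashedUserStore();
        for (String u : new String[] {"brianmay", "rogertaylor", "freddiemercury", "johndeacon"}) {
            store.register(u, "queen");
        }
        System.out.println(store.authenticate("brianmay", "queen") + " " + store.authenticate("brianmay", "Queen"));
    }
}
```

In the JSP, the registration step would be replaced by loading the stored salt and digest per user from a database, as the first answer's comments suggest, and the JSP itself would only call authenticate.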
