
How can I encrypt the password using j_security_check?

 
Efrat Bar-Nahum
Ranch Hand
Posts: 57
Hi,

I have two applications: a web application and a rich client application (Swing), both of them are using the same loginModule.
In the rich client application, in the login dialog I encrypt the password before sending it to the loginModule, and in the login module I decrypt it.

I want to use the same encryption methods in the web application, in my login.jsp.
After the user presses the ok button I want to encrypt the password before sending it to the login module.

For this I am holding the two hidden fields:


And when pressing the ok button I am calling a javascript method using the onclick.
In the javascript function I am able to manipulate the name & password that I pass to the login module, but I don't know how to encrypt them (using my java code). I don't know if & how to use jsp tags in the javascript method (I tried, but of course it doesn't work...)

Can anyone please help me?
Thanks a lot,
Efrat
 
Ulf Dittmer
Rancher
Posts: 42968
JSP tags are executed on the server, while JavaScript is executed on the client - you can't combine them.

What kind of encryption does the Swing app use? Do you have the same encryption algorithm coded in JavaScript?

I would question the need to use encryption explicitly, though. Why don't you use an HTTPS connection instead, which gives you encryption for free?
 
Efrat Bar-Nahum
Ranch Hand
Posts: 57
How can I use the https?
How does it work?
I wanted to encrypt it the same way I do in the rich client (I'm using sun.misc.BASE64Decoder & javax.crypto functionality), so that the login module will behave the same for both applications.
If I use the https, I guess that I'll have to know in the login module who the invoking application is, to know if I should decrypt or not.
Am I right?

Thanks,
Efrat
 
Ulf Dittmer
Rancher
Posts: 42968
> How can I use the https?

If you're using Tomcat, follow the steps outlined in the documentation.

> I wanted to encrypt it the same way I do in the rich client (I'm using sun.misc.BASE64Decoder & javax.crypto functionality)

Duplicating javax.crypto code in JavaScript may not be impossible, but will be very hard.

> If I use the https, I guess that I'll have to know in the login module who the invoking application is, to know if I should decrypt or not.

If you use HTTPS, there is no need for further encryption, because an HTTPS connection is already encrypted. So unless you have very unusually strong security requirements, you don't need to do any encrypting/decrypting.
 
Efrat Bar-Nahum
Ranch Hand
Posts: 57
The thing is that I have 2 applications: the first one is web, and the second is rich client.
I cannot use the https for the rich client, so I have to take care of the encryption myself.
I decrypt in the login module, that I also use for the web application.
So when using the https in the web application, I will need to know if the login method in the login module needs to decrypt (in case it was called by the rich client application), or not (in case it was called from the web application).
Am I wrong?
 
Ulf Dittmer
Rancher
Posts: 42968
> I cannot use the https for the rich client

Why not?
 
Efrat Bar-Nahum
Ranch Hand
Posts: 57
How?
It is not running over Tomcat.
Am I missing something?
 
Ulf Dittmer
Rancher
Posts: 42968
I'm not following - surely the web app must be running in a web container, Tomcat or other, which can do HTTPS?

If this is the same app you described in the other thread, then the Swing app isn't accessing the web app anyway - the browser is, which speaks HTTPS.

If it is a different Swing app, which accesses the web app directly, then too you can use HTTPS - the necessary classes (mainly javax.net.ssl.HttpsURLConnection) have been built into the JVM ever since Java 1.4.
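
An added example, not code from this thread or its participants: a Java client that performs the container's form login over HTTPS with javax.net.ssl.HttpsURLConnection, so the password is protected by TLS and the login module needs no decrypt step. The host name, the /protected/index.jsp path and the credentials are assumptions made for illustration.

```java
import java.io.OutputStream;
import java.net.CookieHandler;
import java.net.CookieManager;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.HttpsURLConnection;

public class HttpsFormLogin {

    // Fail closed: credentials are never sent unless the URL is https://.
    // No custom TrustManager or HostnameVerifier is installed, so the JVM's
    // default certificate-chain and host-name checks stay in force.
    static HttpsURLConnection open(String url) throws Exception {
        URL u = new URL(url);
        if (!"https".equalsIgnoreCase(u.getProtocol())) {
            throw new IllegalArgumentException("refusing non-HTTPS URL: " + url);
        }
        return (HttpsURLConnection) u.openConnection();
    }

    static int login(String base, String user, String password) throws Exception {
        // Form login is session based: keep the session cookie between requests.
        CookieHandler.setDefault(new CookieManager());

        // 1. Ask for a protected page so the container starts a session
        //    (hypothetical path; use any resource covered by the security constraint).
        HttpsURLConnection first = open(base + "/protected/index.jsp");
        first.getResponseCode();
        first.getInputStream().close();

        // 2. Post the credentials in clear form fields; TLS encrypts them in transit.
        String body = "j_username=" + URLEncoder.encode(user, "UTF-8")
                + "&j_password=" + URLEncoder.encode(password, "UTF-8");
        HttpsURLConnection post = open(base + "/j_security_check");
        post.setRequestMethod("POST");
        post.setDoOutput(true);
        post.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        try (OutputStream out = post.getOutputStream()) {
            out.write(body.getBytes(StandardCharsets.UTF_8));
        }
        // How success and failure are signalled (redirect, error page) depends on
        // the container and the app's login configuration; inspect accordingly.
        return post.getResponseCode();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, not real endpoints or credentials.
        int status = login("https://app.example.com/myapp", "alice", "placeholder-password");
        System.out.println("HTTP status after login POST: " + status);
    }
}
```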
 
Efrat Bar-Nahum
Ranch Hand
Posts: 57
Yes, it's the same application that invokes the web application.
I'll try it.

Thanks a lot,
Efrat
 