How can I encrypt the password using j_security_check?

Hi,

I have two applications: a web application and a rich client application (Swing), both of them are using the same loginModule.
In the rich client application, in the in the login dialog I encrypt the password before sending in to the loginModule, and in the login module I decrypt it.

I want to use the same encryption methods in the web application, in my login.jsp.
After the user presses the ok button I want to encrypt the password before sending it to the login module.

For this I am holding the two hidden fields:

<TD><INPUT TYPE="Hidden" NAME="j_username" SIZE=17 CLASS=FORM VALUE="name"></TD> <TD><INPUT TYPE="Hidden" NAME="j_password" SIZE=17 CLASS=FORM VALUE="password"></TD>
And when pressing the ok button I am calling a javascript method using the onclick.
In the javascript function I am able to manipulate the name & password that I pass to the login module, but I don't know how to encrypt them (using my java code). I don't know if & how to use jsp tags in the javascript method (I tried, but of course it doesn't work...)

Can anyone please help me?
Thanks a lot,
Efrat

JSP tags are executed on the server, while JavaScript is executed on the client - you can't combine them.

What kind of encryption does the Swing app? Do you have the same encyption algorithm coded in JavaScript?

I would question the need to use encryption explicitly, though. Why don't you use an HTTPS connection instead, which gives you encryption for free?

How can I use the https?
How does it work?
I wanted to encrypt it the same way I do in the rich client (I'm using sun.misc.BASE64Decoder & javax.crypto functionality),so that the login module will behave the same for both application.
If I use the https, I guess that I'll have to know in the login module who the invoking application is, to know if I should decrypt or not.
Am I right?

Thanks,
Efrat

How can I use the https?

If you're using Tomcat, follow the steps outlined in the documentation

I wanted to encrypt it the same way I do in the rich client (I'm using sun.misc.BASE64Decoder & javax.crypto functionality)

Duplicating javax.crypto code in JavaScript may not be impossible, but will be very hard.

If I use the https, I guess that I'll have to know in the login module who the invoking application is, to know if I should decrypt or not.

If you use HTTPS, there is no need for further encryption, because an HTTPS connection is already encrypted. So unless you have very unusually strong security requirements, you don't need to do any encrypting/decrypting.

The thing is, that I have 2 applications: the first one is web, and the second is rich client.
I cannot use the https for the rich client, so I have to take care of the encryption my self.
I decrypt in the login module, that I also use for the web application.
So when using the https in the web application, I will need to know if the login method in the login module needs to decrypt (in case it was called by the rich client application), or not (in case it was called from the web application).
Am I wrong?

I cannot use the https for the rich client

Why not?

How?
It is not running over Tomcat.
Am I missing something?

I'm not following - surely the web app must be running in a web container, Tomcat or other, which can do HTTPS?

If this is the same app you described in the other thread, then the Swing app isn't accessing the web app anyway - the browser is, which speaks HTTPS.

If it is a different Swing app, which accesses the web app directly, then too you can use HTTPS - the necessary classes (mainly javax.net.ssl.HttpsUrlConnection) have been built into the JVM ever since Java 1.4.

Yes, it's the same application that invokes the web application.
I'll try it.

Thanks a lot,
Efrat