encrypting password on JSP page
Hi guys,

Looking to encrypt user's passwords, but really I need a way to do it at the JSP level. I've written a basic class which a Servlet can call, but this is pointless because surely the password would still be passing from JSP to Servlet in plain text and only getting encrypted once received (bit pointless).

I need to be able to encrypt the password when the user clicks 'login'.

I have seen a few dodgy ways to do this, but really I want to use some sort of standard Java way, because I will need to be able to match the encrypted password with the encrypted password stored from registration.


Originally posted by Keith Seller:
Looking to encrypt user's passwords, but really I need a way to do it at the JSP level.

This makes little sense. JSP executes on the server in order to format the HTML page sent to the browser. Once sent to the browser, all JSP-ness is gone. So there's no executing any JSP code when the user clicks Login. Perhaps this article might be instructive.

The conventional way to encrypt when submitting from the browser to the server is via SSL.
Where do you see the practical difference between doing the encryption in the JSP and a servlet? Both are executed on the server (and JSPs are compiled into servlets anyway).

If you're concerned about clear-text transmission, make sure the connection is using HTTPS (which you should do anyway wherever passwords are involved).
[ November 01, 2007: Message edited by: Ulf Dittmer ]
As pointed out above, use HTTPS to transmit the password securely, but rather than looking at encrypting it, you should be hashing it. That way there is no way of retrieving the user's password, and it makes non-repudiation easier. However, all this comes at a cost: if you ever want to migrate users to a new system with its own password management (i.e. move to LDAP), you will have a harder time migrating the users' accounts.
I'll rephrase the question.

When I say JSP I mean the physical JSP page which contains HTML. I don't want to POST plain text across from this to the Servlet (unless it is considered safe to do this?).

But I'll look at SSL a bit closer instead, then.

Originally posted by Keith Seller:
When I say JSP I mean the physical JSP page which contains HTML

I repeat my answer. Code that runs on the server before your page even gets sent to the browser can't do anything for you.

SSL is your best option.
I think you are confusing the JSP, which gets compiled into a servlet and runs on the server to generate a page, with the page the JSP generates, which can only run JavaScript.
[ November 01, 2007: Message edited by: Ed Thompson ]
Which is why I recommended the article linked in my initial response.
I have seen a few websites (http://www.vbulletin.org/forum/index.php for example) that hash the password (using MD5) when the login form is submitted.

But, I agree with Bear and others. SSL is the way to go.
You should be able to encrypt the password using JavaScript; there are libraries available.

http://www.webtoolkit.info/javascript-md5.html this might give you a direction
As pointed out earlier in this thread, use SSL. If you use client-side encryption/hashing and send it in cleartext (HTTP) you are achieving nothing, as the hashed/encrypted password is now the system password!!! Once someone intercepts the request, they can resend the hashed password to gain access to the system at any time, making your efforts in vain. SSL is the only way for this one!!