Win a copy of Programmer's Guide to Java SE 8 Oracle Certified Associate (OCA) this week in the OCAJP forum!
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

No security in Java

 
SRINI VASAN
Ranch Hand
Posts: 48
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hai ,
correct me if i am wrong.. I am finding giving security to a application damn tough..

In a pplication ,i need to get password from user & compare with a encrypted password which is given in a flat file to the client.well ! I can decrypt the flat file & compare with the user input for authentication ..
The catch is that if the user has decrypted password, and the function by which i have encrypted ( Using a tool like JAD, MOCHA he can easily see the code given a class file for knowing the function ) he can easily know the password ..
Is there is any tool ( other than code obfusication ) to brak the decomipling threat... if no, Then where is security in java?..

Regards,
srini
 
Michael Ernest
High Plains Drifter
Sheriff
Posts: 7292
Netbeans IDE VI Editor
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
One solution would be not to store the password in the class at all -- treat it as a transient value that does not persist outside the life of the authentication mechanism.
There are a couple of frameworks out there that provide the kind of authentication scheme you might be looking for. Baltimore Technologies has one called JCrypto. There's also a Sun-sponsored API called JAAS (Java Authentication and Authorization Service) that you can download from java.sun.com.
That said, login authentication is not something a programming language would typically concern itself with. You'd use the language to write one, unless the language itself is also an application. Java's idea of security has to with ensuring bytecode instructions can't be spoofed, classes can't be dumped out of the VM and arbitrarily replaced, and stuff like that.
------------------
Michael Ernest, co-author of: The Complete Java 2 Certification Study Guide

[This message has been edited by Michael Ernest (edited January 23, 2001).]
 
Colin Chow
Greenhorn
Posts: 12
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Well I think you mean data encryption. Java has an extension package, called Java Cryptography Extension (JCE), that I have adopted 6 months ago in my project for data encryption. It has pretty rich algorithm by Sun to start off. I first used the TripleDES and later adopted the Password-based Encryption, which works a lot better in the user data encryption scenerio, in the project. Essentially it solves the key storage problem. Anyway, perhaps you should download the API and play with it.
Colin
 
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic