Password Encryption in JSP

 
Ranch Foreman
The following is the complete error message

SEVERE: Servlet.service() for servlet [RegisterServlet] in context with path [/RegistrationMvc] threw exception
java.lang.NullPointerException
at com.mvc.dao.RegisterDao.registerUser(RegisterDao.java:26)
at com.mvc.controller.RegisterServlet.doPost(RegisterServlet.java:34)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:660)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:660)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:798)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:808)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)

 
Master Rancher
And web.xml
 
Gayathri Gayu
Ranch Foreman

web.xml
 
Gayathri Gayu
Ranch Foreman
This is how I created the database, and this is how I am inserting.
 
Saloon Keeper
The stack trace implies that System.out is null, which is weird. Are you sure that that exact stack trace belongs to the version of the RegisterDao that you posted? The line numbers must match up.
 
Swastik Dey
Master Rancher
I believe the db connection is not established. Just include an if check and see what happens.


 
Gayathri Gayu
Ranch Foreman
Yes, the connection is not established.
 
Gayathri Gayu
Ranch Foreman
Do I need to add any jar files for JDBC connectivity?
 
Swastik Dey
Master Rancher
So the issue seems to be with your DBConnection class. It might be a classpath issue or something wrong with the connection parameters. Post the code, let's see if we can figure out something.
 
Gayathri Gayu
Ranch Foreman


Code for DBConnection
 
Swastik Dey
Master Rancher

Gayathri Gayu wrote: Do I need to add any jar files for JDBC connectivity?

Of course you do, and the jar file should be under WEB-INF\libs
 
Gayathri Gayu
Ranch Foreman
I had added

mysql-connector-java-5.1.6.jar

in my build path
 
Swastik Dey
Master Rancher
For any web app it should be under WEB-INF\lib, does it appear there?
 
Gayathri Gayu
Ranch Foreman
Yes. mysql-connector-java-5.1.6.jar inside my  WEB-INF\libs folder only
 
Swastik Dey
Master Rancher
You are still getting same error.
 
Gayathri Gayu
Ranch Foreman
Yes, I am still getting the same error.

Exception

java.lang.NullPointerException
com.mvc.dao.RegisterDao.registerUser(RegisterDao.java:25)
com.mvc.controller.RegisterServlet.doPost(RegisterServlet.java:34)
javax.servlet.http.HttpServlet.service(HttpServlet.java:660)
javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)

 
Gayathri Gayu
Ranch Foreman
I deleted the jar, downloaded it again and placed it in the lib folder. Now it works fine. Thanks for the help.

One more question. I did a lot in the old project without any framework. That you already know. Can I convert that code to the way I am doing it now? Or should I start from scratch only?
 
Swastik Dey
Master Rancher
You should first learn how the frameworks work.
 
Gayathri Gayu
Ranch Foreman
So right now I am using an MVC framework, right?
 
Swastik Dey
Master Rancher
Sort of. Your registration page is the view, RegistrationServlet is the controller, RegisterBean is the model, and RegisterDAO is a helper class. There are also some predefined MVC frameworks like Spring where you need to write less code, because many parts are handled by the framework itself.
 
Gayathri Gayu
Ranch Foreman
Do I need to install the Spring framework in my Eclipse IDE?
 
Gayathri Gayu
Ranch Foreman
Or is whatever I have started right now fine?
 
Gayathri Gayu
Ranch Foreman
Also, I have gone through the login page. There are a few Java files for it, the same as for registration. So how will I include those in the existing web.xml file?
 
Swastik Dey
Master Rancher

Gayathri Gayu wrote: Also, I have gone through the login page. There are a few Java files for it, the same as for registration. So how will I include those in the existing web.xml file?

As per MVC you should be having only one Servlet controlling all requests, not multiple servlets.
 
Gayathri Gayu
Ranch Foreman
So if I want to do login I have to edit in RegistrationServlet.java?
 
Swastik Dey
Master Rancher
Right. But how will you identify what action to perform? Login or Register or something else?
 
Gayathri Gayu
Ranch Foreman
Then what do I have to do? Because a login page will have more actions.
 
Swastik Dey
Master Rancher
Typically the predefined frameworks write the mapping in xml files.  But for the time being you can pass an attribute from your page itself and based on that attribute perform the desired action.
 
Gayathri Gayu
Ranch Foreman
Means I should add the following code in RegistrationServlet.java. Am I right?
 
Stephan van Hulst
Saloon Keeper
The problem now is that your password is still saved in the database in plain text. You will want to configure your application to use the built-in Servlet authentication. To register users, you need to write a bit of custom software that depends on what servlet container you're using.

Are you using Tomcat? WildFly? Glassfish? Something else?
 
Gayathri Gayu
Ranch Foreman
I am using the Tomcat server.
 
Swastik Dey
Master Rancher




 
Gayathri Gayu
Ranch Foreman
The earlier code I posted was MVC. Better I can use a servlet, right?
https://www.javatpoint.com/creating-servlet-in-eclipse-ide. Just for clarification I am asking; sorry if I am wrong.
 
Gayathri Gayu
Ranch Foreman
I thought I was using servlet when I was using jsp and html so I am confused.
 
Swastik Dey
Master Rancher

Gayathri Gayu wrote: I thought I was using servlet when I was using jsp and html so I am confused.

So, is it clear now? In the sample code that I posted, there is only one servlet handling different types of actions. It would be even better if we could write the mappings in an XML file instead of passing the hidden attribute value from the html/jsp pages, but you can learn that later, because that needs knowledge of XML parsing and reflection APIs.
 
Gayathri Gayu
Ranch Foreman
I will learn about XML parsing.
Instead of MVC, can we use a servlet?
https://www.javatpoint.com/creating-servlet-in-eclipse-ide. Just for clarification I am asking; sorry if I am wrong.
 
Swastik Dey
Master Rancher
You are still a little confused. The servlet itself is a part of the MVC architecture. It comes in the controller layer. When you send a request from an html/jsp page (view) it comes to the servlet (controller), which performs the logical operations using DAO and model classes and returns the output to the jsp (view).

So the flow is

JSP/Html(view)->Servlet(Controller) Some operations using model and dao classes ->Jsp(View)
 
Saloon Keeper
We seem to have gone from a (horrible) scriptlet-based login page to a Spring MVC-based user registration servlet.  :confused:

Here's what a secure login page looks like:

My apologies for the formatting. Our forum code editor is doing things it shouldn't be doing to the table tags.

And here's what the login code looks like:
 
Ranch Hand

Stephan van Hulst wrote:

Kristina Hansen wrote: I guess in this case it should be sufficient to hash the input yourself.


Why? What makes it sufficient?

Also: Hash vs Encryption depends on the use case. There's no point in encryption when the credentials are just stored and used to compare.


I don't see how encryption plays any role here. The user wants to access some resource or service using a password.


Well - the thread ran a bit haywire since my last post - but it's already mentioned what I got in the first place which, in my view, you didn't:
OP DOESN'T want to use some credentials to log in to some external service and hence need the credentials in clear - but just wants to build a normal login page storing user credentials in a database.
Why it's sufficient to hash the password yourself: the server doesn't need to know the user's password in clear text - but only has to compare what the user sends with what's stored.

So, very basic (and secure in that use case), it flows like this:
- the user registers with a self-chosen password
- the user-chosen password gets salted and hashed and stored along with the salt in the database
- when the user wants to log in, the sent password is salted, hashed, and the output is checked against what's stored in the database - if they are equal it's assumed the given password is correct and the user has proven knowledge of the secret

There's no need for PBKDF2 or encryption at all.

Sorry to sound harsh (well, that's a general issue with this forum here - everyone is way too polite and enforces this as if someone's life depended on it) - but you obviously didn't get this until recently when OP posted code and it was obvious what OP tries to implement. I told you 6 hours ago that for what OP tries to do it in fact is sufficient to just take the user input and hash it yourself - because it's just stored for comparison on a later login attempt. And I bet this very forum here does exactly THAT - try to tell the admins they need to store user passwords with proper encryption - I want to see their reply.

In addition: When ENCRYPTING user credentials you somewhere have to store the key accessible for a login - otherwise this whole mess just doesn't work - and I guess you know that storing encrypted data along with the key is as safe as not encrypting at all. That's what hash functions are for and how logins should work: not to verify the secret but only the proof the user makes about knowledge of the secret - simple challenge-response ... oh, btw, that's how CHAP works - which is used for DSL worldwide ... would that be the case if it were as insecure as you say? I have doubts about your way of looking at this topic ...
 
Tim Holloway
Saloon Keeper
Sorry. But you absolutely positively DON'T want to handle password encryption on the client side. Repeating a third time, this makes it entirely too easy for a Bad Person to get hold of a password, and even encrypted passwords can be exploited. The only reasonably safe way to send passwords from a client to a server is via Transport Layer Security (SSL). In which case, encrypting the password on the client side is a waste of time, effort, and complexity.

In addition, if you put encryption logic on the client, you are surrendering vital information on what sort of encryption is being used as well as any salts, keys, or other priming and configuring data that might be used. You may think that having the password in clear text on the client is questionable, but it's there anyway, since the login page DOM already has the unencrypted password in it.

I/We should make it clear that encryption on the server side isn't to secure the server, it's to secure the server's credential store - the database, LDAP server, or whatever data retrieval mechanism is being used to hold the valid userid/password data. And if you use JEE standard security, the actual server authentication code is professionally-designed to keep exposure to the plaintext password coming in from the login form to a minimum.

Many databases don't need external logic to store hashed or encrypted passwords. For example, in MySQL, there are several different built-in SQL functions that can handle that process in a statement like "INSERT INTO users(userid, password) VALUES(?,PASSWD(?))".

The point being that a SELECT * FROM USERS won't return clear-text passwords, thus anyone trying to login under someone else's identity is going to have to look elsewhere to steal credentials.
 