
Encrypt form POST data before calling servlet through JSP

 
Nikhil Lanjewar
Greenhorn
Posts: 15
Hi,

What I'm trying to achieve here is a login form that takes username and password as input and submits it to a servlet. The servlet then calls a backend API to authenticate and returns success/error result. Right now, everything's working fine but for the fact that the servlet receives username/password pair as plain text.

I believe the above method is insecure and a password can be retrieved by simply sniffing the servlet call and extracting its POST data. I want to encrypt the username and password to some standard format (Base64, WSSE, etc.) before sending it to the servlet. I can easily decode the encrypted parameters thereafter.

Is there a way to achieve this?

--
Nikhil
 
Deepak Bala
Bartender
Posts: 6663
Base64 is encoding, not encryption. WS-Security cannot apply to a servlet. Pass your data via HTTP over SSL. Install a certificate on your web or app server.
 
Ulf Dittmer
Rancher
Posts: 42968
That's what SSL is for. I advise against trying to roll your own encryption scheme using JavaScript; the resulting solution is extremely unlikely to be more secure than that.

(As an aside, Base64 is an encoding, not a cipher; it provides no security.)

Edit: ... which, as I now see, is pretty much what Deepak said.
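The advice in the two replies above, as an added example that is not code from the original thread: a servlet filter that refuses to serve the login form or process the login POST over plain HTTP, so the browser only ever submits the password over TLS. The paths /login.jsp and /login and the class name are assumptions for illustration; the web.xml fragment in the comment is the container's declarative equivalent (a user-data-constraint with CONFIDENTIAL transport guarantee).

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Ensures the login page is only served, and the login POST only accepted,
 * over HTTPS. Map it in web.xml to the (hypothetical) /login.jsp and /login.
 *
 * The declarative equivalent, which lets the container enforce the same rule:
 *
 *   <security-constraint>
 *     <web-resource-collection>
 *       <web-resource-name>login</web-resource-name>
 *       <url-pattern>/login.jsp</url-pattern>
 *       <url-pattern>/login</url-pattern>
 *     </web-resource-collection>
 *     <user-data-constraint>
 *       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
 *     </user-data-constraint>
 *   </security-constraint>
 */
public class RequireHttpsFilter implements Filter {

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (request.isSecure()) {
            // Request arrived over TLS: let the JSP/servlet handle it.
            chain.doFilter(req, res);
            return;
        }

        if ("GET".equals(request.getMethod())) {
            // Serve the form only over HTTPS so the form's POST goes there too.
            // Assumes HTTPS is on the default port 443; adjust if it is not.
            StringBuilder url = new StringBuilder("https://")
                    .append(request.getServerName())
                    .append(request.getRequestURI());
            if (request.getQueryString() != null) {
                url.append('?').append(request.getQueryString());
            }
            response.sendRedirect(url.toString());
            return;
        }

        // A POST that arrived over plain HTTP has already crossed the wire in
        // the clear. The filter cannot undo that leak, but it must not act on
        // the credentials, and it tells the client what went wrong.
        response.sendError(HttpServletResponse.SC_FORBIDDEN,
                "Login is only accepted over HTTPS");
    }

    public void destroy() { }
}
```

If TLS is terminated on a proxy in front of the container, `request.isSecure()` is false unless the container is told to trust the proxy's forwarded-protocol header (on Tomcat, the RemoteIpValve does this); otherwise the filter would redirect in a loop.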
 
Nikhil Lanjewar
Greenhorn
Posts: 15
Thanks for the replies Ulf and Deepak...really appreciate that!
SSL is the best way to achieve security...can't agree more... would certainly have a word with the guy who takes care of the server.

I'm still wondering if there's a way in which I can pass a Base64-encoded string to my servlet instead of plain text. I just figured out that the backend APIs need the string to be that way, and I'll have to encode the username/password on the servlet before calling the APIs. So why not have it encoded before it reaches the servlet itself, and the servlet would simply make a call to the backend APIs without bothering about Base64? I just want to avoid plain text flowing towards my webapp.
 
Ulf Dittmer
Rancher
Posts: 42968
Basic Authentication uses Base64, but -as said before- it doesn't provide any meaningful security.
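The point made in this reply, and the question in the post before it about encoding the credentials for the backend API, as an added example that is not code from the original thread: what a Basic `Authorization` header actually contains, and how trivially anyone who captured it gets the username and password back. The class name, the `openAuthenticated` helper and the sample credentials in `main` are constructed for illustration.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/**
 * Basic authentication puts base64("user:pass") on the wire. Base64 is a
 * reversible encoding, so the credentials are exactly as private as the
 * transport carrying them, and encoding them in the browser gains nothing.
 */
public class BasicAuthDemo {

    /** Builds the header value a Basic-auth backend expects. */
    public static String basicHeader(String username, String password) {
        // RFC 7617: the user-id must not contain a colon, since ':' is the separator.
        if (username.indexOf(':') >= 0) {
            throw new IllegalArgumentException("username must not contain ':'");
        }
        String token = username + ":" + password;
        return "Basic " + Base64.getEncoder()
                .encodeToString(token.getBytes(StandardCharsets.UTF_8));
    }

    /** What anyone who sniffed the header does to recover the credentials. */
    public static String[] decodeBasicHeader(String headerValue) {
        if (!headerValue.startsWith("Basic ")) {
            throw new IllegalArgumentException("not a Basic header");
        }
        byte[] raw = Base64.getDecoder().decode(headerValue.substring("Basic ".length()));
        String token = new String(raw, StandardCharsets.UTF_8);
        int sep = token.indexOf(':');
        if (sep < 0) {
            throw new IllegalArgumentException("malformed Basic token");
        }
        return new String[] { token.substring(0, sep), token.substring(sep + 1) };
    }

    /**
     * How the servlet would attach the header when calling the backend API.
     * The backend URL should itself be https, for the same reason as the login form.
     */
    public static HttpURLConnection openAuthenticated(URL apiUrl, String username,
                                                      String password) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) apiUrl.openConnection();
        conn.setRequestProperty("Authorization", basicHeader(username, password));
        return conn;
    }

    public static void main(String[] args) {
        // Constructed sample credentials, not from any real system.
        String header = basicHeader("nikhil", "s3cret!");
        System.out.println(header);

        // Round trip: the "encoded" header decodes straight back to plain text.
        String[] creds = decodeBasicHeader(header);
        System.out.println(creds[0] + " / " + creds[1]);
    }
}
```

The round trip in `main` is the whole argument: encoding the password on the JSP side before the POST would only change which one-liner an eavesdropper runs after capturing it.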
 
Biswa R Nayak
Greenhorn
Posts: 8
Implement an Applet/Swing client and do your encryption there before calling the servlet.
Or do the encryption in JavaScript, which is not robust.
I do not see any other way of encrypting before going to the server side, unless SSL is used.
 
Nikhil Lanjewar
Greenhorn
Posts: 15
Okay...
So how can I use Basic Authentication on my JSP?

The overall flow would be:

1. User opens a login page
2. User enters data in input fields
3. User clicks on Submit button
4. Servlet call is initiated with a Base64-encoded string as its POST parameter

How can I modify my JSP to achieve the above? Here's what my JSP snippet looks like:



I'm a newbie to JSPs, hence finding it difficult to hit the exact thing. It'd be great if anyone could please point me to some solution or even post a modified version of my code snippet.
 
Nikhil Lanjewar
Greenhorn
Posts: 15
Some addendum in reply to Biswa's post:

The pages I'm trying to design are to be consumed on mobile devices as a WAP site. Due to the shortcomings of mobile browsers, I won't be using JavaScript or Swing. I just want a JSP in this case which shall provide simple HTML code to the browser.
 
Ulf Dittmer
Rancher
Posts: 42968
73
Basic authentication, like form authentication, is configured in the web.xml file, but it looks as if you're using neither, but have rolled your own login system based on forms. In that case SSL is the way to go.
 
Nikhil Lanjewar
Greenhorn
Posts: 15
All right then... I'd better have things running through SSL.

True I'm not using any of the authentication systems if web.xml configurations are the ones Ulf was talking about. I need a custom login page since I need to pass this information to a third-party API.
 