Implementation of Security in Java

Hi,
I have a Web Application developed using J2EE,Java and we want to go ahead and implement Security in our Web Application.
How do i go ahead on this ?? Please suggest/Advice regarding Security/Login Implementation in Java ???

Regards,
Deepak Lal

As pointed out in the other topic where you asked about this, security is not a feature that can be "implemented" after the fact like a feature, it is something that needs to be designed into a system from the start. The SecurityFaq mentions many of the things that can or should be done, and links to further reading on those.

Also, security is a huge subject with many facets. If you want to improve some of those, tell us *specifically* what you're trying to guard against.

Yeah i need to implement security feature for Login Module.where the password needs to be encrpyted format and stored in Backend database.The Security feature should be implemented in Java.

What are you trying to guard against? Is the password transferred all from the client to the server in a secure form? What do you have so far, and what difficulty are you facing implementing this?

Generally, passwords are not stored *encrypted*, they're stored *hashed* (or *digested*) using an algorithm like SHA-2. That way, nobody can retrieve them.

Ulf wrote :What are you trying to guard against? Is the password transferred all from the client to the server in a secure form? What do you have so far, and what difficulty are you facing implementing this? Generally, passwords are not stored *encrypted*, they're stored *hashed* (or *digested*) using an algorithm like SHA-2. That way, nobody can retrieve them.

My Comments ::
1> The password text field in the form is of type "password",but while storing in the database,it should be "hashed" or "digested" as you have told,Sorry i thought passwords are stored in encrypted format in the database,Thanks for correcting me....so how can i use this algorithm called SHA-2 and while authenticating the user with correct credentials,it should login successfully,Is it possible to achieve this using the SHA-2 algorithm which you are mentioning,could you provide me some links where SHA-2 algorithm is used in Java.

> I need a Forgot Password link also to be implemented so that when end user enters the appropriate email id,the password which is in "hashed" format in database should be "de-hashed(decrypted)" appropriately and should be mailed to the end user's email address..Can i implement this in Java,,,Please guide me Ulff..

Thanks for replying so soon...

Sorry if i have mistaken/confused with "hashed"/"encrypted" terminologies...

Regards,
Deepak Lal

Is it possible to achieve this using the SHA-2 algorithm which you are mentioning,could you provide me some links where SHA-2 algorithm is used in Java.

Here's how a password would be converted to something that can be stored securely. The Base64 class is part of the Apache Commons Codec library.
public static String getDigestedPassword (String password) { try { MessageDigest md5 = MessageDigest.getInstance("SHA-256"); String saltedPassword = "let's-add-some-salt-to-go-with-it-and-make-it-more-secure-"+password; byte[] digest = md5.digest(saltedPassword.getBytes("UTF-8")); return new String(Base64.encodeBase64(digest), "US-ASCII"); } catch (NoSuchAlgorithmException nsaex) { System.err.println("Could not create MessageDigest for SHA-256 ???"); } catch (UnsupportedEncodingException ueex) { System.err.println("Unsupported encoding US-ASCII ???"); } return null; }

I need a Forgot Password link also to be implemented so that when end user enters the appropriate email id,the password which is in "hashed" format in database should be "de-hashed(decrypted)" appropriately and should be mailed to the end user's email address.

That's not how secure systems are implemented. Passwords are NEVER sent via email. What's more, a hash is a one-way algorithm: once something is hashed, you can't get it back. The login authentication works by digesting the password the user entered, and then comparing that to the stored password.

Password retrieval being impossible, the application would provide a way for the password to be re-entered: The user would be sent a link to his email address to a page that allows him to enter a new password. The link is good for only a single time, and it expires automatically after no more than 24 hours.

Sorry if i have mistaken/confused with "hashed"/"encrypted" terminologies...

No need to be sorry, we're all learners.

Thanks Ulf for your outstanding replies.

I have few concerns still left in Security.

1> Please have a look at coderanch website itself where in case of password recovery section Lost Recovery page of Code Ranch Forum ,the end user is prompted for email address.I want to implement this feature.

2> Ulf's comments :: What's more, a hash is a one-way algorithm: once something is hashed, you can't get it back. The login authentication works by digesting the password the user entered, and then comparing that to the stored password. :: "Any suggestions on how can i go about comparing the digested user entered password and the stored password in database."

3> What is the difference between http:// and https:// and how can i implement https:// ( secured socket layer with 32 bit implementation in java)

Please help

Please have a look at coderanch website itself where in case of password recovery section Lost Recovery page of Code Ranch Forum ,the end user is prompted for email address.I want to implement this feature.

OK. What do you have so far, and where are you stuck making progress?

Any suggestions on how can i go about comparing the digested user entered password and the stored password in database.

Both being strings (or character arrays, depending on the details of your implementation), a comparison should be pretty straightforward, no?

What is the difference between http:// and https:// and how can i implement https:// ( secured socket layer with 32 bit implementation in java)

HTTPS is just HTTP over an SSL/TLS-secured connection. The details of how to SSL-enable a server are server-specific; for example, http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html describes how to do it for Tomcat.