
Call a javascript function from Java

 
lekurwale amol
Ranch Hand
Posts: 55
Hi,
I am using a password hashing mechanism wherein using some library written in javascript.
It basically encrypts the password and sends it to the server.
Now, on the server, if I need to check if password is right, I need to decrypt it.
The decryption library is not available. So I need to call the same javascript library from java, supplying the db password.
Then I can compare.

My question : Is there any way to call a javascript function from a simple java class, and if it is, provide the snippet/code to do so.

Note : I am using "http://pajhome.org.uk/crypt/md5/" JS function to encrypt. I did not find any java decrypter over there.

Regards,
Amol
 
Henry Wong
author
Marshal
Posts: 21357

First of all, MD5 is *not* an encryption library -- as you may have noticed, there is no way to "decrypt" it. Also, it didn't take a password (or keys) which encryption requires.


You have two options. You can use the scripting API to run the same JavaScript that did the MD5, or you can use the MD5 that is built into the Java API. I would recommend that you do the latter.

Henry
 
lekurwale amol
Ranch Hand
Posts: 55
Henry Wong wrote:
First of all, MD5 is *not* an encryption library -- as you may have noticed, there is no way to "decrypt" it. Also, it didn't take a password (or keys) which encryption requires.


Hi Henry,
Thanks for your prompt reply. My requirement is : when user enters password in browser, I need to hash/encrypt it before sending to server. On server, I need to decrypt it. So, I am in search of a library, where the 'encryption' is written in javascript and 'decryption' in java. Would be grateful if you provide a reference to such a kind of stuff.

Regards,
Amol
 
Henry Wong
author
Marshal
Posts: 21357
lekurwale amol wrote:
Hi Henry,
Thanks for your prompt reply. My requirement is : when user enters password in browser, I need to hash/encrypt it before sending to server. On server, I need to decrypt it. So, I am in search of a library, where the 'encryption' is written in javascript and 'decryption' in java. Would be grateful if you provide a reference to such a kind of stuff.

Regards,
Amol


The correct solution is to not decrypt it -- meaning have the java side take an MD5 hash (of the correct password), and compare the two hashes.

Henry
 
Jesper de Jong
Java Cowboy
Saloon Keeper
Posts: 15435
lekurwale amol wrote: My requirement is : when user enters password in browser, I need to hash/encrypt it before sending to server. On server, I need to decrypt it.

No, you don't, that's not how MD5 hash codes work. MD5 is a one-way algorithm: you can use it to calculate a hash value over some data. It is not possible to get the original data back from the hash value. So it is impossible to "decrypt" this - it's not an encryption algorithm as Henry explained, so the words "encrypt" and "decrypt" do not even apply here. Hashing and encryption are two totally different things.

How this normally works is that you have the hash codes of the passwords stored in a database somewhere, and you compare the hash code of the password that the user entered with the hash code in the database.

Note that calculating the hash code on the client side in JavaScript is not a secure solution by itself. Someone could easily send a fake request with a hashed password in it. You should at least use HTTPS instead of normal HTTP to make it more secure.
 
lekurwale amol
Ranch Hand
Posts: 55
Jesper,
You were right. I was confused with encryption and hashing. I have now to choose RSA algorithm to encrypt and decrypt the data. I cannot store the hashed password at server. It has to be the decrypted one. I found a couple of sites providing the javascript to encode and also decode.
I need your comments on this :
1. As per the directions, it appears safe to use it as decryption is using a different key

Regards,
Amol
 
Henry Wong
author
Marshal
Posts: 21357
Jesper Young wrote:
Note that calculating the hash code on the client side in JavaScript is not a secure solution by itself. Someone could easily send a fake request with a hashed password in it. You should at least use HTTPS instead of normal HTTP to make it more secure.


One option around this is to have the server send a salt (which could be based on the current time)... basically, the client must hash both the salt and the password. It won't be possible to fake a request, unless of course, the salt repeats.

Henry
 
Nevin kumar
Ranch Hand
Posts: 93
Dear Amol,

You can get a hashing algorithm here http://www.webtoolkit.info/javascript/page/4 if required. As Henry suggested there is no reason to decrypt the password, you can store the hashed password in the database directly and compare the same on login. The better way is always hashing and salting together.

regards,
Naveen

 
lekurwale amol
Ranch Hand
Posts: 55
Hi,
I agree that storing the encrypted one is better but my client requires to store the actual password in DB. So, now using a RSA algorithm to encrypt on client and decrypt it on server.
Any comments about the security of this algorithm are appreciated. I repeat, I am using SSL. My issue is onsubmit on form, on which browser tends to store. So, a javascript function before the browser starts 'storing/caching' which will encrypt is to be written.

Regards.
Amol
 
Jesper de Jong
Java Cowboy
Saloon Keeper
Posts: 15435
lekurwale amol wrote: I agree that storing the encrypted one is better but my client requires to store the actual password in DB.

Storing actual passwords (in plain text?) in a database is a dubious idea (what if someone hacks into the database - then they can easily steal passwords) but OK...

You can do this with a hashing algorithm; you don't need real encryption / decryption algorithms (which are more complicated to use than hashing algorithms). You could do this (taking Henry's tip about using a salt into account):

1. The user goes to the login page. The server sends a "salt" (some random string of characters) along with the login page.
2. The user types in his username and password. The JavaScript on the page takes the password and the salt (append them together in a string) and calculates the hash value (using some hashing algorithm such as MD5).
3. The user presses the submit button. The server looks up the user and password in the database.
4. The server takes the password from the database and the salt and calculates the hash value.
5. The server compares the hash value received from the browser with what it has just calculated from the database. If the hash values are the same, the login is OK.

To make this work, the salt should be a random string that the server needs to remember for each user session.
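
Steps 1 to 5 above on the server side, using the MD5 built into the Java API that Henry recommends; this is an added example, not code posted by anyone in the thread. The class and method names are hypothetical, the password is a constructed sample, and it assumes the page's JavaScript hashes the UTF-8 bytes of password + salt and submits lowercase hex.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Locale;

public class SaltedLoginCheck {   // hypothetical name, added for illustration
    private static final SecureRandom RNG = new SecureRandom();

    // Step 1: a fresh random salt for each login page, remembered in the user's session.
    static String newSalt() {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        return toHex(raw);
    }

    // Lowercase hex MD5 of the UTF-8 bytes (assumed to match what the JavaScript side computes).
    static String md5Hex(String text) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("MD5");
        return toHex(md.digest(text.getBytes(StandardCharsets.UTF_8)));
    }

    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Steps 4-5: recompute from the stored password and the session salt, then compare.
    // The caller discards sessionSalt after one attempt so a captured hash cannot be
    // replayed (the "unless the salt repeats" condition from earlier in the thread).
    static boolean verify(String storedPassword, String sessionSalt, String hashFromBrowser)
            throws NoSuchAlgorithmException {
        if (storedPassword == null || sessionSalt == null || hashFromBrowser == null) return false;
        byte[] expected = md5Hex(storedPassword + sessionSalt).getBytes(StandardCharsets.US_ASCII);
        byte[] received = hashFromBrowser.toLowerCase(Locale.ROOT).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, received);   // comparison time does not depend on content
    }

    public static void main(String[] args) throws Exception {
        String stored = "correct horse";              // constructed sample password from the database
        String salt = newSalt();                      // sent with the login page (step 1)
        String fromBrowser = md5Hex(stored + salt);   // what the JavaScript would submit (step 2)
        System.out.println("same salt:  " + verify(stored, salt, fromBrowser));
        // The same captured hash replayed against a later login page's salt is rejected.
        System.out.println("new salt:   " + verify(stored, newSalt(), fromBrowser));
        System.out.println("wrong pass: " + verify(stored, salt, md5Hex("guess" + salt)));
    }
}
```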
 
lekurwale amol
Ranch Hand
Posts: 55
Jesper,

We are using a webservice call for password and userid verification. We cannot change that code (Ownership). So at the max, what we can do is to decrypt to original at server and send further.
I think we are deviating from the original query.

Now, I do have the javascript functions to encode and decode. Encoding is not an issue as it would be done at the client browser.
I need to call the decryption function, with input as the encrypted text and private key residing on server.
Please suggest an API for the same.

Regards,
Amol
 
lekurwale amol
Ranch Hand
Posts: 55
Also, I found a couple of solutions using JSObject and Applets etc.
My requirement is a simple Java API to just evaluate a simple Javascript method taking String parameters and returning a String.
 