Password Encryption in JSP

 
Master Rancher
Stephan hasn't talked about encrypting anything.
Both PBKDF2 and bcrypt are pre-packaged hashing functions that handle all the salting etc you could want.
There's no need to roll-your-own, and it's advisable not to in real environments.

But, of course, as Tim says, it's also advisable not to roll-your-own security for a Java web app.
 
Saloon Keeper
Here's an example that works with Tomcat:

context.xml:

web.xml:

Three servlets:



The user repository:

And the secret:
 
Ranch Foreman
Thanks for the help @Swastik Dey. I am trying to redirect to the home page if the user already exists in the database. Following is my code. I want to redirect in the else case. But is it possible to redirect? Now it stays on the same register page, displaying the error message "Oops.. Username already exists..!" I am trying to add a link along with the error message to go back to home. Is this possible?

 
Master Rancher
Of course it's possible, Gayathri.



homepage.html will be replaced by your actual filename.
 
Dave Tolls
Master Rancher
Does that actually work?
You're preparing a statement that has no parameters (you are concatenating in the email, which is a big no-no), and then trying to use that with a completely different SQL query in the update, somehow.

Edit: And you also seem to be completely ignoring the advice given by the likes of Stephan over setting up a proper login/registration architecture.
 
Swastik Dey
Master Rancher
Although your flow is going a bit wrong. You should first check whether a user exists with the given email id or not; if not, then insert, else show an error. This is your code with some changes.

 
Stephan van Hulst
Saloon Keeper
I'm not a big fan of using a separate query to check whether an entry already exists in the database. It will lead to bugs if you don't set up transactions correctly, and it will lead to contention if you do. Enforce unique key constraints inside the database. Then you can either handle the SQLException when a duplicate already exists, or you can use the IGNORE keyword and check how many rows were inserted by the query.

Also make sure you properly close the connections, statements AND result sets, for leaking any of them may land you in trouble. Take a look at the UserRepository class I wrote above to see how to close them all properly.

Finally, don't mix your presentation layer with your persistence layer. Why should the database access code know that the front-end is written in HTML?
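The three points above (a UNIQUE constraint instead of a SELECT-then-INSERT, closing connection, statement and result set, and keeping HTML out of the persistence layer), together with Dave's warning about concatenating the e-mail into the SQL, in one added example. This is not the UserRepository from Stephan's post and not code from the thread; it assumes a `users` table with a UNIQUE constraint on `email` and a `javax.sql.DataSource` (for instance one looked up via JNDI in Tomcat), and the table and column names are assumptions of this example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.SQLIntegrityConstraintViolationException;
import java.util.Optional;
import javax.sql.DataSource;

/**
 * Added example. Assumes a table created roughly as (syntax varies by database):
 *
 *   CREATE TABLE users (
 *     id            INT AUTO_INCREMENT PRIMARY KEY,
 *     email         VARCHAR(254) NOT NULL UNIQUE,
 *     password_hash VARCHAR(255) NOT NULL
 *   );
 *
 * The UNIQUE constraint, not a preliminary SELECT, is what prevents duplicates.
 * This class returns plain values; it knows nothing about HTML or servlets.
 */
public final class UserRepository {

    private final DataSource dataSource;

    public UserRepository(DataSource dataSource) {
        this.dataSource = dataSource;
    }

    /**
     * Inserts the user; returns false if the e-mail is already registered.
     * There is no SELECT-then-INSERT window, so two concurrent registrations
     * of the same address cannot both succeed.
     */
    public boolean register(String email, String passwordHash) throws SQLException {
        // NOT this: "INSERT INTO users ... VALUES ('" + email + "', ...)".
        // Whatever the user typed, quotes included, would then be parsed as SQL.
        String sql = "INSERT INTO users (email, password_hash) VALUES (?, ?)";
        try (Connection conn = dataSource.getConnection();
             PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, email);            // bound as data, never parsed as SQL
            ps.setString(2, passwordHash);     // the PBKDF2/bcrypt output, never the password
            ps.executeUpdate();
            return true;
        } catch (SQLIntegrityConstraintViolationException e) {
            return false;                      // duplicate key
        } catch (SQLException e) {
            // Some drivers throw a plain SQLException for a duplicate key;
            // SQLState class "23" is "integrity constraint violation".
            if (e.getSQLState() != null && e.getSQLState().startsWith("23")) {
                return false;
            }
            throw e;
        }
    }

    /** Looks up the stored hash for a login attempt; empty if the address is unknown. */
    public Optional<String> findPasswordHash(String email) throws SQLException {
        String sql = "SELECT password_hash FROM users WHERE email = ?";
        try (Connection conn = dataSource.getConnection();
             PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, email);
            // The ResultSet gets its own try-with-resources so it is closed as well.
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? Optional.of(rs.getString(1)) : Optional.empty();
            }
        }
    }
}
```

try-with-resources closes the three resources in reverse order even when an exception is thrown, which is the leak the post warns about. The MySQL-only `INSERT IGNORE` variant would instead keep the plain `executeUpdate()` call and treat a return value of 0 as "already registered"; the SQLState check is the portable fallback for drivers that do not throw the `SQLIntegrityConstraintViolationException` subclass.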
 
Gayathri Gayu
Ranch Foreman
The code works fine. Thanks for the help. When browsing in search of sending mails, in ASP.NET I found code for verifying the email address before login and also for resetting the password. Now with sendmail.java I am just able to send mail to the user. But I want to attach the absolute path so that with the link the registered user can validate their email and log in with the link.
 
Swastik Dey
Master Rancher
Didn't get you very clearly.
 
Gayathri Gayu
Ranch Foreman
Sending mails code. But here I can send just the confirmation that the userid has been created. I want to send the absolute path in a link so that the registered user will get a mail notification to activate their id before accessing the login page.
 
Swastik Dey
Master Rancher
Absolute path of your page, right?
 
Gayathri Gayu
Ranch Foreman
Yes, for where the link will redirect to the login page or reset password page.
 
Swastik Dey
Master Rancher
Append the link with the message that you are sending.
 
Gayathri Gayu
Ranch Foreman
Means I have to add the absolute path.

Is this correct? Anyway, as of now that is my link address. And how will I make the link accessible only once?
 
Swastik Dey
Master Rancher
Try with your own email and see what you are getting, and why do you want the login page link accessible only once?
 
Gayathri Gayu
Ranch Foreman
No, I thought I could verify their mail-id, kind of an account verification, before accessing the login page. They should not use the link again and again, right?
 
Swastik Dey
Master Rancher
Login should be allowed as many times as the user wants. What about the output of the code?
 
Gayathri Gayu
Ranch Foreman
Yes, the output for sending registration mails gives me the link to login. But what about the forgot password link? It cannot be accessible more than once, right?
 
Swastik Dey
Master Rancher
And does the login link work?
 
Gayathri Gayu
Ranch Foreman
As the forgot password asks the user to register their mail id and it will check in the database. If the user is found it will send a link to reset the password.
 
Gayathri Gayu
Ranch Foreman
Yes, the login link works.
 
Swastik Dey
Master Rancher
Gayathri Gayu wrote:As the forgot password asks the user to register their mail id and it will check in the database. If the user is found it will send a link to reset the password.

So what's the problem here? Validate the user, if valid send the link.
 
Gayathri Gayu
Ranch Foreman
So before sending mail I can validate the user.

For forgot password I tried our forum's link twice and got the following mails to reset my password:

Someone, probably you, made a password recovery request from Big Moose Saloon account.
Please use the following URL to complete the password recovery. You will be sent
to a page asking your email address and the new password.

https://coderanch.com/forums/user/recoverPassword/a847177581eba10b67b4ced1ba172cf5

Someone, probably you, made a password recovery request from Big Moose Saloon account.
Please use the following URL to complete the password recovery. You will be sent
to a page asking your email address and the new password.

https://coderanch.com/forums/user/recoverPassword/b1ad4d031395ab72da93e2ab6216ce48

Here both links are different. I want to send a link like this, and once the password is reset the link should not be accessible.
 
Swastik Dey
Master Rancher
I am not sure how they are doing it. Different people can have different approaches. One strategy could be to add another field in your users table as a PASSWORD_UPDATED boolean. When the user registers for the first time, mark it as false. Once the user updates his/her password, mark it as true. If the user again tries to reset the password and you see that the password_updated field is true, you won't allow the update. Set it to false again only when you are sending another mail to reset the password.

This is just my thought, there might be better approaches.
 
Gayathri Gayu
Ranch Foreman
The above code is for password encryption. How will I call this java file in my register form? Or should I call this file when the server inserts the data in the database? Does the code look fine for a secure password?
 
Stephan van Hulst
Saloon Keeper
The best way to use that code is to throw it away. Not only does it not live up to modern security standards, it doesn't even implement ancient security standards properly. The author of that code has no idea what the point of a salt is.

I gave you a complete example that does exactly what you want. Why are you ignoring my advice?
 
Gayathri Gayu
Ranch Foreman
I am not ignoring your advice @Stephan van Hulst. I just now started working with your code. In between I got the code which I pasted in the last post; that's why I asked for your suggestion. Also it seems like I have to modify my entire project too. That's the reason.
 
Stephan van Hulst
Saloon Keeper
After the user has verified their e-mail address, you can use the nonce field in the Users table to implement password resetting. Let us know if you need help with that.
 
Gayathri Gayu
Ranch Foreman
Here is where I am inserting the user while registering. Now where should I add the nonce field? Please help me.
 
Stephan van Hulst
Saloon Keeper
Have you already tried running my example? It's all in there.
 
Gayathri Gayu
Ranch Foreman
No, I haven't tried your example. As I want to implement it in my code, I would like to know where I should add the nonce field in the Users table to implement password resetting.
 
Stephan van Hulst
Saloon Keeper
You can either have a column in the user table that contains the nonce, or you can add a new table called something like PasswordResets that contains user ID and nonce.

You can also use this table to verify a user's e-mail by initially assigning an unknown password to them and mailing a password reset link instead of a verification link.
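Both the PASSWORD_UPDATED flag suggested earlier in the thread and the nonce column or PasswordResets table suggested here are after the same property: a reset link that works exactly once and then dies, which is what the two different coderanch.com recovery URLs quoted above show in practice. The following is an added example, not Stephan's example code and not code from the thread. An in-memory map stands in for the PasswordResets(user_id, nonce_hash, expires_at) table; the column names, the 30-minute lifetime, the `resetPassword` path and the `example.invalid` host are all assumptions of this example. It needs Java 17 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.HexFormat;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Added example: single-use, expiring password-reset tokens. The map stands in
 * for a PasswordResets(user_id, nonce_hash, expires_at) table; in a real
 * deployment issue() is an INSERT and consume() is a DELETE ... RETURNING (or
 * SELECT followed by DELETE inside one transaction).
 */
public final class PasswordResetService {

    private record Pending(long userId, Instant expiresAt) {}

    private static final SecureRandom RNG = new SecureRandom();
    private static final Duration TTL = Duration.ofMinutes(30);

    // Keyed by the SHA-256 of the token, so a database dump or a log line
    // does not contain anything that can be pasted into a browser.
    private final Map<String, Pending> pending = new ConcurrentHashMap<>();
    private final Clock clock;

    public PasswordResetService(Clock clock) {
        this.clock = clock;
    }

    /** Creates a fresh token for the user, invalidating any earlier one, and returns the raw token for the mail. */
    public String issue(long userId) {
        pending.values().removeIf(p -> p.userId() == userId);    // one live token per user
        byte[] raw = new byte[32];                                // 256 random bits: not guessable, not enumerable
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw); // safe inside a URL
        pending.put(sha256(token), new Pending(userId, clock.instant().plus(TTL)));
        return token;
    }

    /** Builds the absolute link that goes into the e-mail body. */
    public static String resetLink(String baseUrl, String token) {
        return baseUrl + "/resetPassword?token=" + token;
    }

    /**
     * Redeems a token. Returns the user id exactly once; a second call with the
     * same token, or a call after expiry, returns empty. The entry is removed
     * before it is inspected, so two requests racing on the same link cannot both win.
     */
    public Optional<Long> consume(String token) {
        Pending p = pending.remove(sha256(token));
        if (p == null || clock.instant().isAfter(p.expiresAt())) {
            return Optional.empty();
        }
        return Optional.of(p.userId());
    }

    private static String sha256(String s) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.US_ASCII));
            return HexFormat.of().formatHex(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        PasswordResetService svc = new PasswordResetService(Clock.systemUTC());
        String token = svc.issue(42L);
        System.out.println("mail this:  " + resetLink("https://example.invalid", token));
        System.out.println("first use:  " + svc.consume(token));
        System.out.println("second use: " + svc.consume(token));
    }
}
```

Running `main` prints the link, then an `Optional` holding the user id for the first `consume`, then an empty `Optional` for the second. In a servlet, call `consume` only from the POST that actually sets the new password, not from the GET that renders the form; mail clients and link scanners fetch URLs on their own, and a token consumed by the preview would leave the real user with a dead link. The same class covers Stephan's e-mail verification idea: register the user with no usable password, mail a reset link, and treat a successful `consume` plus a new password as proof that the address is reachable.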
 
Gayathri Gayu
Ranch Foreman
As of now I have created a table with the following fields. So should I add the PasswordResets field next to the password field? How will I achieve "You can also use this table to verify a user's e-mail by initially assigning an unknown password to them and mailing a password reset link instead of a verification link."?
 
Saloon Keeper
Gayathri Gayu wrote:No I haven't tried your example.

It would be a good idea to do that, though. For starters, it would help you understand what all the parts are. Once you understand how it all works, it'll be much easier to incorporate it into your application. What's more, I think you should delete all you have done so far, and start from scratch with a proper solution based on Stephan's example.
 
Stephan van Hulst
Saloon Keeper
Gayathri Gayu wrote:As of now I have created a table with the following fields

Why can e-mail addresses only be 30 characters long? Valid addresses may contain up to 254 characters. And why don't you support Unicode?

Gayathri Gayu wrote:So should I add the PasswordResets field next to the password field?

No, you add a nonce column or a PasswordResets table. If you add a column, the order doesn't matter as applications shouldn't depend on it anyway.

Gayathri Gayu wrote:How will I achieve "You can also use this table to verify a user's e-mail by initially assigning an unknown password to them and mailing a password reset link instead of a verification link."?

Take a look at the example I wrote. Instead of assigning a 'verified' role to the user after verifying the e-mail and nonce, you serve the user a page where they can enter a new password.
 
Gayathri Gayu
Ranch Foreman
The password is stored in the database like

10171272fc03e05d96c967c88b6b181f

When I try to login it is not accepting the password, only the encrypted one. Should I convert the encrypted password back to a string?
 
Stephan van Hulst
Saloon Keeper
No. You use the servlet container's built in credential handler.
 
Gayathri Gayu
Ranch Foreman
Means? How will I use the servlet container's built-in credential handler?
 
Stephan van Hulst
Saloon Keeper
By looking at the example I gave you.
 