I think most people are making a mountain out of a molehill on this
one.  Some basic validation checks should be done on the user name and
password to make sure they don't contain any illegal characters (ex.
punctuation or spaces) and the password is somewhat secure (longer than x
and a mixture of #'s and characters).  After that, using a prepared
statement to verify that it is in the database is the way to do
authentication.  Use of a separate file to me seems to be unnecessary and
adds an extra level of complexity.  If users are constantly being added,
the file will have to be continuously updated.  This is why a database
is used to store the info.  As far as security goes, if you don't want to
have the password in cleartext in the db, then you should hash it first (MD5
works well for this) and store the hash.  You then hash the password that
is entered by the user and compare that with the hash in the database.  If
you do it this way, however, you won't be able to recover the user's
password in case they forget it.  You will only be able to set it to a
known value and force them to change it the first time they log in.  Of
course, to be secure, an SSL connection should be used when users submit
the login information.

Regards,

Richard

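The validation, prepared-statement lookup and hash comparison Richard describes, as an added example that is not code from any poster in this thread. The thread is about Java/JDBC; this uses Python's built-in sqlite3 so it runs stand-alone, with the `?` placeholder playing the role of a JDBC PreparedStatement parameter. The user-name pattern, the length threshold of 8 and the SHA-256 digest are assumptions (Richard names MD5; any hashlib digest plugs in the same way).

```python
import hashlib
import hmac
import re
import sqlite3

# Richard's "no punctuation or spaces" rule for user names (pattern assumed).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")

def password_acceptable(password: str) -> bool:
    # "Longer than x and a mixture of digits and letters"; x = 8 is assumed.
    return (len(password) >= 8 and any(c.isdigit() for c in password)
            and any(c.isalpha() for c in password))

def hash_password(password: str) -> str:
    # The thread names MD5; SHA-256 is assumed here, any hashlib digest fits.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def create_user(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Registration path: validate, then store only the hash, never the cleartext.
    if not USERNAME_RE.match(username) or not password_acceptable(password):
        return False
    conn.execute("INSERT INTO users (username, password_hash) VALUES (?, ?)",
                 (username, hash_password(password)))
    return True

def lookup_hash(conn: sqlite3.Connection, username: str):
    # Parameterised statement: the username is bound as data, so a quote or
    # "OR 1=1" inside it stays part of the literal and matches no row.
    row = conn.execute("SELECT password_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    return None if row is None else row[0]

def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    if not USERNAME_RE.match(username):  # cheap reject before touching the db
        return False
    stored = lookup_hash(conn, username)
    if stored is None:
        return False
    # Hash what the user typed and compare with the stored hash, in constant time.
    return hmac.compare_digest(stored, hash_password(password))

def setup_db() -> sqlite3.Connection:
    # Constructed sample data: an in-memory users table with one account.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, "
                 "password_hash TEXT NOT NULL)")
    create_user(conn, "alice", "horse2001")
    return conn
```

With the username bound as a parameter, the `x' OR 1=1 --` value from Tim's message is looked up as a plain string and matches nothing, so the list of all passwords he worries about never comes back from the query.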

At 02:41 PM 11/15/2001 -0500, you wrote:
>Well the benefit would be that there would be no way to "fool" the
>database.. If you enter in garbage as the username.. it would never be able
>to find the user.
>If you enter a valid username.. it would only return you a single password
>to match.. And since it is a String compare using Java.. one would hope that
>you can't fool the .equals() of Java.
>
>Using Bob's loophole.. you would get:
>SELECT password FROM user WHERE username='x' OR 1=1 --'
>you will get a list of all passwords.
>But since you know that each username is associated with only one password,
>you are not using a while( rs.next() ) type of validation;
>you're using if( rs.next() ) if( rs.getString(1).equals("password from user") )
>In effect.. matching only one password
>
>I'm cringing waiting for Bob to prove me wrong. :-P
>-Tim
>
>-----Original Message-----
>From: Praveen Potineni [mailto:[EMAIL PROTECTED]]
>Sent: Thursday, November 15, 2001 2:32 PM
>To: [EMAIL PROTECTED]
>Subject: Re: Login Authentication against database...
>
>
>Chen, I am just curious as to what advantage/significance it will be to do
>passwd comparison outside the database. I'm working on that issue right
>now. So I wanted to know that in detail. Can you brief on the concept a bit.
>
>Also Celeste, can you provide some code snippets of how you handle JSP and XML
>together to handle user authentication.
>
>Thanks in advance
>Praveen
>
>----- Original Message -----
>From: "Chen, Gin" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Sent: Thursday, November 15, 2001 2:23 PM
>Subject: Re: Login Authentication against database...
>
>
> > Thanks, a great idea Celeste.
> >
> > Another approach may be to do the password comparison outside the database.
> > So you say.. SELECT password FROM users WHERE username="user";
> > And then do a password.equals("enteredpassword");
> > -Tim
> >
> > -----Original Message-----
> > From: Haseltine, Celeste [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, November 15, 2001 2:06 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: Login Authentication against database...
> >
> >
> > Joe,
> >
> > When my users log in, I capture their username and compare that name to
> > those I have in an XML table on the server.  If the name exists in the XML
> > table, and is still classified as Active, I then make a connection to my
> > database, and verify the password, along with obtaining other info I need
> > for access into different areas of our site.  Every time a new user is added
> > to the database, I run a script that updates my XML file on the server.  The
> > XML table is located in a different directory on our site than the actual
> > JSP/HTML pages, and has limited information.  Therefore, if someone did get
> > their hands on it, they still could not log into our site.
> >
> > This allows me to do a "first verification" of the user, and then reject
> > the user if appropriate, without even opening a connection or pulling a
> > thread from the connection pool to my database.  I have one JSP that
> > verifies the user exists in the XML table, before either handing off the
> > user to another JSP for verification against the database, or redirection to
> > a login error page.
> >
> > Celeste
> >
> > -----Original Message-----
> > From: Joe Cheng [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, November 15, 2001 11:33 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: Login Authentication against database...
> >
> >
> > Celeste,
> >
> > what's a "more secure" means?  now you've got me curious.
> >
> > and Bob wasn't pointing out a loophole, just calling attention to the
> > non-escaped values in the SQL statement below.
> >
> > -jmc
> >
> >
>===========================================================================
> > To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff
> > JSP-INTEREST".
> > For digest: mailto [EMAIL PROTECTED] with body: "set JSP-INTEREST
> > DIGEST".
> > Some relevant FAQs on JSP/Servlets can be found at:
> >
> >  http://archives.java.sun.com/jsp-interest.html
> >  http://java.sun.com/products/jsp/faq.html
> >  http://www.esperanto.org.nz/jsp/jspfaq.jsp
> >  http://www.jguru.com/faq/index.jsp
> >  http://www.jspinsider.com
> >
