Re: what login security/encryption are good for struts...?
Hi, it's a very nice example which you have sent, but I have a doubt: as you are using salt (generation) added to the encrypting code, that will be fine for registration, but what about login time? How are you going to decrypt the database code and authenticate? And one more thing: are you using Hibernate? Once again, thank you.

msg2ajay wrote:
> Hello friends, I am developing a Struts+Hibernate application which contains a login page. I am not sure which tools or APIs to use for login authentication and encryption. Can anybody suggest which is best for login authentication and what way I can proceed for a secured login for a web application?
> Ajay

View this message in context: http://www.nabble.com/what-login-security-encription-are-good-for-struts...--tf4795666.html#a13722357
Sent from the Struts - User mailing list archive at Nabble.com.

To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: what login security/encryption are good for struts...?
> It's a very nice example which you have sent, but I have a doubt: as you are using salt (generation) added to the encrypting code, that will be fine for registration, but what about login time? How are you going to decrypt the database code?

You do not need to decrypt; you just operate on the encrypted hash (encode the given password at login time and match it against the hash in the DB). You will have no chance to get the clear-text password again.

> and authenticate... and one more thing: are you using Hibernate?

Struts2 does not help you when it comes to authorization and authentication. You have some possibilities: in an enterprise environment you might want to use container-based security, just like in a normal webapp; there is a RolesInterceptor for Struts that you can use. Otherwise you have to build a custom security implementation, or use something like ACEGI, which offers a security framework but depends on Spring. The point is: Struts2 does not offer security out of the box.

Piero
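What "container-based security just like in a normal webapp" looks like in practice: a web.xml fragment using the Servlet specification's declarative security (security-constraint, login-config, security-role). This is an added illustration, not configuration from this thread or from Struts itself; the URL pattern /app/*, the role name "employee", the realm name and the two login pages are assumed names. The container's realm, not your Action or Hibernate code, then checks the submitted credentials against its configured user store.

```xml
<!-- web.xml excerpt: declarative security as defined by the Servlet spec.
     Names (/app/*, employee, AppRealm, login.jsp, loginError.jsp) are assumptions. -->

<!-- Everything under /app/ requires an authenticated user holding the "employee" role
     and must be served over TLS (CONFIDENTIAL); unauthenticated requests are redirected
     to the form below by the container before any Struts Action runs. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Application pages</web-resource-name>
    <url-pattern>/app/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>employee</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- FORM authentication: the login page posts fields j_username and j_password
     to the container-provided URL j_security_check; no custom LoginAction is needed. -->
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>AppRealm</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/loginError.jsp</form-error-page>
  </form-login-config>
</login-config>

<!-- Roles referenced above must be declared; the realm maps users to them. -->
<security-role>
  <role-name>employee</role-name>
</security-role>
```

With this in place the application code only sees `request.getRemoteUser()` and `request.isUserInRole("employee")`; how passwords are stored and compared is the realm's job, so the salted-hash logic discussed elsewhere in the thread moves out of the Action layer and into the container's user store configuration.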
Re: what login security/encryption are good for struts...?
Hi,
A salt value is a random value that is combined with a password, so both can be encrypted together: encrypt(salt+password) = hash. Please read: http://en.wikipedia.org/wiki/Salt_%28cryptography%29
You don't have to decrypt any passwords.
Yes, I am using Hibernate to read/write on my database.
Greetings

msg2ajay wrote:
> Hi, it's a very nice example which you have sent, but I have a doubt: as you are using salt (generation) added to the encrypting code, that will be fine for registration, but what about login time? How are you going to decrypt the database code and authenticate? And one more thing: are you using Hibernate? Once again, thank you.
>
> msg2ajay wrote:
>> Hello friends, I am developing a Struts+Hibernate application which contains a login page. I am not sure which tools or APIs to use for login authentication and encryption. Can anybody suggest which is best for login authentication and what way I can proceed for a secured login for a web application?
>> Ajay
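The point made in the two replies above (hash salt+password at registration, recompute at login, never decrypt) as a complete, runnable Java class. This is an added example, not code from this thread or from Struts/Hibernate. Two things differ from the thread's own approach and are deliberate: the digest is PBKDF2-HMAC-SHA256 from the JDK's javax.crypto with an iteration count, rather than a single SHA-1 round (one SHA-1 over salt+password is fast enough that guessed passwords can be tried at very high rates once the salt is known), and the comparison uses MessageDigest.isEqual so timing does not leak how many leading bytes matched. The StoredCredential class, the 16-byte salt, the 100,000 iterations and the sample password are assumptions.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Added example (not from the thread): salted password storage and verification. */
public final class PasswordStore {

    private static final int SALT_BYTES = 16;      // assumption: 128-bit per-user salt
    private static final int ITERATIONS = 100_000; // assumption: tune to ~100 ms on your server
    private static final int KEY_BITS = 256;
    private static final SecureRandom RNG = new SecureRandom(); // not java.util.Random, which is predictable

    /** What the user row keeps: per-user salt and derived hash, both Base64 (assumed column layout). */
    public static final class StoredCredential {
        public final String saltB64;
        public final String hashB64;
        public StoredCredential(String saltB64, String hashB64) {
            this.saltB64 = saltB64;
            this.hashB64 = hashB64;
        }
    }

    /** Registration: draw a fresh random salt, derive the hash, persist both. The password itself is never stored. */
    public static StoredCredential register(char[] password) {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        byte[] hash = derive(password, salt);
        Base64.Encoder enc = Base64.getEncoder();
        return new StoredCredential(enc.encodeToString(salt), enc.encodeToString(hash));
    }

    /** Login: re-derive with the stored salt and compare in constant time. Nothing is decrypted. */
    public static boolean verify(char[] password, StoredCredential stored) {
        Base64.Decoder dec = Base64.getDecoder();
        byte[] salt = dec.decode(stored.saltB64);
        byte[] expected = dec.decode(stored.hashB64);
        byte[] actual = derive(password, salt);
        return MessageDigest.isEqual(expected, actual);
    }

    /** PBKDF2-HMAC-SHA256 via javax.crypto; the iteration count makes each guess expensive. */
    private static byte[] derive(char[] password, byte[] salt) {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return factory.generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2WithHmacSHA256 not available in this JDK", e);
        } finally {
            spec.clearPassword(); // scrub the password copy held by the spec
        }
    }

    public static void main(String[] args) {
        // Constructed sample: register once, then verify a right and a wrong password against the row.
        StoredCredential row = register("correct horse battery".toCharArray());
        System.out.println("stored salt=" + row.saltB64 + " hash=" + row.hashB64);
        System.out.println("right password accepted: " + verify("correct horse battery".toCharArray(), row));
        System.out.println("wrong password accepted: " + verify("wrong".toCharArray(), row));
    }
}
```

In the thread's design, LoginService.authenticate would call verify() with the form password and the salt and hash read from the Employee entity; the registration path calls register() and stores both fields. The salt is not secret and can sit in the same row as the hash; what it prevents is one precomputed table serving every user.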
Re: what login security/encryption are good for struts...?
msg2ajay wrote:
> Hello friends, I am developing a Struts+Hibernate application which contains a login page. I am not sure which tools or APIs to use for login authentication and encryption. Can anybody suggest which is best for login authentication and what way I can proceed for a secured login for a web application?

Acegi, hands down. We did auth by hand for years and just made the switch to Acegi. Should have done it a long, long time ago. Acegi does require Spring, but that's a huge plus, not a minus. If you're new to both Spring and Acegi you are facing a significant learning curve. I can only say: climb the curve; you'll be very happy you did.

- Gary
what login security/encryption are good for struts...?
Hello friends, I am developing a Struts+Hibernate application which contains a login page. I am not sure which tools or APIs to use for login authentication and encryption. Can anybody suggest which is best for login authentication and what way I can proceed for a secured login for a web application?
Ajay

View this message in context: http://www.nabble.com/what-login-security-encription-are-good-for-struts...--tf4795666.html#a13719503
Re: what login security/encryption are good for struts...?
Hello,
I had the same task and I did the following: my LoginAction calls a method on LoginService. My service method calls the DAO (for example userDAO) to get the encrypted password, which is saved in the database. Now my service method calls a method to encrypt the form-given password (I take the password, concatenate it with a salt value and build a Base64-encoded SHA-1 hash). Then I check whether the encrypted form password is the same as the encrypted password in the user database.
Greetz

Some code:

import java.util.List;

public class LoginService {

    /** Looks the user up by Windows logon name first, then by personnel number; null if unknown. */
    public Employee getUserCredentials(String username) {
        EmployeeDAO dao = new EmployeeDAO();
        @SuppressWarnings("unchecked") // Hibernate-generated DAO returns a raw List
        List<Employee> userlist = dao.findByWinlogonname(username);
        if (userlist.isEmpty()) {
            try {
                userlist = dao.findByPersonnelnumber(Long.valueOf(username));
            } catch (NumberFormatException e) {
                return null;
            }
            if (userlist.isEmpty()) {
                return null;
            }
        }
        return userlist.get(0);
    }

    /** Returns 1 on success, -1 on wrong password, -2 if the user does not exist. */
    public int authenticate(String formUsername, String formPassword) {
        Employee user = getUserCredentials(formUsername);
        if (user == null) {
            // The posted code returned 1 here, which would have treated an unknown
            // user as logged in; -2 is what LoginAction already maps to "noentry".
            return -2;
        }
        String formPasswordHash = PasswordHash.generate64BaseHashcode(formPassword, user.getSaltvalue());
        // The debug println of the hash was dropped: hashes should not end up in server logs.
        return user.getPasswordhash().equals(formPasswordHash) ? 1 : -1;
    }
}

import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

public class PasswordHash {

    /** 128-bit random salt as a decimal string. SecureRandom replaces java.util.Random, whose output is predictable. */
    public static String generateSaltValue() {
        BigInteger saltInt = new BigInteger(128, new SecureRandom());
        return saltInt.toString();
    }

    /** Base64(SHA-1(salt || password)); the salt is stored next to the hash and reused at login. */
    public static String generate64BaseHashcode(String password, String saltValue) {
        String pwWithSalt = saltValue.concat(password);
        try {
            // Add the salt value, as in Unix password management
            MessageDigest md = MessageDigest.getInstance("SHA-1");
            byte[] pwWithSaltRAW = md.digest(pwWithSalt.getBytes(StandardCharsets.UTF_8));
            // java.util.Base64 replaces the non-public sun.misc.BASE64Encoder
            return Base64.getEncoder().encodeToString(pwWithSaltRAW);
        } catch (NoSuchAlgorithmException nsae) {
            System.err.println(nsae.toString() + ": could not hash the string!");
            return null;
        }
    }
}

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.ActionMessage;
import org.apache.struts.action.ActionMessages;

public class LoginAction extends Action {

    @Override
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request, HttpServletResponse response) {
        LoginForm lf = (LoginForm) form;
        LoginService userlogin = new LoginService();
        int succeeded = userlogin.authenticate(lf.getUsername(), lf.getPassword());

        if (succeeded == 1) {
            Employee user = userlogin.getUserCredentials(lf.getUsername());
            HttpSession session = request.getSession();
            session.setAttribute("username", user.getForename() + " " + user.getSurname());
            session.setAttribute("employee", user);
            return mapping.findForward("showhome");
        }

        ActionMessages errormessages = new ActionMessages();
        errormessages.add(ActionMessages.GLOBAL_MESSAGE, new ActionMessage("loginform.errors.login"));
        switch (succeeded) {
            case -1:
                errormessages.add(ActionMessages.GLOBAL_MESSAGE, new ActionMessage("loginform.errors.falsepassword"));
                break;
            case -2:
                errormessages.add(ActionMessages.GLOBAL_MESSAGE, new ActionMessage("loginform.errors.noentry"));
                break;
        }
        saveMessages(request, errormessages);
        lf.reset(mapping, request);
        return mapping.findForward("showlogin");
    }
}

msg2ajay wrote:
> Hello friends, I am developing a Struts+Hibernate application which contains a login page. I am not sure which tools or APIs to use for login authentication and encryption. Can anybody suggest which