Ryan,
I did something like this in my current project. The currently supported authentication forms do not support this, but I needed it. Since my application UI is Java Applet based, I was able to use the message digest APIs in Java 2 to do this. What I did is this:
- Modified all of my pages that I need to protect to see if the user is logged in and, if not, forward the request to a Login JSP page, keeping track of the original request destination.
- Created a Login JSP page which contained a Login applet. The Login applet provides an area for the user to enter the username and password. I use this along with the session ID for the session and compute the digest hash. The digest hash, username, and session ID are passed to a Login servlet using HTTP POST.
- Created a Login servlet which receives a digest hash, username, and session ID in its POST handler. The session ID is validated against the current session. The username is used to look up the user authentication information in a database and retrieve the user's password. I then compute the digest hash using the supplied username, session ID and the looked-up password. If this hash is the same as the one passed in the POST message, then the user is authenticated, logged in and redirected to the original request destination.
I probably could have implemented an Interceptor or such to do this, but I was fairly new to Tomcat and this seemed the easiest way, and as a side benefit it is not Tomcat specific. The only real downside is having to protect each page individually.

If you are not using an applet on the client side, you could still compute an MD5 hash in Javascript and do something similar.

Hope this helps,
Brett
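The scheme Brett describes, written out as an added example (not his code, and not Tomcat's): both sides compute the same digest over username, session ID and password, and the servlet side checks the posted session ID against the session the POST arrived on before recomputing and comparing. The `USER_DB` map stands in for the database lookup, `computeDigest` and `verifyLogin` are names chosen here, and SHA-256 is used in place of the MD5 mentioned for the JavaScript variant. In a real servlet the `currentSessionId` argument would come from `request.getSession().getId()`.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;

public class DigestLoginExample {

    // Hex-encoded SHA-256 over username, session ID and password, joined with ':'
    // so that different field splits cannot produce the same input. The same
    // function runs in the applet (client) and in the servlet (server).
    static String computeDigest(String username, String sessionId, String password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] out = md.digest((username + ":" + sessionId + ":" + password)
                    .getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(out.length * 2);
            for (byte b : out) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is required in every Java runtime", e);
        }
    }

    // Stand-in for the servlet's database lookup (username -> password).
    // Constructed sample data. Note that this scheme needs the password itself
    // on the server so it can recompute the digest.
    static final Map<String, String> USER_DB = new HashMap<>();
    static {
        USER_DB.put("alice", "correct horse battery staple");
    }

    // Server side: what the Login servlet's POST handler does.
    // currentSessionId is the ID of the HttpSession the POST arrived on.
    static boolean verifyLogin(String username, String postedSessionId,
                               String postedDigest, String currentSessionId) {
        // 1. The session ID in the POST must match the session the request came in
        //    on; otherwise a digest captured earlier could be posted from another session.
        if (!MessageDigest.isEqual(postedSessionId.getBytes(StandardCharsets.UTF_8),
                                   currentSessionId.getBytes(StandardCharsets.UTF_8))) {
            return false;
        }
        // 2. Look up the password; an unknown user fails the same way as a bad password.
        String password = USER_DB.get(username);
        if (password == null) {
            return false;
        }
        // 3. Recompute the digest and compare in constant time.
        String expected = computeDigest(username, currentSessionId, password);
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     postedDigest.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        String sessionId = "A1B2C3D4E5F6"; // constructed; the container would generate this

        // Client side: the applet computes the digest from what the user typed.
        String digest = computeDigest("alice", sessionId, "correct horse battery staple");
        System.out.println("correct password: " + verifyLogin("alice", sessionId, digest, sessionId));

        // A wrong password yields a different digest.
        String bad = computeDigest("alice", sessionId, "wrong");
        System.out.println("wrong password:   " + verifyLogin("alice", sessionId, bad, sessionId));

        // The same digest posted under a different session is rejected, because the
        // session ID is both checked and part of the hashed input.
        System.out.println("other session:    " + verifyLogin("alice", sessionId, digest, "F6E5D4C3B2A1"));
    }
}
```

Two points worth keeping in mind with this design: binding the digest to the session ID is what makes a captured digest useless outside that session, so the session-ID check in step 1 is not optional; and because the server must recompute the digest from the stored password, the password has to be kept in recoverable form in the database, so the digest protects the credential on the wire but not at rest. Serving the login page over HTTPS removes the need for the client-side hash and allows passwords to be stored hashed with a salt instead.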
Hello,
I want to be able to use the MessageDigest class to make a secure login to a JSP page.

Ultimately, I want the user to interact with a form and submit data entries into a MySQL database. This type of thing is very new to me and I was wondering if anyone could lead me to any good resources.

thanx
-ryan