Ketharinath,
Since a database is being used to store some of the user information, I
would expect that a connection pool is also being used. Therefore, the db
connection should already be established and it should take very little
time executing the query. More often than not, I would expect users of
the site to enter the correct user name. In that case, the XML lookup
would be a waste of time. Also, depending on the # of users, the processing
of the XML file could take up some of the server and CPU cycles and memory
too. If a large number of new users are added, then a lot of time would be
spent regenerating the XML file each time a user is added and also
reparsing the file by the authentication servlet.

I don't think using an XML file to mirror data in a database is a 'best
practice' approach to solving the task of authentication.

-Richard
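As an added example (not code from anyone in this thread), the following contrasts the concatenated query Bob objected to with Richard's approach of a prepared statement plus a stored hash compared in application code. It is Python with sqlite3 standing in for the JSP/JDBC code under discussion; the account names, passwords and the salted SHA-256 hashing (used here in place of the MD5 the thread mentions) are my own choices.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts; not taken from the thread.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "letmein")]
# The username quoted further down in the thread, used only to show how
# the two query styles treat it differently.
INJECTED_NAME = "x' OR 1=1 --"


def hash_password(password, salt):
    # Salted SHA-256 stands in for the unsalted MD5 suggested in the thread.
    return hashlib.sha256(salt + password.encode()).hexdigest()


def new_db():
    """In-memory table in the shape of the thread's SELECT password FROM user query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (username TEXT PRIMARY KEY, salt BLOB, pwhash TEXT)")
    for name, pw in SAMPLE_USERS:
        salt = os.urandom(16)
        conn.execute("INSERT INTO user VALUES (?, ?, ?)", (name, salt, hash_password(pw, salt)))
    return conn


def lookup_concat(conn, username):
    """String concatenation as in the original JSP: a quote in the input ends the literal,
    so the rest of the input is parsed as SQL and every row can come back."""
    sql = "SELECT pwhash FROM user WHERE username='" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_prepared(conn, username):
    """Bound parameter: the whole input is matched as one username value, quotes included."""
    rows = conn.execute("SELECT pwhash FROM user WHERE username=?", (username,))
    return [row[0] for row in rows]


def authenticate(conn, username, password):
    """Richard's scheme: fetch the stored hash with a prepared statement, hash the
    submitted password the same way, and compare the two in application code."""
    row = conn.execute("SELECT salt, pwhash FROM user WHERE username=?", (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)
```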



At 02:50 PM 11/15/2001 -0600, you wrote:
>Richard,
>
>I agree with you. But the point with the XML file is to avoid an unnecessary
>connection and query to the database. Your proposition is clear and plain,
>the correct, uncomplicated method.
>
>Also, most (if not all) sites and applications avoid all characters
>other than alphabetic characters (upper and lower case) and numbers. So,
>general validation should do. We can add an extra level of validation to be
>performed in the case of special characters like "'" etc. That should solve
>the problem straightforwardly.
>
>
>----- Original Message -----
>From: "Richard Yee" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Sent: Thursday, November 15, 2001 2:01 PM
>Subject: Re: Login Authentication against database...
>
>
> > I think most people are making a mountain out of a molehill on this
> > one. Some basic validation checks should be done on the user name and
> > password to make sure they don't contain any illegal characters (ex.
> > punctuation or spaces) and the password is somewhat secure (longer than x
> > and a mixture of #'s and characters). After that, using a prepared
> > statement to verify that it is in the database is the way to do
> > authentication. Use of a separate file to me seems to be unnecessary and
> > adds an extra level of complexity. If users are constantly being added,
> > the file will have to be continuously updated. This is why a database
> > is used to store the info. As far as security goes, if you don't want to
> > have the password in cleartext in the db, then you should hash it first
> > (MD5 works well for this) and store the hash. You then hash the password that
> > is entered by the user and compare that with the hash in the database. If
> > you do it this way, however, you won't be able to recover the user's
> > password in case they forget it. You will only be able to set it to a
> > known value and force them to change it the first time they log in. Of
> > course, to be secure, an SSL connection should be used when users submit
> > the login information.
> >
> > Regards,
> >
> > Richard
> >
> >
> > At 02:41 PM 11/15/2001 -0500, you wrote:
> > >Well the benefit would be that there would be no way to "fool" the
> > >database.. If you enter garbage as the username.. it would never be able
> > >to find the user.
> > >If you enter a valid username.. it would only return you a single password
> > >to match.. And since it is a String compare using Java.. one would hope that
> > >you can't fool the .equals() of Java.
> > >
> > >Using Bob's loophole.. you would get:
> > >SELECT password FROM user WHERE username='x' OR 1=1 --'
> > >You will get a list of all passwords.
> > >But since you know that each username is associated with only one password,
> > >you are not using a while( rs.next() ) type of validation;
> > >you're using if( rs.next() ) if( rs.getString(1).equals("password from user") )
> > >In effect.. matching only one password.
> > >
> > >I'm cringing waiting for Bob to prove me wrong. :-P
> > >-Tim
> > >
> > >-----Original Message-----
> > >From: Praveen Potineni [mailto:[EMAIL PROTECTED]]
> > >Sent: Thursday, November 15, 2001 2:32 PM
> > >To: [EMAIL PROTECTED]
> > >Subject: Re: Login Authentication against database...
> > >
> > >
> > >Chen, I am just curious as to what advantage/significance it will be to do
> > >the passwd comparison outside the database. I'm working on that issue right
> > >now, so I wanted to know that in detail. Can you brief on the concept a bit?
> > >
> > >Also, Celeste, can you provide some code snippets of how you handle JSP and XML
> > >together to handle user authentication?
> > >
> > >Thanks in advance
> > >Praveen
> > >
> > >----- Original Message -----
> > >From: "Chen, Gin" <[EMAIL PROTECTED]>
> > >To: <[EMAIL PROTECTED]>
> > >Sent: Thursday, November 15, 2001 2:23 PM
> > >Subject: Re: Login Authentication against database...
> > >
> > >
> > > > That's a great idea, Celeste.
> > > >
> > > > Another approach may be to do the password comparison outside the
> > > > database.
> > > > So you say.. SELECT password FROM users WHERE username="user";
> > > > And then do a password.equals("enteredpassword");
> > > > -Tim
> > > >
> > > > -----Original Message-----
> > > > From: Haseltine, Celeste [mailto:[EMAIL PROTECTED]]
> > > > Sent: Thursday, November 15, 2001 2:06 PM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: Re: Login Authentication against database...
> > > >
> > > >
> > > > Joe,
> > > >
> > > > When my users log in, I capture their username and compare that name to
> > > > those I have in an XML table on the server. If the name exists in the XML
> > > > table, and is still classified as Active, I then make a connection to my
> > > > database, and verify the password, along with obtaining other info I need
> > > > for access into different areas of our site. Every time a new user is added
> > > > to the database, I run a script that updates my XML file on the server. The
> > > > XML table is located in a different directory on our site than the actual
> > > > JSP/HTML pages, and has limited information. Therefore, if someone did get
> > > > their hands on it, they still could not log into our site.
> > > >
> > > > This allows me to do a "first verification" of the user, and then reject
> > > > the user if appropriate, without even opening a connection or pulling a
> > > > thread from the connection pool to my database. I have one JSP that
> > > > verifies the user exists in the XML table, before either handing off the
> > > > user to another JSP for verification against the database, or redirecting
> > > > to a login error page.
> > > >
> > > > Celeste
> > > >
> > > > -----Original Message-----
> > > > From: Joe Cheng [mailto:[EMAIL PROTECTED]]
> > > > Sent: Thursday, November 15, 2001 11:33 AM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: Re: Login Authentication against database...
> > > >
> > > >
> > > > Celeste,
> > > >
> > > > what's a "more secure" means?  now you've got me curious.
> > > >
> > > > and Bob wasn't pointing out a loophole, just calling attention to the
> > > > non-escaped values in the SQL statement below.
> > > >
> > > > -jmc
> > > >
> > > >
> > > > ===========================================================================
> > > > To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff
> > > > JSP-INTEREST".
> > > > For digest: mailto [EMAIL PROTECTED] with body: "set JSP-INTEREST
> > > > DIGEST".
> > > > Some relevant FAQs on JSP/Servlets can be found at:
> > > >
> > > >  http://archives.java.sun.com/jsp-interest.html
> > > >  http://java.sun.com/products/jsp/faq.html
> > > >  http://www.esperanto.org.nz/jsp/jspfaq.jsp
> > > >  http://www.jguru.com/faq/index.jsp
> > > >  http://www.jspinsider.com
> > > >