Hello,
I had the same task and did the following:
- My LoginAction calls a method of LoginService. The service method calls
the DAO (for example UserDAO) to get the hashed password that is
stored in the database. Then the service method calls a method to hash
the password given in the form (I take the password, concatenate it with a
salt value and build a Base64-encoded SHA-1 hash). Finally I check whether the
hashed form password equals the hashed password stored in the user
database.
Greetz
some code:
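public class LoginService {

    /** Result of {@link #authenticate}: credentials matched. */
    public static final int AUTH_OK = 1;
    /** Result of {@link #authenticate}: user exists but the password hash did not match. */
    public static final int AUTH_WRONG_PASSWORD = -1;
    /** Result of {@link #authenticate}: no employee record for the given username. */
    public static final int AUTH_NO_SUCH_USER = -2;

    public LoginService() {
    }

    /**
     * Looks up an employee by Windows logon name and, when that yields nothing
     * and the username parses as a number, by personnel number.
     *
     * @param username logon name or numeric personnel number as typed into the form
     * @return the first matching {@link Employee}, or {@code null} if no record matches
     */
    public Employee getUserCredentials(String username) {
        if (username == null) {
            return null;
        }
        EmployeeDAO dao = new EmployeeDAO();
        Employee byLogonName = firstEmployee(dao.findByWinlogonname(username));
        if (byLogonName != null) {
            return byLogonName;
        }
        Long personnelNumber;
        try {
            personnelNumber = Long.valueOf(username);
        } catch (NumberFormatException e) {
            // Not numeric, so a personnel-number lookup is impossible: treat as unknown user.
            return null;
        }
        return firstEmployee(dao.findByPersonnelnumber(personnelNumber));
    }

    /**
     * Returns the first element of a DAO result as an {@link Employee}, or
     * {@code null} when the result is not a non-empty list.
     */
    private static Employee firstEmployee(Object daoResult) {
        if (daoResult instanceof java.util.List) {
            java.util.List<?> rows = (java.util.List<?>) daoResult;
            if (!rows.isEmpty()) {
                return (Employee) rows.get(0);
            }
        }
        return null;
    }

    /**
     * Verifies the form credentials against the stored salted password hash.
     *
     * <p>Fix relative to the earlier version: an unknown username used to return
     * {@code 1} (success); it now returns {@link #AUTH_NO_SUCH_USER}, which
     * LoginAction already maps to the "noentry" message. The computed hash is
     * no longer printed to stdout, and the comparison is constant-time.
     *
     * @param formUsername username from the login form
     * @param formPassword clear-text password from the login form
     * @return {@link #AUTH_OK}, {@link #AUTH_WRONG_PASSWORD} or {@link #AUTH_NO_SUCH_USER}
     */
    public int authenticate(String formUsername, String formPassword) {
        Employee user = getUserCredentials(formUsername);
        if (user == null) {
            return AUTH_NO_SUCH_USER;
        }
        String storedHash = user.getPasswordhash();
        if (storedHash == null || formPassword == null) {
            // A record without a hash can never be logged into; an absent password never matches.
            return AUTH_WRONG_PASSWORD;
        }
        String formPasswordHash = PasswordHash.generate64BaseHashcode(
                formPassword, user.getSaltvalue());
        if (formPasswordHash == null) {
            return AUTH_WRONG_PASSWORD;
        }
        // Constant-time comparison so that response timing does not depend on
        // how many leading characters of the two hashes agree.
        byte[] stored = storedHash.getBytes(java.nio.charset.StandardCharsets.UTF_8);
        byte[] computed = formPasswordHash.getBytes(java.nio.charset.StandardCharsets.UTF_8);
        return java.security.MessageDigest.isEqual(stored, computed)
                ? AUTH_OK : AUTH_WRONG_PASSWORD;
    }
}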
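public class PasswordHash {

    /**
     * Digest used for stored password hashes. It must stay SHA-1 ("SHA" is the
     * JDK alias for the same algorithm) so that hashes already saved in the
     * database keep verifying. A single unsalted-iteration digest is not a
     * password-hashing function; moving to PBKDF2 (javax.crypto,
     * "PBKDF2WithHmacSHA256") would require re-hashing stored rows at next login.
     */
    private static final String DIGEST_ALGORITHM = "SHA-1";

    public PasswordHash() {
    }

    /**
     * Generates a fresh random salt: a 128-bit value rendered as a decimal string.
     *
     * <p>Uses {@code SecureRandom} instead of {@code java.util.Random}; the
     * latter is a predictable PRNG and unsuitable for security-relevant values.
     *
     * @return decimal representation of a random 128-bit non-negative integer
     */
    public static String generateSaltValue() {
        BigInteger saltInt = new BigInteger(128, new java.security.SecureRandom());
        return saltInt.toString();
    }

    /**
     * Computes {@code Base64(SHA-1(saltValue + password))} for the given
     * credentials, using UTF-8 for the string-to-byte conversion.
     *
     * <p>Replaces the internal {@code sun.misc.BASE64Encoder} (removed in
     * Java 9+) with {@code java.util.Base64}; for a 20-byte digest both produce
     * the same 28-character string, so existing stored hashes are unaffected.
     *
     * @param password clear-text password
     * @param saltValue per-user salt, prepended to the password before hashing
     * @return Base64-encoded digest
     * @throws NullPointerException if either argument is {@code null}
     * @throws IllegalStateException if the runtime lacks SHA-1 (mandatory in every JRE)
     */
    public static String generate64BaseHashcode(String password, String saltValue) {
        // Salt is prepended to the password, in the spirit of Unix password handling.
        String pwWithSalt = saltValue.concat(password);
        try {
            MessageDigest md = MessageDigest.getInstance(DIGEST_ALGORITHM);
            byte[] digest = md.digest(pwWithSalt.getBytes(java.nio.charset.StandardCharsets.UTF_8));
            return java.util.Base64.getEncoder().encodeToString(digest);
        } catch (java.security.NoSuchAlgorithmException nsae) {
            // Previously printed to stderr and returned null, which surfaced later as an
            // NPE in the caller; a missing mandatory algorithm is an environment error.
            throw new IllegalStateException("Konnte String nicht verschlüsseln!", nsae);
        }
    }
}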
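public class LoginAction extends Action {

    /**
     * Handles the submitted login form.
     *
     * <p>On success the employee is stored in a freshly created session and the
     * request is forwarded to {@code "showhome"}; otherwise error messages are
     * saved, the form is reset and the request goes back to {@code "showlogin"}.
     *
     * <p>Fixes relative to the earlier version: the pre-login session is
     * invalidated before a new one is created on success (an identifier issued
     * before authentication is never carried over), and a success code with no
     * loadable employee record no longer dereferences {@code null}.
     *
     * @param mapping  the Struts mapping for this action
     * @param form     the submitted {@code LoginForm}
     * @param request  current request
     * @param response current response (unused)
     * @return forward to {@code "showhome"} or {@code "showlogin"}
     */
    public ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) {
        LoginForm lf = (LoginForm) form;
        LoginService userlogin = new LoginService();
        int succeeded = userlogin.authenticate(lf.getUsername(), lf.getPassword());

        Employee user = null;
        if (succeeded == 1) {
            user = userlogin.getUserCredentials(lf.getUsername());
        }

        if (user != null) {
            // Discard whatever session existed before the credentials were
            // verified, then issue a new one for the authenticated user.
            HttpSession previous = request.getSession(false);
            if (previous != null) {
                previous.invalidate();
            }
            HttpSession session = request.getSession(true);
            session.setAttribute("username", user.getForename() + " " + user.getSurname());
            session.setAttribute("employee", user);
            return mapping.findForward("showhome");
        }

        ActionMessages errormessages = new ActionMessages();
        errormessages.add(ActionMessages.GLOBAL_MESSAGE,
                new ActionMessage("loginform.errors.login"));
        switch (succeeded) {
            case -1:
                errormessages.add(ActionMessages.GLOBAL_MESSAGE,
                        new ActionMessage("loginform.errors.falsepassword"));
                break;
            case -2:
                errormessages.add(ActionMessages.GLOBAL_MESSAGE,
                        new ActionMessage("loginform.errors.noentry"));
                break;
            default:
                // Either an unexpected code or a success code whose employee
                // record could not be loaded: the generic message is sufficient.
                break;
        }
        saveMessages(request, errormessages);
        // Clears the submitted fields, including the password, before re-rendering the form.
        lf.reset(mapping, request);
        return mapping.findForward("showlogin");
    }
}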
msg2ajay schrieb:
> hello friends,
> I am developing a Struts+Hibernate application which
> contains a login page. I am not sure which tools or APIs to use for
> login authentication and encryption.
>
> Can anybody suggest which is best for login authentication and how
> I can proceed toward a secure login for a web application?
>
> Ajay
>