Hello, I had the same task and did the following:
- my loginAction starts a method loginService. My service method calls the dao (for example userDAO) to get the encrypted password, which is saved in the database. Now my service method calls a method to encrypt the form given password (i take the password, concat it with a salt value and build a 64Bit encoded SHA-1 Hash). Then I check if the encrypted form password is similar to the encrypted password in the user database. Greetz some code: public class LoginService { public LoginService() { } public Employee getUserCredentials(String username) { Employee user; EmployeeDAO dao = new EmployeeDAO(); ArrayList userlist = (ArrayList) dao.findByWinlogonname(username); if (userlist.size() == 0) { try { userlist = (ArrayList) dao.findByPersonnelnumber(new Long( username)); if (userlist.size() == 0) { return null; } else { user = (Employee) userlist.get(0); return user; } } catch (NumberFormatException e) { return null; } } else { user = (Employee) userlist.get(0); return user; } } public int authenticate(String formUsername, String formPassword) { Employee user; user = new Employee(); user = this.getUserCredentials(formUsername); if (user != null) { String formPasswordHash = PasswordHash.generate64BaseHashcode( formPassword, user.getSaltvalue()); System.out.println("HASH: "+formPasswordHash); if (user.getPasswordhash().compareTo(formPasswordHash) == 0) { return 1; } else { return -1; } } else { return 1; } } } public class PasswordHash { public PasswordHash() { } public static String generateSaltValue(){ BigInteger saltInt = new BigInteger(128,new Random()); String saltStr = saltInt.toString(); return saltStr; } public static String generate64BaseHashcode(String password, String saltValue) { String hashValue = null; String pwWithSalt = saltValue.concat(password); try { // Saltwert einbauen - siehe Unix-Passwortverwaltung MessageDigest md = MessageDigest.getInstance("SHA"); md.update(pwWithSalt.getBytes("UTF-8")); byte[] pwWithSaltRAW = md.digest(); hashValue = new 
BASE64Encoder().encode(pwWithSaltRAW); return hashValue; } catch (java.security.NoSuchAlgorithmException nsae) { System.err.println(nsae.toString() + ": Konnte String nicht verschlüsseln!"); } catch (UnsupportedEncodingException e) { e.printStackTrace(); } return hashValue; } } public class LoginAction extends Action { public ActionForward execute(ActionMapping mapping, ActionForm form, HttpServletRequest request, HttpServletResponse response) { LoginForm lf = new LoginForm(); lf = (LoginForm) form; LoginService userlogin = new LoginService(); int succeeded = userlogin.authenticate(lf.getUsername(), lf .getPassword()); Employee user; if (succeeded == 1) { user = userlogin.getUserCredentials(lf.getUsername()); HttpSession session = request.getSession(); session.setAttribute("username", user.getForename() + " " + user.getSurname()); session.setAttribute("employee", user); return mapping.findForward("showhome"); } else { ActionMessages errormessages = new ActionMessages(); errormessages.add(ActionMessages.GLOBAL_MESSAGE, new ActionMessage( "loginform.errors.login")); switch (succeeded) { case -1: errormessages.add(ActionMessages.GLOBAL_MESSAGE, new ActionMessage("loginform.errors.falsepassword")); break; case -2: errormessages.add(ActionMessages.GLOBAL_MESSAGE, new ActionMessage("loginform.errors.noentry")); break; } saveMessages(request, errormessages); lf.reset(mapping, request); userlogin = null; user = null; return mapping.findForward("showlogin"); } } } msg2ajay schrieb: > hello friends, > I am developing a struts+hibernate application which > contains a login page. I am not sure of which tools or API's to use for > logn > Authentication and encription. > > Can any bady suggest me which is best for login Authentication and what way > can i proceed for secured login for WebApplication. > > Ajay >