Java Security forum archive, June 2005

newbie - jsp forms
Xarky

2004-12-22, 3:58 am

Hi,
I have the following code. Here the client is requested to enter
the username and password, and forward them to a new jsp page.

<form action="CheckStatus.jsp" method="get">
<p><H2>Enter your username and password and press Submit</H2></p>
<H3>
<p>Username: <input type="Text" name="username"></p>
<p>Password: <input type="Password" name="password"></p>
</H3>
<p>
<input type="Submit" value="Submit">
<input type="Reset" value="Reset">
</p>
</form>

Is this secure for the username and password? If not how can I make
it better?


Thanks in Advance
Bill Harrelson

2004-12-23, 4:08 pm

It's pretty insecure.

First of all you are using the method "get" which means that the parameters are passed as part of the query string.
This means that the username and password will show up, in the clear, in the webserver logs.
Switch to method = post; the parameters then don't show up as part of the query string.

Next, make sure that this page is _only_ accessed via SSL. Make this page a jsp, and add some java
code at the top to ensure that the request is secure (e.g. if (request.isSecure())).
Do the same for CheckStatus.jsp. If it's not, don't honor the request.

I don't know what webserver you're using, but if it's Tomcat, it's worth having a look at their
login stuff. They have protected servlets that create secure sessions, single-sign-on capabilities, etc.

Bill

Xarky wrote:
> Hi,
> I have the following code. Here the client is requested to enter
> the username and password, and forward them to a new jsp page.
>
> <form action="CheckStatus.jsp" method="get">
> <p><H2>Enter your username and password and press Submit</H2></p>
> <H3>
> <p>Username: <input type="Text" name="username"></p>
> <p>Password: <input type="Password" name="password"></p>
> </H3>
> <p>
> <input type="Submit" value="Submit">
> <input type="Reset" value="Reset">
> </p>
> </form>
>
> Is this secure for the username and password? If not how can I make
> it better?
>
>
> Thanks in Advance


Dave Milne

2005-06-05, 3:58 pm

Couple of points:

a) You want to be using declarative security, i.e. calling your AppServer's
form-based login servlet
(in WebSphere this is j_security_check). You specify which URLs require
authentication, and the AppServer traps a call to that URL and presents the
user with the login page you specified. On success, the user gets the page
they were after.

Here's a tutorial (search for "Form Based Login" or "Form Based
Authentication" on the net):
http://java.sun.com/webservices/doc.../Security5.html


b) You want to call that over HTTPS. If not, you want to do an MD5 hash of
the password with another string and POST that instead. Server-side, you do
the same operation with the real password. If the MD5 hashes are the same,
the user typed in the correct password. You will obviously have to write or
find an MD5 javascript.

Dave Milne

"Xarky" <bernardpace@yahoo.com> wrote in message
news:bc42e1a.0412212318.3ba9263@posting.google.com...
> Hi,
> I have the following code. Here the client is requested to enter
> the username and password, and forward them to a new jsp page.
>
> <form action="CheckStatus.jsp" method="get">
> <p><H2>Enter your username and password and press Submit</H2></p>
> <H3>
> <p>Username: <input type="Text" name="username"></p>
> <p>Password: <input type="Password" name="password"></p>
> </H3>
> <p>
> <input type="Submit" value="Submit">
> <input type="Reset" value="Reset">
> </p>
> </form>
>
> Is this secure for the username and password? If not how can I make
> it better?
>
>
> Thanks in Advance
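The declarative setup Dave describes, combined with Bill's two points (POST instead of GET, and only ever over SSL), as an added example that is not code from either poster: a web.xml fragment plus the matching login form. The context paths, the role name "user" and the error page name are assumptions; j_security_check, j_username and j_password are the names fixed by the servlet specification.

```xml
<!-- web.xml (Servlet 2.4 style; paths and the role name "user" are assumed) -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">

  <!-- Everything under /account/ needs an authenticated user in role "user"
       and must arrive over HTTPS. CONFIDENTIAL makes the container itself
       refuse or redirect plain-HTTP requests, so no page needs its own
       request.isSecure() check. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>account pages</web-resource-name>
      <url-pattern>/account/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Container-managed form login: an unauthenticated request to a protected
       URL is trapped, login.jsp is shown, the POSTed credentials are checked
       against the server's realm, and the user lands on the page asked for. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>
</web-app>

<!-- login.jsp: action and field names are fixed by the spec. method="post"
     keeps the credentials in the request body, so they are not written to
     the access log or left in the browser history as a query string. -->
<form action="j_security_check" method="post">
  <p>Username: <input type="text" name="j_username"></p>
  <p>Password: <input type="password" name="j_password"></p>
  <p><input type="submit" value="Submit"></p>
</form>
```

If /login.jsp can also be requested directly, add a second security-constraint for it with the same CONFIDENTIAL transport-guarantee and no auth-constraint, so the form itself is never served over plain HTTP.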

Copyright 2008 codecomments.com