Member Avatar for SagarSe7en

Hello All,

I am currently working on developing an authentication system. Below are the details:

This code inserts the details (username and password) to the database.

the password is hashed and stored in the db

package org.controller;

import java.io.IOException;
import java.io.PrintWriter;
import static java.lang.System.out;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.dao.DAO;

/**
 *
 * @author SAGARSE7EN
 */
public class loginServlet extends HttpServlet {

    /**
     * Processes requests for both HTTP <code>GET</code> and <code>POST</code>
     * methods.
     *
     * @param request servlet request
     * @param response servlet response
     * @throws ServletException if a servlet-specific error occurs
     * @throws IOException if an I/O error occurs
     */
    protected void processRequest(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html;charset=UTF-8");

        try 

        {

            DAO dao = new DAO();

            dao.insertDetails(request.getParameter("userName"), request.getParameter("passWord"));

            out.println("Nice Sagar! It Worked");
        }

        catch (Exception e)

        {

            System.out.println(e);
        }
    }

    // <editor-fold defaultstate="collapsed" desc="HttpServlet methods. Click on the + sign on the left to edit the code.">
    /**
     * Handles the HTTP <code>GET</code> method.
     *
     * @param request servlet request
     * @param response servlet response
     * @throws ServletException if a servlet-specific error occurs
     * @throws IOException if an I/O error occurs
     */
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        processRequest(request, response);
    }

    /**
     * Handles the HTTP <code>POST</code> method.
     *
     * @param request servlet request
     * @param response servlet response
     * @throws ServletException if a servlet-specific error occurs
     * @throws IOException if an I/O error occurs
     */
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        processRequest(request, response);
    }

    /**
     * Returns a short description of the servlet.
     *
     * @return a String containing servlet description
     */
    @Override
    public String getServletInfo() {
        return "Short description";
    }// </editor-fold>

}

this method is what inserts the details into the database residing in DAO class

public void insertDetails(String userName , String passWord)

            throws Exception

    {

        try

        {


            Connection databaseConnector = connectToOracleDatabasse();

            PreparedStatement ps = null;

            String securePassword = SCryptUtil.scrypt(passWord, 16, 16, 16);

            ps = databaseConnector.prepareStatement("insert into users (userName , passWord) values (?,?)");

            ps.setString(1, userName);

            ps.setString(2, securePassword);

            ps.executeUpdate();


        }

        catch(Exception e)

        {

            System.out.println(e);

        }
    }

this class is the scryptutil class in which the scrypt method encrypts the password received in plain text format

public static String scrypt(String passwd, int N, int r, int p) {
        try {
            byte[] salt = new byte[16];
            SecureRandom.getInstance("SHA1PRNG").nextBytes(salt);

            byte[] derived = SCrypt.scrypt(passwd.getBytes("UTF-8"), salt, N, r, p, 32);

            String params = Long.toString(log2(N) << 16L | r << 8 | p, 16);

            StringBuilder sb = new StringBuilder((salt.length + derived.length) * 2);
            sb.append("$s0$").append(params).append('$');
            sb.append(encode(salt)).append('$');
            sb.append(encode(derived));

            return sb.toString();
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException("JVM doesn't support UTF-8?");
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("JVM doesn't support SHA1PRNG or HMAC_SHA256?");
        }
    }

overall, this is how the data is sent to the database at insertion time.

at login time, this is how i have coded. the servlet which performs the authentication:

package org.controller;

import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.dao.DAO;
import org.security.*;

/**
 *
 * @author SAGARSE7EN
 */
public class authServlet extends HttpServlet {

    /**
     * Processes requests for both HTTP <code>GET</code> and <code>POST</code>
     * methods.
     *
     * @param request servlet request
     * @param response servlet response
     * @throws ServletException if a servlet-specific error occurs
     * @throws IOException if an I/O error occurs
     */
    protected void processRequest(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html;charset=UTF-8");

        try (PrintWriter out = response.getWriter()) 

        {


            DAO dao = new DAO();

            //String passWord = request.getParameter("password");

            //String hashedPassword = SCryptUtil.scrypt(passWord, 16, 16, 16);

            if(dao.userLogin(request.getParameter("passWord")))
            {
                System.out.println("Nice Sagar. Cracked");
            }

            else

            {

                System.out.println("Try Again Sagar");
            }



        }

        catch(Exception e)

        {

            System.out.println(e);

        }
    }

    // <editor-fold defaultstate="collapsed" desc="HttpServlet methods. Click on the + sign on the left to edit the code.">
    /**
     * Handles the HTTP <code>GET</code> method.
     *
     * @param request servlet request
     * @param response servlet response
     * @throws ServletException if a servlet-specific error occurs
     * @throws IOException if an I/O error occurs
     */
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        processRequest(request, response);
    }

    /**
     * Handles the HTTP <code>POST</code> method.
     *
     * @param request servlet request
     * @param response servlet response
     * @throws ServletException if a servlet-specific error occurs
     * @throws IOException if an I/O error occurs
     */
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        processRequest(request, response);
    }

    /**
     * Returns a short description of the servlet.
     *
     * @return a String containing servlet description
     */
    @Override
    public String getServletInfo() {
        return "Short description";
    }// </editor-fold>

}

the method called by the authservlet from DAO class:

public boolean userLogin (String passWord)
            throws Exception
    {

        try

        {


            String hashPassword = SCryptUtil.scrypt(passWord, 16, 16, 16);

            System.out.println(hashPassword);

            //boolean matched = SCryptUtil.check(passWord, hashPassword);

            //System.out.println(matched);

            Connection sqlConnection = connectToOracleDatabasse();

            ResultSet authSet = null;

            PreparedStatement ps = null;

            String sqlQuery = "select * from users " + "where password = '" + hashPassword + "'";

            System.out.println(sqlQuery);

            ps = (PreparedStatement)sqlConnection.prepareStatement(sqlQuery);

            authSet = ps.executeQuery(sqlQuery);

            if (authSet.next())

            {

            closeConnection();

            return true;

            }

            {

            closeConnection();

            return false;
            }

However everytime i test the login, it always returns false.

Any assistance highly appreciated

  • 2 Contributors
  • 2 Replies
  • 373 Views
  • 4 Days Discussion Span
  • Latest Post Latest Post by SagarSe7en
Member Avatar for rubberman

For debugging purposes, output the hash stored in the database and that returned in userLogin(). If they are using a different salt value (based upon date/time by default perhaps), then the hashes may differ. Since I am unfamiliar with the SCryptUtil library I don't know for sure what it is doing. This is a common technique for password hash functions so that two users with the same password don't generate the same hash.

Member Avatar for SagarSe7en

Marking thread as solved as i manage to find where the issue was.

Edited by SagarSe7en because: Changes being made to previous post as unclear information was posted.
Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.