0

The following is my code for login function. I save the password as MD5 but inside the url after logged in it shows the full word instead of showing MD5. I'm still very new to Java EE and any help I can get will be very much appreciated.

<%@ page contentType="text/html; charset=utf-8" language="java" import="java.sql.*" errorPage="" %>
<!DOCTYPE HTML>
<html>
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
        <title>Login Page</title>
    </head>

    <body>
        <form name="form1" method="GET" action="LoginServlet" onsubmit="return checkForm()">
            <table width="80%" border="0" cellspacing="2" cellpadding="2" align="center" class="firsttbl">
                <tr>
                    <td><%@ include file="banner.jsp" %></td>
                </tr>
                <tr>
                    <td><table width="40%" bordercolor="#0099FF" border="1" cellspacing="0" cellpadding="0" align="center">
                            <tr>
                                <td><table width="100%" border="0" cellspacing="2" cellpadding="4">
                                        <tr>
                                            <td width="35%">&nbsp;</td>
                                            <td width="3%">&nbsp;</td>
                                            <td width="62%">&nbsp;</td>
                                        </tr>
                                        <tr>
                                            <td colspan="3" align="center"><b>User Login Page</b></td>
                                        </tr>
                                        <tr>
                                            <td>&nbsp;</td>
                                            <td>&nbsp;</td>
                                            <td>&nbsp;</td>
                                        </tr>
                                        <tr>
                                            <td align="right">Username</td>
                                            <td>:</td>
                                            <td><input type="text" name="Username" size="25" class="textbox" ></td>
                                        </tr>
                                        <tr>
                                            <td align="right">Password</td>
                                            <td>:</td>
                                            <td><input type="password" name="Password" size="25" class="textbox"></td>
                                        </tr>
                                        <tr>
                                            <td>&nbsp;</td>
                                            <td>&nbsp;</td>
                                            <td>&nbsp;</td>
                                        </tr>
                                        <tr>
                                            <td colspan="3" align="center"><!--<input type="hidden" name="actionID" value="LoginServlet" /> --><input type="submit" name="Login" value="Login"></td>
                                        </tr>
                                        <tr>
                                            <td>&nbsp;</td>
                                            <td>&nbsp;</td>
                                            <td>&nbsp;</td>
                                        </tr>
                                    </table></td>
                            </tr>
                        </table></td>
                </tr>
                <tr>
                    <td><%@ include file="footer.jsp" %></td>
                </tr>
            </table>
            <script type="text/javascript">
                function checkForm(){
                    if(document.form1.Username.value == ""){
                        alert("Please enter Username.");
                        return false;
                    }
                    if(document.form1.Password.value == ""){
                        alert("Please enter password.");
                        return false;
                    }
                    else{
                        return true;
                    }
                }
            </script>
        </form>
    </body>
</html>
import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class Relay extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request,
            HttpServletResponse response)
            throws ServletException, java.io.IOException {
        processRequest(request, response);
    }

    @Override
    protected void doPost(HttpServletRequest request,
            HttpServletResponse response)
            throws ServletException, IOException {
        processRequest(request, response);
    }

    public void processRequest(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String command = request.getParameter("actionID");
        RequestDispatcher view = request.getRequestDispatcher(command);
        view.forward(request, response);
    }
}
import dbFunctions.ITReportDB;
import dbFunctions.ITReport_DBConn;
import java.io.*;
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.sql.*;

import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.*;
import javax.servlet.http.*;
import javax.swing.JOptionPane;

public class LoginServlet extends HttpServlet {

    @Override
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();

        try {
            ITReportDB reportDB = ITReport_DBConn.getITReportDB();

            boolean check = false;
            boolean checkStaff = false;

            String pwd;
            String PwdS = request.getParameter("Password");
            char[] Pwd = PwdS.toCharArray();
            String Password = "";
            for (int i = 0; i < Pwd.length; i++) {
                Password += Pwd[i];
            }
            MessageDigest m = MessageDigest.getInstance("MD5");
            m.update(Password.getBytes(), 0, Password.length());
            pwd = new BigInteger(1, m.digest()).toString(16);
            while (pwd.length() < 32) {
                pwd = "0" + pwd;
            }

            check = reportDB.checkLogin(request.getParameter("Username"), pwd);
            checkStaff = reportDB.checkLoginStaff(request.getParameter("Username"), pwd);
            if (check) {
                //Set the Session
                HttpSession session = request.getSession(true);
                session.setMaxInactiveInterval(120); //Timeout in seconds
                session.setAttribute("Username", request.getParameter("Username")); //User Type

                RequestDispatcher view = request.getRequestDispatcher("management_login.jsp");
                view.forward(request, response);

            } else if (checkStaff) {
                HttpSession session = request.getSession(true);
                session.setMaxInactiveInterval(180000); //Timeout in seconds
                session.setAttribute("Username", request.getParameter("Username")); //User Type

                RequestDispatcher view = request.getRequestDispatcher("staff_login.jsp");
                view.forward(request, response);

            } else {
                //out.println("<br/>You have entered wrong user name or password. Click <a href=index>here</a> to try again.<br/><br/>");
                JOptionPane.showMessageDialog(null, "Incorrect username or password!");
                RequestDispatcher view = request.getRequestDispatcher("index.jsp");
                view.forward(request, response);
            }

        } catch (ClassNotFoundException cnfe) {
            System.out.println(cnfe);
        } catch (SQLException sqle) {
            System.out.println(sqle);
        } catch (NoSuchAlgorithmException ex) {
            Logger.getLogger(LoginServlet.class.getName()).log(Level.SEVERE, null, ex);
        }
        out.close();
    }
}
public boolean checkLogin(String username, String pwd)
            throws ClassNotFoundException, SQLException {
        boolean check = false;
        
        try {
            Statement myStatement = getConnection();
            String writeString = "SELECT * FROM management_login_details WHERE Username ='" + username + "' and Password = '" + pwd + "'";
//            System.out.println(writeString);
            ResultSet results = myStatement.executeQuery(writeString);
            if (results.next()) {
                check = true;
            }
            closeConnection();
        } catch (ClassNotFoundException cnfe) {
            System.out.println(cnfe);
            throw cnfe;
        } catch (SQLException sqle) {
            System.out.println(sqle);
            throw sqle;
        }
        
        return check;
    }
boolean checkLogin(String username, String pwd)
            throws ClassNotFoundException, SQLException;
2
Contributors
2
Replies
3
Views
5 Years
Discussion Span
Last Post by pote86
1

The encryption takes place in the servlet not when you submit the page. You pass the password the user entered from the gui, so the password at the url is unencrypted. It goes to the servlet where you do the encryption.

There is no way to avoid that. (Actually there is but it is needless).
What people do is use:

<form name="form1" method="POST" action="LoginServlet" onsubmit="return checkForm()">

method="POST"

0

Thanks a lot .... :D I changed to 'post' and my problem solved.

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.