Geek Answers Handbook

Best way to authenticate a user using MySQL (Open to other offers)?

I am creating a web-based login system and for this I use MySQL as my backend, JSPS and Servlets for functionality, also using the jasypt 1.8 library to encrypt passwords so that I can store them in MySQL later.

My question is: is there anything wrong with the following code (security related, best practices, etc.):

protected boolean verifyUser(String user, String pass) throws SQLException, ClassNotFoundException, InstantiationException, IllegalAccessException { StrongPasswordEncryptor passwordEncryptor = new StrongPasswordEncryptor(); Connection conn = null; String userName = "****"; String password = "****"; String url = "jdbc:mysql://localhost:3306/DB"; ResultSet rs = null; try { Class.forName("com.mysql.jdbc.Driver").newInstance(); conn = DriverManager.getConnection(url, userName, password); System.out.println("Database connection established"); PreparedStatement stmt = null; stmt = conn.prepareStatement("SELECT * FROM DB.LOGINS WHERE USER = ?"); stmt.setString(1, user); rs = stmt.executeQuery(); if(!rs.next()){ return false; } if(passwordEncryptor.checkPassword(pass, rs.getString("Password"))){ return true; } conn.close(); } catch (Exception e) { } return false; }

I don’t know if it’s right to get the user out of the database and then compare it with the password provided (i.e., I think the best way would be to get information from the database using the username and password, and not just the first one). Unfortunately, I cannot do this because I cannot generate the key, because there is no way in the library that can do this (and I could not find the algorithm in the documentation for generating the key).

I do this because the library I use has a built-in random salt generator that is stored inside the line created after encryption (using sha-256 for this, if that matters ...) and the checkPassword () method is the only thing able to generate a key that is exactly the same as the one stored in the database (which has already passed the encryption process).

In any case, if you have any experience in creating login systems or you know a lot of security recommendations, I would like you to tell me that your experience is related to such problems if you have not found a suitable solution.

Thank you for your time.

+4
source share
3 answers

Jasypt definitely lets you do this password check, so the code that checks the password is fine.

The main comment I have is that there are two things in this method.

  • Getting sql connection
  • print a connection message on the console
  • getting user
  • check that it is not null
  • password verification using internal StrongPasswordEncryptor

The value of everything in this method is hardcoded

To make it better, I would:

  • use Log4j registration system
  • separate the connection configuration somewhere else (property file ...)
  • end up using a connection pool (here is one example for MySQL
  • don't have enpty locks, throw an exception, or at least log it, so you know what happens.
  • also, if you want to change the Jasypt parameters , you must make a password encryption mechanism outside this method.

Anyway, just a few things to make it more modular.

Now in production systems, most people will prefer to use a framework such as Apache Shiro , so that they can easily change the authentication mechanism, as well as easily configure roles and groups.

Voila. Hope this answer shed light.

+1
source

Given that the username is unique in the system, your decision to read user information and compare the password hash is in order and widely used. No security risk is involved as long as all processing is done on the server side.

However, if you want to use this code in a practical application, you should not create a connection every time, but consider using connection pools such as apache commons dbcp, which further simplifies development;)

0
source

also uses jasypt 1.8 library for password encryption

You SHOULD NOT encrypt passwords. You must unilaterally use them and compare hashes. You should not provide anything that can be interpreted legally as a way to get to know someone else. Otherwise, you lose legal unpaid transactions, and this is serious enough to get you out of business. You need to seek advice on this matter, this is really serious.

0
source

More articles:


All Articles