Secure Login

Forum about the Oracle JDeveloper tool, ADF, OAF, etc. (Not intended for learning the Java language in general)
Mick
Rank: Senior Programmer
Posts: 69
Joined: Fri, 08 Feb 2008 11:20 am
Location: São Paulo - SP

Hi everyone ...

What is the best way to implement a login page that is secure, and how do I implement it?

Encryption ... https ....

Does anyone know of good material you could point me to?
victorhugomuniz
Moderator
Posts: 1396
Joined: Fri, 01 Feb 2008 2:06 pm
Location: Rio de Janeiro - RJ

It is not quite what you want .. but this material is very comprehensive http://blogs.oracle.com/schan/newsItems ... s/security
https .. http://www.javafree.org/javabb/viewtopic.jbb?t=837
talk to you ...
What do you really want ???
why https?
Mick
Rank: Senior Programmer
Posts: 69
Joined: Fri, 08 Feb 2008 11:20 am
Location: São Paulo - SP

Well actually .. it does not have to be https ... it was just a hypothesis ...

I need to make a login screen ... but I do not want the password to travel in the clear .. and I wanted to know what the best way to do it is ....
victorhugomuniz
Moderator
Posts: 1396
Joined: Fri, 01 Feb 2008 2:06 pm
Location: Rio de Janeiro - RJ

now we're talking

there is a thing called realm .. it is the best practice 8)
http://www.oracle.com/technology/tech/j ... -JAAS.html
more or less ... you will have a table of users, map it in your web.xml along with a realm filter, and then it does everything for you ... kkkk .. it will authenticate your user (encrypted), put it in the session and make a session.getUserData() available for you to use wherever you want

OK?!?!?!
Good luck
P.S.: Then I want to see a tutorial of yours posted here on the site about this .. Realm in OC4J ... Can I look forward to it?
Mick
Rank: Senior Programmer
Posts: 69
Joined: Fri, 08 Feb 2008 11:20 am
Location: São Paulo - SP

Humm ...

I will study more then ;;;
Right now I am a bit short on time .. and I need to solve some things first ,,,, but leave it with me ... I'm sure I'll study it .. and if I can make it nice .. I'll put together a tutorial, yes. .. :D
victorhugomuniz
Moderator
Posts: 1396
Joined: Fri, 01 Feb 2008 2:06 pm
Location: Rio de Janeiro - RJ

So Mick ...

I gave you the best practice, but if you want something more urgent, say so and I'll try to give you an idea to solve your problem right away

In my TCC (final-year project) I did something very simple .. implementing a login screen and putting an object in the context, after looking it up in the database and validating it, but I had no encryption, right


Anything, we are here
Mick
Rank: Senior Programmer
Posts: 69
Joined: Fri, 08 Feb 2008 11:20 am
Location: São Paulo - SP

Well it's like this ...

I have two projects ... one is simpler .. and it's the one I have more urgency with ... it has a maximum of 10 pages .... and since I do not have much time .. I did something quite manual ... I do not know if it's the most correct way ... but I put a scriptlet on the pages to check whether the session had been started .... and since I made a user and password registration .. before the password goes to the database, I encrypt it with the "sha-1" algorithm:

Code:

import java.math.BigInteger;
import java.security.MessageDigest;

// SHA-1 digest of the password, rendered as a hex string and stored in place of the password
MessageDigest md = MessageDigest.getInstance("SHA-1");
BigInteger hash = new BigInteger(1, md.digest(password.getBytes("UTF-8")));
// %040x pads to 40 hex chars; hash.toString(16) would drop leading zeros and break comparisons
String password3 = String.format("%040x", hash);

So when the user types the password .. I encrypt it .. and compare ....

the other project ... is much bigger .. and long-term ... so I think there will be time to study the realm you suggested to me better ..
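An added example, not Mick's code or anything from the thread: the posted SHA-1 hex scheme with its hex string zero-padded, beside a salted variant and a constant-time comparison; the "saltHex:digestHex" storage format and the class and method names are my own assumptions. It keeps SHA-1 to match the post; a purpose-built slow password hash such as PBKDF2 is what one would pick for new code.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

public class PasswordHashes {
    // The posted scheme: unsalted SHA-1 as hex, zero-padded to 40 chars because
    // BigInteger.toString(16) drops leading zeros and such digests would never compare equal.
    static String sha1Hex(String password) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-1");
        BigInteger hash = new BigInteger(1, md.digest(password.getBytes(StandardCharsets.UTF_8)));
        return String.format("%040x", hash);
    }

    // Salted variant, assumed storage format "saltHex:digestHex": a random per-user
    // salt keeps two users with the same password from sharing one stored value.
    static String saltedSha1(String password, byte[] salt) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-1");
        md.update(salt);
        byte[] digest = md.digest(password.getBytes(StandardCharsets.UTF_8));
        return toHex(salt) + ":" + toHex(digest);
    }

    // Recompute with the stored salt and compare in constant time (MessageDigest.isEqual),
    // so a wrong guess takes the same time however many leading characters match.
    static boolean verify(String password, String stored) throws NoSuchAlgorithmException {
        byte[] salt = fromHex(stored.split(":", 2)[0]);
        byte[] recomputed = saltedSha1(password, salt).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(recomputed, stored.getBytes(StandardCharsets.UTF_8));
    }

    static String toHex(byte[] b) {
        return String.format("%0" + (b.length * 2) + "x", new BigInteger(1, b));
    }
    static byte[] fromHex(String s) {
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++)
            out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        return out;
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);                   // fresh salt per registration
        String stored = saltedSha1("s3cret", salt);           // the value written to the database
        System.out.println(sha1Hex("s3cret").length());       // 40, always
        System.out.println(verify("s3cret", stored) + " " + verify("wrong", stored)); // true false
    }
}
```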
victorhugomuniz
Moderator
Posts: 1396
Joined: Fri, 01 Feb 2008 2:06 pm
Location: Rio de Janeiro - RJ

scriptlets are a very 'ugly' thing ... kkkk
but I confess that I have solved problems with them too
in the end ... there are times when elegance has to be set aside, because what really matters is that it works

8)
Mick
Rank: Senior Programmer
Posts: 69
Joined: Fri, 08 Feb 2008 11:20 am
Location: São Paulo - SP

haha ... it's true ..... :lol:
Mick
Rank: Senior Programmer
Posts: 69
Joined: Fri, 08 Feb 2008 11:20 am
Location: São Paulo - SP

Hi Victor ....

I need your help again !! ... hehe ..

I cannot understand how this realm works ...
I even found an article that seems to be what I need:
http://technology.amis.nl/blog/?p=1462
But I cannot understand at what point the link is made between the users that are in my table in the database and the application ... I saw that JDeveloper has an option in:

Tools -> ADF Security Wizard ....

I define all these things ... but so far I do not understand how it authenticates ... that is .. how do I get the user and password that are in the database and tell the application .. . ??

thanks ...
victorhugomuniz
Moderator
Posts: 1396
Joined: Fri, 01 Feb 2008 2:06 pm
Location: Rio de Janeiro - RJ

OK ... here we do the following ..

We have SecurityFilter.java, which does the login validation
We have a file called security-mapping.xml that maps all the database functions that check the user's permissions, and also the responsibility KEY defined in EBS

and in web.xml, besides registering the filter, we set the local test settings (development machine)

Code:

    <!-- register the security filter -->
    <filter>
        <filter-name>Security Filter</filter-name>
        <filter-class>br.com.br.shared.security.view.servlet.SecurityFilter</filter-class>
        <init-param>
            <param-name>securityManager.datasourceName</param-name>
            <param-value>java:comp/env/jdbc/SecurityManagerDS</param-value>
        </init-param>
        <init-param>
            <param-name>securityManager.mappingResource</param-name>
            <param-value>br/com/br/shared/security/security-mapping.xml</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>Security Filter</filter-name>
        <url-pattern>*.jsp</url-pattern>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>

    <!-- local test configuration – START -->
    <!-- must not exist in OC4J with SSO -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>all</web-resource-name>
            <url-pattern>*.jsp</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
    </security-constraint>
    <security-role>
        <role-name>admin</role-name>
    </security-role>
    <!-- local test configuration – END -->
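An added example of the filter approach described in the post above; this is my own hypothetical class, not the SecurityFilter referenced there, and it does none of the database mapping that filter is said to do. It lets the login page through, sends every other *.jsp request to it when the session carries no user object, and rotates the session id at login; the session attribute name and the loginPage init-param are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter for the web.xml mapping in the post above (*.jsp, REQUEST and FORWARD).
public class SessionGuardFilter implements Filter {
    static final String USER_ATTR = "userData";      // assumed session attribute name
    private String loginPage;

    public void init(FilterConfig cfg) {
        // <init-param> "loginPage" (e.g. /login.jsp) is an assumed parameter name
        String p = cfg.getInitParameter("loginPage");
        loginPage = (p != null) ? p : "/login.jsp";
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse out = (HttpServletResponse) res;

        // The login page itself must stay reachable, or nobody could ever log in.
        if (loginPage.equals(http.getServletPath())) {
            chain.doFilter(req, res);
            return;
        }
        // getSession(false): never create a session just to inspect it.
        HttpSession session = http.getSession(false);
        if (session == null || session.getAttribute(USER_ATTR) == null) {
            out.sendRedirect(http.getContextPath() + loginPage);   // fixed, server-chosen target
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }

    // Called by the login handler once the credentials have been verified: invalidating
    // the pre-login session and starting a new one rotates the session id.
    static void establishLogin(HttpServletRequest http, Object userData) {
        HttpSession old = http.getSession(false);
        if (old != null) old.invalidate();
        http.getSession(true).setAttribute(USER_ATTR, userData);
    }
}
```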
victorhugomuniz
Moderator
Posts: 1396
Joined: Fri, 01 Feb 2008 2:06 pm
Location: Rio de Janeiro - RJ

Look what I found ... see if it can help you http://www.javaworld.com/javaforums/sho ... ed&sb=5&o=
Mick
Rank: Senior Programmer
Posts: 69
Joined: Fri, 08 Feb 2008 11:20 am
Location: São Paulo - SP

Victor ... I do not know if I'm on the right track .. !!!
Correct me if I'm wrong !!! ...

I edited JDeveloper's 'login-config.xml' and added an 'application-policy', like the one in the example from the link you gave me ..

Code:

<application-policy name="example">
    <authentication>
        <login-module code="org.jboss.security.ClientLoginModule" flag="required">
        </login-module>
        <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                      flag="required">
            <module-option name="managedConnectionFactoryName">
                jboss.jca:service=LocalTxCM,name=SybaseDB
            </module-option>
            <module-option name="dsJndiName">
                java:/SybaseDB
            </module-option>
            <module-option name="principalsQuery">
                Select senha from login where login =?
            </module-option>
            <module-option name="rolesQuery">
                Select Role 'Roles', RoleGroup 'RoleGroups' from Roles where PrincipalID =?
            </module-option>
        </login-module>
    </authentication>
</application-policy>

But from what I understood ... I need to make a 'LoginModule', and reference this 'policy' through a LoginContext ... right? ...

And then? .. How do I refer to this policy inside JDeveloper? ...

Correct me if I'm going the wrong way !!

and once again thanks .. for the attention and patience !!
victorhugomuniz
Moderator
Posts: 1396
Joined: Fri, 01 Feb 2008 2:06 pm
Location: Rio de Janeiro - RJ

Code:

3. jboss-web.xml
Create a file jboss-web.xml and place the following code

<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
    <security-domain>java:/jaas/example2</security-domain>
</jboss-web>

example2 is the name of the security domain which we specified in the application policy of login-config.xml
Copy this file into your application's WEB-INF folder

The article is for JBoss and you use OC4J, right ...

I honestly do not know how you would do this ..

Here we use the filter as I said above

Good luck