3

Okay, so I have most of the pieces, but I can't seem to put them together properly. I'm basically trying to protect database data with a simple authentication process (maybe with a GUI) to ensure that the correct people are viewing the data. Right now I'm using UnboundID to handle the actual authentication, although I am open to other methods such as JAAS. Here is the method that I wrote for that (the bypass is for testing purposes):

public static boolean authenticate(String username, String password) {
    if (username == null || password == null) {
        return false;
    }

    if (username.equals("bypass") && password.equals("bypass")) {
        return true;
    }

    try {
        LDAPConnection conn = new LDAPConnection(AUTH_URL,AUTH_PORT);
        BindRequest request = new SimpleBindRequest(username,password);
        BindResult result = conn.bind(request);
        return result.getResultCode().equals(ResultCode.SUCCESS);
    } catch (LDAPException ex) {
        ex.printStackTrace();
        return false;
    }
}

This code is obviously dangerous due to the fact that the password is being inputted as plaintext. I did some digging and discovered that I should be using something like SSL for the actual request to protect the password. This raised another question: if I'm sending the request via SSL, don't I still need to somehow supply the password in plaintext form before I send the request? Isn't this dangerous? I'm surprised something like password authentication isn't done by a simple API since so many applications need to be secure. I'm very new to this stuff and would appreciate some guidance. Thanks!

Niko
  • 984
  • 1
  • 7
  • 15

2 Answers2

1

Use TLS everywhere including your LDAP connection. As long as you follow good TLS connection practices your connection is safe. -jim

jwilleke
  • 10,467
  • 1
  • 30
  • 51
  • Hm, well I suppose using TLS would raise the same question as using SSL. At some point, the user will have to supply a password. I'm a bit confused on how they do so; how can I have them input a password without storing or referencing the plaintext password? – Niko Jun 19 '15 at 12:54
0

You could use Stormpath's Servlet Plugin to authenticate your users. You only need to follow these very simple steps to create your ready to use Web Application.

You can also take the example Servlet App (completely Open Source) as the foundations for your Web App.

You will get:

  1. Out of the box complete Web Application
  2. Complete User Management: user authentication, user management, user storage, workflows, etc.
  3. API Management
  4. Hassle free world-class Security
  5. Frequent free updates

In summary, the workflow will be like this. You will redirect your users to the Login page (or Registration for them to sign up first). Once your user is properly authenticated (via login) you can get your own code executed via the Next URI or the SuccessfulAuthenticationRequestEvent.

Disclaimer, I am an active Stormpath contributor.

mario
  • 1,154
  • 8
  • 13