As part of my daily routine, I have the misfortune of administering an ancient, once "just internal" JSP web application that relies on the following authentication schema:
First of all, you should move that logic from the JSP to a separate class.
Second, you shouldn't keep plain-text passwords anywhere in the code. Use some kind of one-way hash function (md5, sha1, ...) and keep only password hashes.
When checking a user's password, first hash it and then compare the hashes.