As part of my daily routine, I have the misfortune of administering an ancient, once "just internal" JSP web application that relies on the following authentication schema:
It is hard to understand the exact scheme you are thinking about but I assume the password is coming in from a request and you want to calculate the MD5 hash in a JSP that the request is being sent to. After that you can compare it to the pre-computed MD5 version. You could even be more secure if it isn't being done with https and use a javascript MD5 library to hash the password before submitting it.
You can MD5 a string in Java like this:
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

try
{
    String digestInput = "queen";
    MessageDigest messageDigest = MessageDigest.getInstance("MD5");
    // name the charset explicitly so the digest does not depend on the platform default
    messageDigest.update(digestInput.getBytes(StandardCharsets.UTF_8));
    // java.util.Base64 replaces the internal sun.misc.BASE64Encoder, which is no longer available
    String digestString = Base64.getEncoder().encodeToString(messageDigest.digest());
    // digestString now contains the md5 hashed password
}
catch (Exception e)
{
    // do some type of logging here
}
First of all, you should move that logic from the JSP to a separate class.
Second, you shouldn't keep plain-text passwords anywhere in the code. Use some kind of one-way hash function (MD5, SHA-1, ...) and keep only password hashes.
When checking a user's password, first hash it and then compare the hashes.