Struts2: how to safely store username and password from action to action

旧时难觅i 2021-01-25 11:51

In my login page I log in with a username and password (that I get from a JSP page), then I check LDAP and, if the credentials are correct, I continue browsing to other

1 answer
  • 2021-01-25 12:17

    Different passwords for different places

    You should use different passwords for your web application and LDAP. Right now, an attacker who discovers the LDAP password automatically gains access to your application, and vice versa.

    Force the user (that usually wants the same password everywhere because it's easy to remember) to choose a different password by checking its equality (against the LDAP one) when creating a new password in your webapp.

    Never save passwords

    You should not save users' passwords anywhere, because anyone with database access would be able to retrieve all the passwords.

    The correct way to go is not encryption, but one-way hashing (better with a salt, to prevent rainbow table attacks):

    1. hash the password when the user creates it, then save the result on db.
    2. when the user logs in, hash the password he enters, then check the resultant hash against the hash in the database.
    3. if the user forgets the password, reset it and ask him to pick a new one.

    In Java one of the best implementations out there is jBCrypt, based on BCrypt.

    Always prefer char[] to String for password handling

    Because it's safer, for different reasons, as Jon Skeet said :)

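As an added example (not code from the question or the answer) of the three hashing steps above and of carrying only the identity between actions: a jBCrypt-backed store plus a Struts2 login action that puts the username, never the password, into the session. PasswordStore, LoginAction, the in-memory map standing in for the database, and the "authenticatedUser" session key are assumed names; the jBCrypt (BCrypt.hashpw / gensalt / checkpw) and Struts2 (ActionSupport, SessionAware) calls are the real APIs.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import org.mindrot.jbcrypt.BCrypt;
import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.interceptor.SessionAware;

/** Hypothetical in-memory store standing in for the database column that holds the bcrypt hash. */
class PasswordStore {
    private final Map<String, String> hashes = new HashMap<>();
    // Hash of a throwaway value, checked for unknown users so they cost the same time as known ones.
    private static final String DUMMY_HASH = BCrypt.hashpw("not-a-real-password", BCrypt.gensalt(12));

    // Step 1: hash when the user creates the password. gensalt(12) picks a random salt and
    // cost 2^12; both are embedded in the resulting "$2a$12$..." string, so no separate salt column.
    public void register(String username, char[] password) {
        hashes.put(username, BCrypt.hashpw(new String(password), BCrypt.gensalt(12)));
        Arrays.fill(password, '\0'); // jBCrypt takes a String, so clear the char[] as soon as it is hashed
    }

    // Step 2: at login, re-hash the candidate with the salt from the stored hash and compare.
    public boolean verify(String username, char[] candidate) {
        String stored = hashes.getOrDefault(username, DUMMY_HASH);
        boolean ok = BCrypt.checkpw(new String(candidate), stored) && hashes.containsKey(username);
        Arrays.fill(candidate, '\0');
        return ok;
    }

    // Step 3: a forgotten password is never recovered, only replaced.
    public void reset(String username, char[] newPassword) { register(username, newPassword); }
}

/** Hypothetical Struts2 login action: only the identity travels to later actions, never the password. */
public class LoginAction extends ActionSupport implements SessionAware {
    private static final PasswordStore STORE = new PasswordStore();
    private Map<String, Object> session;
    private String username;
    private String password;
    @Override public String execute() {
        boolean ok = STORE.verify(username, password.toCharArray());
        password = null; // drop the plaintext field as soon as it has been checked
        if (!ok) { addActionError("Invalid credentials"); return INPUT; }
        session.put("authenticatedUser", username); // later actions read this key, not a password
        return SUCCESS;
    }

    @Override public void setSession(Map<String, Object> session) { this.session = session; }
    public void setUsername(String username) { this.username = username; }
    public void setPassword(String password) { this.password = password; }
}
```

Because jBCrypt's API takes String, the char[] advantage is limited to the caller's copy; the String created for hashing stays in memory until garbage collected.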