I have a Java web service and a Java web client making use of this service. One of the functions is to create a new user account. My two concerns are:
- How will I send the user’s password securely from the client.
- How will I store the user’s password securely on the server.
How can I achieve these? I know the theory basically behind security, security algorithms etc but can anyone give me some advice on how I should go about in coding? Could anyone point me to some good (and if possible not complicated) examples to follow since I found some examples on the Internet very contorted?
Thanks a lot and regards,
Krt_Malta
Typically, if you are concerned about the password being transmitted in the clear from the web client to the service, you would run the service through SSL.
On the back-end, I do not ever store the password in the clear, hashing it before storing it. Make sure to use salts. When the user logs in at a later date, I hash the password they submitted, and then compare the hashed value with the previously stored hashed value. If they match, then the user has authenticated. In my case there’s more to it than this (with remember me features, etc.), but that is the guts of it.
I use the Apache Shiro framework to help with much of this. It is fairly lightweight and doesn’t require a web-environment, but will work with one as well. It integrates with Spring and other solutions as well, but again, this is not required. Probably worth checking out.