Home/ Questions/Q 6106785
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-23T14:07:00+00:00

In my web app which uses servlets and hibernate. I need to authenticate a

  • 0

In my web app which uses servlets and hibernate. I need to authenticate a Customer who enters a password.

If he is already in database, I need to check if his password matches that of the record in db.For a new Customer, I want to take a password and create a record for him.
I tried to do it this way for the scenarios.

Existing Customer enters an emailAddress and password

String email = req.getParameter("emailAddress");
String password = req.getParameter("password");
Customer cust = dao.findByEmailAddress(email);

Now, how do I check if this cust object is associated with a password and that matches what the user entered? Manning’s hibernate book example stores password as a String in Customer class. Is this a good idea? How will this be stored in database?

When using hibernate, how can this be handled? I have heard people mentioning about storing passwords as hash. But I am not very sure how I can do this in my app.

Can someone tell me how I can tackle this?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You have to decide how to store passwords. If you store them as a String in a Hibernate entity, they will be stored in a varchar in database, in clear text. Anyone having access to the database will thus be able to see them. Authenticating in this case consists in comparing the sent password with the one in database.

    There are two other possibilities

    The first one consists in encrypting them with a secret key before storing them in database. But this secret key will have to be stored somewhere in order for your application to decrypt them and compare the decrypted password with the one sent by the user. But it could at least reduce the visibility of the password only to the persons having acces to the application deployment directory. Authenticating in this case consists in decrypting the password stored in database with the secret key, and compare it with the password sent by the user. If they are equal, then the user sent the correct password.

    The last possibility would be to use a one-way hash algorithm (like SHA-1, for example), also known as message digest algorithm. This way, there is no need for a secret key, and it would be very hard (read : nearly impossible) for anyone to get access to the password (if the password is salted). The drawback of this solution is that if a user looses his password, you won’t be able to send him. The only possibility is to reset him to a new value, send this new password to the user and ask him to choose a new one. Authenticating the user, in this case, consists in hashing the password he sends and comparing with the hash stored in database.

    Read http://en.wikipedia.org/wiki/Salt_(cryptography) for more detailed explanations.

    • 0