Crypting the user password

by Michela Frigerio
4,301 views Published on May 17, 2013
Applies to: All versions
Table of contents

Introduction

People have a habit of using the same password over and over, and so hashing the password in the database it is a best practice that you should use to protect this information from attacks. In fact, if the database of your Web application is accidentally compromised, your organization will not be the one that makes the user's other accounts compromised. Even though people should not use the same passwords for different accounts, they do. This article explains how you can encrypt passwords using WebRatio Platform.

How to encrypt the password

If you want to crypt the user password in the database you can follow these steps:

  1. Select the "password" attribute in the Domain Model that you want to crypt.
  2. Move to its Properties View and select the Mapping tab.
  3. Select a cipher algorithm in the Crypt Algorithm property, in this case you can find these options:
    • DES3 Unicode.
    • Nullable DES3 Unicode.
    • DES3.
    • PBKDF2WithHmacSHA1 (we recommend using this strong password hashing).

How to create a custom crypting algorithm

If you want to add new algorithms, you can set it in the Runtime section in the Preferences window.

Let's suppose that you want to include the MD5 algorithm in the crypt algorithm list. You have to create a Class implementing your own algorithm and then make it available in the Crypt Algorithm drop down property. You can follow these steps to accomplish this task:

  1. Create a Java Project which contains the class implementing the CryptAlgorithm interface:
  • Select File > New > Project... > Java Project from the main menu. Type a name for the project and press on the Finish button.
  • Create a package inside the new Java Project giving it a name of your choice.
  • Select File > New > Class from the main menu to add the "MD5CryptImplementation" Class in the package.
  • Write in the class the java code like the following:
package com.webratio.rtx.core;
import java.security.MessageDigest;
import com.webratio.rtx.CryptAlgorithm;

/**
 * The MD5 CryptAlgorithm.
 */
public class MD5CryptImplementation implements CryptAlgorithm {

    public String encrypt(String clearTextString) {
        String cryptedString = null;
        try {
            MessageDigest digest = MessageDigest.getInstance("MD5");
            digest.reset();
            digest.update(clearTextString.getBytes("UTF-8"));
            byte[] cryptedBytes = digest.digest();
            StringBuffer buf = new StringBuffer();
            for (int i = 0; i < cryptedBytes.length; i++) {
                buf.append(Integer.toHexString(0xFF & cryptedBytes[i]));
            }
            cryptedString = buf.toString();
        } catch (Exception e) {
        }
        return cryptedString;
    }

}
  1. You can correct the reported errors in the Class, by moving to the Package Explorer and right-clicking on the Java Project, choose the Build Path > Add Libraries.. command. In the opening dialog, choose the WebRatio Library option. Press the Next button and then check the "WebRatio Runtime Framework" and the "WebRatio Struts Extension" options. Press the Finish button.
  1. Right-click on the Java Project and choose the Export > expand the Java floder > JAR File option. Press the Next button and choose the destination folder. Usually the destination folder is the WebContent/WEB-INF/lib directory of your Web Project. In this way every time you generate the Web Project you have also the last version of the "MD5CryptImplementation" Class.
  2. Add the MD5 algorithm to the WebRatio Crypt Algorithms set:
  • Select Window > Preferences from the main menu. Expande the WebRatio node, select the Runtime section and press New... to add a new algorithm.
  • Specify the Algorithm name (e.g., "MD5") and the Class name (e.g., "com.webratio.rtx.core.MD5CryptImplementation"). Then press the confirm button.

  1. The MD5 algorithm can be used for crypt a password. The Crypt Algorithm property of the "password" type attribute should show the MD5 menu item.

How to check if the user password is valid

Suppose that you want to ask to the user to renew his password, you have to check if the old password is valid (equal to the stored version) and in the positive case store the new one.

You can prepare a Groovy script and add this code:

#input String password
String cryptedPassword = com.webratio.rtx.core.CryptHelper.getCryptAlgorithm("com.webratio.rtx.core.NullableDES3UnicodeCryptImplementation").encrypt(password);

In this way the cryptedPassword there will be crypt version of the password entered by the user and you can compare it with the value retrieved from the database. If the cipher algorithm is different you have to change it; you can choose among the crypt algorithms available in the Runtime section of the Preferences Window.