
TOPIC: password check in java

password check in java 3 years 7 months ago #54268

  • robeppef
Hello,
I am working on a small Java tool as a corporate extension for the evaluation of LimeSurvey surveys.
After starting it, the program should check the user credentials. Therefore it has to compare the passwords.

I found out that LimeSurvey hashes the password with the help of SHA256 and the result is stored in a BLOB field.

I am hashing the typed password with the attached method first and then I am selecting the String-converted password object from the database, but they are never equal, even though the typed password is correct.

I attached the SHA256 method and the DB method too:
 
 
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

//the method, I hash the typed password:
private String getSHA2(String str) {
	MessageDigest md;
	try {
		md = MessageDigest.getInstance("SHA-256");
		// getBytes() without an argument uses the platform default charset
		md.update(str.getBytes());
		byte byteData[] = md.digest();
		// convert the byte to hex format method 1
		StringBuffer sb = new StringBuffer();
		for (int i = 0; i < byteData.length; i++) {
			sb.append(Integer.toString((byteData[i] & 0xff) + 0x100, 16)
					.substring(1));
		}
		return sb.toString();
	} catch (NoSuchAlgorithmException e) {
		// TODO Auto-generated catch block
		e.printStackTrace();
	}
	return null;
}
 
 
.
.
.
 
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

//the method to check the hashed pw against the password, saved in the Database
public static int checkPW(String username, String pw) {
	try {
		open_static_Connection();
		PreparedStatement sqlGetUserPW = static_con
				.prepareStatement(select_user_id);
		sqlGetUserPW.setString(1, username);

		ResultSet rsUser = sqlGetUserPW.executeQuery();

		while (rsUser.next()) {
			// reads the password column as character data and converts it to a String
			java.sql.Clob obj = rsUser.getClob("password");
			String str = obj.getSubString(1, (int) obj.length());
			System.out.println("str " + str);

			// compares the hex string from getSHA2 with the converted column value
			if (pw.equals(str)) {
				return rsUser.getInt("uid");
			} else
				return -1;
		}
	} catch (SQLException e) {
		e.printStackTrace();
	}
	return -1;
}
 
 
 


Can someone help?
Thanks a lot.

File Attachment:

File Name: code.txt
File Size: 1334
The administrator has disabled public write access.

Re: password check in java 3 years 6 months ago #54817

  • robeppef
Hello, does really no one know the answer?
The login is essential for my tool :-(

Re: password check in java 3 years 6 months ago #54824

  • Mazi
  • LimeSurvey Team
I think this should better be asked at a Java forum. It's not really Limesurvey specific because you already know how Limesurvey stores passwords.
Only guess I can make is that the result of a SHA256 hash is different at PHP/Java, but that would be strange.

Best regards/Beste Grüße,
Dr. Marcel Minke
(Limesurvey Head of Support)
Need Help? We offer professional Limesurvey support
Contact: marcel.minke(at)limesurvey.org
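
Added example, not part of the original thread and not LimeSurvey code: SHA-256 yields the same 32 bytes in PHP and Java for the same input bytes, so a mismatch like the one described in the question can come from how the digest is encoded or read rather than from the hash itself. The sketch assumes the BLOB holds either the raw 32-byte digest or its 64-character lowercase hex text (the thread does not say which) and that the password is hashed as UTF-8; the class and method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class StoredHashCheck {
    // SHA-256 over the UTF-8 bytes of the password (explicit charset is an assumption).
    static byte[] sha256(String password) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-256")
                .digest(password.getBytes(StandardCharsets.UTF_8));
    }

    static String toHex(byte[] data) {
        StringBuilder sb = new StringBuilder(data.length * 2);
        for (byte b : data) sb.append(String.format("%02x", b & 0xff));
        return sb.toString();
    }

    // 'stored' is the column read as bytes, e.g. ResultSet.getBytes("password"),
    // not as a Clob/String, so no character decoding touches the value.
    static boolean matches(String typed, byte[] stored) throws NoSuchAlgorithmException {
        byte[] digest = sha256(typed);
        byte[] expected;
        if (stored.length == 32) {          // assumption A: raw binary digest
            expected = digest;
        } else if (stored.length == 64) {   // assumption B: lowercase hex text
            expected = toHex(digest).getBytes(StandardCharsets.US_ASCII);
        } else {
            return false;                   // neither layout: reject
        }
        // MessageDigest.isEqual compares the arrays without an early exit.
        return MessageDigest.isEqual(expected, stored);
    }

    public static void main(String[] args) throws Exception {
        String pw = "correct horse";        // constructed sample password
        byte[] rawBlob = sha256(pw);        // constructed: column holding raw digest
        byte[] hexBlob = toHex(rawBlob).getBytes(StandardCharsets.US_ASCII);

        // Failure mode: a raw digest decoded as text never equals the hex string.
        String asText = new String(rawBlob, StandardCharsets.ISO_8859_1);
        System.out.println("text-decoded == hex: " + toHex(rawBlob).equals(asText));
        System.out.println("raw blob matches:    " + matches(pw, rawBlob));
        System.out.println("hex blob matches:    " + matches(pw, hexBlob));
        System.out.println("wrong password:      " + matches("wrong", rawBlob));
    }
}
```

Printing the length of the bytes returned by `getBytes("password")` for one known account (32 or 64) shows which of the two layouts the database actually uses.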