I'm trying to implement a login feature in my project. In order to make it "secure" I whant to try to use the user system provided by phpmyadmin (my tool to manage my databases) rather than login in with the root user and then store usernames and passwords in a table and verify them etc.
I tried to add a new user in phpmyadmin and then I looked the SQL code that represented the code to add a new user :
CREATE USER 'username_test'#'localhost' IDENTIFIED WITH mysql_native_password AS '***';
GRANT SELECT ON *.* TO 'username_test'#'localhost' REQUIRE NONE WITH MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;
GRANT ALL PRIVILEGES ON `restaurant_app`.* TO 'username_test'#'localhost';
So my goal was to use this SQL to register-login users in my app. But I can't figure out how to provide the password, I don't fully understand the first part of this command. More over, I would like you to tell me if using the phpmyadmin user feature is a good idea or if I should use the classic way to do this : connect to the database using (user:"root", passwd:"") and look into my own table containing all the users logins ?
No, it is not a good idea. You can use bcrypt to store hashed passwords instead of plain text passwords. In the bacend you would hash the password that comes from the front-end and compare that value with the one in the database.
You can read this post to see some examples.
Related
So we are running a opensource pos project named "chromispos" based on unicenta. Sadly we have lost the database root password and we would like to retrieve it. The database runs locally with wampp in MySQL. I know the fact it is possible to change the database password for the root user but since we cannot change the password again in the POS software it will not connect anymore.
Is there anyway I can retrieve the password? This is the source file of the en/decryption:
https://github.com/micolous/Openbravo/blob/master/src-pos/com/openbravo/pos/forms/AppViewConnection.java
The hash to be decrypted:
crypt:6FF1981268FBCD0CBB9DB2A39005780D
The root password will be stored somewhere in chromispos if that is still operational.
Alternately create a new database user with the same access level and use this as the user root access. After starting with skip-grant-tables, copy the root user row from mysql.user changing the username and password columns.
I created python script that sends notifications when result declared but I want to make website that takes data of student email id and store in database.
Now here problem is that I don't know django framework so it takes time to make website.
Java, database connection, Data insertion,
Servelet calling easily do that by me.
Want to know way that java html css takes input from user and stores in database and then python program retrieves that data.
Hope you understand my question.
If you know python, I think Django might be a good choice for you. Django itself attempts to support as many features as possible on the backend. You only need to configure the database parameters in settings.py and Django ORM can automate the transfer of data stored in tables into objects. You don't have to implement the features yourself and it saves you tons of time.
Django has its own ModelForm class. It maps to the Models(eg. Student), it is quite easy to submit your Student info and store it in db.
# settings.py
DATABASES = {
'default': {
'ENGINE': 'django.db.backends.mysql',
'OPTIONS': {
'read_default_file': '/path/to/my.cnf',
},
}
}
# my.cnf
[client]
database = NAME
user = USER
password = PASSWORD
default-character-set = utf8
If you insist using Java to implement the database backend, for sure you can share it with python. Some choices like JDBC, Hibernate and Mybatis.
Yes you can share the DB, you'll have to install the corresponding dependencies for connecting python to the DB as well as for Java. I've done this with postgresql, mysql and mssql
I've create an application LOGIN/REGISTER with this tutorial.
My problem is, if I put nothing on the register view of my app (name, username, age, password), it create an user on my table with nothing inside (just a number on "user_id" column) and I can sign in with nothing in "username" and "password" on the login view of my app.
And all my LOGIN/REGISTER android app becomes useless...
If you don't understand what I say, you can try my app.
For information, I've change some element to not give you all access to my app :
In "LoginRequest.class", I have change my website by xxx at this line :
private static final String LOGIN_REQUEST_URL ="http://xxxx.net/Login.php";
In "RegisterRequest.class", I have change my website by xxx at this line :
private static final String REGISTER_REQUEST_URL ="http://xxxx.net/Register.php";
In "Login.php", I have change my information at this line :
$con = mysqli_connect("mysql10.000host.com", "axxxxxxx_user", "passwordZ", "ayyyyyyy_data");
In "Register.php", I have change my information at this line :
$con = mysqli_connect("mysql10.000host.com", "axxxxxxx_user", "passwordZ", "ayyyyyyy_data");
Thank you for your help.
The only thing you need to do is validations
Put validation while registering and login. Don't call API if username, password and other fields are blank.
You need to check if user is entering a proper email-id , password should be more then 6 characters with combination of number and special character like stuff.
And in your server side do write procedures to validate the username or passwords.
You can also use an ORM which can protect you from injections.
Simple regex to vaid email-id would be
/^(?!(?:(?:\x22?\x5C[\x00-\x7E]\x22?)|(?:\x22?[^\x5C\x22]\x22?)){255,})(?!(?:(?:\x22?\x5C[\x00-\x7E]\x22?)|(?:\x22?[^\x5C\x22]\x22?)){65,}#)(?:(?:[\x21\x23-\x27\x2A\x2B\x2D\x2F-\x39\x3D\x3F\x5E-\x7E]+)|(?:\x22(?:[\x01-\x08\x0B\x0C\x0E-\x1F\x21\x23-\x5B\x5D-\x7F]|(?:\x5C[\x00-\x7F]))*\x22))(?:\.(?:(?:[\x21\x23-\x27\x2A\x2B\x2D\x2F-\x39\x3D\x3F\x5E-\x7E]+)|(?:\x22(?:[\x01-\x08\x0B\x0C\x0E-\x1F\x21\x23-\x5B\x5D-\x7F]|(?:\x5C[\x00-\x7F]))*\x22)))*#(?:(?:(?!.*[^.]{64,})(?:(?:(?:xn--)?[a-z0-9]+(?:-[a-z0-9]+)*\.){1,126}){1,}(?:(?:[a-z][a-z0-9]*)|(?:(?:xn--)[a-z0-9]+))(?:-[a-z0-9]+)*)|(?:\[(?:(?:IPv6:(?:(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){7})|(?:(?!(?:.*[a-f0-9][:\]]){7,})(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,5})?::(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,5})?)))|(?:(?:IPv6:(?:(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){5}:)|(?:(?!(?:.*[a-f0-9]:){5,})(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,3})?::(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,3}:)?)))?(?:(?:25[0-5])|(?:2[0-4][0-9])|(?:1[0-9]{2})|(?:[1-9]?[0-9]))(?:\.(?:(?:25[0-5])|(?:2[0-4][0-9])|(?:1[0-9]{2})|(?:[1-9]?[0-9]))){3}))\]))$/iD
I have encrypted password and stored into mysql table,actually couple of table are there to store different user credentials but column name(PASSWORD) is same in all tables.
There are so many scenario's are there in my project to connect different servers with user credentials.So My requirement is rather than decrypt password in all places(after select statement), need to decrypt in a common area ,it could be Listener or some thing.
When PASSWORD column find in select statement need to decrypt password.
please suggest how to achieve?
Thanks,
Raj
Hi I have read Glassfish 3.1.2's JDBCRealm has a new Password Encryption Algorithm field. What is it for? and googled for similar topics but it seems no definitive answer has been published.
In short, I have a jdbc realm working in glassfish 3, when I upgrade to 3.1.2, same configuration does not work. According to the previous thread, I have set the JaasContext to jdbcDigestRealm (in addition to jdbcRealm which also does not work), set the Digest Algorithm to MD5 (I used MD5 in v 3 and it worked). For Password Encryption Algorithm I tried 'blank', and 'hex', both do not work.
Could someone please tell me how I should configure. My credentials table is based on mysql with MD5 hashed passwords according to http://jugojava.blogspot.hk/2011/02/jdbc-security-realm-with-glassfish-and.html.
I succeed to make it works with the following settings. I add a few comments with my current (mis)understanding.
JAASContext = "jdbcRealm" => The value must be set according to file 'glassfish3/glassfish/domains/domain1/config/login.conf'. By default, the class 'com.sun.enterprise.security.auth.login.JDBCLoginModule' (which implement the JDBCrealm) is configured under "jdbcRealm". There is another login module configured under "jdbcDigestRealm". This one is not part of the current topic.
JNDI = "..." => I put there the name of a datasource that already
exists for the database of my application.
UserTable = "MY_SCHEMA.usertable" => The 'full qualified name' of the
database table.
UserNameColumn = "userid" => column name where you store the user
name
PasswordColumn = "password" => column name where you store the (hash
of the) user passsword.
GroupTable = "MY_SCHEMA.grouptable" => The 'full qualified name' of
the database table.
GroupTableUserNameColumn = "" => no clue about the usage of this...
GroupNameColumn = "groupid" => column name where you store the user
name
AssignGroups = "" => As far as I understand the GF code, this is a way to assign a list of groups to every user registered in the realm. It's kind of hard-coding. More or less every realm available on GlassFish (could) make use of this property.
DatabaseUser = "" => As I understood, you need this if you aren't
using the JNDI (the second parameter).
DatabasePassword = "" => As I understood, you need this if you aren't
using the JNDI (the second parameter).
DigestAlgorithm = "SHA-256" => 'MD5', 'SHA-1' or 'SHA-256'. 'SHA-256'
is the default. Let's take 'SHA-256'.
PasswordEncryptionAlgorithm = "AES" => The digest algorithm is applied to the password before storing the password. The new password encryption is an added layer of security which allows the "hash" (the string after the DA has been applied to the password) to be encrypted. In this way, if an attacker retrieves the passwords from the database they are encrypted and hashed. It's highly unlikely that such data would be useful to an attacker.
Encoding = "Hex" => You have the choice between 'Hex' or 'Base64'.
Hex was convenient for me.
Charset = "" => As my database does not have an 'exotic' charset, I
do not think I need to set something smart there. I leave it blank
and it works.
Hope it will help.
PS: If somebody have a link to REAL documentation (not the official one which is completly useless at this moment), please, put a link here.
I spent a while today playing with this (Java EE 7, Glassfish 4 on Ubuntu 12.04). As it turns out, most of the fields on the Realm Page are not needed. The following fields were the only ones that are needed to establish a successful connection to the database.
Realm Name - Any name, as long as you use the same name in web.xml
JAAS Context - Any Name
JNDI - Any Name (I used jdbc/DB Name)
User Table - Table which contains all the users
User Name column - Column in the users table which contains your user-names
Password - Column which contains hashed passwords (SHA 256)
Group Table - Table which contains groups
Group Name Column - Column in the groups table which contain group names
I left everything else blank. My database password column had the password hashed using SHA 256.
I tested this by filling in random text in the 'Password Encryption' field and saving it. Redeployed my application and restarted Glassfish 4. Still worked. This means that the field, while still present is not being read anymore.
P.S - The real documentation as mentioned in the first answer is still quite poor.
First things first. What is your log output?
What are the symptoms of your "not working problem"?
Did basic-authentication pop-up window occurred?
Did you get
No login module configured for jdbcDigestRealm
or other error message?
change security log level if don't have any log output from unsuccessful login attempt.
I have two variations to the jdbcRealm issue. The first existed from a domain that was created using GF 3.1.1 which continued to work after updating the GF server to the 3.1.2.2 release. I then created a new domain on this server. The new domain was configured using the jdbcRealm. All of the parameters were the same for the 3.1.1 configuration except for the "Password Encryption Algorithm" which didn't exist under the 3.1.1 configuration screen. When I tried to login using my Web Application I was constantly getting the "jdbcrealm.invaliduserreason[#]" error in the log file.
The only way that I was able to resolve and to successfully login to my application was by adding the AES to the "Password Encryption Algorithm" field. I saved the change and restarted the server and once again I am able to successfully authenticate users from the jdbcRealm connection.
There is a somewhat more detailed guide here -> http://is.gd/Jx6Gnp