
So I am attempting to make a simple chat messenger in Eclipse. At the moment I am stumped on how to compare the user's login details against those stored in a database table. I have an 'askName()' method that takes a username and password, and this needs to use my 'authenticate' method to check details stored in a Login table in the database.

I have been searching here and all over online, and have found a lot of code which has been useful for getting ideas. However, I have been banging my head against this for a while and am still very new to programming; any help would be greatly appreciated!

So at the moment inside the Client class I have these login methods:

public void askName()
{
    // get the clients name
    boolean b = true;
    // loop in case they enter a null name - aint nobody got time for that
    while(b == true)
    {
        out.println("What is your name?");
        String name = null;
        try {
            name = in.readLine();
        } catch (IOException e) {
            System.out.println("Can't read name");
        }           
        out.println("What is your password?");
        String password = null;
        try {
            password = in.readLine();
        } catch (IOException e) {
            System.out.println("Can't read password");
        }           
        if(name != null && password != null)
        {
            if(Authenticate(name, password))
            {
                this.username = name;
                b = false;
                out.println("Welcome " + this.username);
            } else {
                out.println("Invalid username/password combination!");
            }   
        }
        else
        {
            out.println("Please enter a valid username and password. Your name must contain at least one letter");
        }   
    }
}

private boolean Authenticate(String name, String password) { // added by Alex 18/03/14
    // Method to check the entered username/password is valid against the database

    // No database class at this point

    //Database database = new Database(); 

    return database.Authenticate(name, password);

}

I have managed to implement the database in class 'MyJDBC' and just need to figure out how to use my 'authenticate' method to check the details. I am using PostgreSQL. This is the current query I have made for checking login credentials "SELECT password FROM userlogin WHERE username ='"+name+"'"

package jdbc;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class MyJDBC {
    public static void main(String args[]) {
        System.out.println("PostgreSQL JDBC Connection Testing");
        try {
            Class.forName("org.postgresql.Driver");
        } catch (ClassNotFoundException e) {
            System.out.println("Where is your PostgreSQL JDBC Driver? "
                    + "Include in your library path!");
            e.printStackTrace();
            return;
        }
        System.out.println("PostgreSQL JDBC Driver Registered!");
        // the username to look up; taken from the command line here because
        // 'name' was never declared inside main()
        String name = args.length > 0 ? args[0] : "";
        Connection connection = null;
        Statement stmt = null;
        try {
            connection = DriverManager.getConnection(
                    "jdbc:postgresql://dbteach2.cs.bham.ac.uk:5432/user",
                    "username",
                    "password");
            stmt = connection.createStatement();
            // the query only selects the password column, so only that column
            // can be read from the result row (reading "Username" or "sid" here
            // would throw an SQLException)
            ResultSet rs = stmt.executeQuery("SELECT password FROM userlogin WHERE username ='" + name + "'");
            while (rs.next()) {
                String Password = rs.getString("password");
                System.out.println("Password = " + Password);
                System.out.println();
            }
            rs.close();
            stmt.close();
            connection.close();
        } catch (SQLException e) {
            System.out.println("Connection Failed! Check output console");
            e.printStackTrace();
            return;
        }
    }
}

I am not asking anyone to do my code, but some advice on what I could do/what I am doing wrong would be appreciated. If you would like to see the rest of my code to try it out please say so.

kimbleoffice
  • First of all password should always be hashed with a salt (eg using something like PBKDF2 or bcrypt), and not be stored in plaintext. – Mark Rotteveel Mar 20 '14 at 15:16
  • That is a good point, thanks. At the moment I just want to get the authentication working so am just using stored user details in the table. Once this is working I will work on improving the details such as sending and storing the password securely. – kimbleoffice Mar 20 '14 at 15:21
  • 1
    You should design and develop with security in mind from the start, not hack it in afterwards. – Mark Rotteveel Mar 20 '14 at 15:27
  • Okay, my bad. I am new to programming and this is my first actual project - I will bear this in mind! – kimbleoffice Mar 20 '14 at 15:43
  • Who else wants to create an account and join chatting with kimbleoffice? -Little Bobby Tables _(ok that was just a heads-up for that little sneaky SQL injection bug in OP's code :D)_ – hegez Aug 15 '18 at 12:38

2 Answers

In practice you clearly should not use clear text passwords, you should hash and salt them. Then apply the same hash and salt to the entered password and match them like I will describe below. Pretty straightforward.

As you asked to know the basic process, here it is:
Retrieve the password for your userlogin, userlogin should be unique so there will only be one tuple in the ResultSet. If there's no row retrieved for that username, the user doesn't exist --> throw an Exception.

Next is to match your retrieved password with the one the user entered via retrievedPw.equals(userEnteredPw). If it returns true, log the user in as his credentials are correct.

If it comes to salting I myself struggled with the word a bit ago, so you may want to read this discussion on salting best practices.

Zhedar

My suggestions:

  • add hashed passwords in the database for security reasons
  • use prepared statements to avoid SQL injection attacks
  • add proper closing of resources to avoid headaches in production
nablaone