Keeping track of authenticated users

Following this approach, we can store the username in the HTTP session when a user is successfully authenticated. We can also check whether the user has been authenticated by checking whether a value exists in the HTTP session. This can be implemented as follows:

public class AuthService {

    private static final String USERNAME_ATTRIBUTE = "username";

    public static boolean authenticate(
            String username, String password) {

        boolean authentic = "admin".equals(username) &&
                "admin".equals(password);
 
        if (authentic) {
            VaadinSession.getCurrent().setAttribute(
                    USERNAME_ATTRIBUTE, username);
        }

        return authentic;
    }

    public static boolean isAuthenticated() {
        return VaadinSession.getCurrent().getAttribute(
                USERNAME_ATTRIBUTE) != null;
    }
}

There are a few things to notice here. First, for simplicity in this example, the code checks whether username and password are both equal to the string "admin". In a real application, this should query a database or delegate to any other authentication process. For example, if you have a class that provides functionality to query user data, the Boolean check could look something like the following:

User existingUser = userRepository.findByUsernameAndPassword(
        username, password);
boolean authentic = existingUser != null;
Never store passwords in a way that they can be retrieved. In other words, always store salted hashes of passwords instead of the password itself. This can protect not only your users but also yourself! If you store a password as a hash of it, you can be sure that nobody, including you, can get to know the real password. If the database is compromised, at least the passwords are going to be garbage. Suppose you have a hash method that uses SHA or any other secure algorithm. When setting a password, you can save an entity with something like the following:
user.setPassword(hash(theActualPassword));
In order to check whether a password is correct (for example, during authentication), you can compare the hash of the given password with the value stored in the database. Something like the following:
  • String stored = user.getPassword();
  • String hash = hash(attemptedPassword);
  • if (stored.equals(hash) {...}

Second, the AuthService class has Vaadin stuff in it. Service classes should be decoupled from the presentation technology, but in our case, that's okay, since there's not much chance of us changing the web framework! And that's usually the case in real-life applications anyway. Additionally, reusing this class out of the context of a Vaadin application doesn't seem very likely, but if it becomes necessary, you can decouple it from Vaadin by directly using the HTTP session.

If your application allows third-party developers to add new functionality to your application and it exposes the HTTP session, developers might be able to impersonate a user if they know their username. Since the only condition for declaring a user as authenticated is to have an entry in the HTTP session with the corresponding username as its key, a malicious developer could add such a username and invoke other functionality on their behalf. In such cases, consider symmetrically encrypting the key (username) or even using an alternative storage mechanism for the HTTP session.
..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset