I'm trying to implement the really good answer of FriendlyCryptoNeighbor here, and I'm quite new to all the JSF stuff.

In order to encrypt the password (like RSA_With_Public_Key(SHA256(password))) client side, I would like to override the <h:input to call an encryption function in JavaScript. But I can't manage to find a way to do this.

The problem is that I have a bean bound to the input value ... In a RESTful server it would be easy to encrypt and make the request from JavaScript, but there, I'm not sure how all of this works.

-- UPDATE 1

For the moment, I execute a JavaScript script on click on the commandButton, which updates a hidden field to which my bean is bound.

Thomas Leduc
  • Why do you want to create the SHA in the client? Why not in the JSF bean? – Aviad Jun 01 '14 at 18:10
  • Because it's not to encrypt it to store it in the database. I want to certify to the client that I can't read his password. And for some reasons I mention in the post below, like sniffing and other stuff over the HTTP session and cookie. Thanks again for your answer ;) – Thomas Leduc Jun 02 '14 at 11:04

1 Answer

I am not sure why you want to do it on the client and not in the bean itself..

But in JSF you can use a Converter to convert your input.. Look at this example.

It is very easy to do

http://www.mkyong.com/jsf2/custom-converter-in-jsf-2-0/

I took the important things here..

First thing is the page..

    <h:inputText id="bookmarkURL" value="#{user.bookmarkURL}"
            size="20" required="true" label="Bookmark URL">
        <f:converter converterId="com.mkyong.URLConverter" />
    </h:inputText>

Then you need to build the converter

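    import javax.faces.application.FacesMessage;
    import javax.faces.component.UIComponent;
    import javax.faces.context.FacesContext;
    import javax.faces.convert.Converter;
    import javax.faces.convert.ConverterException;
    import javax.faces.convert.FacesConverter;

    import org.apache.commons.validator.UrlValidator;

    @FacesConverter("com.mkyong.URLConverter")
    public class URLConverter implements Converter {

        // Called on form submit: turns the submitted string into the model object
        @Override
        public Object getAsObject(FacesContext context, UIComponent component,
                String value) {

            // nothing submitted: let JSF treat it as an empty value
            if (value == null || value.isEmpty()) {
                return null;
            }

            String HTTP = "http://";
            StringBuilder url = new StringBuilder();

            // if it does not start with http://, then add it
            if (!value.startsWith(HTTP, 0)) {
                url.append(HTTP);
            }
            url.append(value);

            // use the Apache Commons URL validator to validate the URL
            UrlValidator urlValidator = new UrlValidator();
            // if the URL is invalid, reject the submitted value
            if (!urlValidator.isValid(url.toString())) {

                FacesMessage msg =
                    new FacesMessage("URL Conversion error.",
                            "Invalid URL format.");
                msg.setSeverity(FacesMessage.SEVERITY_ERROR);
                throw new ConverterException(msg);
            }

            // URLBookmark is the model class from the linked example
            URLBookmark urlBookmark = new URLBookmark(url.toString());

            return urlBookmark;
        }

        // Called on render: turns the model object back into the displayed string
        @Override
        public String getAsString(FacesContext context, UIComponent component,
                Object value) {

            return value == null ? "" : value.toString();
        }

    }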

Hope that helps..

Aviad
  • Thanks a lot, I want to change it client side because I don't want to use SSL and I don't want to send it in plain-text. It's the exact answer I was looking for. – Thomas Leduc Jun 02 '14 at 09:49
  • Why don't you want to use SSL? – lefloh Jun 02 '14 at 10:40
  • Because an SSL certificate isn't free, because I want to know exactly what I'm doing and afterwards I want a token-based authentication (like OAuth of Amazon) that is more powerful than a simple HTTPS, and because it's a school project, I want it to be educative. – Thomas Leduc Jun 02 '14 at 11:02
  • The problem is.. If you create the hash function in the client it can be reversed easily.. You can use this thing to encrypt also.. check this out: http://www.jcryption.org/ Good luck :) – Aviad Jun 02 '14 at 11:16
  • Thanks for the link, I think I will have a look inside the JavaScript code. But I just want to do it myself and of course, it's not a simple hash. It's based on RSA, SHA256 and a shared salt. – Thomas Leduc Jun 03 '14 at 17:45
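
The scheme discussed in this thread (a salted SHA-256 of the password, RSA-encrypted with the server's public key and carried in a hidden field) can be sketched end to end as follows. This is an added example, not code from the question or the answer; it runs in Node.js rather than in a browser. The function names, the JSON payload layout and the server-issued one-time nonce are assumptions added here so that a captured field value cannot simply be submitted again.

```javascript
const crypto = require("node:crypto");

// Constructed demo key pair: the server would keep the private key and
// publish only the public key to the login page.
const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };

// Client side: SHA256(salt + password), bound to a server-issued one-time nonce,
// then RSA-OAEP encrypted. The base64 string is what the hidden field would carry.
function clientProtect(password, salt, nonce, pub) {
  const hash = crypto.createHash("sha256").update(salt + password, "utf8").digest("hex");
  const payload = Buffer.from(JSON.stringify({ hash, nonce }), "utf8");
  return crypto.publicEncrypt({ key: pub, ...OAEP }, payload).toString("base64");
}

// Server side (the work a converter or bean would do): decrypt the field,
// accept each nonce only once, and return the hash for comparison.
function serverUnwrap(fieldValue, priv, pendingNonces) {
  const plain = crypto.privateDecrypt({ key: priv, ...OAEP }, Buffer.from(fieldValue, "base64"));
  const { hash, nonce } = JSON.parse(plain.toString("utf8"));
  if (!pendingNonces.delete(nonce)) return null; // unknown or already used nonce
  return hash;
}

// Constructed sample values, for demonstration only.
function demo() {
  const salt = "constructed-salt";
  const password = "correct horse";
  const nonce = crypto.randomBytes(16).toString("hex");
  const pending = new Set([nonce]);
  const field1 = clientProtect(password, salt, nonce, publicKey);
  const field2 = clientProtect(password, salt, nonce, publicKey);
  const expected = crypto.createHash("sha256").update(salt + password, "utf8").digest("hex");
  return {
    randomized: field1 !== field2, // OAEP padding is randomized
    firstUse: serverUnwrap(field1, privateKey, pending) === expected,
    replayRejected: serverUnwrap(field1, privateKey, pending) === null,
  };
}
```

Without the nonce, the decrypted hash is itself a reusable credential for anyone who records one submission. Over plain HTTP the script and the public key can also be altered in transit, which this construction does not address.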