private void login() throws UserException, NoSuchAlgorithmException, InvalidKeySpecException {
    System.out.println("=== Log in ===");
    while (true) {
        System.out.println("Enter your login \nor Enter EXIT for return to main menu ->");
        String inputLogin = this.sc.nextLine();
        if ("EXIT".equalsIgnoreCase(inputLogin)) {
            break;
        }
        try {
            User user = userImpl.read(inputLogin);
            if (user.getLogin() == null) {
                System.err.println("Username incorrect.");
            } else {
                System.out.println("Enter your password \n or Enter EXIT for return to main menu ->");
                String inputPassword = this.sc.nextLine();
                // Second lookup is by password alone and replaces the user found by login above
                user = userImpl.readPassword(inputPassword);
                // user.getPassword() is dereferenced before the EXIT check; if readPassword()
                // found no matching row it is null here
                if (!user.getPassword().equals(generateStrongPasswordHash(inputPassword)) || "EXIT".equalsIgnoreCase(inputPassword)) {
                    System.err.println("Password incorrect");
                    continue;
                }
                System.out.println("Log in successfully✔✔✔");
            }
        } catch (UserException | NoSuchAlgorithmException | InvalidKeySpecException e) {
            e.printStackTrace();
        }
    }
}

I'm trying to implement a console program, Cinema, using JDBC (MySQL). After calling the login method I get this Exception. How do I implement authorization in the console app?


1 Answer


It seems like user.getPassword() is returning null. Therefore I would suggest that you check for user.getPassword() == null before checking whether user.getPassword().equals(generateStrongPasswordHash(inputPassword)).

private void login() throws UserException, NoSuchAlgorithmException, InvalidKeySpecException {
    System.out.println("=== Log in ===");

    while (true) {
        System.out.println("Enter your login \nor Enter EXIT for return to main menu ->");
        String inputLogin = this.sc.nextLine();

        if ("EXIT".equalsIgnoreCase(inputLogin)) {
            break;
        }

        try {
            User user = userImpl.read(inputLogin);

            if (user.getLogin() == null) {
                System.err.println("Username incorrect.");
            } else {
                System.out.println("Enter your password \n or Enter EXIT for return to main menu ->");
                String inputPassword = this.sc.nextLine();
                user = userImpl.readPassword(inputPassword);

                // Null check first (Java uses ==, not ===) so the equals() call cannot NPE
                if (user.getPassword() == null || !user.getPassword().equals(generateStrongPasswordHash(inputPassword)) || "EXIT".equalsIgnoreCase(inputPassword)) {
                    System.err.println("Password incorrect");
                    continue;
                }

                System.out.println("Log in successfully✔✔✔");
            }
        } catch (UserException | NoSuchAlgorithmException | InvalidKeySpecException e) {
             e.printStackTrace();
        }
    }
}
Gregor
  • The error message says that `user.getPassword()` is null, not `user`. – khelwood Dec 18 '21 at 16:00
  • You're right. I will adjust my answer. – Gregor Dec 18 '21 at 16:05
  • I tried to use your method, but now it says "Password incorrect", even though I entered valid password – Anna Dec 18 '21 at 16:17
  • I don't know your `User` class implementation therefore I cannot tell what `getPassword()` is doing. – Gregor Dec 18 '21 at 17:07
  • @Gregor Without password hashing everything works, but with hashing it doesn’t – Anna Dec 18 '21 at 17:30
  • Actually I think that your code is quite unsafe, because first you try to find a user that matches the passed user name, after that you try to find a user that matches the passed password, totally unrelated to the passed user name. You should rather try to find a user that matches the user name **AND** the password at the same time. Also you should not output whether the user name or the password is incorrect. The only thing that counts is that the passed credentials do not match. For me your current implementation is a security vulnerability. – Gregor Dec 19 '21 at 19:17