MCPcopy Index your code
hub / github.com/OWASP/SecurityShepherd / authUser

Method authUser

src/main/java/dbProcs/Getter.java:67–160  ·  view source on GitHub ↗

This method hashes the user submitted password and sends it to the database. The database does the rest of the work, including Brute Force prevention. @param userName The submitted user name to be used in authentication process @param password The submitted password in plain text to be used in authe

(String ApplicationRoot, String userName, String password)

Source from the content-addressed store, hash-verified

65 */
66
67 public static String[] authUser (String ApplicationRoot, String userName, String password)
68 {
69 String[] result = null;
70 log.debug("$$$ Getter.authUser $$$");
71 log.debug("userName = " + userName);
72
73 boolean userFound = false;
74 boolean goOn = false;
75 Connection conn = Database.getCoreConnection(ApplicationRoot);
76 try
77 {
78 //See if user Exists
79 CallableStatement callstmt = conn.prepareCall("call userFind(?)");
80 log.debug("Gathering userFind ResultSet");
81 callstmt.setString(1, userName);
82 ResultSet userFind = callstmt.executeQuery();
83 log.debug("Opening Result Set from userFind");
84 try
85 {
86 userFind.next();
87 log.debug("User Found"); //User found if a row is in the database, this line will not work if the result set is empty
88 userFound = true;
89 }
90 catch(Exception e)
91 {
92 log.debug("User did not exist");
93 userFound = false;
94 }
95 if(userFound)
96 {
97 //Authenticate User
98 callstmt = conn.prepareCall("call authUser(?, ?)");
99 log.debug("Gathering authUser ResultSet");
100 callstmt.setString(1, userName);
101 callstmt.setString(2, password);
102 ResultSet loginAttempt = callstmt.executeQuery();
103 log.debug("Opening Result Set from authUser");
104 try
105 {
106 loginAttempt.next();
107 goOn = true; //Valid password for user submitted
108 }
109 catch (SQLException e)
110 {
111 //... Outer Catch has preference to this one for some reason... This code is never reached!
112 // But I'll leave it here just in case. That includes the else block if goOn is false
113 log.debug("Incorrect Credentials");
114 goOn = false;
115 }
116 if(goOn)
117 {
118 //ResultSet Not Empty => Credentials Correct
119 result = new String[5];
120 result[0] = loginAttempt.getString(1); //Id
121 result[1] = loginAttempt.getString(2); //userName
122 result[2] = loginAttempt.getString(3); //role
123 result[4] = loginAttempt.getString(6); //classId
124 if (loginAttempt.getBoolean(5)) //Checking for temp password flag, if true, index View will prompt to change

Calls 2

getCoreConnectionMethod · 0.95
closeConnectionMethod · 0.95