Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Is it possible to use container-managed authentication with password salting?

Tags:

java

jsf

jakarta-ee

jsf-2

jaspic

I know how to set up vanilla container-managed security that uses form authentication and uses digested passwords (say, SHA-256). Something like this:

web.xml

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>jdbc</realm-name>
    <form-login-config>
        <form-login-page>/login.jsf</form-login-page>
        <form-error-page>/login-error.jsf</form-error-page>
    </form-login-config>
</login-config>

login.xhtml

<form action="j_security_check">
    <p><label>
        Username:<br/>
        <input type="text" name="j_username" />
    </label></p>
    <p><label>
        Password:<br/>
        <input type="password" name="j_password" />
    </label></p>
    <p>
        <button type="submit">Submit</button>
    </p>
</form>

Pretty darn simple - but what I'd really like to be able to do is salt the password with a global salt and the username. Yes, I am aware that this isn't ideal but right now, I'm just building a proof-of-concept.

Can the container (GlassFish 3, in this case) do this for me, or do I have to write my own login filter? I've done it before (for J2EE applications) but my gut tells me that there's got to be a tighter way to do it now that I'm using Java EE 6.

like image 851
Matt Ball Avatar asked Oct 25 '22 00:10

Matt Ball

1 Answers

I get the feeling you're looking for a quick (& potentially dirty?) way to modify the build-in authentication provider.

The proper way to go is to implement your own Java Authentication Service Provider for the new JASPIC API (JSR-196). It is more laborious, but this method lets you roll your implementation any way you like it, and it should be compatible with any Java EE 6 application server.

For a basic authentication scheme with password salting, implementing such a provider should be pretty straightforward. You will have to think about managing users and passwords, but one solution could be to let your provider re-use the users defined in the Glassfish authentication realms, so that you only have to manage the custom salted passwords yourself.

There's a nice tutorial for WebSphere, which you should be able to adapt for Glassfish here.

like image 119
Kim Burgaard Avatar answered Nov 15 '22 00:11

Kim Burgaard
Sign in to Comment

Related questions

Deploying to Weblogic Managed Servers
Hibernate HQL Query : How to properly use ANY function in where clause?
Closing open XML tags with regex
What java android files should I not upload to my SVN Server?
Autoboxing/widening occurs in Short a=3 but not in Float a=3;
How should I reset a JPA-controlled database before every test?
Problem executing a batch file in a Java application
Perform daily action at a specific time based on user's local time zone
Log4j | Updating the Log Level for the Appender
Generating JAXB classes with custom class names
GWT StackPanel limitation?
Decoding a Java/JSON Map into an F# object
How to get TTL of a UDP packet in Java?
Custom conversion specifiers in java
convert from scriptlet to JSF managed bean problem
Execute Java main method from within a Java desktop app in a different JVM
Selenium hangs instantiating FirefoxDriver

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!