J Boss在AS 7.1上加盐了DatabaseServerLoginModule
[英]JBoss salted DatabaseServerLoginModule on AS 7.1
问题描述
I'm trying to set up a secure login for my application. 
我正在尝试为我的应用程序设置安全登录名。
To achieve this I wanted to salt my hash and maybe use an iteration count. 为了实现这一点,我想给哈希加盐,并可能使用迭代计数。 The official forums don't seem to answer that so I was wondering how to get this to work if I want to stick to my security strategy. 官方论坛似乎没有回答这个问题,所以我想知道如果我想坚持自己的安全策略如何使它起作用。 Alternatively I could just leave salting, but I don't think this would be a good idea. 另外,我也可以放盐,但我认为这不是一个好主意。
So my question is: 所以我的问题是:
Are there any workarounds to achieve such secure storage here or what is the best practice to handle logins on JBoss AS nowadays? 这里是否有任何变通办法来实现这种安全存储,或者当今在JBoss AS上处理登录的最佳实践是什么?
1 个解决方案
解决方案1
0 已采纳 2014-04-22 18:22:17
Almost a year passed and when reviewing this code section I finally found a (maybe not decent, but working) solution: 差不多一年过去了,在回顾此代码部分时,我终于找到了一个(也许不算体面,但可行的)解决方案:
Don't let the DatabaseLoginModule hash your passwords, hash and salt them yourself. 不要让DatabaseLoginModule散列您的密码,自己散列和加盐。
In my application I use the login mechanisms provided by Servlet 3.0: HttpServletRequest.login(userLogin, pass); 在我的应用程序中,我使用Servlet 3.0提供的登录机制: HttpServletRequest.login(userLogin, pass);
The crucial point I missed is that you can hash and salt the plain password manually just before the login() -call. 我错过的关键点是,您可以在login() call之前手动哈希和添加普通密码。 The LoginModule will then match the hashes with those saved in the database. 然后, LoginModule将使哈希与数据库中保存的哈希匹配。
Maybe that's not the solution I originally wanted, but it doesn't add any unnecessary complexity. 也许这不是我最初想要的解决方案,但它不会增加任何不必要的复杂性。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.