堆栈内存溢出
  简体   繁体   English

是否可以使用密码腌制的容器管理身份验证?

[英]Is it possible to use container-managed authentication with password salting?

 原文  2010-12-10 21:18:08       java/ jsf/ java-ee/ jsf-2/ jaspic

问题描述

I know how to set up vanilla container-managed security that uses form authentication and uses digested passwords (say, SHA-256). 我知道如何设置使用表单身份验证并使用消化密码(例如,SHA-256)的vanilla容器管理安全性。 Something like this: 像这样的东西:

web.xml web.xml中 

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>jdbc</realm-name>
    <form-login-config>
        <form-login-page>/login.jsf</form-login-page>
        <form-error-page>/login-error.jsf</form-error-page>
    </form-login-config>
</login-config>

login.xhtml login.xhtml 

<form action="j_security_check">
    <p><label>
        Username:<br/>
        <input type="text" name="j_username" />
    </label></p>
    <p><label>
        Password:<br/>
        <input type="password" name="j_password" />
    </label></p>
    <p>
        <button type="submit">Submit</button>
    </p>
</form>

Pretty darn simple - but what I'd really like to be able to do is salt the password with a global salt and the username. 非常简单 - 但我真正希望能够做的是用全局盐和用户名加密密码。 Yes, I am aware that this isn't ideal but right now, I'm just building a proof-of-concept. 是的,我知道这并不理想,但现在,我只是在构建一个概念验证。

Can the container (GlassFish 3, in this case) do this for me, or do I have to write my own login filter ? 容器(GlassFish 3,在这种情况下)可以为我做这个,还是我必须编写自己的登录过滤器 I've done it before (for J2EE applications) but my gut tells me that there's got to be a tighter way to do it now that I'm using Java EE 6. 我之前已经完成了(对于J2EE应用程序),但我的直觉告诉我,现在我必须采用更严格的方法来使用Java EE 6。

1 个解决方案

解决方案1
 3  2010-12-16 23:14:31

I get the feeling you're looking for a quick (& potentially dirty?) way to modify the build-in authentication provider. 我觉得你正在寻找一种快速(可能是脏的)方式来修改内置身份验证提供程序。

The proper way to go is to implement your own Java Authentication Service Provider for the new JASPIC API ( JSR-196 ). 正确的方法是为新的JASPIC API( JSR-196 )实现自己的Java身份验证服务提供程序。 It is more laborious, but this method lets you roll your implementation any way you like it, and it should be compatible with any Java EE 6 application server. 它更费力,但是这种方法允许您以您喜欢的方式滚动实现,并且它应该与任何Java EE 6应用程序服务器兼容。

For a basic authentication scheme with password salting, implementing such a provider should be pretty straightforward. 对于使用密码salting的基本身份验证方案,实现此类提供程序应该非常简单。 You will have to think about managing users and passwords, but one solution could be to let your provider re-use the users defined in the Glassfish authentication realms, so that you only have to manage the custom salted passwords yourself. 您将不得不考虑管理用户和密码,但一种解决方案可能是让您的提供商重新使用Glassfish身份验证领域中定义的用户,这样您只需自己管理自定义盐渍密码。

There's a nice tutorial for WebSphere, which you should be able to adapt for Glassfish here . 有一个很好的WebSphere教程,你应该可以在这里适应Glassfish。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 容器管理的交易 - Container-Managed Transactions 在Java EE中重新运行失败的容器管理的事务 - Rerunning failed Container-Managed transactions in Java EE JAX-WS中的容器管理事务,weblogic - Container-managed transaction in JAX-WS, weblogic 如何在执行长任务之前完成容器管理的事务? - How to finish a container-managed transaction before running a long task? 容器管理的EntityManager:单个持久性单元的多个管理器? - Container-managed EntityManager: multiple managers for single persistence unit? 不推荐使用Camel .beanRef-现在如何在Java DSL路由中访问容器管理的bean? - Camel .beanRef deprecated - how now to access container-managed beans in Java DSL route? JEE7:EJB和CDI bean是否支持容器管理的事务? - JEE7: Do EJB and CDI beans support container-managed transactions? .NET 4.0是否具有类似于Java的容器管理事务的功能? - Does .NET 4.0 have something similar to Container-Managed Transactions from Java? 使用Spring 3安全性对密码进行加密 - Salting a password with spring 3 security 我应该在Java中使用jBcrypt或PBKDF2进行密码加密吗? - Should I use jBcrypt or PBKDF2 for password salting in Java?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM