
Using bcrypt in a Glassfish 3.0 security realm

I'm currently in the process of changing the password handling in a web application from unsalted MD5 to bcrypt. It's a standard JSF application, running on Glassfish 3.0.1.
Using jBCrypt made creating and storing the hashes pretty easy. But now I don't know how to use bcrypt in the actual authentication when the user logs in. Since it's JSF, the login is being triggered using the HttpServletRequest#login method and the rest is being handled by the Java EE stack and Glassfish.

Simply setting the security realm's digest algorithm to "none" and then hashing the password before passing it to the login method wouldn't work, because I don't have the generated salt jBCrypt originally used when creating the hash. I've also thought about providing a custom security realm implementation, but that seems a lot of work for such a small change.

Is there a simpler solution? Or has someone already implemented a similar security realm?

It is enough to implement a login module and delegate the authentication to the underlying realm.
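A sketch of such a login module, added here as an example and not taken from the original question or answer. It relies on jBCrypt's `BCrypt.checkpw`, which reads the cost and salt from the stored hash string itself. Assumptions: the `BcryptUserStore` interface and its two methods are hypothetical and are expected to be implemented by your custom realm class, the `org.mindrot.jbcrypt` package name is the one used by the Maven artifact, and `_username`, `_password` and `_currentRealm` are the fields Glassfish 3.0's `AppservPasswordLoginModule` exposes.

```java
import com.sun.appserv.security.AppservPasswordLoginModule;
import javax.security.auth.login.LoginException;
import org.mindrot.jbcrypt.BCrypt;

public class BcryptLoginModule extends AppservPasswordLoginModule {

    /** Hypothetical contract the custom realm class is assumed to implement. */
    public interface BcryptUserStore {
        String findBcryptHash(String username); // null when the user is unknown
        String[] findGroups(String username);
    }

    // Constructed throwaway hash, compared against when the user is unknown
    // so that both paths pay the bcrypt cost.
    private static final String DUMMY_HASH =
            BCrypt.hashpw("constructed-placeholder", BCrypt.gensalt());

    @Override
    protected void authenticateUser() throws LoginException {
        if (!(_currentRealm instanceof BcryptUserStore)) {
            throw new LoginException("Realm does not supply bcrypt hashes");
        }
        BcryptUserStore store = (BcryptUserStore) _currentRealm;
        if (_username == null || _password == null) {
            throw new LoginException("Missing credentials");
        }
        String stored = store.findBcryptHash(_username);
        boolean ok;
        try {
            // checkpw parses the cost and salt out of the stored "$2a$..."
            // string, so no separately stored salt is needed.
            boolean matches = BCrypt.checkpw(
                    _password, stored != null ? stored : DUMMY_HASH);
            ok = matches && stored != null;
        } catch (RuntimeException malformedHash) {
            ok = false; // jBCrypt throws on a stored value it cannot parse
        }
        if (!ok) {
            throw new LoginException("Login failed");
        }
        // Hands the user's groups to Glassfish; HttpServletRequest#login
        // then completes normally.
        commitUserAuthentication(store.findGroups(_username));
    }
}
```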
