
JBoss salted DatabaseServerLoginModule on AS 7.1

I'm trying to set up a secure login for my application.
To achieve this I wanted to salt my hash and maybe use an iteration count. The official forums don't seem to answer that, so I was wondering how to get this to work if I want to stick to my security strategy. Alternatively I could just leave out salting, but I don't think this would be a good idea.
So my question is:
Are there any workarounds to achieve such secure storage here or what is the best practice to handle logins on JBoss AS nowadays?

Almost a year passed and when reviewing this code section I finally found a (maybe not decent, but working) solution:
Don't let the DatabaseLoginModule hash your passwords, hash and salt them yourself.
In my application I use the login mechanisms provided by Servlet 3.0: HttpServletRequest.login(userLogin, pass);
The crucial point I missed is that you can hash and salt the plain password manually just before the login() call. The LoginModule will then match the hashes with those saved in the database.
Maybe that's not the solution I originally wanted, but it doesn't add any unnecessary complexity.
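
The approach from the answer above, as an added Java example that is not part of the original post: PBKDF2 with a per-user salt and iteration count produces the string that is passed to login() in place of the plain password. The class name, iteration count and sample passwords are assumptions, and it presumes Java 8+ and a login module configured to compare the supplied value with the stored column without hashing it again.

```java
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example (hypothetical class): derive the value handed to login().
public final class SaltedPassword {
    private static final SecureRandom RNG = new SecureRandom();
    static final int ITERATIONS = 100_000; // assumed work factor, stored per user
    static final int KEY_BITS = 256;

    // Fresh random salt, generated once at registration or password change.
    static byte[] newSalt() {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        return salt;
    }

    // Deterministic for the same (password, salt, iterations), so the login
    // module's plain string comparison against the stored column succeeds.
    static String derive(char[] password, byte[] salt, int iterations)
            throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
        try {
            byte[] key = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
            return Base64.getEncoder().encodeToString(key);
        } finally {
            spec.clearPassword(); // wipe the spec's internal copy of the password
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Registration: store salt, iterations and the derived value for the user.
        // The passwords below are constructed sample values.
        byte[] salt = newSalt();
        String stored = derive("correct horse".toCharArray(), salt, ITERATIONS);

        // Login: load this user's salt and iterations, derive again, and pass
        // the result where the plain password used to go:
        //   request.login(userLogin, derive(pass, salt, iterations));
        String attempt = derive("correct horse".toCharArray(), salt, ITERATIONS);
        String wrong = derive("wrong guess".toCharArray(), salt, ITERATIONS);
        System.out.println("match=" + stored.equals(attempt));
        System.out.println("wrong=" + stored.equals(wrong));
    }
}
```

Because the salt has to be read before authentication, the lookup by user name should behave the same for unknown users (for example by deriving against a dummy salt) so that the response does not reveal which accounts exist.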

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.

 