  1. Is it possible to use container-managed authentication with password salting?
<p>I know how to set up vanilla container-managed security that uses form authentication and uses digested passwords (say, SHA-256). Something like this:</p>

<h3>web.xml</h3>
<pre><code>&lt;login-config&gt;
    &lt;auth-method&gt;FORM&lt;/auth-method&gt;
    &lt;realm-name&gt;jdbc&lt;/realm-name&gt;
    &lt;form-login-config&gt;
        &lt;form-login-page&gt;/login.jsf&lt;/form-login-page&gt;
        &lt;form-error-page&gt;/login-error.jsf&lt;/form-error-page&gt;
    &lt;/form-login-config&gt;
&lt;/login-config&gt;
</code></pre>

<h3>login.xhtml</h3>
<pre><code>&lt;!-- method="post" keeps j_password out of the URL; a form without it submits via GET --&gt;
&lt;form method="post" action="j_security_check"&gt;
    &lt;p&gt;&lt;label&gt;
        Username:&lt;br/&gt;
        &lt;input type="text" name="j_username" /&gt;
    &lt;/label&gt;&lt;/p&gt;
    &lt;p&gt;&lt;label&gt;
        Password:&lt;br/&gt;
        &lt;input type="password" name="j_password" /&gt;
    &lt;/label&gt;&lt;/p&gt;
    &lt;p&gt;
        &lt;button type="submit"&gt;Submit&lt;/button&gt;
    &lt;/p&gt;
&lt;/form&gt;
</code></pre>

<p>Pretty darn simple - but what I'd <em>really</em> like to be able to do is salt the password with a global salt and the username. Yes, I am aware that <a href="https://stackoverflow.com/questions/536584/non-random-salt-for-password-hashes/536756#536756">this isn't <strong>ideal</strong></a> but right now, I'm just building a proof-of-concept.</p>

<p>Can the container (GlassFish 3, in this case) do this for me, or do I have to <a href="https://stackoverflow.com/questions/1470591/basic-security-in-jsf/1484398#1484398">write my own login filter</a>? I've done it before (for J2EE applications) but my gut tells me that there's got to be a tighter way to do it now that I'm using Java EE 6.</p>
 
