是否可以使用密码腌制的容器管理身份验证？ [英] Is it possible to use container-managed authentication with password salting?

问题描述

我知道如何设置使用表单身份验证并使用消化密码（例如，SHA-256）的vanilla容器管理安全性。这样的事情：

I know how to set up vanilla container-managed security that uses form authentication and uses digested passwords (say, SHA-256). Something like this:

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>jdbc</realm-name>
    <form-login-config>
        <form-login-page>/login.jsf</form-login-page>
        <form-error-page>/login-error.jsf</form-error-page>
    </form-login-config>
</login-config>

login.xhtml

login.xhtml

<form action="j_security_check">
    <p><label>
        Username:<br/>
        <input type="text" name="j_username" />
    </label></p>
    <p><label>
        Password:<br/>
        <input type="password" name="j_password" />
    </label></p>
    <p>
        <button type="submit">Submit</button>
    </p>
</form>

相当简单 - 但我真的喜欢能够要做的是用全局盐和用户名加密密码。是的，我知道这不是理想 但是现在，我只是在构建一个概念验证。

Pretty darn simple - but what I'd really like to be able to do is salt the password with a global salt and the username. Yes, I am aware that this isn't ideal but right now, I'm just building a proof-of-concept.

容器（在这种情况下是GlassFish 3）可以做到这一点对我来说，还是我必须编写我自己的登录过滤器？我之前已经完成了（对于J2EE应用程序）但我的直觉告诉我，现在我必须采用更严格的方法来使用Java EE 6.

Can the container (GlassFish 3, in this case) do this for me, or do I have to write my own login filter? I've done it before (for J2EE applications) but my gut tells me that there's got to be a tighter way to do it now that I'm using Java EE 6.

推荐答案

我觉得你正在寻找一种快速（并且可能很脏？）的方式来修改内置身份验证提供程序。

I get the feeling you're looking for a quick (& potentially dirty?) way to modify the build-in authentication provider.

正确的方法是为新的JASPIC API实现自己的Java身份验证服务提供程序（ JSR-196 ）。它更费力，但是这种方法可以让你以任何你喜欢的方式实现它，并且它应该与任何Java EE 6应用服务器兼容。

The proper way to go is to implement your own Java Authentication Service Provider for the new JASPIC API (JSR-196). It is more laborious, but this method lets you roll your implementation any way you like it, and it should be compatible with any Java EE 6 application server.

对于一个基本的使用密码salting的身份验证方案，实现这样的提供程序应该非常简单。您将不得不考虑管理用户和密码，但一种解决方案可能是让您的提供商重新使用Glassfish身份验证领域中定义的用户，这样您只需自己管理自定义盐渍密码。

For a basic authentication scheme with password salting, implementing such a provider should be pretty straightforward. You will have to think about managing users and passwords, but one solution could be to let your provider re-use the users defined in the Glassfish authentication realms, so that you only have to manage the custom salted passwords yourself.

有一个很好的WebSphere教程，你应该能够适应Glassfish 这里。

There's a nice tutorial for WebSphere, which you should be able to adapt for Glassfish here.

这篇关于是否可以使用密码腌制的容器管理身份验证？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！