你将如何实现Tomcat 5.5中腌密码 [英] How would you implement salted passwords in Tomcat 5.5

问题描述

我的Web应用程序依赖于容器管理的安全，我想知道是否有可能在所有使用盐渍密码。至于我可以告诉大家这是很容易，只需配置JDBC数据源或为境界消化密码存储在数据库中，但没有办法盐添加到这些摘要。

My web application is relying on container-managed security and I'm wondering if it's possible to use salted passwords at all. As far as I can tell it's easy enough to store digested passwords in a database by just configuring a JDBC or DataSource Realm, but there's no way to add a salt to those digest.

有什么建议？

编辑：看来我只需要问问题之前，想多一些; - ）

it seems I just need to think some more before asking questions ;-)

这只是一个选择谁在做摘要计算（客户端或服务器）的问题，并相应地配置Tomcat。

It's just a matter of choosing who's doing the digest calculation (client or server) and configure Tomcat accordingly.

推荐答案

如果您正在创建和存储摘要您可以创建和盐储存在同一时间。

If you're creating and storing the digests you can create and store the salts at the same time.

您AUTH表包含
....
pwdDigest VARCHAR（64）， - 或者int256如果你有一个
hashSalt Int64的，
....

Your auth table would contain .... pwdDigest varchar(64), -- or int256 if you have one hashSalt int64, ....

然后根据不同的身份验证协议，你使用时，你得到的客户端加密的用户名你要么发送hashSalt到客户端或使用它，如果你在清晰接收它散列密码。

Then depending on the auth protocol you're using you either send the hashSalt to the client when you get the username for client side encryption or use it to hash the password if you receive it in clear.

我不熟悉你所谈论的数据库访问技术，所以我道歉，如果我错过了点过于简单的答案。

I'm not familiar with the database access technologies you're talking about, so I apologise if I've missed the point and oversimplified the answer.

这篇关于你将如何实现Tomcat 5.5中腌密码的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！