Glassfish 3.1.2's JDBCRealm has a new Password Encryption Algorithm field. What is it for?


Problem description





The Glassfish JDBC realm features several different properties you can set.

I am interested in the Digest Algorithm and Password Encryption Algorithm properties (that's how they show up in the admin console).

The second one is new as of Glassfish 3.1.2 as near as I can tell.

I have consulted the official Glassfish 3.1.1 documentation but it does not address the new property, and does not really explain what the first property is used for.

There is a documentation bug that references a bug number (13363269) that must point to a defunct bug system because I can't find the bug to which it refers. This phantom bug presumably details what the Password Encryption Algorithm property is for, but alas seems to be lost to the mists of time.

From the command line, the property is named (improbably): digestrealm-password-enc-algorithm. It looks like this will live on next to the digest-algorithm property.

I attempted to read the source code, but the JDBCRealm.java file appears to be missing although I am doubtlessly simply looking in the wrong place. A prior copy that I found does not reference the property anywhere.

What are these two properties for? I have a hazy sense that together they ensure that if I use the realm to login with a plaintext password I can somehow delegate the hashing-and-comparing operations to the realm, provided of course that the hashes used to store the original password and the hashes used on the incoming password were calculated the same way.

The manual also indicates that if I want to use digest authentication that I should be specifying the jdbcDigestRealm JAAS context. If I don't want to use digest authentication, then I should be specifying the jdbcRealm JAAS context. To my eyes, this looks like yet another place where I am effectively specifying what kinds of hashing algorithms are involved.

Thanks in advance for any pointers.

Solution

I wrote about this (related issue) here - Glassfish 3.1.2 JDBCRealm configuration.

In short, the password encryption field does not seem to be mandatory at all anymore - so just storing passwords as SHA 256 hashes should work well enough.
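
The hash-and-compare step the question describes can be modelled as follows. This is an added example, not code from either poster or from Glassfish: the class name, the method names, the `encoding` argument (hex or base64) and the UTF-8 charset are assumptions of the sketch. It shows that a login succeeds only when the digest algorithm and encoding configured for the check match those used when the password column was written.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

// Hypothetical model of a realm's password check; not Glassfish source.
public class RealmDigestCheck {

    // Hash the password and encode it the way the value would sit in the password column.
    static String storedForm(String password, String algorithm, String encoding)
            throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance(algorithm)
                .digest(password.getBytes(StandardCharsets.UTF_8)); // UTF-8 is assumed
        if ("base64".equalsIgnoreCase(encoding)) {
            return Base64.getEncoder().encodeToString(digest);
        }
        StringBuilder hex = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    // Hash the submitted password with the configured settings and compare it
    // with the column value in constant time.
    static boolean matches(String submitted, String columnValue,
                           String algorithm, String encoding)
            throws NoSuchAlgorithmException {
        byte[] expected = columnValue.getBytes(StandardCharsets.UTF_8);
        byte[] actual = storedForm(submitted, algorithm, encoding)
                .getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        String password = "correct horse battery staple";        // constructed sample
        String column = storedForm(password, "SHA-256", "hex");  // written at registration

        System.out.println("column value  : " + column);
        System.out.println("SHA-256/hex   : " + matches(password, column, "SHA-256", "hex"));
        System.out.println("MD5/hex       : " + matches(password, column, "MD5", "hex"));
        System.out.println("SHA-256/base64: " + matches(password, column, "SHA-256", "base64"));
        System.out.println("wrong password: " + matches("guess", column, "SHA-256", "hex"));
    }
}
```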
