I'm trying to set up a secure login for my application.
To achieve this I wanted to salt my hash and maybe use an iteration count.
The official forums don't seem to answer that so I was wondering how to get this to work if I want to stick to my security strategy. Alternatively I could just leave salting, but I don't think this would be a good idea.
So my question is:
Are there any workarounds to achieve such secure storage here or what is the best practice to handle logins on JBoss AS nowadays?
问问题
320 次
1 回答
0
Almost a year passed and when reviewing this code section I finally found a (maybe not decent, but working) solution:
Don't let the DatabaseLoginModule hash your passwords, hash and salt them yourself.
In my application I use the login mechanisms provided by Servlet 3.0:
HttpServletRequest.login(userLogin, pass);
The crucial point I missed is that you can hash and salt the plain password manually just before the login()-call. The LoginModule will then match the hashes with those saved in the database.
Maybe that's not the solution I originally wanted, but it doesn't add any unnecessary complexity.
于 2014-04-22T18:22:17.590 回答