我使用容器管理的身份验证和授权创建了一个 JSF Web 应用程序。我定义了安全约束、安全角色和 FORM 登录配置;我提供了下面的代码来说明我如何定义所有这些参数。一切正常;当用户尝试访问“受保护”网页时,系统会提示他们登录,如果成功则授予访问权限,如果失败则拒绝访问。由于密码以明文形式存储,因此当用户输入明文密码时,使用容器管理的身份验证功能登录也可以正常工作。
As you know, I cannot access/change/work-on the plain text passwords entered by the user using the FORM authentication method. But i want to hash+salt my passwords before saving, bu then the log in will not work since the users will enter plain text and the database will have a hashed+salted password. Is there a way to keep the container-managed authentication and authorization functionality and still hash+salt passwords, if not how can I? Since FORM authentication does not let me work with the password entered by the user, I can't hash+salt it before the comparison is made with the password saved in the database. If there's a book or blog I can read please direct me. I have looked intensively throughout the web and have not found an answer I understood.
<security-constraint>
<web-resource-collection>
<web-resource-name>Administrator Area</web-resource-name>
<url-pattern>/faces/administrator/*</url-pattern>
<url-pattern>/administrator/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>ADMINISTRATOR</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>ADMINISTRATOR</role-name>
</security-role>
The login config is as follows:
<login-config>
<auth-method>FORM</auth-method>
<realm-name>DataSourceRealm</realm-name>
<form-login-config>
<form-login-page>/faces/login.xhtml</form-login-page>
<form-error-page>/faces/login.xhtml</form-error-page>
</form-login-config>
</login-config>
The log in page is as follows:
<form id="log_in_form" method="post" action="j_security_check">
User name: <input type="text" name="j_username"/>
Password: <input type="password" name="j_password"/>
<input type="submit" value="Login"/>
</form>