是否可以使用容器管理的身份验证和密码加盐?
我知道如何设置使用表单身份验证并使用摘要密码(例如 SHA-256)的普通容器管理安全性。像这样的东西:
web.xml
<login-config>
<auth-method>FORM</auth-method>
<realm-name>jdbc</realm-name>
<form-login-config>
<form-login-page>/login.jsf</form-login-page>
<form-error-page>/login-error.jsf</form-error-page>
</form-login-config>
</login-config>
login.xhtml
<form action="j_security_check">
<p><label>
Username:<br/>
<input type="text" name="j_username" />
</label></p>
<p><label>
Password:<br/>
<input type="password" name="j_password" />
</label></p>
<p>
<button type="submit">Submit</button>
</p>
</form>
非常简单 - 但我真正想要能够做的是用全局盐和用户名对密码加盐。是的,我知道这不是理想 但现在,我只是在构建一个概念验证。
容器(在本例中为 GlassFish 3)可以为我执行此操作,还是我必须 编写我自己的登录过滤器?我以前已经这样做过(对于 J2EE 应用程序),但我的直觉告诉我,既然我正在使用 Java EE 6,就必须有一种更严格的方法来做到这一点。
I know how to set up vanilla container-managed security that uses form authentication and uses digested passwords (say, SHA-256). Something like this:
web.xml
<login-config>
<auth-method>FORM</auth-method>
<realm-name>jdbc</realm-name>
<form-login-config>
<form-login-page>/login.jsf</form-login-page>
<form-error-page>/login-error.jsf</form-error-page>
</form-login-config>
</login-config>
login.xhtml
<form action="j_security_check">
<p><label>
Username:<br/>
<input type="text" name="j_username" />
</label></p>
<p><label>
Password:<br/>
<input type="password" name="j_password" />
</label></p>
<p>
<button type="submit">Submit</button>
</p>
</form>
Pretty darn simple - but what I'd really like to be able to do is salt the password with a global salt and the username. Yes, I am aware that this isn't ideal but right now, I'm just building a proof-of-concept.
Can the container (GlassFish 3, in this case) do this for me, or do I have to write my own login filter? I've done it before (for J2EE applications) but my gut tells me that there's got to be a tighter way to do it now that I'm using Java EE 6.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
我感觉您正在寻找一种快速(并且可能很脏?)的方法来修改内置身份验证提供程序。
正确的方法是为新的 JASPIC API 实现您自己的 Java 身份验证服务提供程序 (JSR-196)。它比较费力,但这种方法允许您以任何您喜欢的方式滚动实现,并且它应该与任何 Java EE 6 应用程序服务器兼容。
对于带有密码加盐的基本身份验证方案,实现这样的提供程序应该非常简单。您必须考虑管理用户和密码,但一种解决方案可能是让您的提供商重复使用 Glassfish 身份验证领域中定义的用户,这样您只需自己管理自定义加盐密码。
有一个关于 WebSphere 的很好的教程,您应该能够适应 Glassfish 此处。
I get the feeling you're looking for a quick (& potentially dirty?) way to modify the build-in authentication provider.
The proper way to go is to implement your own Java Authentication Service Provider for the new JASPIC API (JSR-196). It is more laborious, but this method lets you roll your implementation any way you like it, and it should be compatible with any Java EE 6 application server.
For a basic authentication scheme with password salting, implementing such a provider should be pretty straightforward. You will have to think about managing users and passwords, but one solution could be to let your provider re-use the users defined in the Glassfish authentication realms, so that you only have to manage the custom salted passwords yourself.
There's a nice tutorial for WebSphere, which you should be able to adapt for Glassfish here.