How would you implement salted passwords in Tomcat 5.5

Time: 2022-12-09 12:03:41

My web application is relying on container-managed security and I'm wondering if it's possible to use salted passwords at all. As far as I can tell it's easy enough to store digested passwords in a database by just configuring a JDBC or DataSource Realm, but there's no way to add a salt to those digests.

Any suggestions?

Edit: it seems I just need to think some more before asking questions ;-)

It's just a matter of choosing who's doing the digest calculation (client or server) and configure Tomcat accordingly.

3 solutions

#1


2  

If you're creating and storing the digests you can create and store the salts at the same time.

Your auth table would contain

    ....
    pwdDigest varchar(64), -- or int256 if you have one
    hashSalt int64,
    ....

Then depending on the auth protocol you're using you either send the hashSalt to the client when you get the username for client-side encryption, or use it to hash the password if you receive it in clear.

I'm not familiar with the database access technologies you're talking about, so I apologise if I've missed the point and oversimplified the answer.

#2


2  

Tomcat 5.5 and 6.0 don't support salted passwords in JDBCRealms and DataSourceRealms. It's a known bug, and the suggested patch seems to work fine, but it wasn't accepted yet.

If you don't want to apply the patch you can at least use it as an implementation example:

Bug 45871 - Support for salted and digested patches in DataSourceRealm

#3


0  

Password-based encryption in JCE uses salt as per PKCS#5. See http://java.sun.com/j2se/1.4.2/docs/guide/security/jce/JCERefGuide.html#PBEEx for an example.
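The scheme answers #1 and #3 sketch (a random per-user salt stored next to the digest, the digest derived with the PKCS#5 PBKDF2 construction, and the server doing the comparison) as an added example that is not from the original thread and is not Tomcat code: a small Python model of the auth table backed by an in-memory sqlite3 database. The table and column names, the 16-byte salt, SHA-256 and the iteration count are assumptions chosen for illustration; a Tomcat realm would do the same work in Java against the real DataSource.

```python
import hashlib
import hmac
import os
import sqlite3

# PBKDF2 (PKCS#5) parameters. These values are assumptions for the example;
# tune the iteration count to what your hardware tolerates per login.
HASH_NAME = "sha256"
ITERATIONS = 100_000
SALT_BYTES = 16


def derive(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted digest via PBKDF2-HMAC, the PKCS#5 construction answer #3 points at."""
    return hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)


def create_schema(conn: sqlite3.Connection) -> None:
    # Mirrors the auth table sketched in answer #1: the digest plus a per-user
    # salt. Column names and the iteration column are assumptions.
    conn.execute(
        """CREATE TABLE users (
               user_name  TEXT PRIMARY KEY,
               pwd_digest BLOB    NOT NULL,  -- 32 bytes for sha256
               hash_salt  BLOB    NOT NULL,  -- 16 random bytes
               iterations INTEGER NOT NULL   -- lets you raise the cost later
           )"""
    )


def add_user(conn: sqlite3.Connection, username: str, password: str) -> None:
    # A fresh random salt per user, generated when the digest is created.
    salt = os.urandom(SALT_BYTES)
    conn.execute(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        (username, derive(password, salt), salt, ITERATIONS),
    )


# Salt for the "user does not exist" path, so an unknown name costs the same
# as a wrong password and timing does not reveal which usernames are valid.
_DUMMY_SALT = os.urandom(SALT_BYTES)


def authenticate(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Server-side check: the password arrives in clear (over TLS) and is hashed here."""
    row = conn.execute(
        "SELECT pwd_digest, hash_salt, iterations FROM users WHERE user_name = ?",
        (username,),
    ).fetchone()
    if row is None:
        derive(password, _DUMMY_SALT)  # burn the same work, then fail
        return False
    stored, salt, iterations = row
    # Constant-time comparison of the recomputed digest with the stored one.
    return hmac.compare_digest(derive(password, salt, iterations), stored)


def demo() -> dict:
    """Constructed sample data: two users sharing a password."""
    conn = sqlite3.connect(":memory:")
    create_schema(conn)
    add_user(conn, "alice", "correct horse")
    add_user(conn, "bob", "correct horse")  # same password as alice
    digest_a = conn.execute(
        "SELECT pwd_digest FROM users WHERE user_name = 'alice'").fetchone()[0]
    digest_b = conn.execute(
        "SELECT pwd_digest FROM users WHERE user_name = 'bob'").fetchone()[0]
    return {
        "alice_ok": authenticate(conn, "alice", "correct horse"),
        "alice_wrong": authenticate(conn, "alice", "Correct horse"),
        "unknown_user": authenticate(conn, "mallory", "correct horse"),
        # The salt is what makes identical passwords produce different digests.
        "same_password_different_digests": digest_a != digest_b,
    }


if __name__ == "__main__":
    print(demo())
```

Because the salt is random per user, identical passwords no longer share a digest, so a single precomputed table cannot be reused across accounts. Note that the stock JDBCRealm and DataSourceRealm compare `digest(credentials)` against one stored column and never see the salt, which is exactly the gap answer #2 describes; this logic has to live in a custom Realm (or in the patched one) rather than in realm configuration alone.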
