3

Right now I am using j security check and md5 to authenticate my jsp pages. I would like to salt the password before I store it into the database. Due to restricted access at school, I do not have rights to create a trigger to inject some salt. Is there any other way to do this?

here is my realm:

<Realm 
    className="org.apache.catalina.realm.JDBCRealm" 
    driverName="com.mysql.jdbc.Driver" 
    connectionURL="jdbc:mysql://someurl"
    connectionName="name" 
    connectionPassword="password" 
    userTable="name.users" 
    userNameCol="user_name" 
    userCredCol="user_password" 
    userRoleTable="name.users"
    roleNameCol="role"
    digest="MD5"
    />
erickson
segFault
  • What do you mean you are using `j_security_check`? You mean you are using container managed authentication? What server are you using? How is authentication configured for this application? – erickson Mar 29 '12 at 01:57
  • I am making a jsp app and using a glassfish v.7 server running it. So I set up my login pages whose actions are j_security_check and then I placed security constraints around my servlets. – segFault Mar 29 '12 at 02:29
  • Can you configure the "realm" that is used for your application? Or do you at least know what realm is in use? – erickson Mar 29 '12 at 03:18
  • I added the realm to original question. – segFault Mar 29 '12 at 03:22
  • Okay, did you mean Tomcat 7.0, or Glassfish? – erickson Mar 29 '12 at 03:32
  • It is a little odd that the folks at Tomcat did not consider salts or iterations which are both pretty commonplace. – VH-NZZ May 26 '14 at 17:10

2 Answers

1

Quickly said: "No, you can't. At least, not simply."

In fact, digests are handled by the public static final Digest(String credentials, String algorithm, String encoding) method in the org.apache.catalina.realm.RealmBase class, from which your JDBCRealm class inherits. This Digest method directly calls a MessageDigest instance, which can be used only with "MD5", "SHA-1" and "MD2", I think. So you can't do anything to your password before or after applying your MD5 algorithm.

But, you can implement a provider to have the algorithm you want. But I warn you, that's not so simple.

And by the way, I'd personally prefer to have a SHA-1 hashed password than an MD5 one, even if it's salted :-)

Grooveek
  • The salted digest should return different values for the same password. Hence, the standard implementation of the JDBCRealm cannot work, because it compares results of the `digest` function during authn. – kan Apr 04 '12 at 12:20
1

I think that the only way is to make your own implementation of a few functions (overriding JDBCRealm's methods), such as authenticate.

kan
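Both answers point the same way: since the stock JDBCRealm only runs an unsalted MessageDigest over the submitted password, salting has to happen in your own Realm subclass and in the code that creates accounts, not in a database trigger. The class below is an added illustration (not code from the question, the answers, or Tomcat itself) of that idea. It stores the salt and the PBKDF2-derived hash together in the existing user_password column as "iterations$salt$hash", so no schema change or trigger is needed, and it overrides JDBCRealm.authenticate to verify the salted value instead of comparing digests. Assumptions: Tomcat 7's JDBCRealm exposes the protected getPassword(username) and getPrincipal(username) helpers used here (hypothetical if your version differs), and Java 8's java.util.Base64 is available; the hashForStorage method is meant to be called from your own registration servlet, and the iteration count, salt length and key length are arbitrary choices for the example. Tomcat 8 and later ship a CredentialHandler mechanism that supports salted, iterated hashes in the realm configuration, which is the preferred route on those versions.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.Principal;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import org.apache.catalina.realm.JDBCRealm;

/**
 * Example realm (not Tomcat's own code): keeps JDBCRealm's JDBC lookup of the
 * user table but verifies a salted PBKDF2 credential instead of a bare digest.
 * The stored credential format is "iterations$base64(salt)$base64(hash)".
 */
public class SaltedJDBCRealm extends JDBCRealm {

    // Example parameters; chosen for illustration, not taken from the page.
    private static final int ITERATIONS = 10000;
    private static final int KEY_BITS = 256;
    private static final int SALT_BYTES = 16;

    /** Called by your own account-creation code before the INSERT into the user table. */
    public static String hashForStorage(String password) {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);           // fresh random salt per account
        byte[] dk = pbkdf2(password.toCharArray(), salt, ITERATIONS, KEY_BITS);
        Base64.Encoder enc = Base64.getEncoder();
        return ITERATIONS + "$" + enc.encodeToString(salt) + "$" + enc.encodeToString(dk);
    }

    /** Re-derives the hash from the submitted password and the stored salt, then compares in constant time. */
    public static boolean verify(String password, String stored) {
        if (password == null || stored == null) {
            return false;
        }
        String[] parts = stored.split("\\$");
        if (parts.length != 3) {
            return false;                             // malformed or legacy unsalted value
        }
        int iterations;
        byte[] salt;
        byte[] expected;
        try {
            iterations = Integer.parseInt(parts[0]);
            salt = Base64.getDecoder().decode(parts[1]);
            expected = Base64.getDecoder().decode(parts[2]);
        } catch (IllegalArgumentException e) {         // covers NumberFormatException and bad Base64
            return false;
        }
        byte[] actual = pbkdf2(password.toCharArray(), salt, iterations, expected.length * 8);
        return MessageDigest.isEqual(expected, actual); // constant-time comparison
    }

    private static byte[] pbkdf2(char[] password, byte[] salt, int iterations, int keyBits) {
        try {
            KeySpec spec = new PBEKeySpec(password, salt, iterations, keyBits);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2 not available in this JVM", e);
        }
    }

    /**
     * Assumed Tomcat 7 hook: JDBCRealm.getPassword(username) returns the raw value of
     * userCredCol and getPrincipal(username) builds the Principal with its roles.
     */
    @Override
    public synchronized Principal authenticate(String username, String credentials) {
        String stored = getPassword(username);
        if (stored == null || !verify(credentials, stored)) {
            return null;                              // unknown user or wrong password
        }
        return getPrincipal(username);
    }
}
```

To use it, point the realm at this class (className="SaltedJDBCRealm", with its package prefix) and drop the digest="MD5" attribute, since the subclass now owns hashing; the other JDBC attributes from the question stay as they are. Existing accounts whose user_password holds a plain MD5 hex string will fail verify() because the value has no "$" separators, so they need to be re-hashed through hashForStorage at next password change.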