Using bcrypt in a Glassfish 3.0 security realm
I'm currently in the process of changing the password handling in a web application from unsalted MD5 to bcrypt. It's a standard JSF application, running on Glassfish 3.0.1.
Using jBCrypt made creating and storing the hashes pretty easy. But now I don't know how to use bcrypt in the actual authentication when the user logs in. Since it's JSF, the login is being triggered using the HttpServletRequest#login method and the rest is being handled by the Java EE stack and Glassfish.
Simply setting the security realms digest algorithm to "none" and then hashing the password before passing it the login method wouldn't work, because I don't have the generated salt jBCrypt originally used when creating the hash. I've also though about providing a custom security realm implementation, but that seems a lot work for such a small change.
Is there a simpler solution? Or has someone already implemented similar security realm?
实现登录模块应该足够了,并将身份验证委托给底层领域。
链接地址: http://www.djcxy.com/p/49112.html