Using MD5 and salt with j_security_check

I am currently using j_security_check and MD5 to authenticate my JSP pages. I would like to salt the password before storing it in the database. Due to limited access at school, I do not have permission to create a trigger for salt injection. Is there any other way to do this?

Here is my realm:

<Realm 
    className="org.apache.catalina.realm.JDBCRealm" 
    driverName="com.mysql.jdbc.Driver" 
    connectionURL="jdbc:mysql://someurl"
    connectionName="name" 
    connectionPassword="password" 
    userTable="name.users" 
    userNameCol="user_name" 
    userCredCol="user_password" 
    userRoleTable="name.users"
    roleNameCol="role"
    digest="MD5"
    />

2 answers


Briefly: "No, you can't. At least not easily."

In fact, digests are processed by the method public static final Digest(String credentials, String algorithm, String encoding) in the class org.apache.catalina.realm.RealmBase, from which your JDBCRealm class inherits. This Digest method directly calls the MessageDigest instance, which can only be used with "MD5", "SHA-1" and "MD2", I think. So you cannot do anything with your password before or after applying the MD5 algorithm.



But you can implement a provider to have the required algorithm. But I warn you that it is not so easy.

And by the way, I personally prefer to have a SHA-1 hashed password rather than MD5, even if it's salted :-)


I think the only way is to make your own implementation of multiple functions (overriding JDBCRealm methods) such as authenticate.