GLASSFISH-1577

JDBCRealm should allow for salting hashed passwords

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 9.1pe
    • Fix Version/s: not determined
    • Component/s: security
    • Labels:
      None
    • Environment:

      Operating System: Windows XP
      Platform: PC

    • Issuezilla Id:
      1,577

      Description

      The JDBCRealm allows for the hashing of passwords, but it does not currently
      allow for the passwords to be salted before they are hashed. There should be a
      mechanism that allows for salted, hashed passwords.

      WebLogic 9.2 uses a hidden salt that is added to hashed passwords. I believe
      that the JBoss mechanism is better: it uses a callback to a custom class (that
      can be a custom class created by the user), and this custom callback is
      responsible for adding a salt to the password before it is hashed.
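
A sketch of the callback approach the description asks for, added here as an illustration and not code from GlassFish, JBoss or the reporter. The `PasswordSalter` interface and every class and method name are hypothetical, and SHA-256 stands in for whatever digest the realm is configured with.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;

public class SaltedRealmSketch {
    /** Hypothetical callback: the realm would invoke it before hashing. */
    interface PasswordSalter {
        byte[] apply(byte[] userSalt, char[] password);
    }

    /** Prepends the user's stored salt to the UTF-8 password bytes. */
    static final PasswordSalter PREPEND = (userSalt, password) -> {
        byte[] pw = new String(password).getBytes(StandardCharsets.UTF_8);
        byte[] out = Arrays.copyOf(userSalt, userSalt.length + pw.length);
        System.arraycopy(pw, 0, out, userSalt.length, pw.length);
        return out;
    };

    /** Behaviour the issue describes: the password is hashed with no salt. */
    static final PasswordSalter NONE =
        (userSalt, password) -> new String(password).getBytes(StandardCharsets.UTF_8);

    static byte[] newSalt() {
        byte[] salt = new byte[16];          // random, stored next to the hash
        new SecureRandom().nextBytes(salt);
        return salt;
    }

    static byte[] hash(PasswordSalter s, byte[] salt, char[] pw) throws Exception {
        // A single fast digest mirrors the scheme in the issue; a slow KDF
        // such as PBKDF2 resists offline guessing better.
        return MessageDigest.getInstance("SHA-256").digest(s.apply(salt, pw));
    }

    static boolean verify(PasswordSalter s, byte[] salt, byte[] stored, char[] attempt)
            throws Exception {
        return MessageDigest.isEqual(stored, hash(s, salt, attempt)); // constant-time compare
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "correct horse".toCharArray();   // constructed sample password
        byte[] saltA = newSalt(), saltB = newSalt(); // one salt per user row
        System.out.println("unsalted rows equal: "
            + Arrays.equals(hash(NONE, saltA, pw), hash(NONE, saltB, pw)));
        System.out.println("salted rows equal:   "
            + Arrays.equals(hash(PREPEND, saltA, pw), hash(PREPEND, saltB, pw)));
        System.out.println("login ok: " + verify(PREPEND, saltA, hash(PREPEND, saltA, pw), pw));
    }
}
```

Two users who share a password produce identical unsalted digests, which is what lets one precomputed table or one cracked entry expose every matching row in a stolen table; with a per-user salt the rows differ.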

        Activity

        tmpsa added a comment -

        With the steady flow of stories about stolen password files (even at reputable service providers), this issue is becoming increasingly critical.

        Salted password hashes have been standard tech for a very long time. GlassFish should provide this trivial functionality out-of-the-box.

        Please upgrade the priority and assign a target version for this issue.

        Tom Mueller added a comment -

        Bulk update to change fix version to "not determined" for all issues still open but with a fix version for a released version.

        Shing Wai Chan added a comment -

        reassign


          People

          • Assignee:
            raharsha
            Reporter:
            ananner
          • Votes:
            1
            Watchers:
            0
