The JDBCRealm allows for the hashing of passwords, but it does not currently
allow for the passwords to be salted before they are hashed. There should be a
mechanism that allows for salted, hashed passwords.
WebLogic 9.2 uses a hidden salt that is added to hashed passwords. I believe
that the JBoss mechanism is better: it uses a callback to a custom class (that
can be a custom class created by the user), and this custom callback is
responsible for adding a salt to the password before it is hashed.
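
The callback arrangement requested above, sketched as an added example; this is not code from the report, from Tomcat, or from JBoss. The `SaltCallback` interface, the class and method names, the choice of SHA-256, and the sample users are all assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public class SaltedDigestDemo {
    /** Hypothetical callback: returns the salt to mix in before hashing. */
    interface SaltCallback {
        byte[] saltFor(String username);
    }

    static byte[] digest(byte[] salt, String password) throws NoSuchAlgorithmException {
        // SHA-256 is an assumption; a deployment would prefer a slow KDF such as PBKDF2.
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(salt); // salt first, then the password bytes
        return md.digest(password.getBytes(StandardCharsets.UTF_8));
    }

    static boolean verify(SaltCallback cb, String user, String candidate, byte[] stored)
            throws NoSuchAlgorithmException {
        // MessageDigest.isEqual compares in constant time.
        return MessageDigest.isEqual(digest(cb.saltFor(user), candidate), stored);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed sample data: two users who chose the same password.
        String password = "correct horse battery staple";
        SecureRandom rng = new SecureRandom();
        Map<String, byte[]> salts = new HashMap<>();
        for (String user : new String[] {"alice", "bob"}) {
            byte[] salt = new byte[16];
            rng.nextBytes(salt);
            salts.put(user, salt);
        }
        SaltCallback cb = salts::get; // stands in for a user-supplied class
        Base64.Encoder b64 = Base64.getEncoder();
        // Unsalted digests are identical for identical passwords, so stored rows reveal reuse.
        System.out.println("unsalted: " + b64.encodeToString(digest(new byte[0], password)));
        for (String user : salts.keySet()) {
            byte[] stored = digest(cb.saltFor(user), password);
            System.out.println(user + " salted: " + b64.encodeToString(stored)
                    + " ok=" + verify(cb, user, password, stored)
                    + " wrong=" + verify(cb, user, "guess", stored));
        }
    }
}
```

With a per-user salt the two stored values differ even though the passwords match, and the salt has to be stored or derivable so the callback can return the same bytes at login.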