GLASSFISH-1577

JDBCRealm should allow for salting hashed passwords

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 9.1pe
    • Fix Version/s: not determined
    • Component/s: security
    • Labels:
      None
    • Environment:

      Operating System: Windows XP
      Platform: PC

    • Issuezilla Id:
      1,577

      Description

      The JDBCRealm allows for the hashing of passwords, but it does not currently
      allow for the passwords to be salted before they are hashed. There should be a
      mechanism that allows for salted, hashed passwords.

      WebLogic 9.2 uses a hidden salt that is added to hashed passwords. I believe
      that the JBoss mechanism is better: it uses a callback to a custom class (that
      can be a custom class created by the user), and this custom callback is
      responsible for adding a salt to the password before it is hashed.

        Activity

        No work has yet been logged on this issue.

          People

          • Assignee:
            raharsha
            Reporter:
            ananner
          • Votes:
            1
            Watchers:
            0

            Dates

            • Created:
              Updated:
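
The salting requested in this issue, as an added example that is not GlassFish, WebLogic or JBoss code: a callback supplies a per-user salt that is hashed together with the password, shown next to the unsalted case. The `SaltCallback` interface, the class name, the choice of SHA-256 and the in-memory map standing in for a salt column are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public class SaltedDigestExample {
    /** Hypothetical callback: returns the salt to mix in before hashing. */
    interface SaltCallback { byte[] saltFor(String username); }

    /** SHA-256 over salt || password; an empty salt is a plain unsalted hash. */
    static byte[] hash(byte[] salt, String password) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(salt);
        return md.digest(password.getBytes(StandardCharsets.UTF_8));
    }

    /** Recompute with the user's stored salt and compare in constant time. */
    static boolean verify(SaltCallback cb, String user, String candidate, byte[] stored) throws Exception {
        return MessageDigest.isEqual(hash(cb.saltFor(user), candidate), stored);
    }

    public static void main(String[] args) throws Exception {
        String pw = "Tr0ub4dor&3"; // constructed sample password shared by two users
        Base64.Encoder b64 = Base64.getEncoder();

        // Unsalted: both rows hold the same digest, so password reuse is visible in the table.
        SaltCallback noSalt = user -> new byte[0];
        System.out.println("unsalted alice: " + b64.encodeToString(hash(noSalt.saltFor("alice"), pw)));
        System.out.println("unsalted bob:   " + b64.encodeToString(hash(noSalt.saltFor("bob"), pw)));

        // Salted: 16 random bytes per user, kept in a map standing in for a salt column.
        SecureRandom rng = new SecureRandom();
        Map<String, byte[]> saltColumn = new HashMap<>();
        SaltCallback perUser = user -> saltColumn.computeIfAbsent(user, u -> {
            byte[] s = new byte[16];
            rng.nextBytes(s);
            return s;
        });
        byte[] alice = hash(perUser.saltFor("alice"), pw);
        byte[] bob = hash(perUser.saltFor("bob"), pw);
        System.out.println("salted alice:   " + b64.encodeToString(alice));
        System.out.println("salted bob:     " + b64.encodeToString(bob));
        System.out.println("verify alice:   " + verify(perUser, "alice", pw, alice));
        System.out.println("wrong password: " + verify(perUser, "alice", "guess", alice));
    }
}
```

A per-user salt makes precomputed digest tables useless and hides shared passwords across rows; it does not slow down guessing against a single row.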