Issue Details

Type: Improvement
Status: Open
Priority: Major
Assignee: raharsha
Reporter: ananner
Votes: 1
Watchers: 0

JDBCRealm should allow for salting hashed passwords

Created: 24/Nov/06 07:22 AM   Updated: 28/Aug/13 12:58 PM
Component/s: security
Affects Version/s: 9.1pe
Fix Version/s: not determined

Time Tracking: Not Specified

Operating System: Windows XP
Platform: PC

Issuezilla Id: 1,577
Participants: ananner, raharsha, Shing Wai Chan, tmpsa and Tom Mueller

Description

The JDBCRealm allows for the hashing of passwords, but it does not currently
allow for the passwords to be salted before they are hashed. There should be a
mechanism that allows for salted, hashed passwords.

WebLogic 9.2 uses a hidden salt that is added to hashed passwords. I believe
that the JBoss mechanism is better: it uses a callback to a custom class (that
can be a custom class created by the user), and this custom callback is
responsible for adding a salt to the password before it is hashed.

No work has yet been logged on this issue.
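
The mechanism requested in the description, sketched as an added example (not GlassFish, JBoss or WebLogic code): a per-user random salt is passed through a callback before hashing and stored beside the digest. `SaltCallback`, `enroll`, `verify` and the `salt$hash` column format are hypothetical names and assumptions, and SHA-256 stands in for whatever digest the realm is configured with.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

public class SaltedRealmSketch {
    /** Hypothetical callback: decides how salt and password are combined before hashing. */
    interface SaltCallback {
        byte[] apply(byte[] salt, byte[] password);
    }

    // One possible callback: salt bytes prepended to the password bytes.
    static final SaltCallback PREPEND = (salt, pw) -> {
        byte[] out = new byte[salt.length + pw.length];
        System.arraycopy(salt, 0, out, 0, salt.length);
        System.arraycopy(pw, 0, out, salt.length, pw.length);
        return out;
    };

    static byte[] digest(SaltCallback cb, byte[] salt, String password) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        return md.digest(cb.apply(salt, password.getBytes(StandardCharsets.UTF_8)));
    }

    /** Builds the value for the password column: base64(salt) + "$" + base64(hash). */
    static String enroll(SaltCallback cb, String password) throws NoSuchAlgorithmException {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt); // fresh random salt per user
        Base64.Encoder enc = Base64.getEncoder();
        return enc.encodeToString(salt) + "$" + enc.encodeToString(digest(cb, salt, password));
    }

    /** Recomputes the hash with the stored salt and compares in constant time. */
    static boolean verify(SaltCallback cb, String stored, String candidate) throws NoSuchAlgorithmException {
        String[] parts = stored.split("\\$"); // '$' is not in the base64 alphabet
        if (parts.length != 2) return false;
        byte[] salt = Base64.getDecoder().decode(parts[0]);
        byte[] expected = Base64.getDecoder().decode(parts[1]);
        return MessageDigest.isEqual(expected, digest(cb, salt, candidate));
    }

    public static void main(String[] args) throws Exception {
        String a = enroll(PREPEND, "s3cret-constructed"); // constructed sample password
        String b = enroll(PREPEND, "s3cret-constructed");
        System.out.println("same password, distinct stored values: " + !a.equals(b));
        System.out.println("correct password verifies: " + verify(PREPEND, a, "s3cret-constructed"));
        System.out.println("wrong password verifies: " + verify(PREPEND, a, "wrong"));
    }
}
```

For stored passwords, a slow key-derivation function such as `PBKDF2WithHmacSHA256` from `javax.crypto.SecretKeyFactory` resists offline guessing better than one digest pass; the salt handling stays the same.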