
I created a JSF web application using container-managed authentication and authorization. I defined security constraints, security role(s), and the FORM log-in config; I provided the code below for how I defined all these parameters. Everything works fine; when the user tries to access "protected" web pages they are prompted to log in, and access is granted if successful or denied if it fails. Since the passwords are being stored as plaintext, the log-in functionality using container-managed authentication works fine when the users enter plain text passwords as well.

As you know, I cannot access/change/work-on the plain text passwords entered by the user using the FORM authentication method. But I want to hash+salt my passwords before saving, but then the log-in will not work since the users will enter plain text and the database will have a hashed+salted password. Is there a way to keep the container-managed authentication and authorization functionality and still hash+salt passwords, and if not, how can I? Since FORM authentication does not let me work with the password entered by the user, I can't hash+salt it before the comparison is made with the password saved in the database. If there's a book or blog I can read, please direct me. I have looked intensively throughout the web and have not found an answer I understood.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Administrator Area</web-resource-name>
        <url-pattern>/faces/administrator/*</url-pattern>
        <url-pattern>/administrator/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>ADMINISTRATOR</role-name>
    </auth-constraint>
</security-constraint>

<security-role>
    <role-name>ADMINISTRATOR</role-name>
</security-role>

The login config is as follows:

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>DataSourceRealm</realm-name>
    <form-login-config>
        <form-login-page>/faces/login.xhtml</form-login-page>
        <form-error-page>/faces/login.xhtml</form-error-page>
    </form-login-config>
</login-config>

The log-in page is as follows:

<form id="log_in_form" method="post" action="j_security_check">
    User name: <input type="text" name="j_username"/>
    Password:  <input type="password" name="j_password"/>
    <input type="submit" value="Login"/>
</form>
Immer Alexis
  • You can configure `realm` to use a [digest algorithm](http://stackoverflow.com/questions/22731036/password-encryption-algorithm-in-glassfish-4) (SHA-512, MD5 or others). I'm not sure how to add salt to this. – Geinmachi Mar 05 '16 at 21:37
  • Another thing you could do is to use the [`login`](http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#login%28java.lang.String,%20java.lang.String%29) method. Basically you get rid of `action="j_security_check"` (`j_username` and `j_password` are not needed either - you can now use JSF components if you wish to) and perform login programmatically. You bind login and password to a bean, then you can compute your hash with a salt and send this instead of the plain password. https://docs.oracle.com/javaee/6/tutorial/doc/glxce.html – Geinmachi Mar 05 '16 at 21:50
  • How is all this JSF related? The form page is plain HTML, the AA is container managed. This is not even Java related... Add the tag of your corresponding container (Tomcat, JBoss, whatever) and remove the JSF tag. – Kukeltje Mar 06 '16 at 16:40
  • Thank you Geinmachi; that is exactly what I needed. Originally I was under the impression that container-managed authentication and authorization could only be done using the j_security_check method whilst not being able to directly work with the username and password variables. Hello Kukeltje, thanks for your opinion. This application was created with JSF 2.0 on a Tomcat application container; I have also updated the tags. – Immer Alexis Mar 07 '16 at 22:01
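The programmatic login that Geinmachi's comment describes, written out as an added example (this is not code from the question or from any of the commenters): a JSF bean replaces the `j_security_check` form, fetches the user's salt, hashes the entered password with PBKDF2 and hands the result to `HttpServletRequest.login()`, so DataSourceRealm compares hashes instead of plaintext. It assumes a hypothetical `SaltRepository` that returns the per-user Base64 salt, that the realm's password column holds the same PBKDF2 output, and that the form fields are bound to `#{loginBean.username}` / `#{loginBean.password}` with a commandButton calling `#{loginBean.login}`.

```java
import java.security.GeneralSecurityException;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.enterprise.context.RequestScoped;
import javax.faces.application.FacesMessage;
import javax.faces.context.FacesContext;
import javax.inject.Inject;
import javax.inject.Named;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;

@Named
@RequestScoped
public class LoginBean {
    private String username;
    private String password;
    @Inject
    private SaltRepository saltRepository; // hypothetical: per-user salt lookup (Base64)

    public String login() {
        FacesContext ctx = FacesContext.getCurrentInstance();
        HttpServletRequest request = (HttpServletRequest) ctx.getExternalContext().getRequest();
        // The realm cannot supply the salt, so the bean fetches it; an unknown user gets a
        // fixed dummy salt so that path costs the same as a wrong password.
        String saltB64 = saltRepository.saltFor(username);
        byte[] salt = Base64.getDecoder().decode(saltB64 != null ? saltB64 : "ZHVtbXktc2FsdA==");
        String hashed = pbkdf2Base64(password, salt);
        try {
            // The container compares this value with the realm's password column;
            // the plaintext password never reaches DataSourceRealm.
            request.login(username, hashed);
            return "/administrator/index.xhtml?faces-redirect=true";
        } catch (ServletException e) {
            ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR, "Login failed", null));
            return null; // stay on login.xhtml
        }
    }

    // Must be the same function that produced the stored hash when the user was created.
    static String pbkdf2Base64(String password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, 100_000, 256);
            byte[] key = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
            return Base64.getEncoder().encodeToString(key);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public String getUsername() { return username; }
    public void setUsername(String u) { username = u; }
    public String getPassword() { return password; }
    public void setPassword(String p) { password = p; }
}
```

`HttpServletRequest.login()` needs Servlet 3.0 (Tomcat 7 or later); with this approach the realm's own digest setting must stay off, since the bean already submits the digest it expects to find in the database.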

0 Answers