My web application is relying on container-managed security and I'm wondering if it's possible to use salted passwords at all. As far as I can tell it's easy enough to store digested passwords in a database by just configuring a JDBC or DataSource Realm, but there's no way to add a salt to those digests.

Any suggestions?

Edit: it seems I just need to think some more before asking questions ;-)

It's just a matter of choosing who's doing the digest calculation (client or server) and configuring Tomcat accordingly.

A: 

Password-based encryption in JCE uses a salt as per PKCS#5. See http://java.sun.com/j2se/1.4.2/docs/guide/security/jce/JCERefGuide.html#PBEEx for an example.

mpez0
+1  A: 

If you're creating and storing the digests you can create and store the salts at the same time.

Your auth table would contain:

    ....
    pwdDigest varchar(64), -- or int256 if you have one
    hashSalt int64,
    ....

Then depending on the auth protocol you're using you either send the hashSalt to the client when you get the username for client side encryption or use it to hash the password if you receive it in clear.

I'm not familiar with the database access technologies you're talking about, so I apologise if I've missed the point and oversimplified the answer.

Bell
That's just Tomcat's lingo for looking up passwords in a database.
agnul
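The scheme described in the answer above (a per-user salt stored next to the digest, then either the server hashing the clear password it receives or the client hashing with a salt it fetched first), written out as an added Java example. This is not code from the question, the answers, or Tomcat itself: the class and method names (SaltedDigestStore, AuthRow, register, verifyClearPassword, saltFor, verifyClientDigest) are assumptions, an in-memory Map stands in for the JDBC auth table, and SHA-256 over salt || password is used as the digest because that is the kind of MessageDigest-based digest the realms discussed here support.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

/** Added example: salted digest storage and the two verification paths from the answer. */
public class SaltedDigestStore {

    /** One row of the hypothetical auth table: pwdDigest plus hashSalt. */
    static final class AuthRow {
        final byte[] hashSalt;
        final byte[] pwdDigest;
        AuthRow(byte[] hashSalt, byte[] pwdDigest) {
            this.hashSalt = hashSalt;
            this.pwdDigest = pwdDigest;
        }
    }

    /** Stands in for the JDBC/DataSource-backed auth table (assumption, not a Tomcat API). */
    private final Map<String, AuthRow> authTable = new HashMap<>();
    private final SecureRandom rng = new SecureRandom();
    /** Dummy salt so a lookup miss costs the same as a real verification (no timing oracle). */
    private final byte[] dummySalt = new byte[16];

    public SaltedDigestStore() {
        rng.nextBytes(dummySalt);
    }

    /** SHA-256(salt || password). The salt must be prepended on both client and server alike. */
    static byte[] digest(byte[] salt, String password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(salt);
            md.update(password.getBytes(StandardCharsets.UTF_8));
            return md.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    /** Create the salt and the digest at the same time, as the answer suggests. */
    public void register(String user, String password) {
        byte[] salt = new byte[16];          // 128-bit random salt per user
        rng.nextBytes(salt);
        authTable.put(user, new AuthRow(salt, digest(salt, password)));
    }

    /** Server-side path: the clear password arrived (over TLS); hash it with the stored salt. */
    public boolean verifyClearPassword(String user, String password) {
        AuthRow row = authTable.get(user);
        byte[] salt = row == null ? dummySalt : row.hashSalt;
        byte[] computed = digest(salt, password);          // always do the work
        byte[] expected = row == null ? new byte[computed.length] : row.pwdDigest;
        boolean match = MessageDigest.isEqual(expected, computed); // constant-time compare
        return row != null && match;
    }

    /** Client-side path, step 1: hand the client its salt once it has sent the username. */
    public byte[] saltFor(String user) {
        AuthRow row = authTable.get(user);
        // Returning null reveals that the user does not exist; a real deployment would
        // return a fake but stable salt for unknown users instead.
        return row == null ? null : row.hashSalt.clone();
    }

    /** Client-side path, step 2: the client sends digest(salt, password); compare directly. */
    public boolean verifyClientDigest(String user, byte[] clientDigest) {
        AuthRow row = authTable.get(user);
        if (row == null || clientDigest == null) {
            return false;
        }
        return MessageDigest.isEqual(row.pwdDigest, clientDigest);
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) {
            sb.append(String.format("%02x", x));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        SaltedDigestStore store = new SaltedDigestStore();
        store.register("alice", "correct horse");   // constructed sample user

        // Server-side digest of a clear password.
        System.out.println("clear ok:  " + store.verifyClearPassword("alice", "correct horse"));
        System.out.println("clear bad: " + store.verifyClearPassword("alice", "wrong"));
        System.out.println("no user:   " + store.verifyClearPassword("bob", "correct horse"));

        // Client-side digest: the client fetches the salt, hashes locally, sends the digest.
        byte[] salt = store.saltFor("alice");
        byte[] fromClient = digest(salt, "correct horse");
        System.out.println("salt:      " + hex(salt));
        System.out.println("client ok: " + store.verifyClientDigest("alice", fromClient));
    }
}
```

Two caveats worth keeping in mind when choosing between the two paths. With client-side digesting the value the client sends is itself a password-equivalent (anyone who captures or steals it can replay it), so it still has to travel over TLS and the table still needs protecting. And a single SHA-256 over salt and password, which is what the digest-configured realms of this era can do, resists rainbow tables but not brute force; for a new system a slow, salted KDF such as PBKDF2 (available in the JRE as PBKDF2WithHmacSHA256 via SecretKeyFactory) or bcrypt is the better choice for the server-side path.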
+1  A: 

Tomcat 5.5 and 6.0 don't support salted passwords in JDBCRealms and DataSourceRealms. It's a known bug, and the suggested patch seems to work fine, but it hasn't been accepted yet.

If you don't want to apply the patch you can at least use it as an implementation example:

Bug 45871 - Support for salted and digested passwords in DataSourceRealm

muriloq
+1 for finding my patch and posting a link. :)
Brandon DuRette
Useful stuff Brandon.
Wes