I created a GWT project which requires authentication. Initially, the users' passwords were in plain text, but now I would like to hash them with BCrypt. I searched but I cannot find a place describing how to make Jetty authenticate against a BCrypt hashed password.

I'm sending the password to the server using a FORM in plain text and over SSL. What do I need to do to make Jetty hash this password and compare it to the one in the database?

Thank you.

A: 

In JAAS, this is done by a LoginModule. The Jetty-specific JAAS tutorial (which I actually just glanced over) explains how you can implement your own and configure Jetty to use it.

As Igor already noted and explained in the post he linked to, the container session management alone won't be good enough to defend against XSRF. You can still use JAAS - but make sure that your server calls are additionally protected by a token that's not stored in a cookie.

I would personally use a different token than the one used in the cookie. This helps to protect a little bit against XSS (otherwise, you would defeat the purpose of httpOnly cookies).

Chris Lercher
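As an added illustration of the LoginModule approach described in this answer (example code, not from the answerer or the Jetty project), here is a minimal JAAS LoginModule that checks a form-submitted password against a stored bcrypt hash. It assumes the jBCrypt library (`org.mindrot.jbcrypt.BCrypt`); the `USERS` map is a constructed stand-in for the database table, and role assignment and Jetty wiring are left to the tutorial linked above.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import org.mindrot.jbcrypt.BCrypt;

// Hypothetical JAAS LoginModule that verifies a submitted password against a
// stored bcrypt hash. USERS is a constructed stand-in for the real user table.
public class BCryptLoginModule implements LoginModule {
    private static final Map<String, String> USERS =
        Map.of("alice", BCrypt.hashpw("correct horse", BCrypt.gensalt(12)));
    // Checked for unknown users so timing does not reveal whether a name exists.
    private static final String DUMMY_HASH = BCrypt.hashpw("dummy", BCrypt.gensalt(12));
    private Subject subject;
    private CallbackHandler handler;
    private String userName;
    private boolean authenticated;
    @Override public void initialize(Subject subject, CallbackHandler handler,
                                     Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject; this.handler = handler;
    }
    @Override public boolean login() throws LoginException {
        NameCallback nameCb = new NameCallback("username");
        PasswordCallback passCb = new PasswordCallback("password", false);
        try {
            handler.handle(new Callback[] { nameCb, passCb });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("callback failed: " + e.getMessage());
        }
        char[] pw = passCb.getPassword();
        passCb.clearPassword();
        if (pw == null) throw new FailedLoginException("no password supplied");
        String stored = USERS.get(nameCb.getName());
        // checkpw re-hashes the input with the salt and cost embedded in the stored hash.
        boolean ok = BCrypt.checkpw(new String(pw), stored != null ? stored : DUMMY_HASH);
        if (!ok || stored == null) throw new FailedLoginException("bad credentials");
        userName = nameCb.getName(); authenticated = true;
        return true;
    }
    @Override public boolean commit() {
        if (authenticated) subject.getPrincipals().add((Principal) () -> userName);
        return authenticated;
    }
    @Override public boolean abort()  { authenticated = false; return true; }
    @Override public boolean logout() { subject.getPrincipals().clear(); return true; }
}
```

When migrating existing plain-text passwords, store `BCrypt.hashpw(plain, BCrypt.gensalt(12))` for each user; the module above never needs the plain text again, only the stored hash.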