geronimo-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Aaron Mulder" <>
Subject Re: Can I hash my passwords
Date Fri, 07 Apr 2006 13:09:05 GMT
On 4/7/06, Rohit Rai <> wrote:
> Thanks Aaron for the reply.
> By your reply I understand that I'll have to modify the server code itself.
> But that is not possible.

No, not in the server code really.  You need to make a custom JAAS
LoginModule, which is part of a security realm.  It would work with
any app server supporting JAAS (and most of them do).  I was
suggesting you copy one of ours to start with since that would save
you 95% of the code, but you could create one from scratch if you
wanted to.

> Am trying to find a work around in my application code.

Well, for a strictly application solution, your application could hash
the password before submitting it to the security realm, and then the
security realm could contain the hashed passwords, so as far as the
security realm was concerned the hashed passwords would be the "real"
passwords, but your application would know better.  I think I can dig
up an example of this if you like (IIRC it uses form based login, and
the form doesn't submit to j_security_check, but instead to a servlet
that hashes the password and redirects with the username and hashed
password to j_security_check).

> Will keep you people updated.
> Will be glad to see it as a regular feature in Geronimo.
> How do I join Geronimo Jira?

Go to
and click the "Log In" link and I believe the screen there has a link
to sign up for an account.


View raw message