Question

I was just running through a few basic tutorials on using JAAS in web applications.

I got everything setup fine but noticed that the j_password parameter is sent from the client browser in clear text.

Is there a way to make JAAS hash this value before sending it?

My application is running on Tomcat 7, so I don't know if this could be achieved through some server-specific setting or via some web app setting?


Solution

Have a look at The definitive guide to form-based website authentication

In short: Client-side password hashing requires JavaScript on the client; there is no such standard if you use form-based authentication that you can simply enable on the server. In any case, make sure your connection is encrypted (HTTP over SSL). Then it is less/not important to hash passwords on client side.
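To make the "encrypt the connection" part concrete for the Tomcat 7 setup in the question, here is an added web.xml example (not from the question or the answer) that declares form-based login and forces TLS for the whole application, so the login form and the j_password POST to j_security_check never travel in clear text. It assumes an HTTPS connector is configured in server.xml and that the HTTP connector's redirectPort points at it; the page paths, realm name and role name are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- web.xml for a Servlet 3.0 application deployed on Tomcat 7 (example, not from the page) -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <!-- Form-based login: the browser POSTs j_username and j_password to j_security_check -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>example-realm</realm-name>          <!-- placeholder -->
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>  <!-- placeholder path -->
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Constraint 1: no auth-constraint, only a transport guarantee. CONFIDENTIAL makes the
       container redirect any plain-HTTP request (including the login page itself) to HTTPS
       via the connector's redirectPort before the form is ever shown or submitted. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire application over TLS</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Constraint 2: the area that actually requires a logged-in user -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>           <!-- placeholder path -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>                    <!-- placeholder role -->
    </auth-constraint>
  </security-constraint>

  <security-role>
    <role-name>user</role-name>
  </security-role>

  <!-- Mark the session cookie Secure so the authenticated JSESSIONID is also never sent over plain HTTP -->
  <session-config>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
  </session-config>
</web-app>
```

Without the first constraint, only requests to /secure/* are redirected to HTTPS; a user who opens /login.jsp directly over HTTP would still submit the form in clear text.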

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow