Question

Right now I am using j_security_check and MD5 to authenticate my JSP pages. I would like to salt the password before I store it into the database. Due to restricted access at school, I do not have rights to create a trigger to inject some salt. Is there any other way to do this?

Here is my realm:

<Realm 
    className="org.apache.catalina.realm.JDBCRealm" 
    driverName="com.mysql.jdbc.Driver" 
    connectionURL="jdbc:mysql://someurl"
    connectionName="name" 
    connectionPassword="password" 
    userTable="name.users" 
    userNameCol="user_name" 
    userCredCol="user_password" 
    userRoleTable="name.users"
    roleNameCol="role"
    digest="MD5"
    />

Solution

Quickly said: "No, you can't. At least, not simply."

In fact, digests are handled by the public static final Digest(String credentials, String algorithm, String encoding) method in the org.apache.catalina.realm.RealmBase class, from which your JDBCRealm class inherits. This Digest method directly calls a MessageDigest instance, which can be used only with "MD5", "SHA-1" and "MD2", I think. So, you can't do anything to your password before or after applying your MD5 algorithm.

But, you can implement a provider to have the algorithm you want. But I warn you, that's not so simple.

And by the way, I'd personally prefer to have a SHA-1 hashed password than an MD5 one, even if it's salted :-)

Other tips

I think that the only way is to make your own implementation of a few functions (overriding JDBCRealm's methods) such as authenticate.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow