
I created a GWT project which requires authentication. Initially, the users' passwords were in plain text, but now I would like to hash them with BCrypt. I searched but I cannot find a place describing how to make Jetty authenticate against a BCrypt hashed password.

I'm sending the password to the server using a FORM in plain text and over SSL. What do I need to do to make Jetty hash this password and compare it to the one in the database?

Thank you;

dubreakkk
  • If I understood correctly, you want (or rather, already have) Jetty to handle session/user management - you might however want to look into writing the authentication part in your application - see this question: http://stackoverflow.com/questions/2974100/question-on-gwt-cookies-and-webpage-directing. It should give you the greatest flexibility (no problem with integrating BCrypt) and security (session management via the container is usually susceptible to an XSRF attack). In general, it's discouraged - do a search on GWT's Google Group for `"session management"`, but of course YMMV :) – Igor Klimer Jun 15 '10 at 18:26


In JAAS, this is done by a LoginModule. The Jetty-specific JAAS tutorial (which I actually just glanced over) explains how you can implement your own, and configure Jetty to use it.

As Igor already noted and explained in the post he linked to, the container session management alone won't be good enough to defend against XSRF. You can still use JAAS - but make sure that your server calls are additionally protected by a token that's not stored in a cookie.

I would personally use a different token than the one used in the cookie. This helps to protect a little bit against XSS (otherwise, you would defeat the purpose of httpOnly cookies).

Chris Lercher
  • This is a question late after this post but you were saying that JAAS wasn't enough to protect a website. Is it still the case? It's for a JSF project. – Ced Jun 25 '15 at 20:50
  • Also the tutorial you linked is down. I'm planning to implement bcrypt for JAAS and it's difficult to find how to. – Ced Jun 25 '15 at 20:51