On Mon, May 6, 2013 at 11:52 AM, Tania Marinova <taniamm2...@yahoo.com> wrote:
>
> Hello, I've made an Axis2 web service which stores the user's hashed
> password in a database.
> So it's obvious that I should add some kind of security to my web service,
> so I use Rampart!
>
> But it's written that in a real application, you'd naturally want to use
> some other mechanism (such as a database or an external security mechanism)
> to verify the username and password combination.
> So it seems that I can't understand how to make the implementation - so I
> will hash the password with a salt and store it in a database, and then I
> don't know what to do next.
> Could you recommend the steps?
>
> So you will see that in my request from JavaScript the password is also
> seen, so it seems that this should also be changed!
> Thank you in advance!
<snip>
From your other post I sense you could be using a higher-level API to do your hashing, comparisons and Base64 handling. Also, just store the digest, not the salt, in the DB. I use Jasypt, which makes the issue easy to solve correctly.

To hash, store this 'digest' value in the DB in the password column, as it's already encoded to Base64 - do not store the salt in the DB:

    import org.jasypt.digest.StandardStringDigester;

    StandardStringDigester digester = new StandardStringDigester();
    digester.setAlgorithm("SHA-1");   // optionally set the algorithm
    digester.setIterations(2500);
    digester.setSaltSizeBytes(32);
    String digest = digester.digest(password);   // Base64 string; Jasypt prepends the salt to it

Then retrieve that digest from the DB as dbDigest, and compare with the user-supplied value:

    if (!digester.matches(userPassword, dbDigest)) {
        throw new Exception("incorrect password");
    }

- R
---------------------------------------------------------------------
To unsubscribe, e-mail: java-user-unsubscr...@axis.apache.org
For additional commands, e-mail: java-user-h...@axis.apache.org
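The reason R's advice to store only the digest works is that Jasypt's StandardStringDigester prepends the random salt to the hash before Base64-encoding, so the stored string already carries the salt that matches() needs to recompute the hash. The following is an added example, written for this page and not code from R's reply or from Jasypt, that reimplements that scheme with the JDK alone so the mechanism is visible: fresh salt per password, iterated hashing, salt || hash stored as one Base64 string, and a constant-time comparison on verification. It assumes SHA-256 with 2500 iterations and a 32-byte salt (the algorithm is a choice made here, not taken from the thread); the class name SaltedDigest and the sample passwords are made up for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

/**
 * Salted, iterated password digest with the salt prepended to the hash,
 * so a single Base64 string is all that goes in the password column.
 * Illustrative reimplementation of the scheme discussed above; not Jasypt's code.
 */
public final class SaltedDigest {
    // Assumptions for this example: SHA-256 (the thread uses SHA-1), 2500 iterations, 32-byte salt.
    private static final String ALGORITHM = "SHA-256";
    private static final int ITERATIONS = 2500;
    private static final int SALT_BYTES = 32;
    private static final SecureRandom RANDOM = new SecureRandom();

    private SaltedDigest() {}

    /** Hash a password under a fresh random salt; returns Base64(salt || hash). */
    public static String digest(String password) {
        byte[] salt = new byte[SALT_BYTES];
        RANDOM.nextBytes(salt);
        return Base64.getEncoder().encodeToString(digestWithSalt(password, salt));
    }

    /** Recompute the hash with the salt embedded in the stored value and compare in constant time. */
    public static boolean matches(String password, String storedDigest) {
        byte[] stored;
        try {
            stored = Base64.getDecoder().decode(storedDigest);
        } catch (IllegalArgumentException e) {
            return false;   // corrupt or non-Base64 column value: treat as mismatch, do not throw
        }
        if (stored.length <= SALT_BYTES) {
            return false;   // too short to hold a salt plus a hash
        }
        byte[] salt = Arrays.copyOfRange(stored, 0, SALT_BYTES);
        byte[] candidate = digestWithSalt(password, salt);
        // MessageDigest.isEqual compares in constant time, avoiding a timing side channel
        return MessageDigest.isEqual(candidate, stored);
    }

    /** salt || H^ITERATIONS(salt || password), with each iteration hashing the previous output. */
    private static byte[] digestWithSalt(String password, byte[] salt) {
        try {
            MessageDigest md = MessageDigest.getInstance(ALGORITHM);
            md.update(salt);
            md.update(password.getBytes(StandardCharsets.UTF_8));
            byte[] hash = md.digest();
            for (int i = 1; i < ITERATIONS; i++) {
                hash = md.digest(hash);   // digest() resets the instance after each call
            }
            byte[] out = new byte[salt.length + hash.length];
            System.arraycopy(salt, 0, out, 0, salt.length);
            System.arraycopy(hash, 0, out, salt.length, hash.length);
            return out;
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(ALGORITHM + " is not available in this JVM", e);
        }
    }

    public static void main(String[] args) {
        String password = "correct horse battery staple";   // constructed sample input
        String stored = digest(password);
        System.out.println("stored column value : " + stored);
        System.out.println("right password      : " + matches(password, stored));
        System.out.println("wrong password      : " + matches("Tr0ub4dor&3", stored));
        System.out.println("garbage column value: " + matches(password, "not-base64!"));
        // A second digest of the same password differs because the salt is fresh each time.
        System.out.println("fresh salt per call : " + !stored.equals(digest(password)));
    }
}
```

Because the salt travels inside the stored string, the verification side never needs a separate salt column or a server-wide secret salt, which is exactly what lets the reply above say "do not store the salt in the DB". The iteration loop is what slows down offline guessing; the count here is an assumption, and a deployment would tune it to its own hardware.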