A couple of things:
* Given the choice, don't use MD5 <http://www.stopusingmd5now.com/>
* A hash is one way, so if you hash something on the client side you have no way of recovering the original text
* Basic Auth is basically plain text, but when coupled with SSL it may be good enough
* Consider using a standard (BASIC, OAUTH, etc.) before rolling your own
* Password storage on the server side needs to be hashed, and not stored in a recoverable format
To be complete, if you want to send passwords/tokens to the server in some other format, you can create an AuthenticatingFilter. Take a look at the Basic Auth one for an example:
https://github.com/apache/shiro/blob/1.2.x/web/src/main/java/org/apache/shiro/web/filter/authc/BasicHttpAuthenticationFilter.java#L338

On Thu, Apr 30, 2015 at 9:19 AM, amarjyotib wrote:
> Usually when we send username and password from a webpage, it goes in
> plain-text. To secure the transportation of password, we can implement
> JavaScript salted MD5 hashing which is also suggested by OWASP. How to
> handle this in an Apache Shiro implementation? In Apache Shiro, the login
> module only accepts plain-text password. I am using SSL.
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/Transporting-user-password-from-Browser-to-Web-Server-in-a-Apache-Shrio-Implementation-tp7580531.html
> Sent from the Shiro User mailing list archive at Nabble.com.
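The reply above points at BasicHttpAuthenticationFilter as the template for accepting credentials in a different wire format. The filter below is an added example written for this page, not code from the thread or from the Shiro project: it follows the same shape (pull the credential out of the request, build a Shiro AuthenticationToken, hand it to executeLogin) but reads a hypothetical "X-Login" header carrying base64(username:password) instead of the Basic "Authorization" header. The class name, package, and header name are assumptions; the Shiro 1.2 API calls (AuthenticatingFilter, createToken, onAccessDenied, executeLogin, onLoginFailure, getHost, WebUtils.toHttp, UsernamePasswordToken) are real. Note that it deliberately refuses to read credentials off a non-TLS connection, which is the "coupled with SSL" condition from the reply's list.

```java
package example; // hypothetical package for this added example

import java.nio.charset.StandardCharsets;
import java.util.Base64;

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.web.filter.authc.AuthenticatingFilter;
import org.apache.shiro.web.util.WebUtils;

/**
 * Hypothetical Shiro filter that accepts credentials from a custom header
 *   X-Login: base64(username:password)
 * instead of the Basic "Authorization" header. Modelled on the structure of
 * BasicHttpAuthenticationFilter; this is illustrative code, not Shiro's own.
 */
public class HeaderLoginFilter extends AuthenticatingFilter {

    /** Assumed header name; any client-side hashing only changes what sits in here. */
    static final String LOGIN_HEADER = "X-Login";

    /** Parse the header into a Shiro token. Returns null when no usable credential is present. */
    @Override
    protected AuthenticationToken createToken(ServletRequest request, ServletResponse response) {
        HttpServletRequest http = WebUtils.toHttp(request);
        String raw = http.getHeader(LOGIN_HEADER);
        if (raw == null || raw.trim().isEmpty()) {
            return null;
        }
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(raw.trim()), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null; // malformed base64 is treated the same as "no credentials supplied"
        }
        int sep = decoded.indexOf(':');
        if (sep < 1) {
            return null; // need a non-empty username and a separator
        }
        String username = decoded.substring(0, sep);
        char[] password = decoded.substring(sep + 1).toCharArray();
        // The realm's CredentialsMatcher (e.g. HashedCredentialsMatcher) compares this
        // value against the stored hash; whatever the client sent here IS the password.
        return new UsernamePasswordToken(username, password, false, getHost(request));
    }

    /** Called when the subject is not yet authenticated for a protected URL. */
    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
        // Credentials travel in the clear inside the header; only accept them over TLS.
        if (!request.isSecure()) {
            WebUtils.toHttp(response).sendError(HttpServletResponse.SC_FORBIDDEN, "TLS required");
            return false;
        }
        // executeLogin throws IllegalStateException if createToken returns null, so check first.
        if (createToken(request, response) == null) {
            sendChallenge(response);
            return false;
        }
        return executeLogin(request, response); // on success Shiro lets the request continue
    }

    /** Wrong password, unknown user, locked account: all get the same 401 (no user enumeration). */
    @Override
    protected boolean onLoginFailure(AuthenticationToken token, AuthenticationException e,
                                     ServletRequest request, ServletResponse response) {
        sendChallenge(response);
        return false;
    }

    private void sendChallenge(ServletResponse response) {
        HttpServletResponse http = WebUtils.toHttp(response);
        http.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        http.setHeader("WWW-Authenticate", "X-Login"); // hypothetical scheme name
    }
}
```

To wire it in, the filter is registered like any other Shiro filter, e.g. in shiro.ini under [main] as headerLogin = example.HeaderLoginFilter and then applied in [urls] as /api/** = headerLogin (names assumed). The server-side storage point from the reply's list is handled by the realm, not by this filter: configure the realm's credentialsMatcher with a HashedCredentialsMatcher and a salted, iterated algorithm so that the plaintext the filter hands over is compared against a hash rather than a recoverable copy.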
