Comments on Enterprise Software Development with Java: GlassFish 3.1 SecureJDBCRealm - Detecting failed logins.
Blog author: Markus Eisele
Comment feed last updated: 2023-11-23T09:33:53.598+01:00

5 comments, in chronological order:

rperfect, 2011-05-18T04:47:44.702+02:00

I noticed recently that both this GlassFish and the WebLogic JDBC Realms do not implement password "salting", which makes the hash values that they rely on very weak and vulnerable to "rainbow" table attacks. See the following links:

http://en.wikipedia.org/wiki/Password_salt
https://www.owasp.org/index.php/Hashing_Java

Using the code attached to this article would expose your application to this security weakness.

I need to solve this problem myself and still want to use JDBC rather than LDAP, so I'm going to have a go at fixing these classes.

Markus Eisele, 2011-05-18T13:36:27.262+02:00

Hi rperfect,

that's sad and true. There are so many things the standard login modules don't do.
On the other hand: there is infrastructure for that, which plugs in very decently. And it's easier to separate problem domains with them.
So you have to get your hands on many, many small problems if you are going to secure a standalone GF instance according to state-of-the-art OWASP criteria ...
But if you hand it over to Enterprise Access Management Systems (EAM) you are fine.

Thanks,
M

rperfect, 2011-05-18T23:12:47.011+02:00

A bit later on yesterday I ran across the following library, which also implements a JDBC Realm for GlassFish and supports password salting.

http://flexiblejdbcrealm.wamblee.org/site/

Unfortunately it doesn't support the failed login and lockout functionality.

Oliver, 2013-04-11T22:23:35.928+02:00

This comment has been removed by a blog administrator.

Markus Eisele, 2013-04-12T06:00:35.200+02:00

This comment has been removed by the author.
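To make the salting point from rperfect's first comment concrete, the following is an added example of how a JDBC-backed realm can store and verify salted, iterated password hashes. It is not code from the original post, from the GlassFish or WebLogic JDBC realms, or from the flexiblejdbcrealm library. The stored-record format `base64(salt)$iterations$base64(hash)`, the class name `SaltedPasswordStore` and its method names are assumptions chosen for this illustration; the only library calls are standard JDK APIs (`SecureRandom`, `PBKDF2WithHmacSHA256` via `SecretKeyFactory`, `MessageDigest.isEqual`, `java.util.Base64`).

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Salted, iterated password hashing for a JDBC-backed realm.
 * Added example; the record format "salt$iterations$hash" is an assumption,
 * not the format used by the post's SecureJDBCRealm.
 */
public final class SaltedPasswordStore {

    private static final String ALGORITHM = "PBKDF2WithHmacSHA256";
    private static final int SALT_BYTES = 16;        // 128-bit random salt, unique per record
    private static final int HASH_BITS = 256;
    private static final int ITERATIONS = 100_000;   // tune so one derivation costs tens of ms
    private static final SecureRandom RNG = new SecureRandom();

    private SaltedPasswordStore() { }

    /** Builds the value to store in the password column for a new or changed password. */
    public static String hash(char[] password) {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        byte[] hash = derive(password, salt, ITERATIONS);
        Base64.Encoder enc = Base64.getEncoder();
        return enc.encodeToString(salt) + "$" + ITERATIONS + "$" + enc.encodeToString(hash);
    }

    /** Re-derives the hash with the stored salt and iteration count; false on any malformed record. */
    public static boolean verify(char[] password, String stored) {
        String[] parts = stored.split("\\$");
        if (parts.length != 3) {
            return false;   // malformed record is a failed login, never a match
        }
        Base64.Decoder dec = Base64.getDecoder();
        byte[] salt;
        int iterations;
        byte[] expected;
        try {
            salt = dec.decode(parts[0]);
            iterations = Integer.parseInt(parts[1]);
            expected = dec.decode(parts[2]);
        } catch (IllegalArgumentException e) {
            return false;
        }
        if (salt.length == 0 || iterations < 1) {
            return false;
        }
        byte[] actual = derive(password, salt, iterations);
        // isEqual compares without short-circuiting on the first differing byte,
        // so a wrong guess does not leak how many leading bytes matched.
        return MessageDigest.isEqual(expected, actual);
    }

    private static byte[] derive(char[] password, byte[] salt, int iterations) {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, HASH_BITS);
        try {
            return SecretKeyFactory.getInstance(ALGORITHM).generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(ALGORITHM + " is not available", e);
        } finally {
            spec.clearPassword();   // wipe the spec's private copy of the password
        }
    }

    public static void main(String[] args) {
        char[] pw = "correct horse battery staple".toCharArray();
        String recordA = hash(pw);
        String recordB = hash(pw);
        // Same password, two different stored values: a table precomputed for one
        // salt (or for unsalted hashes) is useless against the other record.
        System.out.println(recordA);
        System.out.println(recordB);
        System.out.println("records differ:   " + !recordA.equals(recordB));
        System.out.println("correct password: " + verify(pw, recordA));
        System.out.println("wrong password:   " + verify("wrong".toCharArray(), recordA));
        System.out.println("garbage record:   " + verify(pw, "not-a-record"));
    }
}
```

Two caveats for the GlassFish 3.1 era: `java.util.Base64` and `PBKDF2WithHmacSHA256` need Java 8, so on a Java 6 or 7 server substitute `PBKDF2WithHmacSHA1` and a Base64 codec from the classpath; and because every record now carries its own salt and iteration count, the realm's SQL only needs to fetch the single stored string for the user, then call `verify`, which keeps the failed-login counting the post is about independent of how the hash is computed.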