Tags: jakarta-ee, websphere, security, java-ee-6, websphere-8

WAS 8.0 Federated Repo & Servlet Spec 3.0 Security authentication of password digest


I'm developing a Registration Confirmation feature for a site. A user successfully registers on a registration page, an email is subsequently sent to the user's email address with a hyperlink, and the user clicks on the link and is directed to a Registration Completed page.

I would like to implement Servlet Spec 3.0's programmatic security via the request.login(username, password) method. The only problem is that users' Base64-encoded password digests are stored in the database using a 1-way hashing algorithm. request.login(username, password) fails when the password parameter is a Base64-encoded string. I need to pass a Base64-encoded string to my federated repository so it can compare that encoded password digest to its matching counterpart within a JDBC Custom User Registry.

I've searched the WAS v8.0 documentation for any mention of accepting hashed passwords. I've only found entries pertaining to LDAP repos within a federated repo...not JDBC Custom User Registries within a Federated Repo. I've read that you can configure Tomcat and GlassFish to accept hashed passwords for realms, and I was hoping you could do the same with WAS 8.0. If not...

Is there a way to implement DIGEST authentication programmatically for 1 method even though I have <auth-method>FORM</auth-method> defined within my .war's deployment descriptor?


Solution

  • I ditched using WAS 8's federated repository in favor of Apache Shiro. Configuring shiro.ini is a much more sane, flexible solution than the ridiculous amount of esoteric config required within WAS 8. Plus, Shiro puts the power back in my hands instead of requiring an admin to configure security for me.
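A minimal shiro.ini for the approach the answer takes, added here as an example that is not from the original post or the Shiro project: a JdbcRealm whose HashedCredentialsMatcher hashes the submitted plaintext and compares it with the Base64 digest already in the registry table. The JNDI datasource name, table and column names, SHA-256, and the iteration count are assumptions and must match whatever the registration page used when it stored the digest.

```ini
# Added example, not from the original post. Assumptions: the registry
# table is reachable through a container datasource (jdbc/AppDS), the
# password column holds a Base64 SHA-256 digest with 1024 iterations and
# no salt. Change every one of these to match how registration hashed it.
[main]
# Look the datasource up in the application server's JNDI tree
ds = org.apache.shiro.jndi.JndiObjectFactory
ds.resourceName = java:comp/env/jdbc/AppDS
ds.requiredType = javax.sql.DataSource

# The matcher re-hashes the password the user typed and compares the
# result with the stored digest, so the digest itself is never submitted
credMatcher = org.apache.shiro.authc.credential.HashedCredentialsMatcher
credMatcher.hashAlgorithmName = SHA-256
credMatcher.hashIterations = 1024
# The stored value is Base64, not hex (the default is hex)
credMatcher.storedCredentialsHexEncoded = false

# Realm backed by the same table the custom user registry reads
jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
jdbcRealm.dataSource = $ds
jdbcRealm.authenticationQuery = select password from users where username = ?
jdbcRealm.credentialsMatcher = $credMatcher

securityManager.realms = $jdbcRealm

# Keep form login for the rest of the site, as the web.xml already does
authc.loginUrl = /login.jsp

[urls]
/login.jsp = authc
/register/confirm/** = authc
/** = anon
```

The servlet behind the confirmation link then calls SecurityUtils.getSubject().login(new UsernamePasswordToken(username, plaintextPassword)) with the password the user typed, not the stored digest; the matcher performs the hashing. If the registration code salted the digests, the realm's saltStyle and matcher settings must be adjusted to match, or every login will fail.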