I would like to use request.login() to programmatically login a user under two different circumstances. (I am using a DataSourceRealm in Tomcat 8 with a credentialHandler that specifies iterations and saltLength.)
The first circumstance: User enters user name and password in a form and submits. This works fine as my context.xml specifies the hashing algorithm and the DataSourceRealm class performs the iterations with the salt specified from the stored credential (i.e. the database-retrieved password used for comparison).
The second circumstance: I use a cookie to recognize the user. This is done similarly to what is outlined in this answer: "Java EE 6: How to implement 'Stay Logged In' when user login in to the web application". However, calling the request.login() method with the hashed, iterated, salted password will obviously not login successfully since the login method is supposed to accept the cleartext (unhashed, unsalted, uniterated) password.
How can I overcome this issue? If there were any way to login without the password for circumstance two that would suffice (since I am actually logging in with the same credential as will be retrieved by the login() method).
Thank you
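For the cookie side of the second circumstance, the following is an added example (not code from the question or from the linked answer) of the usual "selector:validator" remember-me token scheme: the cookie carries a random selector plus a random validator, the server stores only a hash of the validator, and lookup is by selector with a constant-time hash comparison. The class name, the in-memory `Map` standing in for a database table, and the `issue`/`validate`/`revoke` method names are all assumptions for illustration. The example deliberately never puts the password or its hash into the cookie; how the resulting username is turned into a container principal in Tomcat is outside this snippet.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Remember-me token helper (hypothetical name).
 * Cookie value format: "<selector>:<validator>", both URL-safe Base64.
 * Only a SHA-256 hash of the validator is stored server-side, so a leaked
 * token table cannot be replayed as cookies.
 */
public final class RememberMeTokens {

    /** One persisted token row; the Map below is a constructed stand-in for a DB table. */
    static final class TokenRecord {
        final String username;
        final byte[] validatorHash;
        final Instant expiresAt;

        TokenRecord(String username, byte[] validatorHash, Instant expiresAt) {
            this.username = username;
            this.validatorHash = validatorHash;
            this.expiresAt = expiresAt;
        }
    }

    private static final SecureRandom RNG = new SecureRandom();
    private final Map<String, TokenRecord> store = new ConcurrentHashMap<>();

    /** Issue a token for an already-authenticated user; returns the cookie value to set. */
    public String issue(String username, long ttlSeconds) {
        String selector = randomToken(12);   // public lookup key, 96 bits
        String validator = randomToken(32);  // secret proof, 256 bits, stored only as a hash
        store.put(selector, new TokenRecord(username, sha256(validator),
                Instant.now().plusSeconds(ttlSeconds)));
        return selector + ":" + validator;
    }

    /** Validate a presented cookie; returns the username on success, empty otherwise. */
    public Optional<String> validate(String cookieValue) {
        if (cookieValue == null) {
            return Optional.empty();
        }
        int sep = cookieValue.indexOf(':');
        if (sep <= 0 || sep == cookieValue.length() - 1) {
            return Optional.empty(); // malformed value
        }
        String selector = cookieValue.substring(0, sep);
        String validator = cookieValue.substring(sep + 1);

        TokenRecord rec = store.get(selector);
        if (rec == null) {
            return Optional.empty(); // unknown selector
        }
        if (Instant.now().isAfter(rec.expiresAt)) {
            store.remove(selector);  // expired: clean up and refuse
            return Optional.empty();
        }
        // Constant-time comparison so a wrong validator cannot be distinguished by timing.
        if (!MessageDigest.isEqual(rec.validatorHash, sha256(validator))) {
            // Known selector with a wrong validator is a signal the cookie was copied;
            // revoke the row so neither the real nor the copied cookie works any more.
            store.remove(selector);
            return Optional.empty();
        }
        return Optional.of(rec.username);
    }

    /** Explicit logout: drop the row for this cookie's selector, if any. */
    public void revoke(String cookieValue) {
        if (cookieValue == null) {
            return;
        }
        int sep = cookieValue.indexOf(':');
        if (sep > 0) {
            store.remove(cookieValue.substring(0, sep));
        }
    }

    private static String randomToken(int numBytes) {
        byte[] b = new byte[numBytes];
        RNG.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every Java runtime", e);
        }
    }

    public static void main(String[] args) {
        RememberMeTokens tokens = new RememberMeTokens();
        String cookie = tokens.issue("alice", 3600);   // "alice" is a constructed sample user
        System.out.println("valid:    " + tokens.validate(cookie));
        System.out.println("tampered: " + tokens.validate(cookie + "x"));
        tokens.revoke(cookie);
        System.out.println("revoked:  " + tokens.validate(cookie));
    }
}
```

A plain SHA-256 is enough here because the validator is 256 bits of CSPRNG output rather than a human-chosen password, so the slow iterated hash that the DataSourceRealm applies to passwords is not needed for the token table. The cookie itself should still be sent with the `HttpOnly` and `Secure` attributes, and the record should be tied to a bounded lifetime as `issue` does.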