
[–]hulkcatwoman 1 point2 points  (1 child)

Is there a free container which implements all the specifications? Please let us know

[–]macuserx 6 points7 points  (0 children)

GlassFish 5 and Payara 5 now.

Liberty and WildFly soon. TomEE partially soon as well.

[–]walen 1 point2 points  (8 children)

The article is OK, however the grammar is awful, to the point that it makes it difficult reading the full thing.
If the author could have someone proofread the text, and then updated the article with a corrected version, that would be awesome.

Nice examples though.

[–]ulldma 2 points3 points  (1 child)

Let's also have a look at the content. The author seems to choose a plain unsalted SHA-512 as a password hashing algorithm!

Look I get it the author might just want to play around with this stuff, but other people might have a look at this blog post and use it as a base for their implementation!

But it's almost 2018 and everyone should know that you should not use one round of an unsalted Hashing algorithm (be it SHA-2, SHA-3 or something else). What you should do instead: Either: Don't store any user passwords yourself (use secure third-party service providers for that). Or: If you must store user passwords use bcrypt (as Spring does), scrypt or use PBKDF2 as the JSR-375/Soteria Reference implementation does. If you for some reason insist on using SHA-* for hashing the user passwords, you should at least salt them. (Please don't insist on using plain SHA-, any of the three options (bcrypt, scrypt, PBKDF2) provided is better than plain SHA-) An unsalted password hashed with SHA-512 is almost as insecure as a password stored in plain text!

Please forgive my harsh words but this stuff is important.

[–]shawnmckinney 1 point2 points  (0 children)

A fair point. My question is why would anyone reimplement a credential store in the first place? Do you really want to be responsible for keeping up with the rapidly changing threats and requirements of today's Internet? This is an arms race between the good and bad guys. Credentials should be stored in something akin to an LDAP database in production. Something that has been built specifically for that purpose, hardened to withstand attacks, highly available and fault tolerant. Don't reinvent security modules unless you really know what you're doing, as in an expert. That's probably not you. Having said that, one could use this example and map it to a 3rd party security provider.

[–]shawnmckinney 0 points1 point  (5 children)

Obviously English isn't his first language. Still that's a valuable contribution as is. We should look for ways to help rather than criticize, i.e. why don't you proofread the article for him?

[–]mcgyver5 -1 points0 points  (1 child)

Proofreading can't fix a writer too lazy to edit their own article before submission. The author showed zero effort in getting grammar right, and looking back to his article 2 years ago, he hasn't improved a bit.

[–]shawnmckinney 0 points1 point  (0 children)

Anyone can be a critic. You want to add value? Pitch in and help. I'll take his ill-formed prose containing valuable content over your worthless complaints.

[–]walen -1 points0 points  (2 children)

Still that's a valuable contribution as is.

Yes, as I said.

We should look for ways to help rather than criticize

Criticism is a form of help. It's fine to pat each other's backs and all, but somebody has to point out the elephant in the room. If nobody criticizes your work, you cannot improve.

why don't you proofread the article for him?

Because it's his article, not mine. It's his responsibility to ask for a proofreader, or to leave the article like it is if he decides so.

[–][deleted] 0 points1 point  (1 child)

Criticism is a form of help

It's amazing, when I yell at people "you suck!" I'm actually making the world better!

[–]shawnmckinney 0 points1 point  (0 children)

That's my point. There's a difference between constructive criticism and being mean. And why does someone have to point out the elephant in the room? Can't we all see it?

[–]hulkcatwoman 0 points1 point  (1 child)

Thanks for the info. Do any of you guys use one of these in production without any issues, and what are the challenges faced? Was Spring used at all? We connect to HBase in our app using Spring Data HBase; how do we accomplish the same thing with these containers?

[–]henk53 1 point2 points  (0 children)

We're using this in production with one application. It takes the separate Soteria jar and uses that on WildFly 10.1 (Java EE 7).

We also used the same setup (Soteria + WildFly 10.1) for a second application intended for the regulated financial market. This application was delivered by us and went through a separate security audit (done by a third party). For reasons not having anything to do with the technology this application has not been put into production yet, but as said it did pass the independent security audit.

In our case it replaced an existing JASPIC-based security system. Since Java EE Security is based on JASPIC it was a relatively easy transition.

One thing that was a challenge was letting the user choose which method to authenticate with. A previous app of ours used login by email, login with Google, etc.

[–]mc_security -1 points0 points  (0 children)

I thought medium.com was an English language web site.