Thursday, 12 October 2017

security - How would you implement salted passwords in Tomcat 5.5

My web application is relying on container-managed security and I'm wondering if it's possible to use salted passwords at all. As far as I can tell it's easy enough to store digested passwords in a database by just configuring a JDBC or DataSource Realm, but there's no way to add a salt to those digests.



Any suggestions?



Edit: it seems I just need to think some more before asking questions ;-)



It's just a matter of choosing who's doing the digest calculation (client or server) and configuring Tomcat accordingly.


Answer
If you're creating and storing the digests you can create and store the salts at the same time.



Your auth table would contain

    ....
    pwdDigest varchar(64), -- or int256 if you have one
    hashSalt int64,
    ....



Then depending on the auth protocol you're using you either send the hashSalt to the client when you get the username for client side encryption, or use it to hash the password if you receive it in clear.




I'm not familiar with the database access technologies you're talking about, so I apologise if I've missed the point and oversimplified the answer.
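The server-side variant of the answer (salt generated and stored next to the digest, password received in clear and re-digested with the stored salt) written out as an added Java example; this is not code from the question, the answer, or Tomcat itself. The column names pwdDigest and hashSalt follow the answer; the choice of SHA-256, a 16-byte random salt, hex for the digest and base64 for the salt, and the sample password are assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

public final class SaltedDigest {

    private static final SecureRandom RNG = new SecureRandom();
    private static final int SALT_BYTES = 16;          // assumption: 128-bit salt
    private static final String ALGORITHM = "SHA-256"; // assumption: 64 hex chars fits varchar(64)

    /** One row of the auth table from the answer: pwdDigest and hashSalt. */
    public static final class StoredCredential {
        public final String pwdDigest; // hex(SHA-256(salt || password))
        public final String hashSalt;  // base64 of the random salt bytes

        StoredCredential(String pwdDigest, String hashSalt) {
            this.pwdDigest = pwdDigest;
            this.hashSalt = hashSalt;
        }
    }

    /** Digest of the salt followed by the UTF-8 bytes of the password. */
    static byte[] digest(byte[] salt, String password) {
        try {
            MessageDigest md = MessageDigest.getInstance(ALGORITHM);
            md.update(salt);
            md.update(password.getBytes(StandardCharsets.UTF_8));
            return md.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(ALGORITHM + " not available", e);
        }
    }

    /** Account creation: draw a fresh random salt and store the digest beside it. */
    public static StoredCredential create(String password) {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        return new StoredCredential(toHex(digest(salt, password)),
                                    Base64.getEncoder().encodeToString(salt));
    }

    /** Login check for a password received in clear: recompute with the stored salt. */
    public static boolean verify(StoredCredential stored, String candidate) {
        byte[] salt = Base64.getDecoder().decode(stored.hashSalt);
        byte[] expected = fromHex(stored.pwdDigest);
        // Constant-time comparison so response timing does not leak how many bytes matched.
        return MessageDigest.isEqual(expected, digest(salt, candidate));
    }

    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    static byte[] fromHex(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample password; a real deployment reads this from the login form.
        StoredCredential row = create("correct horse");
        System.out.println("pwdDigest=" + row.pwdDigest + " hashSalt=" + row.hashSalt);
        System.out.println("right password accepted: " + verify(row, "correct horse"));
        System.out.println("wrong password rejected: " + !verify(row, "wrong"));
        // Two accounts with the same password get different digests because their salts differ.
        System.out.println("same password, distinct digest: "
                + !create("correct horse").pwdDigest.equals(row.pwdDigest));
    }
}
```

For the client-side variant in the answer, the client receives hashSalt for the given username, runs the same digest function locally and sends the result; the server then compares that value against pwdDigest with MessageDigest.isEqual instead of re-digesting. A single SHA-256 pass is shown because it matches the digest-based scheme the answer describes; for new designs a deliberately slow password hash (PBKDF2, bcrypt, scrypt or Argon2) makes offline guessing against a leaked table far more expensive than a plain salted digest does.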

