Hash+Salt Passwords using Container Managed Authentication/Authorization


I created a JSF web application using container-managed authentication and authorization. I defined security constraints, security role(s), and the FORM login config; I provided the code below for how I defined all these parameters. Everything works fine; when the user tries to access "protected" web pages they are prompted to log in, and access is granted if successful or denied if it fails. Since the passwords are being stored as plaintext, the login functionality using container-managed authentication works fine when the users enter plain text passwords as well.

As you know, I cannot access/change/work on the plain text passwords entered by the user using the FORM authentication method. But I want to hash+salt my passwords before saving, but then the login will not work since the users will enter plain text and the database will have a hashed+salted password. Is there a way to keep the container-managed authentication and authorization functionality and still hash+salt passwords, and if not, how can I? Since FORM authentication does not let me work with the password entered by the user, I can't hash+salt it before the comparison is made with the password saved in the database. If there's a book or blog I can read, please direct me. I have looked intensively throughout the web and have not found an answer I understood.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Administrator Area</web-resource-name>
        <url-pattern>/faces/administrator/*</url-pattern>
        <url-pattern>/administrator/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>ADMINISTRATOR</role-name>
    </auth-constraint>
</security-constraint>

<security-role>
    <role-name>ADMINISTRATOR</role-name>
</security-role>

The login config is as follows:

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>DataSourceRealm</realm-name>
    <form-login-config>
        <form-login-page>/faces/login.xhtml</form-login-page>
        <form-error-page>/faces/login.xhtml</form-error-page>
    </form-login-config>
</login-config>

The login page is as follows:

<form id="log_in_form" method="post" action="j_security_check">
    User name: <input type="text" name="j_username"/>
    Password:  <input type="password" name="j_password"/>
    <input type="submit" value="Login"/>
</form>