On Saturday, 17 March 2012, 18:36:30, John D. Mitchell wrote:
> Note also that there are a few different aspects of this that people may be confusing/conflating...
> - Protecting the user credentials for long-term storage in the database itself.
> - Creating security tokens for the (relatively) high-speed access verification on a per-request basis.
> - Creating a decently secure communication channel.
Hi all,
Now, since I've finally understood what this thread is about ;) I have two suggestions regarding the second point:
1. If opening a database connection is slow (in our case because of slow authentication), then a widespread solution in the J2EE world is the use of connection pools.
2. Another alternative which comes to my mind is encrypting the whole password file with a "slow" encryption algorithm (we could even use the Java Crypto API, since we already use it for the XQuery crypto API). On startup, BaseX will decrypt the file once and then store the "quick" password hashes in memory.
Regards, Dimitar
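As an added illustration of the second suggestion, not code from BaseX or from anyone in this thread: a sketch of the "slow once at startup, quick per request" split using only the Java 8 Crypto API. Everything concrete in it is an assumption made for the example: the password file is sealed with AES-GCM under a key derived from a startup master secret by PBKDF2 with a high iteration count (the "slow" part), the decrypted file holds one `user:base64(salt||SHA-256(salt||password))` line per user (the "quick" hash), and the class name, the 200,000 iterations and the sample users are all made up here.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

// Illustrative example, not BaseX code: slow unlock of the whole password file once,
// then quick salted-hash checks per request.
public final class SlowUnlockFastVerify {
    private static final int PBKDF2_ITERATIONS = 200_000; // assumed: tune so one derivation costs ~100 ms
    private static final int SALT_LEN = 16, IV_LEN = 12, TAG_BITS = 128;
    private static final SecureRandom RNG = new SecureRandom();

    // user -> salt || SHA-256(salt || password); lives only in process memory
    private final Map<String, byte[]> table = new HashMap<>();

    // The slow step: PBKDF2 turns the master secret into the AES key for the file.
    static SecretKey deriveFileKey(char[] master, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(master, salt, PBKDF2_ITERATIONS, 256);
        byte[] key = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        return new SecretKeySpec(key, "AES");
    }

    // Sealed file layout (assumed for this example): salt || iv || AES-GCM ciphertext+tag
    static byte[] sealPasswordFile(char[] master, byte[] plaintext) throws Exception {
        byte[] salt = new byte[SALT_LEN], iv = new byte[IV_LEN];
        RNG.nextBytes(salt); RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveFileKey(master, salt), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = Arrays.copyOf(salt, SALT_LEN + IV_LEN + ct.length);
        System.arraycopy(iv, 0, out, SALT_LEN, IV_LEN);
        System.arraycopy(ct, 0, out, SALT_LEN + IV_LEN, ct.length);
        return out;
    }

    // GCM also authenticates: a wrong master secret or a tampered file throws AEADBadTagException.
    static byte[] openPasswordFile(char[] master, byte[] sealed) throws Exception {
        byte[] salt = Arrays.copyOfRange(sealed, 0, SALT_LEN);
        byte[] iv = Arrays.copyOfRange(sealed, SALT_LEN, SALT_LEN + IV_LEN);
        byte[] ct = Arrays.copyOfRange(sealed, SALT_LEN + IV_LEN, sealed.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveFileKey(master, salt), new GCMParameterSpec(TAG_BITS, iv));
        return c.doFinal(ct);
    }

    // Startup: pay the KDF cost once, parse "user:base64(salt||hash)" lines, keep them in memory.
    SlowUnlockFastVerify(char[] master, byte[] sealed) throws Exception {
        String text = new String(openPasswordFile(master, sealed), StandardCharsets.UTF_8);
        for (String line : text.split("\n")) {
            if (line.isEmpty()) continue;
            String[] f = line.split(":", 2);
            table.put(f[0], Base64.getDecoder().decode(f[1]));
        }
    }

    // Per request: one SHA-256 plus a constant-time compare, no KDF on the hot path.
    boolean verify(String user, char[] password) throws Exception {
        byte[] rec = table.get(user);
        if (rec == null) return false;
        byte[] salt = Arrays.copyOfRange(rec, 0, SALT_LEN);
        byte[] expected = Arrays.copyOfRange(rec, SALT_LEN, rec.length);
        return MessageDigest.isEqual(expected, quickHash(salt, password));
    }

    static byte[] quickHash(byte[] salt, char[] password) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(salt);
        md.update(new String(password).getBytes(StandardCharsets.UTF_8));
        return md.digest();
    }

    // Builds one file line for a new user; the salt is fresh per user.
    static String record(String user, char[] password) throws Exception {
        byte[] salt = new byte[SALT_LEN];
        RNG.nextBytes(salt);
        byte[] h = quickHash(salt, password);
        byte[] rec = Arrays.copyOf(salt, SALT_LEN + h.length);
        System.arraycopy(h, 0, rec, SALT_LEN, h.length);
        return user + ":" + Base64.getEncoder().encodeToString(rec);
    }

    public static void main(String[] args) throws Exception {
        char[] master = "file-master-secret".toCharArray(); // assumed: supplied at startup, never stored beside the file
        // constructed sample users for the demo
        String file = record("admin", "admin".toCharArray()) + "\n" + record("alice", "s3cret".toCharArray()) + "\n";
        byte[] sealed = sealPasswordFile(master, file.getBytes(StandardCharsets.UTF_8));

        long t0 = System.nanoTime();
        SlowUnlockFastVerify auth = new SlowUnlockFastVerify(master, sealed); // slow, once
        long t1 = System.nanoTime();
        boolean ok = auth.verify("alice", "s3cret".toCharArray());            // fast, per request
        boolean bad = auth.verify("alice", "wrong".toCharArray());
        long t2 = System.nanoTime();
        System.out.printf("unlock: %d ms, two verifications: %d us, ok=%b bad=%b%n",
                (t1 - t0) / 1_000_000, (t2 - t1) / 1_000, ok, bad);
    }
}
```

Two points a practitioner would check in such a design: the file key must come from a secret that is not stored next to the file (otherwise the slow step protects nothing), and the quick hashes should still be salted, as above, so that a dump of process memory does not hand an attacker an unsalted table. GCM's tag gives the startup decryption a built-in integrity check, so a tampered or wrongly-keyed file fails loudly rather than loading garbage.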