4 Replies Latest reply on Nov 24, 2008 1:25 AM by nepveul

    password hash value

    nepveul

      Hi All,


      I'm having trouble setting up the identity manager with password hashing.


      If I use the annotation


      @UserPassword(hash="none")



      then I have, for example, 'demo'/'demo' as my username and password for my user and it works fine.


      If I use


      @UserPassword(hash="MD5")



      then I don't know how to set up my database value for my password_hash column.


      I've tried 'fe01ce2a7fbac8fafaed7c982a04e229', which is the string returned by most MD5 hash generators on the net. I've tried '/9Se/pfHeUH8FJ4asBD6jQ==' as well, which comes from the seamspace demo.


      Both cases do not work, I can't get my demo user to login.


      Maybe I am missing some configuration?


      Thanks!


      Laurent


        • 1. Re: password hash value
          joblini

          I generated a password for demo/demo; I also get /9Se/pfHeUH8FJ4asBD6jQ==


          Is the @UserEnabled column in your database set to true?  I noticed that if the user is disabled the invalid username/password is displayed.  I think this message is displayed for various problems during the authentication process.  Perhaps a problem in your configuration? Check components.xml


          Incidentally, here is how the hash is generated; notice that it is based on the username and the password.



             public String generateSaltedHash(String password, String saltPhrase, String algorithm)
             {
                try {        
                   MessageDigest md = MessageDigest.getInstance(algorithm);
                            
                   if (saltPhrase != null)
                   {
                      md.update(saltPhrase.getBytes());
                      byte[] salt = md.digest();
                      
                      md.reset();
                      md.update(password.getBytes());
                      md.update(salt);
                   }
                   else
                   {
                      md.update(password.getBytes());
                   }
                   
                   byte[] raw = md.digest();
                   return Base64.encodeBytes(raw);
               } 
               catch (Exception e) {
                   throw new RuntimeException(e);        
               } 
             }


          • 2. Re: password hash value
            nepveul

            Hey Ingo,


            Thanks for your answer. My UserEnabled column is correctly set because when I use an unhashed password, it is working fine.


            As for the method you provided, what would be the saltPhrase value?


            Thanks!


            Laurent

            • 3. Re: password hash value
              joblini

              The salt is the username, see JpaIdentityStore and PasswordHash in the source files included with Seam.


                protected String getUserAccountSalt(Object user)
                 {
                    // By default, we'll use the user's username as the password salt
                    return userPrincipalProperty.getValue(user).toString();
                 }
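
An added example, not part of the original posts and not Seam's own code: a stand-alone program that follows the steps of the generateSaltedHash method quoted above, with the username as the salt phrase, to produce a value for the password_hash column, and prints the unsalted hex digest of an online MD5 tool beside it for comparison. It assumes UTF-8 for the string bytes and uses java.util.Base64 in place of Seam's Base64 class; the class name SeamHashExample and the second username "alice" are made up for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

public class SeamHashExample {

    // Same steps as the quoted generateSaltedHash: salt = digest(saltPhrase),
    // result = Base64(digest(password bytes followed by salt bytes)).
    static String saltedHash(String password, String saltPhrase, String algorithm)
            throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(algorithm);
        if (saltPhrase != null) {
            byte[] salt = md.digest(saltPhrase.getBytes(StandardCharsets.UTF_8));
            md.reset();
            md.update(password.getBytes(StandardCharsets.UTF_8));
            md.update(salt);
        } else {
            md.update(password.getBytes(StandardCharsets.UTF_8));
        }
        // Assumption: java.util.Base64 stands in for Seam's Base64.encodeBytes.
        return Base64.getEncoder().encodeToString(md.digest());
    }

    // What a generic online hash generator returns: unsalted digest, hex-encoded.
    static String plainHex(String password, String algorithm)
            throws NoSuchAlgorithmException {
        byte[] raw = MessageDigest.getInstance(algorithm)
                .digest(password.getBytes(StandardCharsets.UTF_8));
        StringBuilder sb = new StringBuilder();
        for (byte b : raw) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        String username = "demo", password = "demo"; // the thread's test account
        String column = saltedHash(password, username, "MD5");
        System.out.println("salted, Base64 (password_hash): " + column);
        System.out.println("unsalted, hex (online tool):    " + plainHex(password, "MD5"));
        // Comparison against the Base64 value quoted in the thread.
        System.out.println("equals value quoted in thread:  "
                + column.equals("/9Se/pfHeUH8FJ4asBD6jQ=="));
        // Constructed second user: same password, different salt, different value.
        System.out.println("same password, user 'alice':    "
                + saltedHash(password, "alice", "MD5"));
    }
}
```

Because the salt is the username, a stored value is only valid for the account it was generated for, and renaming a user invalidates the stored hash.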


              • 4. Re: password hash value
                nepveul

                Got it working! Thanks!