4 Replies Latest reply on May 20, 2009 2:23 PM by maristr

    Need a little help from a seam and php guru

    hardaur

      I'm being asked to authenticate our forums (phpbb3) against our seam application database.  Seam app is 2.1.1.GA using new identity system and hash is MD5. 


      I'm trying to write the php module I need to authenticate but I can't quite get the right digest out of php.  Currently I'm trying:


      php:

       base64_encode(pack("H*",md5($username . $password)))



      Which gets me pretty close, but no cookie.


      Does anybody have the secret that I need? 


      Thanks!
      Gerald

        • 1. Re: Need a little help from a seam and php guru
          kapitanpetko

          Well, use the source :) Check out PasswordHash#generatedSaltedHash(). It goes like this:


          if (saltPhrase != null)
          {
             md.update(saltPhrase.getBytes());
             byte[] salt = md.digest();
                      
             md.reset();
             md.update(password.getBytes());
             md.update(salt);
          }
          



          saltPhrase is the username, so you need to hash it to get the salt,
          then concat the password with the salt and hash again to get the final hash string.
          So the algorithm is something like this
          (S: salt, U: username, P: password, PH: password hash, MD: message digest (MD5 in your case)):


          S = MD(U)
          PH = MD(P||S)
          



          Btw, all this has changed in Seam 2.1.2, so beware :)


          HTH


          • 2. Re: Need a little help from a seam and php guru
            hardaur

            Ahh, wasn't catching that the username was being hashed.  Still not able to get it though. 


            Let me ask about a different direction;  What's the latest and greatest on integration with JBoss SSO or OpenSSO.  I see that there's Jira issues out there but don't see that anything is happening.  On the other side there is a ton of buzz about it via google.  Is anybody aware of any decent documentation in this regard (SSO) for a relatively plug-n-play solution?


            Really appreciate your response Nikolay!


            Gerald

            • 3. Re: Need a little help from a seam and php guru
              kapitanpetko

              Gerald Anderson wrote on May 14, 2009 00:23:


              > Ahh, wasn't catching that the username was being hashed.  Still not able to get it though.



              I am far from a PHP guru, but your best bet is probably to print both steps from Java and PHP and see where things go wrong.
              You need a binary blob of the password bytes + the salt bytes to get this to work with the standard md5 function. Btw, does
              PHP have md5_update or some such?



              > Let me ask about a different direction;  What's the latest and greatest on integration with JBoss SSO or OpenSSO.  I see that there's Jira issues out there but don't see that anything is happening.  On the other side there is a ton of buzz about it via google.  Is anybody aware of any decent documentation in this regard (SSO) for a relatively plug-n-play solution?


              Yeah, I'd like to see something like this too. It shouldn't be too hard to integrate Seam security with *SSO, but if someone has already done it, all the better :)


              • 4. Re: Need a little help from a seam and php guru
                maristr
                Yes... the problem is definitely that PHP has no cryptographic framework like JCE. The MD5 function is pretty simple without a possibility to update the digest prior to finalizing.

                AFAIK the same situation is for SHA1 && PHP.

                If you really wish to generate user records from PHP, the fastest workaround is to write a custom PasswordHash (probably not extending but a new class; the current one has imho no proper abstraction) and to use your own hash-building mechanism which can be reproduced in PHP with a simple call to the md5 function, e.g.: md5($salt.md5($pwd)).

                Marian
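
The scheme from reply 1 (S = MD(U), PH = MD(P||S)) written out in PHP, as an added example that is not code from the thread, from Seam or from phpBB. It assumes the stored value is base64 of the raw digest, as the attempt in the original post suggests, and that both sides see the same bytes for username and password; the function names are hypothetical.

```php
<?php
// Added example; not Seam or phpBB code. Function names are hypothetical.
// Assumptions: the stored value is base64 of the raw 16-byte digest, and
// both the Java side and PHP see the same bytes (e.g. UTF-8) for U and P.

// S = MD5(U); PH = MD5(P || S). S must be the raw 16 bytes, not hex text.
function seam211_hash($username, $password)
{
    $salt = md5($username, true);                 // raw_output = true
    return base64_encode(md5($password . $salt, true));
}

// Same digest fed in two steps, mirroring md.update(password); md.update(salt).
function seam211_hash_incremental($username, $password)
{
    $ctx = hash_init('md5');
    hash_update($ctx, $password);
    hash_update($ctx, md5($username, true));
    return base64_encode(hash_final($ctx, true));
}

// A mismatch to look for when comparing steps: the salt left as hex text.
function seam211_hash_hex_salt($username, $password)
{
    return base64_encode(md5($password . md5($username), true));
}

// Check a login attempt against the value stored by the Seam application.
function seam211_verify($username, $password, $stored)
{
    // hash_equals() (PHP 5.6+) compares without short-circuiting on the
    // first differing byte.
    return hash_equals($stored, seam211_hash($username, $password));
}

// Constructed sample credentials, for illustration only.
$u = 'demo_user';
$p = 'demo-Passw0rd';
$stored = seam211_hash($u, $p);

var_dump(seam211_hash_incremental($u, $p) === $stored); // one-shot vs two-step
var_dump(seam211_hash_hex_salt($u, $p) === $stored);    // raw salt vs hex salt
var_dump(seam211_verify($u, $p, $stored));              // correct password
var_dump(seam211_verify($u, 'wrong-guess', $stored));   // wrong password
```

Printing bin2hex() of the salt and of the final digest next to the same two values from the Java side is the step-by-step comparison suggested in reply 3.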