-
1. Re: Need a little help from a seam and php guru
kapitanpetko May 13, 2009 4:15 AM (in response to hardaur)
Well, use the source :) Check out PasswordHash#generatedSaltedHash(). It goes like this:
if (saltPhrase != null) {
    md.update(saltPhrase.getBytes());
    byte[] salt = md.digest();
    md.reset();
    md.update(password.getBytes());
    md.update(salt);
}
saltPhrase is the username, so you need to hash it to get the salt,
then concat the password with the salt and hash again to get the final hash string.
So the algorithm is something like this
(S: salt, U: username, P: password, PH: password hash, MD: message digest (MD5 in your case)):
S = MD(U)
PH = MD(P||S)
Btw, all this has changed in Seam 2.1.2, so beware :)
HTH
-
2. Re: Need a little help from a seam and php guru
hardaur May 14, 2009 12:23 AM (in response to hardaur)
Ahh, wasn't catching that the username was being hashed. Still not able to get it though.
Let me ask about a different direction: what's the latest and greatest on integration with JBoss SSO or OpenSSO? I see that there are Jira issues out there but don't see that anything is happening. On the other side there is a ton of buzz about it via Google. Is anybody aware of any decent documentation in this regard (SSO) for a relatively plug-n-play solution?
Really appreciate your response Nikolay!
Gerald
-
3. Re: Need a little help from a seam and php guru
kapitanpetko May 14, 2009 5:01 AM (in response to hardaur)
Gerald Anderson wrote on May 14, 2009 00:23:
> Ahh, wasn't catching that the username was being hashed. Still not able to get it though.
I am far from a PHP guru, but your best bet is probably to print both steps from Java and PHP and see where things go wrong.
You need a binary blob of the password bytes + the salt bytes to get this to work with the standard md5 function. Btw, does PHP have md5_update or some such?
> Let me ask about a different direction: what's the latest and greatest on integration with JBoss SSO or OpenSSO? I see that there are Jira issues out there but don't see that anything is happening. On the other side there is a ton of buzz about it via Google. Is anybody aware of any decent documentation in this regard (SSO) for a relatively plug-n-play solution?
Yeah, I'd like to see something like this too. It shouldn't be too hard to integrate Seam security with *SSO, but if someone has already done it, all the better :)
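The two-step computation discussed above (S = MD(U), PH = MD(P||S)), as an added example that is not part of the thread or of Seam's source. It shows the raw-bytes salt that the "binary blob" remark refers to, the same digest built with PHP's incremental hash_update(), and the hex-salt variant that will not match. The function names and sample credentials are constructed for illustration, and the encoding of the final stored string is an assumption because the thread does not state it.

```php
<?php
// Added example; function names are hypothetical, not Seam or PHP APIs.
// Implements S = MD(U), PH = MD(P || S) from the thread with MD = MD5.

// One-shot form: hash the password bytes followed by the RAW salt bytes.
function seam_salted_digest(string $username, string $password): string
{
    $salt = md5($username, true);         // true => 16 raw bytes, like md.digest()
    return md5($password . $salt, true);  // single call over the blob P || S
}

// Incremental form, mirroring the two md.update() calls in the Java code.
function seam_salted_digest_incremental(string $username, string $password): string
{
    $salt = hash('md5', $username, true);
    $ctx  = hash_init('md5');
    hash_update($ctx, $password);
    hash_update($ctx, $salt);
    return hash_final($ctx, true);
}

// The easy mistake: md5() returns 32 hex characters by default, so this
// hashes P || hex(S) instead of P || S.
function hex_salt_mistake(string $username, string $password): string
{
    return md5($password . md5($username), true);
}

// Constructed sample credentials. Java's getBytes() uses the platform
// default charset, so non-ASCII input needs the same encoding on both sides.
$user = 'demo';
$pass = 'secret';

$oneShot     = seam_salted_digest($user, $pass);
$incremental = seam_salted_digest_incremental($user, $pass);
$mistake     = hex_salt_mistake($user, $pass);

echo 'one-shot equals incremental: ';
var_dump(hash_equals($oneShot, $incremental));
echo 'one-shot equals hex-salt variant: ';
var_dump(hash_equals($oneShot, $mistake));

// Assumption: the thread does not say how the final string is encoded,
// so print both common encodings to compare against the Java output.
echo 'hex:    ', bin2hex($oneShot), "\n";
echo 'base64: ', base64_encode($oneShot), "\n";
```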
-
4. Re: Need a little help from a seam and php guru
maristr May 20, 2009 2:23 PM (in response to hardaur)
Yes... the problem is definitely that PHP has no cryptographic framework like JCE. The MD5 function is pretty simple without a possibility to update the digest prior to finalizing.
AFAIK the same situation is for SHA1 && PHP.
If you really wish to generate user records from PHP, the fastest workaround is to write a custom PasswordHash (probably not extending but a new class, the current one has imho no proper abstraction) and to use your own hash-building mechanism which can be reproduced in PHP with a simple call to the md5 function, e.g.: md5($salt.md5($pwd)).
Marian