4 Replies Latest reply on Nov 24, 2008 1:25 AM by Laurent Nepveu

    password hash value

    Laurent Nepveu Newbie

      Hi All,


      I'm having trouble setting up the identity manager with password hashing.


      If I use the annotation


      @UserPassword(hash="none")



      then I have, for example, 'demo'/'demo' as my username and password for my user and it works fine.


      If I use


      @UserPassword(hash="MD5")



      then I don't know how to set up my database value for my password_hash column.


      I've tried 'fe01ce2a7fbac8fafaed7c982a04e229' which is the string returned by most MD5 hash generators on the net. I've tried '/9Se/pfHeUH8FJ4asBD6jQ==' as well which comes from the seamspace demo.


      Both cases do not work, I can't get my demo user to login.


      Maybe I am missing some configuration?


      Thanks!


      Laurent


        • 1. Re: password hash value
          Ingo Jobling Master

          I generated a password for demo/demo, I also get /9Se/pfHeUH8FJ4asBD6jQ==


          Is the @UserEnabled column in your database set to true?  I noticed that if the user is disabled the invalid username/password is displayed.  I think this message is displayed for various problems during the authentication process.  Perhaps a problem in your configuration? Check components.xml


          Incidentally, here is how the hash is generated; notice that it is based on the username and the password.



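             // Requires java.security.MessageDigest; Base64 is the helper class this code calls.
             public String generateSaltedHash(String password, String saltPhrase, String algorithm)
             {
                try {
                   MessageDigest md = MessageDigest.getInstance(algorithm);

                   if (saltPhrase != null)
                   {
                      // The salt is the digest of the salt phrase
                      md.update(saltPhrase.getBytes());
                      byte[] salt = md.digest();

                      // Hash the password bytes followed by the salt bytes
                      md.reset();
                      md.update(password.getBytes());
                      md.update(salt);
                   }
                   else
                   {
                      md.update(password.getBytes());
                   }

                   // The result is the Base64 encoding of the raw digest
                   byte[] raw = md.digest();
                   return Base64.encodeBytes(raw);
                }
                catch (Exception e) {
                   throw new RuntimeException(e);
                }
             }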


          • 2. Re: password hash value
            Laurent Nepveu Newbie

            Hey Ingo,


            Thanks for your answer. My UserEnabled column is correctly set because when I use an unhashed password, it is working fine.


            As for the method you provided, what would be the saltPhrase value?


            Thanks!


            Laurent

            • 3. Re: password hash value
              Ingo Jobling Master

              The salt is the username, see JpaIdentityStore and PasswordHash in the source files included with Seam.


                protected String getUserAccountSalt(Object user)
                {
                   // By default, we'll use the user's username as the password salt
                   return userPrincipalProperty.getValue(user).toString();
                }


              • 4. Re: password hash value
                Laurent Nepveu Newbie

                Got it working! Thanks!
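
Added example, not part of the thread or of Seam's source: a standalone class that follows the steps of the `generateSaltedHash` method quoted in reply 1, with the username as salt as described in reply 3, and compares the resulting column value against an unsalted MD5 digest in hex and in Base64. The class and method names are hypothetical; it assumes `java.util.Base64` in place of the `Base64` helper the posted code calls, and UTF-8 instead of the platform default charset.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

public class PasswordHashColumn {

    // Same steps as the generateSaltedHash method in reply 1:
    // Base64( digest( password || digest(salt) ) ).
    // Assumptions: java.util.Base64 and explicit UTF-8 (see lead-in).
    static String saltedHash(String password, String salt, String algorithm) throws Exception {
        MessageDigest md = MessageDigest.getInstance(algorithm);
        if (salt != null) {
            // digest(byte[]) hashes the input and resets md for reuse
            byte[] saltDigest = md.digest(salt.getBytes(StandardCharsets.UTF_8));
            md.update(password.getBytes(StandardCharsets.UTF_8));
            md.update(saltDigest);
        } else {
            md.update(password.getBytes(StandardCharsets.UTF_8));
        }
        return Base64.getEncoder().encodeToString(md.digest());
    }

    static String hex(byte[] raw) {
        StringBuilder sb = new StringBuilder();
        for (byte b : raw) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Recompute the username-salted hash for a login attempt and compare it
    // with the stored column value without an early exit on mismatch.
    static boolean matches(String stored, String username, String password) throws Exception {
        byte[] expected = saltedHash(password, username, "MD5").getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, stored.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        String username = "demo", password = "demo"; // the account from the thread
        byte[] unsalted = MessageDigest.getInstance("MD5")
                .digest(password.getBytes(StandardCharsets.UTF_8));

        String[][] candidates = {
            {"hex, unsalted", hex(unsalted)},                                  // online-generator format
            {"base64, unsalted", Base64.getEncoder().encodeToString(unsalted)},
            {"base64, username-salted", saltedHash(password, username, "MD5")},
        };
        for (String[] c : candidates) {
            System.out.printf("%-24s %-34s matches=%b%n", c[0], c[1], matches(c[1], username, password));
        }
    }
}
```

Only the last candidate has the form the quoted method produces, and because the username is the salt, a stored value is valid only for the username it was computed with.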