13 Replies Latest reply on Nov 20, 2009 2:49 PM by prati bha

    Password Hashing

    Zubeen Dedhia Newbie
      I want to hash (md5) the password while storing it in the database.
      So I use the following:

      @Column(name = "password", length = 50)
      @UserPassword(hash = "md5")
      @Length(max = 50)
      public String getPassword() {
              return this.password;
      }

      public void setPassword(String password) {
              this.password = password;
      }


      I also store one MD5-hashed password in the database manually.
      Now I use the Authenticator... but it does not work.
      The Authentication Logic:

      //Retrieving User whose login name matches
      Users user = (Users) entityManager
              .createQuery("SELECT users FROM Users users WHERE users.name = :userName")
              .setParameter("userName", identity.getUsername())
              .getSingleResult();
      this.user = user;

      //User does not exist
      if (user == null) {
              log.info("No such user " + identity.getUsername());
              return false;
      }
      //User Exists
      log.info("Yes such user " + identity.getUsername());
      if (identity.getPassword().equals(user.getPassword())) {
              log.info("Yes such password " + identity.getUsername());
              return true;
      }
      CAN ANYONE TELL ME WHERE I AM GOING WRONG?
      DO I NEED TO DO ANYTHING ADDITIONAL?
        • 1. Re: Password Hashing
          Shervin Asgari Master

           You can have a look here:

           Seam 2.1.2

           Or if you are using 2.1.1, look here: Seam 2.1.1

           They might be helpful.

          • 2. Re: Password Hashing
            Zubeen Dedhia Newbie

             I have read it before but not quite understood it...

            • 3. Re: Password Hashing
              Shervin Asgari Master

              Then tell me what is your problem.

              • 4. Re: Password Hashing
                Muruga boopathy Newbie
                 Why don't you check your components.xml? In case of using a custom authenticator you must make an entry there to use it. If you have done that already, don't use identity.getUserName() in Seam 2.1.2; use the code below to get the username and the password entered.

                 String userName = identity.getCredentials().getUsername();
                 String password = identity.getCredentials().getPassword();
                • 5. Re: Password Hashing
                  Zubeen Dedhia Newbie

                   Not a problem with identity.getUserName()... because the username is getting verified. It's the MD5-hashed password in the DB that is not getting verified.

                  • 6. Re: Password Hashing
                    Shane Bryzak Master

                    Use the password hash generator page in the Seamspace example to compare the hash with the one you have in your database.  I'm guessing that you're not calculating it correctly (possibly missing a salt value, etc).

                    • 7. Re: Password Hashing
                      Zubeen Dedhia Newbie

                       I tried using the SAME hash generator used in Seamspace (Hash.java) with my code:

                       @Column(name = "password", length = 50)
                       @UserPassword(hash = "md5")
                       @Length(max = 50)
                       public String getPassword() {
                               return this.password;
                       }

                       public void setPassword(String password) {
                               this.password = password;
                       }

                       //Retrieving User whose login name matches
                       Users user = (Users) entityManager
                               .createQuery("SELECT users FROM Users users WHERE users.name = :userName")
                               .setParameter("userName", identity.getUsername())
                               .getSingleResult();
                       this.user = user;

                       //User does not exist
                       if (user == null) {
                               log.info("No such user " + identity.getUsername());
                               return false;
                       }
                       //User Exists
                       log.info("Yes such user " + identity.getUsername());
                       if (identity.getPassword().equals(user.getPassword())) {
                               log.info("Yes such password " + identity.getUsername());
                               return true;
                       }

                       Now, no password is encrypted while entering it in the database.
                       I'm too confused... please help.

                      • 8. Re: Password Hashing
                        Kamil Burzynski Newbie

                         Did you try to print the received and stored passwords to the logs? Maybe there is just a simple problem, like .equals() instead of .equalsIgnoreCase() or something like that?

                        • 9. Re: Password Hashing
                          Shane Bryzak Master

                          Why are you comparing identity.getPassword() with user.getPassword()? If you're hashing your passwords in the database, then user.getPassword() will be the hash - identity.getPassword() returns the plain text password the user is authenticating with, so of course they won't be equal.

                          • 10. Re: Password Hashing
                            Zubeen Dedhia Newbie

                             OK, did that...
                             Now I insert an entry manually into the database:

                             insert into users values('admin',null,md5('admin'))

                             After this I try to log in using username/password admin/admin... the user gets verified but the password does not.

                            • 11. Re: Password Hashing
                              prati bha Newbie
                               Hi Shervin

                               I followed your blog and now I can save a hashed password in the database.
                               I also used the hash="md5" annotation:

                               @UserPassword(hash = "md5")
                               public String getPassword() {
                                       return password;
                               }

                               Now the problem is how I can log in using a plain text password.
                               Although I am using this query:

                               Person user = (Person)entityManager.createQuery("select p from Person p where p.userName = :username and p.password = MD5(:password)")

                               it's not working.
                               Am I missing something?

                               Pratibha
                              • 12. Re: Password Hashing
                                prati bha Newbie
                                 Yeah, solved this like:

                                 if (user != null) {
                                         if (user.getPassword().equals(usrmanager.generatePasswordHash(user.getPassword(), user.getUserName()))) {
                                                 //authentication successful
                                                 return true;
                                         }
                                 }

                                 Thanks
                                 Pratibha.


                                • 13. Re: Password Hashing
                                  prati bha Newbie

                                   Ohh!! Really sorry for my previous post, it should be:

                                   (user.getPassword().equals(usrmanager.generatePasswordHash(identity.getCredentials().getPassword(), identity.getCredentials().getUserName())))

                                   I am not using IdentityStore and don't really know whether that will be of any help.
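An added example (not code from this thread, from Seam or from the Seamspace Hash.java) that puts the fix from posts 9, 12 and 13 into runnable form: hash the plaintext the user typed with the same routine and salt that produced the stored value, then compare hash against hash instead of plaintext against hash. `md5Hex`, `passwordMatches` and the salt-then-password byte order are this example's own conventions, not Seam's Hash/PasswordHash API; the stored digest of "admin" is a constructed sample row like the one inserted in post 10.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Constructed example: verify a plaintext login password against a stored MD5 hash. */
public class PasswordCheck {

    private static final char[] HEX = "0123456789abcdef".toCharArray();

    /** Lower-case hex MD5 of saltPhrase + password. An empty saltPhrase yields the same
     *  digest as MySQL's md5('admin') from post 10. The byte order is this example's own
     *  convention (assumption), not a statement about how Seam salts its hashes. */
    static String md5Hex(String password, String saltPhrase) {
        try {
            MessageDigest md = MessageDigest.getInstance("MD5");
            md.update(saltPhrase.getBytes(StandardCharsets.UTF_8));
            byte[] digest = md.digest(password.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                sb.append(HEX[(b >> 4) & 0x0f]).append(HEX[b & 0x0f]);
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 not available", e); // every JRE ships MD5
        }
    }

    /** The check the thread converges on: re-hash the typed plaintext with the SAME routine
     *  and salt used at storage time, then compare hash with hash. MessageDigest.isEqual is
     *  constant-time, unlike String.equals; lower-casing handles upper-case hex rows (post 8). */
    static boolean passwordMatches(String plaintext, String saltPhrase, String storedHash) {
        if (plaintext == null || storedHash == null) return false;
        byte[] computed = md5Hex(plaintext, saltPhrase).getBytes(StandardCharsets.US_ASCII);
        byte[] stored = storedHash.toLowerCase().getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(computed, stored);
    }

    public static void main(String[] args) {
        String stored = "21232f297a57a5a743894a0e4a801fc3"; // constructed row: md5('admin')
        String typed = "admin";                               // identity.getCredentials().getPassword()
        System.out.println(typed.equals(stored));                 // false: plaintext vs hash (post 9)
        System.out.println(passwordMatches(typed, "", stored));   // true: hash vs hash, unsalted
        // Salted with the username, the shape of post 12's generatePasswordHash(password, userName).
        String saltedStored = md5Hex("admin", "admin");
        System.out.println(passwordMatches("admin", "admin", saltedStored)); // true
        System.out.println(passwordMatches("admin", "", saltedStored));      // false: salt missing (post 6)
    }
}
```

Whatever routine wrote the row (MySQL md5(), Seam's @UserPassword hashing, or a custom generatePasswordHash) must be the one called at login; a salt or encoding mismatch between the two is exactly the silent failure the thread describes.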