8 Replies Latest reply on Mar 29, 2011 11:41 AM by angela leon

    PasswordHash

    angela leon Newbie

      Hello everybody!


      a simple question:
      what the




      @UserPassword(hash = "md5")
           public String getPasswordHash() {
                return passwordHash;
           }
      
           public void setPasswordHash(String passwordHash) {
                
                
                this.passwordHash =passwordHash;
           }



      I'm very confused because I thought first that it encrypted the password but i get nothing
      please if some can help me, or explain to me


        • 1. Re: PasswordHash
          angela leon Newbie

          oups I forgot to write the question:
          what is the following code (the one above) supposed to do?? is it supposed to store a crypted password in the Datatable??

          • 2. Re: PasswordHash
            angela leon Newbie

            No one!!please I realy need to understand because I'm trying the code but it just shows the password normally.


            please any explanation is very welcome...

            • 3. Re: PasswordHash
              Khosro Asgharifard Sharabiani Newbie

              If you want to store password in encrypted format in database, you must encrypt it and then save it to database.


              User u=new User();
              u.setUsername("user");
              u.setPasswordHash(PasswordHash.instance().generateSaltedHash("yourpassword",u.getUsername(), "md5"));
              
              


              if your entity is


              @UserPassword(hash = "sha")
                   public String getPasswordHash() {
                        return passwordHash;
                   }
              
                   public void setPasswordHash(String passwordHash) {
                   
                        this.passwordHash =passwordHash;
                   }
              



              Then you must write


              User u=new User();
              u.setUsername("user");
              u.setPasswordHash(PasswordHash.instance().generateSaltedHash("yourpassword",u.getUsername(), "sha"));
              
              



              • 4. Re: PasswordHash
                Craig Bensemann Novice

                I'm afraid that is simply not true. While you may do that if you wish it requires you to use Seams PasswordHash component directly. You would have to use it in both your authenticate method and in the method where you persist new users. If you read the Seam reference guide you will find a section on IdentityManagers and IdentityStores. Using this means your password will be hashed and stored for you simply by annotating it as you have.

                • 5. Re: PasswordHash
                  Khosro Asgharifard Sharabiani Newbie

                  Hi Craig,


                  Do you mean that i wrote a wrong code in this post?


                  Khosro.

                  • 6. Re: PasswordHash
                    Craig Bensemann Novice

                    While not entirely wrong your post is quite misleading. Manually hashing a password is one way to deal with the solution but does not actually take advantage of the @UserPassword(hash = "md5") at all. Using an IdentityStore as I mentioned before will automatically hash the users password based on the @UserPassword(hash = "md5") annotation. This method greatly simplifies user authentication and makes use of that annotation and also does away with any need to manually call or make use of the PasswordHash component.

                    • 7. Re: PasswordHash
                      Khosro Asgharifard Sharabiani Newbie

                      Hi Craig,


                      Yes.I think you are right.


                      Khosro.

                      • 8. Re: PasswordHash
                        angela leon Newbie

                        Hi Craig and Khosro,
                        thank you for your answers.
                        So if I do understand the IdentityStore with the annotation


                        @UserPassword(hash="md5")



                        do actually encrypt the password??and is the password value going to be encrypted even in the datatable User??...because this is what I'm trying to do...


                        I've tried the following:


                        in components.xml


                        <security:identity-manager
                        identity-store="#{ldapIdentityStore}"
                        role-identity-store="#{jpaIdentityStore}"/>


                        and in my User Entity, I've used all the necessary annotations based on seam reference(@UserPrincipal,@UserPassword,@UserRoles and even Enabled), but seem not to work.


                        what do the passwordSalt mean??
                        I really appreciate your help