Password Encryption Algorithm in Glassfish 4

限于喜欢 提交于 2020-01-02 03:29:10

问题


I've recently updated Glassfish from 3.1.2 to 4.0 and wanted to set up a JDBCRealm that I used before on my app which uses FORM based authentication. The passwords are hashed with SHA-256 in the database (that is the default Digest Algorithm option).

The realm has a property that became mandatory in this Glassfish version: Password Encryption Algorithm. Quite incredibly, the official Glassfish documentation says it's optional, and the note under the input field says it is a risk to leave it empty, however you cannot leave it empty as it is mandatory.

I cannot log in in my app that was working before no matter what I set in this property. (This is true to both the newly registered and old users.) I was googling for days but couldn't find the options for this field. What are the options?

Also, I'm using Glassfish with MySQL. Does Glassfish send the hashed passwords encrypted to the DB or is it just some instruction to MySQL to store the hashed passwords with this kind of encryption?

This question helped me somewhat but didn't solve my problem.

UPDATE: Actually, I don't use the classic FORM based authentication, but a custom JSF form with programmatic login using HttpServletRequest#login(), but I don't think it matters in this issue.


回答1:


I've tested a simple use case with Glassfish 4.1 and a JDBC Realm configured for MySQL.

You can set up a simple user table:

  • name: stores the username
  • password: stores the SHA-256 hash of the user's password (without salting)
  • group: stores the user group (i.e. admin, user)

I.e.

INSERT INTO users (name, password, group) VALUES ("admin", SHA2("password", 256), "admins"); 

In the admin console, go to Configurations > Security > Realms and edit your realm.

In the "Password Encryption Algorithm" field enter "AES".

In the "Digest Algorithm" field enter "SHA-256".

In the "Charset" field enter "UTF-8".




回答2:


For future reference for those who get to this question looking for how Glassfish uses configuration "Password Encryption Algorithm" in JDBCRealm. I took a look in the code and it seems to not be used at all: Link, Permalink.



来源:https://stackoverflow.com/questions/22731036/password-encryption-algorithm-in-glassfish-4

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!