users@glassfish.java.net

Re: JDBC Realm and new Password Encryption Algorithm field

From: Nithya Subramanian <nithya.subramanian_at_oracle.com>
Date: Tue, 28 Feb 2012 15:17:50 +0530

The "Password Encryption Algorithm" is a new property of the JDBC Digest
Realm. It denotes the algorithm for storing the DigestRealm passwords
in the database in an encrypted form, which is later decrypted before
validation in this specific realm. The key for decryption is the master
password. This is an additional level of security for Digest Realms.
This parameter is currently optional in 3.1.2, but would be made
mandatory in BG.

You can find the code related to this in the 3.1.2 GlassFish codebase, in
DigestRealmBase.java.

The Digest algorithm property is for hashing (one-way) the password,
applicable to JDBCRealm (not just JDBCDigestRealm) as well.

HTH
Nithya

On Saturday 25 February 2012 03:20 AM, Laird Nelson wrote:
> On Fri, Feb 24, 2012 at 2:18 PM, Laird Nelson <ljnelson_at_gmail.com
> <mailto:ljnelson_at_gmail.com>> wrote:
>
> What is the difference between the digest algorithm property and
> the password encryption algorithm property in the JDBC realm setup?
>
>
> I've also posted this problem on StackOverflow:
> http://stackoverflow.com/questions/9437897/glassfish-3-1-2s-jdbcrealm-has-a-new-password-encryption-algorithm-field-what
>
> In working today to understand these properties, I also noticed that
> JDBCRealm.java is not where I expected it to be found:
> http://java.net/projects/glassfish/sources/svn/show/trunk/main/nucleus/security/core/src/main/java/com/sun/enterprise/security/auth/realm/jdbc?rev=52693
> (note the directory is empty). My copy of GlassFish's source code,
> which I updated from subversion today, has two prior copies under /v3
> and /v2; neither (as I would expect) references the new password
> encryption algorithm property at all.
>
> Thanks,
> Best,
> Laird
>
> --
> http://about.me/lairdnelson
>
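
The distinction drawn in the reply above, as an added example that is not part of the original thread and is not GlassFish code: a one-way digest is enough when the server only compares hashes, while HTTP Digest validation (RFC 2617) has to compute HA1 from the cleartext password, so the stored value must be recoverable. The class name, the AES-GCM cipher, the PBKDF2 key derivation from the master password, and all sample values are assumptions made for illustration; the thread does not say which algorithm or key derivation DigestRealmBase.java uses.

```java
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.*;
import java.security.MessageDigest;
import java.security.SecureRandom;
import static java.nio.charset.StandardCharsets.UTF_8;

public class RealmStorageDemo {  // hypothetical class, not GlassFish code
    static String md5Hex(String s) throws Exception {
        StringBuilder out = new StringBuilder();
        for (byte b : MessageDigest.getInstance("MD5").digest(s.getBytes(UTF_8)))
            out.append(String.format("%02x", b));
        return out.toString();
    }
    // RFC 2617 response without qop: MD5(HA1:nonce:HA2); computing HA1 takes the cleartext password.
    static String digestResponse(String user, String realm, String pw, String nonce, String uri) throws Exception {
        String ha1 = md5Hex(user + ":" + realm + ":" + pw);
        return md5Hex(ha1 + ":" + nonce + ":" + md5Hex("GET:" + uri));
    }
    // Assumed scheme: AES-GCM under a PBKDF2 key derived from the master password.
    static byte[] crypt(int mode, char[] master, byte[] salt, byte[] iv, byte[] in) throws Exception {
        byte[] k = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(new PBEKeySpec(master, salt, 100_000, 256)).getEncoded();
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, new SecretKeySpec(k, "AES"), new GCMParameterSpec(128, iv));
        return c.doFinal(in);
    }
    public static void main(String[] args) throws Exception {
        String pw = "constructed-user-password";  // constructed sample values throughout
        char[] master = "constructed-master-password".toCharArray();
        byte[] salt = new byte[16], iv = new byte[12];
        SecureRandom rnd = new SecureRandom();
        rnd.nextBytes(salt);
        rnd.nextBytes(iv);

        // Digest algorithm (one-way): store the hash, compare hashes at login.
        MessageDigest sha = MessageDigest.getInstance("SHA-256");
        byte[] storedHash = sha.digest(pw.getBytes(UTF_8));
        boolean hashLoginOk = MessageDigest.isEqual(storedHash, sha.digest(pw.getBytes(UTF_8)));

        // Password encryption algorithm (two-way): store ciphertext, decrypt before validation.
        byte[] column = crypt(Cipher.ENCRYPT_MODE, master, salt, iv, pw.getBytes(UTF_8));
        String recovered = new String(crypt(Cipher.DECRYPT_MODE, master, salt, iv, column), UTF_8);
        String fromClient = digestResponse("alice", "demo", pw, "nonce123", "/app");
        String onServer = digestResponse("alice", "demo", recovered, "nonce123", "/app");
        System.out.println("one-way hash login ok:   " + hashLoginOk);
        System.out.println("digest response matches: "
                + MessageDigest.isEqual(fromClient.getBytes(UTF_8), onServer.getBytes(UTF_8)));
    }
}
```

Because the stored value is reversible, anyone holding both the database column and the master password can recover user passwords, so the master password needs the same protection as the credentials themselves.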