users@glassfish.java.net

Re: JDBC Realm and new Password Encryption Algorithm field

From: Laird Nelson <ljnelson_at_gmail.com>
Date: Tue, 28 Feb 2012 06:51:30 -0500

On Tue, Feb 28, 2012 at 4:47 AM, Nithya Subramanian <
nithya.subramanian_at_oracle.com> wrote:

> The "Password Encryption Algorithm" is a new property of the JDBC Digest
> Realm. It denotes the algorithm for storing the DigestRealm passwords in
> the database in an encrypted form, which is later decrypted before
> validation in this specific realm. The key for decryption is the master
> password. This is an additional level of security for Digest Realms. This
> parameter is currently optional in 3.1.2, but would be made mandatory in
> BG.
>

I am afraid I am not intelligent enough to understand this explanation.

For the sake of brevity, suppose that logging in to Glassfish is
accomplished via a hypothetical login() function that takes a username and
a password. So login("scott", "tiger"), let us say, proceeds through the
realm infrastructure and allows Glassfish to determine whether the user is
who he says he is.

Suppose in my database I have stored the MD5 hash of "tiger" as the
password for user "scott".

If I am reading this right, to make it so that Glassfish will hash the
incoming string "tiger" in such a way that it can be compared with the
stored hash, I would specify a DigestAlgorithm of "MD5". I would also
leave the Password Encryption Algorithm blank, since I have not stored this
password in an encrypted fashion, but rather in a hashed fashion.

I suspect however that I am *not* reading you properly, and that you mean
something else. Perhaps you mean that the hash itself is encrypted if I
also specify the Password Encryption Algorithm?

Thanks in advance for your patience and any further help you can give
here. In the meantime I'll go read the source code you mentioned.

Best,
Laird

-- 
http://about.me/lairdnelson
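The two readings Laird lays out (a stored hash compared after hashing the presented password, versus a stored hash that is itself encrypted under the master password and decrypted before comparison) can be made concrete in code. The following is an added example written for this thread; it is not GlassFish code and does not reproduce the JDBC Digest Realm's real algorithm. It uses the thread's "scott"/"tiger" pair, assumes hex-encoded, unsalted digests, and stands in a small HMAC-SHA256 counter-mode cipher with an authentication tag (constructed here, stdlib only) for whatever the "Password Encryption Algorithm" setting would select; the master password and salt are placeholders.

```python
import hashlib
import hmac
import os

# Constructed sample data from the scenario in the thread: user "scott",
# password "tiger". The master password and salt are placeholders.
USERNAME = "scott"
PASSWORD = "tiger"
MASTER_PASSWORD = "placeholder-master-password"
DEMO_SALT = b"jdbc-realm-demo-salt"  # constructed; a real deployment stores a random salt


def digest_password(password: str, digest_algorithm: str) -> str:
    """Reading 1: the realm's DigestAlgorithm (e.g. "MD5") hashes the presented
    password and the result is compared with the stored hash. Hex encoding and
    the absence of a salt are assumptions made for this example."""
    return hashlib.new(digest_algorithm, password.encode("utf-8")).hexdigest()


def verify_digest_only(stored_hex: str, presented: str, digest_algorithm: str) -> bool:
    """Password Encryption Algorithm left blank: compare the two hashes directly,
    in constant time so the comparison itself leaks nothing about the stored value."""
    return hmac.compare_digest(stored_hex, digest_password(presented, digest_algorithm))


# Reading 2: the stored hash is additionally encrypted under a key derived from
# the master password and decrypted before comparison. The cipher below is a
# stand-in (HMAC-SHA256 keystream in counter mode, encrypt-then-MAC), not the
# algorithm GlassFish uses; it exists only so that the example is self-contained.
NONCE_LEN = 12
TAG_LEN = 16


def derive_key(master_password: str) -> bytes:
    # Hypothetical key derivation from the domain master password.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), DEMO_SALT, 20_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_digest(digest_hex: str, master_password: str) -> str:
    """What would be written to the password column: nonce || ciphertext || tag, hex-encoded."""
    key = derive_key(master_password)
    nonce = os.urandom(NONCE_LEN)
    plain = digest_hex.encode("ascii")
    ct = bytes(p ^ k for p, k in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return (nonce + ct + tag).hex()


def decrypt_digest(stored: str, master_password: str) -> str:
    """Recover the hash; raises ValueError on a wrong master password or a tampered row."""
    key = derive_key(master_password)
    raw = bytes.fromhex(stored)
    nonce, ct, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    expected_tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected_tag):
        raise ValueError("wrong master password or tampered record")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct)))).decode("ascii")


def verify_encrypted_digest(stored: str, presented: str, digest_algorithm: str,
                            master_password: str) -> bool:
    """Password Encryption Algorithm set: decrypt the stored hash, then compare as in reading 1."""
    try:
        stored_hex = decrypt_digest(stored, master_password)
    except ValueError:
        return False
    return hmac.compare_digest(stored_hex, digest_password(presented, digest_algorithm))


if __name__ == "__main__":
    stored_hash = digest_password(PASSWORD, "md5")
    print("reading 1, correct password:", verify_digest_only(stored_hash, "tiger", "md5"))
    stored_encrypted = encrypt_digest(stored_hash, MASTER_PASSWORD)
    print("reading 2, correct password:", verify_encrypted_digest(stored_encrypted, "tiger", "md5", MASTER_PASSWORD))
    print("reading 2, wrong master password:", verify_encrypted_digest(stored_encrypted, "tiger", "md5", "other"))
```

Two points worth keeping in mind when reading this. First, the encryption layer only helps against an attacker who can read the password table but not the master password; the server must hold the key to decrypt at login time, so it is a secondary control, not a replacement for a proper password hash. Second, an unsalted MD5 digest, as in the thread's scenario, is a weak way to store passwords regardless of the encryption layer; an adaptive, salted scheme is what a practitioner would want for the DigestAlgorithm if the realm allows it.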