users@glassfish.java.net

Re: JDBC Realm and new Password Encryption Algorithm field

From: Kumar Jayanti <v.b.kumar.jayanti_at_oracle.com>
Date: Tue, 28 Feb 2012 17:37:15 +0530

The passwords for HTTP Digest Authentication were expected to be stored in clear text till we introduced this feature. Now it should be possible to store/provision passwords in encrypted form in the DB. The configuration of the Encryption Algorithm tells the JDBCRealm implementation about the algorithm used for encryption. The encryption key, as Nithya mentioned, is the MasterPassword.


On 28-Feb-2012, at 5:21 PM, Laird Nelson wrote:

> On Tue, Feb 28, 2012 at 4:47 AM, Nithya Subramanian <nithya.subramanian_at_oracle.com> wrote:
> The "Password Encryption Algorithm" is a new property of the JDBC Digest Realm. It denotes the algorithm for storing the DigestRealm passwords in the database in an encrypted form, which is later decrypted before validation in this specific realm. The key for decryption is the master password. This is an additional level of security for Digest Realms. This parameter is currently optional in 3.1.2, but would be made mandatory in BG.
>
> I am afraid I am not intelligent enough to understand this explanation.
>
> For the sake of brevity, suppose that logging in to Glassfish is accomplished via a hypothetical login() function that takes a username and a password. So login("scott", "tiger"), let us say, proceeds through the realm infrastructure and allows Glassfish to determine whether the user is who he says he is.
>
> Suppose in my database I have stored the MD5 hash of "tiger" as the password for user "scott".
>
> If I am reading this right, to make it so that Glassfish will hash the incoming string "tiger" in such a way that it can be compared with the stored hash, I would specify a DigestAlgorithm of "MD5". I would also leave the Password Encryption Algorithm blank, since I have not stored this password in an encrypted fashion, but rather in a hashed fashion.
>
> I suspect however that I am *not* reading you properly, and that you mean something else. Perhaps you mean that the hash itself is encrypted if I also specify the Password Encryption Algorithm?
>
> Thanks in advance for your patience and any further help you can give here. In the meantime I'll go read the source code you mentioned.
>
> Best,
> Laird
>
> --
> http://about.me/lairdnelson
>
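The distinction the thread turns on (hashed password vs. encrypted password, and why a Digest realm needs the latter) can be made concrete with a small model. The following is an added example written for this page; it is not GlassFish code and does not reproduce the JDBCRealm implementation. The Digest arithmetic follows RFC 2617 (MD5, qop=auth). The at-rest encryption is a stand-in keystream cipher built from HMAC-SHA256 with a PBKDF2-derived key so the example runs on the standard library alone; the realm name, the PBKDF2 salt and iteration count, and the `storage_form` labels are all constructed for illustration and are not GlassFish's actual algorithm or settings.

```python
"""Model of password storage forms for an HTTP Digest realm (constructed example)."""
import hashlib
import hmac
import os

REALM = "example-realm"  # constructed realm name, not a GlassFish default
_SALT = b"constructed-salt"  # constructed; a real deployment would store a random salt
_ITERATIONS = 100_000


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def ha1(username: str, password: str, realm: str = REALM) -> str:
    """HA1 = MD5(user:realm:password). The server must be able to compute this,
    so it needs the password (or HA1 itself) in a usable form, not MD5(password)."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(username, password, method, uri, nonce, nc, cnonce, realm=REALM):
    """What a client sends as the Digest 'response' value (qop=auth)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1(username, password, realm)}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def verify_digest(expected_ha1, method, uri, nonce, nc, cnonce, response) -> bool:
    """Server-side check: recompute the response from HA1 and compare in constant time."""
    ha2 = md5_hex(f"{method}:{uri}")
    expected = md5_hex(f"{expected_ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
    return hmac.compare_digest(expected, response)


def _derive_key(master_password: str) -> bytes:
    # The thread states the master password is the encryption key; here it is
    # stretched with PBKDF2 before use. Stand-in scheme, not GlassFish's.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), _SALT, _ITERATIONS)


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_password(master_password: str, password: str) -> bytes:
    """Encrypt for storage. Returns iv || ciphertext || tag (encrypt-then-MAC)."""
    key = _derive_key(master_password)
    iv = os.urandom(16)
    pt = password.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, iv, len(pt))))
    tag = hmac.new(key, iv + ct, hashlib.sha256).digest()
    return iv + ct + tag


def decrypt_password(master_password: str, blob: bytes) -> str:
    """Decrypt a stored blob; rejects tampering and a wrong master password."""
    key = _derive_key(master_password)
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, iv + ct, hashlib.sha256).digest(), tag):
        raise ValueError("ciphertext tampered or wrong master password")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, iv, len(ct))))
    return pt.decode()


def can_decrypt(master_password: str, blob: bytes) -> bool:
    try:
        decrypt_password(master_password, blob)
        return True
    except ValueError:
        return False


def realm_check(stored, storage_form, master_password, username,
                method, uri, nonce, nc, cnonce, response):
    """What a Digest realm can do with each storage form.

    'clear'           : password stored in clear text (the pre-feature situation)
    'encrypted'       : password encrypted under the master password, decrypted here
    'md5-of-password' : one-way hash of the bare password; HA1 cannot be derived
                        from it, so Digest verification is impossible (returns None)
    """
    if storage_form == "clear":
        password = stored
    elif storage_form == "encrypted":
        password = decrypt_password(master_password, stored)
    elif storage_form == "md5-of-password":
        return None
    else:
        raise ValueError(f"unknown storage form: {storage_form}")
    return verify_digest(ha1(username, password), method, uri, nonce, nc, cnonce, response)


if __name__ == "__main__":
    args = ("scott", "GET", "/app", "nonce-1", "00000001", "cnonce-1")
    resp = digest_response("scott", "tiger", *args[1:])
    blob = encrypt_password("master-pw", "tiger")
    print("clear     :", realm_check("tiger", "clear", "master-pw", *args, resp))
    print("encrypted :", realm_check(blob, "encrypted", "master-pw", *args, resp))
    print("md5 hash  :", realm_check(md5_hex("tiger"), "md5-of-password", "master-pw", *args, resp))
```

Running the script shows the point Laird was circling: a stored `MD5("tiger")` is useless to a Digest realm because the protocol needs `MD5(user:realm:password)`, whereas the encrypted form can be turned back into the password at validation time, with the master password as the only secret the server holds. The cost of that property is that anyone holding both the database row and the master password recovers the clear-text password, which is why protecting the master password matters as much as protecting the table.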