users@glassfish.java.net

Re: JDBC Realm and new Password Encryption Algorithm field

From: Laird Nelson <ljnelson_at_gmail.com>
Date: Tue, 28 Feb 2012 07:18:04 -0500

On Tue, Feb 28, 2012 at 7:07 AM, Kumar Jayanti <v.b.kumar.jayanti_at_oracle.com> wrote:

> The passwords for HTTP Digest Authentication were expected to be stored in
> clear text till we introduced this feature. Now it should be possible to
> store/provision passwords in Encrypted Form in the DB. The Configuration
> of the Encryption Algorithm tells the JDBCRealm implementation about the
> algorithm used for encryption. The encryption key as nithya mentioned is
> the MasterPassword.
>

I must be missing something fundamental in all this, and for that I really
do apologize.

If I store my password in the database as an MD5 hash, then...there's no
plain text.

And the JDBCRealm has always been able to handle this case, with the Digest
Algorithm property. So this new feature must be doing something else,
since handling non-plaintext passwords has been in JDBCRealm for ages.

So surely it is not the case that it has been "expected" that passwords
were to be stored in plain text? After all, if I specify a Digest
Algorithm that is NOT "none" for my JDBC realm then Glassfish behaves
according to the rules in DigestRealmBase.java, which hashes the incoming
password using the digest algorithm, compares it to the stored (NOT plain
text) hash, and authenticates or rejects the user.

Where I'm still lost (again, my apologies!) is what exactly is being
encrypted in the case where (a) my password is already hashed in the
database, (b) my Digest Algorithm is set to, say, MD5 and (c) my Password
Encryption Algorithm is non-null.

(I understand that *whatever* is being encrypted is being encrypted using
the MasterPassword (presumably you mean the asadmin master password
mechanism?) as a key.)

Again, thanks for your patience. Always nice to start the day feeling
thick and slow. :-(

Best,
Laird

-- 
http://about.me/lairdnelson
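Added example (not part of the thread, not GlassFish code): the two checks the message contrasts, side by side. The first is the DigestRealmBase-style comparison that works on a stored one-way hash of the password. The second is an RFC 2617 HTTP Digest verification, which shows why a stored MD5(password) is not enough there: the server must hold either the clear-text password or HA1 = MD5(username:realm:password), neither of which can be derived from MD5(password). The realm name, user, password and nonce are constructed sample values; the hex-lowercase encoding of stored hashes is an assumption.

```python
import hashlib
import hmac

# ---- Check 1: realm with Digest Algorithm = MD5 (form / BASIC login) ----
# Assumption: stored value is the lowercase hex digest of the password.

def stored_digest(password: str, algorithm: str = "md5") -> str:
    """Value that would be provisioned in the DB for this user."""
    return hashlib.new(algorithm, password.encode("utf-8")).hexdigest()


def verify_against_stored_hash(submitted: str, stored: str,
                               algorithm: str = "md5") -> bool:
    """Hash the incoming password, compare with the stored hash.
    compare_digest avoids leaking the match position through timing."""
    candidate = stored_digest(submitted, algorithm)
    return hmac.compare_digest(candidate, stored.lower())


# ---- Check 2: HTTP Digest Authentication (RFC 2617, no qop) ----

def _md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 is what the server must know; it is keyed by realm and user."""
    return _md5_hex(f"{username}:{realm}:{password}")


def ha2(method: str, uri: str) -> str:
    return _md5_hex(f"{method}:{uri}")


def digest_response(ha1_value: str, nonce: str, method: str, uri: str) -> str:
    """Client side: response = MD5(HA1:nonce:HA2)."""
    return _md5_hex(f"{ha1_value}:{nonce}:{ha2(method, uri)}")


def verify_http_digest(ha1_value: str, nonce: str, method: str, uri: str,
                       client_response: str) -> bool:
    """Server side: recompute the expected response from HA1 and compare."""
    expected = digest_response(ha1_value, nonce, method, uri)
    return hmac.compare_digest(expected, client_response)


def demo() -> dict:
    """Constructed sample: shows that Check 1 works from a password hash,
    while Check 2 needs HA1 (or the clear-text password) on the server."""
    user, realm, password = "alice", "example-realm", "correct horse"
    nonce, method, uri = "constructed-nonce-1", "GET", "/protected/"

    db_hash = stored_digest(password)              # what Check 1 stores
    server_ha1 = ha1(user, realm, password)        # what Check 2 needs

    resp = digest_response(server_ha1, nonce, method, uri)
    return {
        "form_login_ok": verify_against_stored_hash(password, db_hash),
        "form_login_wrong": verify_against_stored_hash("wrong", db_hash),
        "http_digest_ok": verify_http_digest(server_ha1, nonce, method, uri, resp),
        # A stored MD5(password) is not HA1, so it cannot drive Check 2.
        "md5_password_is_ha1": db_hash == server_ha1,
    }


if __name__ == "__main__":
    print(demo())
```

The last flag in `demo()` is the crux of the thread: both values are MD5 digests, but only HA1 lets the server verify an HTTP Digest response, which is why a realm used for HTTP Digest needs recoverable (clear-text or reversibly encrypted) password material rather than a one-way hash.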