users@glassfish.java.net

Re: JDBC Realm and new Password Encryption Algorithm field

From: Kumar Jayanti <v.b.kumar.jayanti_at_oracle.com>
Date: Tue, 28 Feb 2012 17:59:12 +0530

On 28-Feb-2012, at 5:48 PM, Laird Nelson wrote:

> On Tue, Feb 28, 2012 at 7:07 AM, Kumar Jayanti <v.b.kumar.jayanti_at_oracle.com> wrote:
> The passwords for HTTP Digest Authentication were expected to be stored in clear text till we introduced this feature. Now it should be possible to store/provision passwords in Encrypted Form in the DB. The Configuration of the Encryption Algorithm tells the JDBCRealm implementation about the algorithm used for encryption. The encryption key, as Nithya mentioned, is the MasterPassword.
>
> I must be missing something fundamental in all this, and for that I really do apologize.
>
> If I store my password in the database as an MD5 hash, then...there's no plain text.
>
> And the JDBCRealm has always been able to handle this case, with the Digest Algorithm property. So this new feature must be doing something else, since handling non-plaintext passwords has been in JDBCRealm for ages.
Right.
>
> So surely it is not the case that it has been "expected" that passwords were to be stored in plain text? After all, if I specify a Digest Algorithm that is NOT "none" for my JDBC realm then Glassfish behaves according to the rules in DigestRealmBase.java, which hashes the incoming password using the digest algorithm, compares it to the stored (NOT plain text) hash, and authenticates or rejects the user.
>
> Where I'm still lost (again, my apologies!) is what exactly is being encrypted in the case where (a) my password is already hashed in the database, (b) my Digest Algorithm is set to, say, MD5 and (c) my Password Encryption Algorithm is non-null.

Sorry for the confusion. As I said, this feature is for HTTP Digest Authentication, and so it is applicable if you are using the JDBCDigestRealm.
>
> (I understand that *whatever* is being encrypted is being encrypted using the MasterPassword (presumably you mean the asadmin master password mechanism?) as a key.)
>
> Again, thanks for your patience. Always nice to start the day feeling thick and slow. :-(
>
> Best,
> Laird
>
> --
> http://about.me/lairdnelson
>
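The distinction Kumar draws above can be shown in a few lines: a realm configured with a one-way Digest Algorithm can verify a clear-text password that the client sends (BASIC/FORM), but HTTP Digest Authentication never transmits the password, so the server must recompute the client's response from a password value it can recover itself. The following is an added illustration, not code from this thread or from GlassFish; the function names, the sample user "mufasa", realm "testrealm", password and nonce are constructed, and the GlassFish master-password encryption scheme is not modelled, the recoverable password is simply passed in.

```python
"""Constructed example: one-way hashed password storage versus HTTP Digest
verification. Names and sample values are assumptions for this illustration."""
import hashlib
import hmac


def md5_hex(s: str) -> str:
    """Hex MD5 of a string, as used by the RFC 2617 digest computation."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def hash_password(password: str, digest_algorithm: str) -> str:
    """Store only a one-way hash of the password; models a realm whose
    Digest Algorithm property is set to something other than 'none'."""
    return hashlib.new(digest_algorithm, password.encode("utf-8")).hexdigest()


def verify_hashed_password(stored_hash: str, digest_algorithm: str, candidate: str) -> bool:
    """BASIC/FORM style check: the server receives the clear-text candidate,
    hashes it with the same algorithm and compares in constant time.
    No clear-text password ever needs to be stored for this to work."""
    return hmac.compare_digest(stored_hash, hash_password(candidate, digest_algorithm))


def digest_response(username: str, realm: str, password: str,
                    method: str, uri: str, nonce: str) -> str:
    """The RFC 2617 'response' value (without qop) that an HTTP Digest client
    sends. Only HA1 depends on the password; the password itself is never sent."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def verify_digest_response(server_known_password: str, username: str, realm: str,
                           method: str, uri: str, nonce: str, client_response: str) -> bool:
    """Server side of HTTP Digest: recompute the response from whatever password
    value the realm holds and compare it to what the client sent."""
    expected = digest_response(username, realm, server_known_password, method, uri, nonce)
    return hmac.compare_digest(expected, client_response)


def demo() -> dict:
    """Run both verification styles against a one-way hashed store and against a
    recoverable (clear-text or decrypted) password. All inputs are constructed."""
    password = "s3cret-sample"                       # constructed sample password
    stored_hash = hash_password(password, "sha256")  # what a hashed store holds
    nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"     # constructed, fixed for reproducibility
    client = digest_response("mufasa", "testrealm", password, "GET", "/dir/index.html", nonce)
    return {
        # Hashed store is sufficient when the server sees the clear-text password.
        "basic_ok": verify_hashed_password(stored_hash, "sha256", password),
        "basic_wrong": verify_hashed_password(stored_hash, "sha256", "not-the-password"),
        # A realm that only holds the one-way hash cannot reproduce the Digest response...
        "digest_from_hash_only": verify_digest_response(
            stored_hash, "mufasa", "testrealm", "GET", "/dir/index.html", nonce, client),
        # ...whereas a realm that can recover the password (e.g. by decrypting it) can.
        "digest_from_recoverable_password": verify_digest_response(
            password, "mufasa", "testrealm", "GET", "/dir/index.html", nonce, client),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The failing `digest_from_hash_only` case is the whole reason a JDBCDigestRealm needs a reversible form of the password rather than a hash: the Digest Algorithm setting helps only when the server is handed the clear-text password to hash.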