users@glassfish.java.net

Re: JDBC Realm and new Password Encryption Algorithm field

From: kyle shanahan <xchampionx_at_bridge9.sakura.ne.jp>
Date: Fri, 09 Mar 2012 15:56:02 +0900

Thanks for adding encrypted password support.
I was willing to use HTTP digest authentication from my applications,
but I gave up on it once because it had to store passwords in clear text
until this release.

BTW, is there a right way to acquire the MasterPassword from applications?
(I think it may be impossible for security reasons...)

I want to add users to the table dynamically from my applications,
but that requires the MasterPassword to encrypt.
Or is there any other better approach?

Thanks.

(12/02/28 21:07), Kumar Jayanti wrote:
> The passwords for HTTP Digest Authentication were expected to be
> stored in clear text till we introduced this feature. Now it should
> be possible to store/provision passwords in Encrypted Form in the DB.
> The Configuration of the Encryption Algorithm tells the JDBCRealm
> implementation about the algorithm used for encryption. The
> encryption key, as Nithya mentioned, is the MasterPassword.
>
>
> On 28-Feb-2012, at 5:21 PM, Laird Nelson wrote:
>
>> On Tue, Feb 28, 2012 at 4:47 AM, Nithya Subramanian
>> <nithya.subramanian_at_oracle.com> wrote:
>>
>> The "Password Encryption Algorithm" is a new property of the JDBC
>> Digest Realm. It denotes the algorithm for storing the
>> DigestRealm passwords in the database in an encrypted form, which
>> is later decrypted before validation in this specific realm. The
>> key for decryption is the master password. This is an additional
>> level of security for Digest Realms. This parameter is currently
>> optional in 3.1.2, but would be made mandatory in BG.
>>
>>
>> I am afraid I am not intelligent enough to understand this explanation.
>>
>> For the sake of brevity, suppose that logging in to Glassfish is
>> accomplished via a hypothetical login() function that takes a
>> username and a password. So login("scott", "tiger"), let us say,
>> proceeds through the realm infrastructure and allows Glassfish to
>> determine whether the user is who he says he is.
>>
>> Suppose in my database I have stored the MD5 hash of "tiger" as the
>> password for user "scott".
>>
>> If I am reading this right, to make it so that Glassfish will hash
>> the incoming string "tiger" in such a way that it can be compared
>> with the stored hash, I would specify a DigestAlgorithm of "MD5". I
>> would also leave the Password Encryption Algorithm blank, since I
>> have not stored this password in an encrypted fashion, but rather in
>> a hashed fashion.
>>
>> I suspect however that I am *not* reading you properly, and that you
>> mean something else. Perhaps you mean that the hash itself is
>> encrypted if I also specify the Password Encryption Algorithm?
>>
>> Thanks in advance for your patience and any further help you can give
>> here. In the meantime I'll go read the source code you mentioned.
>>
>> Best,
>> Laird
>>
>> --
>> http://about.me/lairdnelson
>>
>
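As an added illustration of the point Laird raises (example code written for this page, not code from GlassFish or from anyone in the thread): an RFC 2617 digest check in which the server verifies a request from a stored HA1 = MD5(user:realm:password) rather than from the cleartext password, while a bare MD5 of the password alone cannot reproduce the client's response. The realm name, nonce and URI are constructed sample values; the scheme GlassFish uses to encrypt the stored value with the master password is not described in the thread and is not modelled here.

```python
import hashlib
import hmac

# Constructed sample values (not taken from the thread).
REALM = "example-realm"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
METHOD, URI = "GET", "/dir/index.html"


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """RFC 2617 HA1: MD5(user:realm:password). This is the only per-user
    secret the server needs to keep; it can replace the cleartext password."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1_value: str, method: str, uri: str, nonce: str) -> str:
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2), HA2 = MD5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_value}:{nonce}:{ha2}")


def client_response(username: str, password: str, method: str, uri: str,
                    nonce: str, realm: str = REALM) -> str:
    """What a browser sends: it knows the cleartext password, so it derives HA1."""
    return digest_response(ha1(username, realm, password), method, uri, nonce)


def server_verify(stored_ha1: str, method: str, uri: str, nonce: str,
                  presented: str) -> bool:
    """Server side: recompute from the stored HA1 only, compare in constant time."""
    expected = digest_response(stored_ha1, method, uri, nonce)
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    resp = client_response("scott", "tiger", METHOD, URI, NONCE)
    print("stored HA1 verifies:", server_verify(ha1("scott", REALM, "tiger"), METHOD, URI, NONCE, resp))
    print("bare MD5(password) verifies:", server_verify(md5_hex("tiger"), METHOD, URI, NONCE, resp))
```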