Password Encryption Algorithm in Glassfish 4

I've recently updated Glassfish from 3.1.2 to 4.0 and wanted to set up a JDBCRealm that I used before in my app, which uses FORM-based authentication. The passwords are hashed with SHA-256 in the database (that is the default Digest Algorithm option).

The realm has a property that became mandatory in this Glassfish version: Password Encryption Algorithm. Quite incredibly, the official Glassfish documentation says it's optional, and the note under the input field says it is a risk to leave it empty; however, you cannot leave it empty, as it is mandatory.

I cannot log in to my app, which was working before, no matter what I set in this property. (This is true for both newly registered and old users.) I was googling for days but couldn't find the options for this field. What are the options?

Also, I'm using Glassfish with MySQL. Does Glassfish send the hashed passwords encrypted to the DB or is it just some instruction to MySQL to store the hashed passwords with this kind of encryption?

This question helped me somewhat but didn't solve my problem.

UPDATE: Actually, I don't use the classic FORM-based authentication, but a custom JSF form with programmatic login using HttpServletRequest#login(), but I don't think it matters for this issue.


I've tested a simple use case with Glassfish 4.1 and a JDBC Realm configured for MySQL.

You can set up a simple user table:

  • name: stores the username
  • password: stores the SHA-256 hash of the user's password (without salting)
  • group: stores the user group (e.g. admin, user)

For example:

    -- `group` is a reserved word in MySQL, so the column name must be quoted
    INSERT INTO users (name, password, `group`) VALUES ("admin", SHA2("password", 256), "admins");

In the admin console, go to Configurations > Security > Realms and edit your realm.

In the "Password Encryption Algorithm" field enter "AES".

In the "Digest Algorithm" field enter "SHA-256".

In the "Charset" field enter "UTF-8".
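As an added check that is not part of either answer or of GlassFish's own code: the script below reproduces in Python the digest a JDBCRealm computes for a submitted password under a given Digest Algorithm, Encoding and Charset setting, and then tries every combination against a stored row to show which realm configuration the rows in the database actually require. This is the first thing to verify when every login fails after an upgrade, because a realm that hashes correctly but encodes differently (Hex versus Base64, or a different charset) never matches. Assumptions, stated here and in the comments: the realm hashes the password bytes once, unsalted, with the named Java MessageDigest algorithm and encodes the raw digest as lowercase hex or standard Base64; the SAMPLE_USERS row is constructed to match what MySQL's SHA2(..., 256) stores, a lowercase hex string; the function and constant names are mine. Unsalted single-round SHA-256, as in the answer's table, is also a weak password store in its own right; the check here is about matching what is already there.

```python
import base64
import hashlib
import hmac

# Constructed sample row, matching what the answer's INSERT statement stores:
# MySQL's SHA2("password", 256) returns the digest as a lowercase hex string.
SAMPLE_USERS = {
    "admin": "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8",
}

ALGORITHMS = ("MD5", "SHA-1", "SHA-256", "SHA-512")  # Java MessageDigest names
ENCODINGS = ("Hex", "Base64")                         # JDBCRealm "Encoding" values


def realm_digest(password, algorithm="SHA-256", encoding="Hex", charset="UTF-8"):
    """Digest `password` the way a JDBCRealm with these settings is assumed to:
    hash password.getBytes(charset) once, unsalted, then encode the raw digest
    as lowercase hex or standard Base64 (an assumption, not GlassFish's code)."""
    hash_name = algorithm.replace("-", "").lower()     # "SHA-256" -> "sha256"
    raw = hashlib.new(hash_name, password.encode(charset)).digest()
    if encoding.lower() == "hex":
        return raw.hex()
    if encoding.lower() == "base64":
        return base64.b64encode(raw).decode("ascii")
    raise ValueError(f"unsupported encoding: {encoding!r}")


def _same(stored, candidate):
    # Constant-time comparison; work on bytes so a non-ASCII plaintext
    # password cannot make compare_digest raise.
    return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))


def realm_check(stored, password, **realm_settings):
    """True if the stored column value equals the digest the realm would compute."""
    return _same(stored, realm_digest(password, **realm_settings))


def which_settings_match(stored, password, charset="UTF-8"):
    """List the (Digest Algorithm, Encoding) pairs that reproduce the stored value,
    i.e. the realm configurations under which this row would accept `password`."""
    matches = []
    if _same(stored, password):
        matches.append(("none", "plaintext"))
    for algorithm in ALGORITHMS:
        for encoding in ENCODINGS:
            if _same(stored, realm_digest(password, algorithm, encoding, charset)):
                matches.append((algorithm, encoding))
    return matches


if __name__ == "__main__":
    stored = SAMPLE_USERS["admin"]
    print("SHA-256/Hex    :", realm_check(stored, "password"))                    # True
    print("SHA-256/Base64 :", realm_check(stored, "password", encoding="Base64"))  # False
    print("rows require   :", which_settings_match(stored, "password"))           # [('SHA-256', 'Hex')]
```

Run it against a real row by pasting the password column's value into SAMPLE_USERS: an empty result from which_settings_match means the rows were written with a salt, a different charset or an encoder outside this list, and no change to the realm's Password Encryption Algorithm field will make them match. The comparison is deliberately case-sensitive, so hex digests stored in upper case show up as a mismatch rather than being silently accepted.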


For future reference for those who get to this question looking for how Glassfish uses the "Password Encryption Algorithm" configuration in JDBCRealm: I took a look at the code and it seems not to be used at all: Link, Permalink.

Link: http://www.djcxy.com/p/49118.html