Jasypt with Hibernate and ACEGI, best practice for digesting new passwords?

Printable View

Oct 11th, 2007, 07:55 AM
Fatefree

Jasypt with Hibernate and ACEGI, best practice for digesting new passwords?

My application uses a BasicPasswordEncryptor wired into the Acegi DaoAuthentication provider, which works fine. My question is what is the best practice for when a new user is created, in regards to Hibernate?

Specifically I know I want to digest a string before it gets persisted in the database (No need to ever decrypt, just compare digested strings for authentication). The two ways I was thinking of doing that are:

1) Tell hibernate to store the password in an encrypted way, using the same BasicPasswordEncryptor (Which I have not found documentation on, at least in a way to force it to use the same encryptor acegi is using)

or 2) In my UserDetails implementation, I can change the getPassword() method to return an ecrypted version (which would make it secure from any call at all)

So which is the more appropriate way to encrypt a new password? If its 1, can anyone show me some example on how to make hibernate use the same digestor, and if its 2, can someone explain how to best do this? I was thinking wire in the encryptor into the userdetails implementation?
Oct 11th, 2007, 08:21 AM
Injecteer

I am using the solution 1', so that in the single register() method I re-use acegi's password encoder to encrypt the plain-text password:

Code:

PasswordEncoder passwordEncoder; SaltSource salt; public void register(T account) throws ObjectAlreadyExistsException{ try { accountDao.findByUsername(account.getUsername()); throw new ObjectAlreadyExistsException("Account already exists!"); } catch (ObjectNotFoundException e) { accountDao.create(account); // setting a password with an "Id" as a salt String encryptedPassword = passwordEncoder.encodePassword(account.getPassword(), salt.getSalt(account)); account.setPassword(encryptedPassword); } }

pretty easy to implement and works as charm :)
Also, it doesn't depend on anything but acegi, so that you can use it no-hibernate app.
Oct 15th, 2007, 12:24 PM
dfernandez

Hello Fatefree,

The best practice for digesting passwords for new users is that you get the BasicPasswordEncryptor (not the Acegi integration wrapper) as a dependency for the piece of your business code that creates the new user, and use it for encrypting the password before saving it (the password). I don't think Hibernate is relevant at all in this scenario.

As for BasicPasswordEncryptor, it cannot be configured to "use the same encryptor ACEGI is using", but exactly the contrary. It is ACEGI which should use the BasicPasswordEncryptor as its password encoder using the Acegi-integration features in Jasypt (http://www.jasypt.org/springsecurity.html)

Regards,
Daniel.