Results 1 to 3 of 3

Thread: Jasypt with Hibernate and ACEGI, best practice for digesting new passwords?

  1. Oct 11th, 2007, 07:55 AM #1
    Fatefree
    Fatefree is offline Member
    Join Date
    Feb 2007
    Posts
    75

    Default Jasypt with Hibernate and ACEGI, best practice for digesting new passwords?

    My application uses a BasicPasswordEncryptor wired into the Acegi DaoAuthentication provider, which works fine. My question is what is the best practice for when a new user is created, in regards to Hibernate?

    Specifically I know I want to digest a string before it gets persisted in the database (No need to ever decrypt, just compare digested strings for authentication). The two ways I was thinking of doing that are:

    1) Tell hibernate to store the password in an encrypted way, using the same BasicPasswordEncryptor (Which I have not found documentation on, at least in a way to force it to use the same encryptor acegi is using)

    or 2) In my UserDetails implementation, I can change the getPassword() method to return an ecrypted version (which would make it secure from any call at all)

    So which is the more appropriate way to encrypt a new password? If its 1, can anyone show me some example on how to make hibernate use the same digestor, and if its 2, can someone explain how to best do this? I was thinking wire in the encryptor into the userdetails implementation?
  2. Oct 11th, 2007, 08:21 AM #2
    Injecteer
    Injecteer is offline Senior Member
    Join Date
    Dec 2005
    Posts
    269

    Default

    I am using the solution 1', so that in the single register() method I re-use acegi's password encoder to encrypt the plain-text password:
    Code:
      
PasswordEncoder passwordEncoder;
SaltSource salt;

public void register(T account) throws ObjectAlreadyExistsException{
    try {
      accountDao.findByUsername(account.getUsername());
      throw new ObjectAlreadyExistsException("Account already exists!");
    } catch (ObjectNotFoundException e) {

      accountDao.create(account);

      // setting a password with an "Id" as a salt
      String encryptedPassword = passwordEncoder.encodePassword(account.getPassword(), salt.getSalt(account));
      account.setPassword(encryptedPassword);
    }
  }
    pretty easy to implement and works as charm
    Also, it doesn't depend on anything but acegi, so that you can use it no-hibernate app.
  3. Oct 15th, 2007, 12:24 PM #3
    dfernandez
    dfernandez is offline Member
    Join Date
    Feb 2007
    Posts
    32

    Default

    Hello Fatefree,

    The best practice for digesting passwords for new users is that you get the BasicPasswordEncryptor (not the Acegi integration wrapper) as a dependency for the piece of your business code that creates the new user, and use it for encrypting the password before saving it (the password). I don't think Hibernate is relevant at all in this scenario.

    As for BasicPasswordEncryptor, it cannot be configured to "use the same encryptor ACEGI is using", but exactly the contrary. It is ACEGI which should use the BasicPasswordEncryptor as its password encoder using the Acegi-integration features in Jasypt (http://www.jasypt.org/springsecurity.html)

    Regards,
    Daniel.
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules