Nov 15th, 2007, 04:34 AM
Md5 Password encryption, how?
I want to use MD5 password encryption for my application, but don't know how to handle it.
I have defined the bean for the passwordEncoder:
<!-- MD5 Encoder -->
<bean id="passwordEncoder" class="org.acegisecurity.providers.encoding.Md5PasswordEncoder"/>
<!-- Authentication (DaoAuthenticationProvider assumed as the enclosing bean for the two properties) -->
<bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
    <property name="userDetailsService" ref="loginAuthService" />
    <property name="passwordEncoder"><ref bean="passwordEncoder"/></property>
</bean>
But how do I use this password encoder to make an MD5 encryption?
Nov 15th, 2007, 05:25 AM
For creating an MD5 digest of a password you could use a plain java.security.MessageDigest, specifying MD5 as the algorithm.
Nov 15th, 2007, 05:59 AM
OK, but I don't know in which location I must use it.
Nov 15th, 2007, 06:24 AM
For initially setting up a user you need an administrative tool/dialog for your application. From there the data has to be filled.
If the user has to be able to change his password, you also need an extra dialog there. The user enters his password, you hash it and store the hash.
As for securing such dialogs: for the administrative dialog you should ensure that only an administrator can access it.
For a user changing his password you should ensure that he is authenticated before he can do it. However, there might arise problems when the password of an already authenticated user changes. But I remember there have been some threads around concerning this topic.
Nov 15th, 2007, 06:47 AM
I understand what you mean.
What I don't understand is:
what happens if the user wants to log in, with login and 1234 as an example?
Will Acegi encrypt the 1234 by itself?
Nov 15th, 2007, 06:53 AM
Yes, that is what the encoder is for. To be exact, it is not encryption, it is hashing. The difference is that the former is reversible and the latter is not.
The point is that you store only the password hash, and Acegi generates a hash from the login data and compares these hashes. Just ensure that the password is not transferred insecurely before hashing it. So the cleartext password is safe.
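Added example, not code from the thread or from Acegi itself, showing the flow the replies describe: hashing a password with java.security.MessageDigest on the MD5 algorithm into the lowercase hex form Md5PasswordEncoder produces for unsalted passwords, storing only that hash when the user is created, and comparing the hash of the password submitted at login against it. The class, method names and the in-memory user map are assumptions made for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;

public class Md5PasswordDemo {

    // Digest the raw password with MD5 and hex-encode it (lowercase, no salt),
    // the same representation Acegi's Md5PasswordEncoder stores for a null salt.
    static String md5Hex(String rawPassword) {
        try {
            MessageDigest md = MessageDigest.getInstance("MD5");
            byte[] digest = md.digest(rawPassword.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                sb.append(String.format("%02x", b)); // %02x treats the byte as unsigned
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 not available in this JVM", e);
        }
    }

    // Constructed in-memory "user table": the admin/registration dialog stores
    // only the hash, never the cleartext password.
    static final Map<String, String> USERS = new HashMap<>();

    static void createUser(String username, String rawPassword) {
        USERS.put(username, md5Hex(rawPassword));
    }

    // What the authentication provider does at login: hash the submitted password
    // and compare it with the stored hash. MessageDigest.isEqual compares in
    // constant time, so the comparison does not leak how many bytes matched.
    static boolean authenticate(String username, String rawPassword) {
        String stored = USERS.get(username);
        if (stored == null) {
            return false; // unknown user, same result as a wrong password
        }
        byte[] expected = stored.getBytes(StandardCharsets.UTF_8);
        byte[] actual = md5Hex(rawPassword).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) {
        createUser("login", "1234");
        System.out.println("stored hash for login: " + USERS.get("login"));
        System.out.println("login / 1234 -> " + authenticate("login", "1234"));
        System.out.println("login / 4321 -> " + authenticate("login", "4321"));
    }
}
```

Because an unsalted MD5 hash of a short password can be matched against precomputed tables, the same flow with a salted, deliberately slow password hash is what a new application should use; the store-hash-and-compare pattern shown here stays the same.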