Thread: Md5 Password encryption, how?

  1. #1
    Join Date
    Nov 2007
    Posts
    11

    Md5 Password encryption, how?

    Hi,

    I want to use MD5 password encryption for my application, but I don't know how to handle it.

    I have defined the bean for the passwordEncoder:

    <!-- MD5 Encoder -->
    <bean id="passwordEncoder" class="org.acegisecurity.providers.encoding.Md5PasswordEncoder"></bean>

    <!-- Authentication -->
    <bean id="loginAuthenticationProvider"
          class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
        <property name="userDetailsService" ref="loginAuthService" />
        <property name="passwordEncoder"><ref bean="passwordEncoder"/></property>
    </bean>

    But how do I use this password encoder to make an MD5 encryption?

    Thanks

    Tim

  2. #2
    Join Date
    Aug 2004
    Posts
    2,715

    For creating an MD5 digest of a password you could use a plain java.security.MessageDigest, specifying MD5 as algorithm.

  3. #3
    Join Date
    Nov 2007
    Posts
    11

    OK, but I don't know at which location I must use it.

  4. #4
    Join Date
    Aug 2004
    Posts
    2,715

    For initially setting up a user you need an administrative tool/dialog for your application. From there the data has to be filled.
    If the user has to be able to change his password, you also need an extra dialog there. The user enters his password, you hash it and store the hash.

    As for securing such dialogs: For the administrative dialog you should ensure that only an administrator can access it.
    For a user changing his password you should ensure that he is authenticated before he can do it. However, problems might arise when the password of an already authenticated user changes. But I remember there have been some threads around concerning this topic.

  5. #5
    Join Date
    Nov 2007
    Posts
    11

    Hi Andreas,

    I understand what you mean.

    What I don't understand is:

    What happens if the user wants to log in, with login and 1234 as an example?

    Will Acegi encrypt the 1234 by itself?

    Thanks

  6. #6
    Join Date
    Aug 2004
    Posts
    2,715

    Quote: Originally posted by struggle
    What happens if the user wants to log in, with login and 1234 as an example?

    Will Acegi encrypt the 1234 by itself?

    Yes, that is what the encoder is for. To be exact, it is not encryption, it is hashing. The difference is that the former is reversible and the latter is not.

    The point is that you store only the password hash, and Acegi generates a hash from the login data and compares these hashes. Just ensure that the password is not transferred insecurely before hashing it. So the cleartext password is safe.
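
The flow described in the answers above (hash on setup or password change, store only the hash, hash the submitted password at login and compare), as a stand-alone sketch added here; it is not code from the thread or from Acegi. The class name Md5LoginSketch, the in-memory map and the sample account are assumptions; in the posted configuration the login-time step is performed by the DaoAuthenticationProvider through the passwordEncoder bean.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;

public class Md5LoginSketch {
    // Hypothetical in-memory user store: username -> hex MD5 of the password.
    private final Map<String, String> storedHashes = new HashMap<>();

    // Hex-encoded MD5 digest of the password, using java.security.MessageDigest.
    static String md5Hex(String password) {
        try {
            MessageDigest md = MessageDigest.getInstance("MD5");
            byte[] digest = md.digest(password.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                hex.append(String.format("%02x", b & 0xff));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 not available", e);
        }
    }

    // Admin dialog or change-password dialog: hash the password, keep only the hash.
    void setPassword(String username, String password) {
        storedHashes.put(username, md5Hex(password));
    }

    // Login: hash the submitted password and compare it with the stored hash.
    boolean login(String username, String submitted) {
        String stored = storedHashes.get(username);
        if (stored == null) {
            return false; // unknown user
        }
        byte[] expected = stored.getBytes(StandardCharsets.US_ASCII);
        byte[] actual = md5Hex(submitted).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) {
        Md5LoginSketch app = new Md5LoginSketch();
        app.setPassword("login", "1234"); // constructed sample account
        System.out.println("stored hash:   " + app.storedHashes.get("login"));
        System.out.println("1234 accepted: " + app.login("login", "1234"));
        System.out.println("4321 accepted: " + app.login("login", "4321"));
    }
}
```

MD5 is used only because the thread configures it; it is a fast, unsalted hash, so a leaked table of such hashes can be guessed offline, which is what slow salted schemes such as bcrypt are designed to resist.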
