Glassfish 4 - JDBC Realm

What's the difference between the Password encryption algorithm and the Digest Algorithm in Glassfish 4? Because Password encryption algorithm cannot be blank, I used MD5, and for Encoding, Hex. The Digest Algorithm is blank, so the default is SHA-256.

But if I made a simple login application with JAAS, and create the tables, insert one user, and the password is encrypted with MD5, the user cannot log in. If I encrypt the password with SHA-256, the user can log in.

So, what is the Password encryption algorithm field?

Arnold Galovics asked Oct 14 '13 16:10

1 Answer

The documentation is not very clear on this point, but my interpretation is as follows. This is based on Glassfish v4 reference manual.

Password encryption algorithm determines how the passwords are encrypted within your database. This is the parameter digestrealm-password-enc-algorithm. You really want to have this set to something because of course leaving passwords in a database in the clear is a security hole.

When someone tries to authenticate, GlassFish needs a way to compare what was submitted to what's in the database. But, since the latter is all locked up, it needs a key to unlock. The encryption (strictly, hashing) used on that key is what is defined in Digest Algorithm (parameter digest-algorithm). It defaults to SHA-256 in v4 (prior, it was MD5).

AlwaysLearning answered Oct 20 '22 20:10
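
The behaviour the asker observed, reproduced as an added example (hypothetical helper code, not GlassFish's own realm implementation): the stored column holds a hex-encoded digest of the password, and a realm whose digest-algorithm is the SHA-256 default digests the submitted password the same way before comparing, so a row that was filled with an MD5 hex digest never matches. The sample password and the `RealmDigestDemo` class name are constructed for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Constructed demo of a JDBC-realm style check with digest-algorithm=SHA-256
 *  and encoding=Hex. This is illustration code, not GlassFish internals. */
public class RealmDigestDemo {

    /** Hex-encode the digest of a password under the given JCA algorithm name
     *  (e.g. "MD5" or "SHA-256"); this is the value written to the users table. */
    static String hexDigest(String algorithm, String password) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(algorithm);
        byte[] digest = md.digest(password.getBytes(StandardCharsets.UTF_8));
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    /** Emulates the realm: digest the submitted password with the realm's configured
     *  digest-algorithm and compare to the stored hex string in constant time. */
    static boolean realmAccepts(String realmDigestAlgorithm, String storedHex, String submitted)
            throws NoSuchAlgorithmException {
        byte[] computed = hexDigest(realmDigestAlgorithm, submitted).getBytes(StandardCharsets.US_ASCII);
        byte[] stored = storedHex.toLowerCase().getBytes(StandardCharsets.US_ASCII);
        // MessageDigest.isEqual avoids leaking the match position through timing.
        return MessageDigest.isEqual(computed, stored);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        String password = "s3cret";                           // constructed sample password
        String storedMd5 = hexDigest("MD5", password);        // what was first inserted into the table
        String storedSha256 = hexDigest("SHA-256", password); // what the SHA-256 realm expects

        System.out.println("MD5 row:     " + storedMd5);
        System.out.println("SHA-256 row: " + storedSha256);
        // Realm left at the default digest-algorithm, SHA-256:
        System.out.println("MD5 row accepted?     " + realmAccepts("SHA-256", storedMd5, password));
        System.out.println("SHA-256 row accepted? " + realmAccepts("SHA-256", storedSha256, password));
        // Note: a single unsalted fast digest like this is cheap to crack offline if the
        // table leaks; the algorithm and encoding stored must match the realm's settings exactly.
    }
}
```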