Password Encryption Algorithm in Glassfish 4

Question

I've recently updated Glassfish from 3.1.2 to 4.0 and wanted to set up a JDBCRealm that I used before on my app which uses FORM based authentication. The passwords are hashed with SHA-256 in the database (that is the default Digest Algorithm option).

The realm has a property that became mandatory in this Glassfish version: Password Encryption Algorithm. Quite incredibly, the official Glassfish documentation says it's optional, and the note under the input field says it is a risk to leave it empty, however you cannot leave it empty as it is mandatory.

I cannot log in in my app that was working before no matter what I set in this property. (This is true to both the newly registered and old users.) I was googling for days but couldn't find the options for this field. What are the options?

Also, I'm using Glassfish with MySQL. Does Glassfish send the hashed passwords encrypted to the DB or is it just some instruction to MySQL to store the hashed passwords with this kind of encryption?

This question helped me somewhat but didn't solve my problem.

UPDATE: Actually, I don't use the classic FORM based authentication, but a custom JSF form with programmatic login using HttpServletRequest#login(), but I don't think it matters in this issue.

Answer 1

I've tested a simple use case with Glassfish 4.1 and a JDBC Realm configured for MySQL.

You can set up a simple user table:

• name: stores the username
• password: stores the SHA-256 hash of the user's password (without salting)
• group: stores the user group (i.e. admin, user)

I.e.

INSERT INTO users (name, password, group) VALUES ("admin", SHA2("password", 256), "admins"); 

In the admin console, go to Configurations > Security > Realms and edit your realm.

In the "Password Encryption Algorithm" field enter "AES".

In the "Digest Algorithm" field enter "SHA-256".

In the "Charset" field enter "UTF-8".