I'm still using the flexibleJDBCRealm [1], as I've documented in previous blogs [2, 3].
In the Glassfish administration console, under Configurations -> server-config -> Security -> Realms -> myRealm, the settings are now as follows.
Name | Value | Description |
---|---|---|
datasource.jndi | jdbc/mydb | the data source to my database |
jaas.context | flexibleJdbcRealm | |
password.digest | SHA-512 | I have upgraded from SHA1 to SHA2, which seems more secure |
password.encoding | HEX:128 | See note below |
sql.groups | select groupid from mmv_groups where name in (?) | using a database view makes it easier to change the table layout without affecting the security realm |
sql.password | select password from mmv_users where name in (?) | same as above |
Note
SHA-512 always produces a hash of 128 hexadecimal characters. However, in the source code of the flexibleJDBCRealm, this hash is converted from a byte[] into a hexadecimal string by means of a call "new BigInteger(1, aData).toString(16);".
This effectively means that if the byte[] starts with one or more "0"s, these are dropped in the BigInteger call, leaving you with a hash string that is shorter than 128 characters.
This is why I need to use "HEX:128", instead of just "HEX".
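The effect described in the note can be reproduced with the following added example (not code from the flexibleJDBCRealm project). The class name, helper names and sample passwords are constructed for illustration, and left-padding with zeros is an assumption about what "HEX:128" does.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class HexPaddingDemo {

    // The conversion quoted in the note: leading zero digits are lost.
    static String unpaddedHex(byte[] data) {
        return new BigInteger(1, data).toString(16);
    }

    // Assumed meaning of "HEX:128": left-pad with '0' to a fixed width.
    static String paddedHex(byte[] data, int width) {
        StringBuilder sb = new StringBuilder(unpaddedHex(data));
        while (sb.length() < width) {
            sb.insert(0, '0');
        }
        return sb.toString();
    }

    static byte[] sha512(String s) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-512")
                .digest(s.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed sample passwords: try candidates until one hashes to a
        // digest whose first hex digit is 0 (roughly 1 in 16 do).
        for (int i = 0; i < 1000; i++) {
            String candidate = "example-password-" + i;
            byte[] digest = sha512(candidate);
            if ((digest[0] & 0xF0) != 0) {
                continue; // first nibble is non-zero, nothing gets stripped
            }
            String plain = unpaddedHex(digest);
            String fixed = paddedHex(digest, 128);
            System.out.println("input:    " + candidate);
            System.out.println("HEX     (" + plain.length() + " chars): " + plain);
            System.out.println("HEX:128 (" + fixed.length() + " chars): " + fixed);
            // A database column holding the full 128-character hash only
            // compares equal to the padded string.
            System.out.println("equal: " + plain.equals(fixed));
            return;
        }
        System.out.println("no candidate with a leading zero nibble found");
    }
}
```

With plain "HEX", users whose hash happens to start with a zero would fail to log in even with the correct password, while everyone else would be unaffected.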
MariaDB/MySQL
The values are easily verifiable in the database. I can just do a
SELECT SHA2(usertable.password, 512) from usertable where user='mrbear';
It should yield the exact same result as the digest function of the flexibleJDBCRealm.
References
- [1] FlexibleJDBCRealm - http://flexiblejdbcrealm.wamblee.org/site/
- [2] Security Realms in Glassfish - http://randomthoughtsonjavaprogramming.blogspot.nl/2016/04/security-realms-in-glassfish.html
- [3] Glassfish Security Realms - http://randomthoughtsonjavaprogramming.blogspot.nl/2014/10/glassfish-security-realms.html
- [4] Installation instructions - http://flexiblejdbcrealm.wamblee.org/site/documentation/snapshot/installation.html