Announcement Announcement Module
Collapse
No announcement yet.
Md5 Password encryption, how? Page Title Module
Move Remove Collapse
This topic is closed
X
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • Md5 Password encryption, how?

    Hi,

    i wanna use md5 password encryption for my application, but don't knows how to handle it?

    I have defined the bean for the passwordEncoder:

    <!-- MD5 Encoder -->
    <bean id="passwordEncoder" class="org.acegisecurity.providers.encoding.Md5Pas swordEncoder"></bean>

    <!-- Authentifizierung -->
    <bean id="loginAuthenticationProvider"
    class="org.acegisecurity.providers.dao.DaoAuthenti cationProvider">
    <property name="userDetailsService" ref="loginAuthService" />
    <property name="passwordEncoder"><ref bean="passwordEncoder"/></property>
    </bean>

    But how did i use this password Encoder to make a md5 encryption?

    Thanx

    Tim

  • #2
    For creating an MD5 digest of a password you could use a plain java.security.MessageDigest, specifying MD5 as algorithm.

    Comment


    • #3
      ok, but i don't know on which location i must use it?

      Comment


      • #4
        For initially setting up a user you need an administrative tool/dialog for your application. From there the data has to be filled.
        If the user has to be able to change his password, you also need an extra dialog there. The user enters his password, you hash it and store the hash.

        As of securing such dialogs: For the administrative dialog you should ensure that only an administrator could access it.
        For a user changing his password you should ensure that he is authenticated before he can do it. However, there might arise problems when the passowrd of an already authenticated user changes. But I remember there have been some threads around concerning this topic.

        Comment


        • #5
          Hi Andreas,

          i understand what you mean.

          What i don't understand is:

          what happens if the user wants to login, with login and 1234 as example?

          Will acegi encrypt the 1234 by himself?

          Thanx

          Comment


          • #6
            Originally posted by struggle View Post
            what happens if the user wants to login, with login and 1234 as example?

            Will acegi encrypt the 1234 by himself?
            Yes, that is what the encoder is for. To be exact, it is not encryption, it is hashing. The difference is, that the former is reversible and the latter is not.

            The point is, that you store only the password hash, and acegi generates a hash from the login data and compares these hashes. Just ensure that the passwort is not transferred unsecurely before hashing it. So the cleartext password is safe.

            Comment

            Working...
            X