Question

What's the difference between the Password encryption algorithm and the Digest Algorithm in Glassfish 4? Because Password encryption algorithm cannot be blank, I used MD5, and for Encoding, Hex. The Digest Algorithm is blank, so the default is SHA-256.

But if I made a simple login application with JAAS, and create the tables, insert one user, and the password is encrypted with MD5, the user cannot log in. If I encrypt the password with SHA-256, the user can log in.

So, what is the Password encryption algorithm field?


Solution

The documentation is not very clear on this point, but my interpretation is as follows. This is based on the Glassfish v4 reference manual.

Password encryption algorithm determines how the passwords are encrypted within your database. This is the parameter digestrealm-password-enc-algorithm. You really want to have this set to something because of course leaving passwords in a database in the clear is a security hole.

When someone tries to authenticate, Glassfish needs a way to compare what was submitted to what's in the database. But, since the latter is all locked up, it needs a key to unlock. The encryption (strictly, hashing) used on that key is what is defined in Digest Algorithm (parameter digest-algorithm). It defaults to SHA-256 in v4 (prior, it was MD5).
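The comparison the answer describes, a stored digest checked against a freshly hashed submission, as an added example that is not code from the post or from GlassFish itself. The algorithm names, the hex/base64 encodings and the sample user password are assumptions mirroring the question's settings (MD5, Hex, default SHA-256); it reproduces the question's observation that a row hashed with MD5 does not verify when the realm hashes with SHA-256.

```python
import base64
import hashlib
import hmac

# Assumed mapping of the realm's algorithm names to hash functions.
SUPPORTED = {"MD5": hashlib.md5, "SHA-256": hashlib.sha256}


def encode_password(password: str, algorithm: str, encoding: str = "hex") -> str:
    """Value expected in the password column: digest of the UTF-8 password
    with `algorithm`, then hex or base64 encoded (the realm's Encoding field)."""
    digest = SUPPORTED[algorithm](password.encode("utf-8")).digest()
    if encoding == "hex":
        return digest.hex()
    if encoding == "base64":
        return base64.b64encode(digest).decode("ascii")
    raise ValueError(f"unknown encoding {encoding!r}")


def verify_login(submitted: str, stored: str, algorithm: str, encoding: str = "hex") -> bool:
    """Hash what the user submitted with the configured algorithm/encoding and
    compare it to the stored value in constant time (hex compare is case-insensitive
    because databases may hold upper-case hex)."""
    candidate = encode_password(submitted, algorithm, encoding)
    if encoding == "hex":
        return hmac.compare_digest(candidate.lower(), stored.lower())
    return hmac.compare_digest(candidate, stored)


def demo() -> dict:
    # Constructed user row: password stored as MD5/hex, as in the question.
    stored_md5 = encode_password("s3cret", "MD5", "hex")
    return {
        # Realm configured for MD5: login succeeds.
        "md5_realm_accepts_md5_row": verify_login("s3cret", stored_md5, "MD5"),
        # Realm hashing with SHA-256 (the v4 default): the same row never matches.
        "sha256_realm_accepts_md5_row": verify_login("s3cret", stored_md5, "SHA-256"),
    }


if __name__ == "__main__":
    print(demo())
```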

OTHER TIPS

So, what is the Password encryption algorithm field?

Digest Algorithm is used to encrypt/hash the login request, while Password encryption algorithm is used to decrypt the password from the DB.

But if I made a simple login application with JAAS, and create the tables, insert one user, and the password is encrypted with MD5, the user cannot log in.

Put MD5 in the password encryption field, and leave Digest Algorithm blank (by default, it is SHA-256 in GlassFish 4).

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow