Encrypt passwords

Post by rjahn » Thu Jun 06, 2013 7:29 pm

We don't encrypt passwords on the client side or in the database. We use our middleware for that. It's super easy with server-side triggers/events:

Add the method:

Code:
/**
 * Encrypts a password, if password is changed.
 *
 * @param pEvent the storage event
 * @throws Exception if encryption or data change fails
 */
public void doEncryptPwd(StorageEvent pEvent) throws Exception
{
   IBean bn = pEvent.getNew();

   String sNew = (String)bn.get("PASSWORD");
   String sOld;

   IBean bnOld = pEvent.getOld();

   if (bnOld != null)
   {
      sOld = (String)bnOld.get("PASSWORD");
   }
   else
   {
      sOld = null;
   }

   if (!CommonUtil.equals(sOld, sNew))
   {
      //use the configuration of the selected application!
      bn.put("PASSWORD", AbstractSecurityManager.getEncryptedPassword(
                           SessionContext.getCurrentSession().getConfig(), sNew));
   }
}

to your life-cycle object, e.g. Session.java.

Add an event to your storage:

Code:
//example storage
dbsUser = new DBStorage();
dbsUser.setDBAccess(getDBAccess());
dbsUser.setFromClause("USER");
dbsUser.open();

dbsUser.eventBeforeInsert().addListener(this, "doEncryptPwd");
dbsUser.eventBeforeUpdate().addListener(this, "doEncryptPwd");


As the last step, you need the password algorithm in your config.xml:

Code:
<?xml version="1.0" encoding="UTF-8"?>

<application>
  <securitymanager>
    <passwordalgorithm>SHA</passwordalgorithm>
  </securitymanager>
  ...
</application>

Choose one of the following algorithms: MD2, MD4, MD5, SHA, SHA-256, SHA-384, SHA-512
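Why the trigger in the post compares the old and new PASSWORD values before transforming, shown as an added example that is not part of the original post or of the framework's code. It assumes plain Maps in place of the IBean rows and a hypothetical digest() helper in place of AbstractSecurityManager.getEncryptedPassword; the class name, the EMAIL column and the sample values are constructed.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
// Added example: Maps stand in for the IBean old/new rows (assumption).
public class EncryptPwdTriggerDemo
{
   // Hypothetical stand-in for getEncryptedPassword: hex-encoded SHA-256.
   static String digest(String pValue) throws Exception
   {
      byte[] hash = MessageDigest.getInstance("SHA-256").digest(pValue.getBytes(StandardCharsets.UTF_8));
      return String.format("%064x", new BigInteger(1, hash));
   }

   // Same decision as doEncryptPwd: transform only when the value changed.
   // The null check on sNew is this example's addition.
   static void beforeWrite(Map<String, Object> pOld, Map<String, Object> pNew) throws Exception
   {
      String sNew = (String)pNew.get("PASSWORD");
      String sOld = pOld != null ? (String)pOld.get("PASSWORD") : null;
      if (sNew != null && !Objects.equals(sOld, sNew))
      {
         pNew.put("PASSWORD", digest(sNew));
      }
   }

   public static void main(String[] args) throws Exception
   {
      // Insert: no old row, the clear-text value (constructed) is replaced.
      Map<String, Object> row = new HashMap<>();
      row.put("PASSWORD", "constructed-sample-1");
      beforeWrite(null, row);

      // Update of another column: PASSWORD still holds the stored digest,
      // so it must stay as it is instead of being digested a second time.
      Map<String, Object> upd = new HashMap<>(row);
      upd.put("EMAIL", "user@example.com");
      beforeWrite(row, upd);
      System.out.println("unchanged kept: " + row.get("PASSWORD").equals(upd.get("PASSWORD")));

      // Password change: the clear-text value differs from the stored digest.
      Map<String, Object> chg = new HashMap<>(row);
      chg.put("PASSWORD", "constructed-sample-2");
      beforeWrite(row, chg);
      System.out.println("changed digested: " + digest("constructed-sample-2").equals(chg.get("PASSWORD")));
   }
}
```

Without the comparison, the second case would store the digest of a digest and the user's original password would no longer verify after any unrelated update.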