Glassfish 4 - JDBC Realm
What's the difference between the Password encryption algorithm and the Digest Algorithm in Glassfish 4? Because Password encryption algorithm cannot be blank, I used MD5, and for Encoding, Hex. The Digest Algorithm is blank, so the default is SHA-256.

But if I made a simple login application with JAAS, and create the tables, insert one user, and the password is encrypted with MD5, the user cannot log in. If I encrypt the password with SHA-256, the user can log in.

So, what is the Password encryption algorithm field?

Diligence answered 14/10, 2013 at 16:49 Comment(2)
I am having an issue with migration from 4.0 to 4.1.1 #40687237 - Spaetzle
SHA-256 is only marginally better for a password verifier than MD5; neither should be used. When saving a password verifier, just using a hash function is not sufficient, and just adding a salt does little to improve the security. Instead use a function such as PBKDF2, Rfc2898DeriveBytes, Argon2, password_hash, Bcrypt or similar functions. The point is to make the attacker spend a substantial amount of time finding passwords by brute force. - Gemmation

The documentation is not very clear on this point, but my interpretation is as follows. This is based on the Glassfish v4 reference manual.

Password encryption algorithm determines how the passwords are encrypted within your database. This is the parameter digestrealm-password-enc-algorithm. You really want to have this set to something, because of course leaving passwords in a database in the clear is a security hole.

When someone tries to authenticate, GlassFish needs a way to compare what was submitted to what's in the database. But, since the latter is all locked up, it needs a key to unlock. The encryption (strictly, hashing) used on that key is what is defined in Digest Algorithm (parameter digest-algorithm). It defaults to SHA-256 in v4 (prior, it was MD5).

Charmion answered 21/10, 2013 at 20:52 Comment(0)
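To make the two settings concrete, here is an added example (not code from the page, the answers, or GlassFish) that models what the answer above describes: the realm digests the submitted password with the configured "Password encryption algorithm" and compares the result with the value already sitting in the password column. It reproduces the questioner's symptom (a row written with SHA-256 while the realm is set to MD5 never matches) and, following the comment on the question, also shows a salted PBKDF2 verifier as the stronger alternative. Assumptions: the stored value is the Hex (or Base64) encoding of the digest of the password's UTF-8 bytes; the user table is a constructed in-memory dict; PBKDF2 is shown as an application-level or custom-realm verifier, not as a GlassFish JDBC realm setting.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample data: a user table as the JDBC realm would read it,
# {username: value stored in the password column}.  Nothing here is from
# GlassFish itself; it models the documented behaviour (digest the submitted
# password with the realm's configured algorithm, compare to the column).


def normalize_algorithm(name: str) -> str:
    """Map GlassFish-style names ('MD5', 'SHA-256') onto hashlib names."""
    return name.lower().replace("-", "")


def stored_password_value(password: str, enc_algorithm: str, encoding: str = "Hex") -> str:
    """Value to INSERT into the password column for a realm whose
    digestrealm-password-enc-algorithm is enc_algorithm and whose encoding
    is Hex or Base64 (assumption: the UTF-8 bytes of the password are digested)."""
    digest = hashlib.new(normalize_algorithm(enc_algorithm), password.encode("utf-8")).digest()
    if encoding.lower() == "hex":
        return digest.hex()
    if encoding.lower() == "base64":
        return base64.b64encode(digest).decode("ascii")
    raise ValueError(f"unsupported encoding: {encoding}")


def realm_login(user_table: dict, username: str, submitted: str,
                enc_algorithm: str, encoding: str = "Hex") -> bool:
    """Model of the realm's check: digest what the client sent with the
    configured algorithm and compare, in constant time, with the stored value."""
    stored = user_table.get(username)
    if stored is None:
        return False
    candidate = stored_password_value(submitted, enc_algorithm, encoding)
    return hmac.compare_digest(candidate.lower(), stored.lower())


def reproduce_question(password: str = "secret") -> dict:
    """The situation in the question: table populated with SHA-256 digests
    while the realm is configured for MD5, and the matching configurations."""
    table_sha256 = {"alice": stored_password_value(password, "SHA-256")}
    table_md5 = {"alice": stored_password_value(password, "MD5")}
    return {
        "sha256_row_md5_realm": realm_login(table_sha256, "alice", password, "MD5"),
        "sha256_row_sha256_realm": realm_login(table_sha256, "alice", password, "SHA-256"),
        "md5_row_md5_realm": realm_login(table_md5, "alice", password, "MD5"),
        "wrong_password": realm_login(table_md5, "alice", "not-" + password, "MD5"),
    }


# What the comment on the question recommends instead of a bare MD5/SHA-256
# digest: PBKDF2 with a random salt and a work factor.  GlassFish's JDBC realm
# does not offer this as a setting; this is what an application-level or custom
# realm verifier would do (assumption, not a GlassFish feature).

def pbkdf2_record(password: str, iterations: int = 600_000) -> str:
    """Return a self-describing record 'scheme$iterations$salt$dk' for storage."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(record: str, submitted: str) -> bool:
    """Recompute PBKDF2 with the stored salt and iteration count, compare in constant time."""
    scheme, iterations, salt_hex, dk_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", submitted.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    for case, ok in reproduce_question().items():
        print(f"{case:28s} login ok = {ok}")
    rec = pbkdf2_record("secret", iterations=100_000)
    print("pbkdf2 stored record:", rec)
    print("pbkdf2 verify:", pbkdf2_verify(rec, "secret"), pbkdf2_verify(rec, "wrong"))
```

The practical check this gives you: whatever value you INSERT into the password column must have been produced with the same algorithm and encoding the realm is configured with, since the realm never "decrypts" anything, it only recomputes a digest and compares. The Digest Algorithm setting is not involved in that comparison for plain form or BASIC login, which is why switching the stored value to SHA-256 made the questioner's login work while the realm's encryption algorithm field still said MD5 only if the two were actually aligned.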

So, what is the Password encryption algorithm field?

Digest Algorithm is used to encrypt/hash the login request, while Password encryption algorithm is used to decrypt the password from the DB.

But if I made a simple login application with JAAS, and create the tables, insert one user, and the password is encrypted with MD5, the user cannot log in.

Put MD5 in the password encryption field, and leave Digest Algorithm blank (by default, it is SHA-256 in GlassFish 4).

Hamid answered 17/10, 2013 at 19:38 Comment(2)
I did this, but if I want to log in, it isn't working. So what? But if I change the password field to an SHA-256 encoded password, it is working. - Diligence
Hi, did you manage to solve it? Can you put MD5 at both places and try again? (with MD5 hashed passwords in the database). Both SHA-256 and MD5 encryptions are working fine here, with GlassFish OSE 4.0 and MySQL. Anyway, if it's working with SHA-256 you should stick with that, because MD5 hash text has been cracked with just the power of a cluster made of 20 PlayStations. SHA-256 is 'safer' since it takes more time to decrypt it. - Hamid