SHA-1 passwords without Blowfish encryption

Hi All,

I want to be able to create users that have a straight up SHA-1 password. No Blowfish, nothing special, just plain old vanilla SHA-1. The only way I have been able to accomplish this so far has been to extend DefaultUserProvider and override the createUser, making the following change:

    if (!usePlainPassword) {
        try {
            encryptedPassword = StringUtils.hash(password.getBytes(), "SHA-1");
            encryptedPassword = AuthFactory.encryptPassword(password);
            // Set password to null so that it's inserted that way.
            password = null;
        } catch (UnsupportedOperationException uoe) {
            // Encrypting the password may have failed if in setup mode.
            // Therefore, use the plain password.
        }
    }

    if (!usePlainPassword) {
        try {
            encryptedPassword = StringUtils.hash(password.getBytes(), "SHA-1");
            // encryptedPassword = AuthFactory.encryptPassword(password);
            // Set password to null so that it's inserted that way.
            password = null;
        } catch (UnsupportedOperationException uoe) {
            // Encrypting the password may have failed if in setup mode.
            // Therefore, use the plain password.
        }
    }

My question is, does anyone know of a better way to do this? The reason for this “requirement” is that I am trying to access “ofUser” table via mod_auth_mysql so that I can have a “single sign on” solution for all the different areas of my project such as Subversion. Thoughts? Suggestions?

Cheers,

Adam
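An added example, not part of the original post or of Openfire's code: the posted change calls `password.getBytes()` with no charset, so the bytes that get hashed depend on the JVM's default encoding. The sketch below uses only the JDK, assumes the external verifier compares against 40 lowercase hex characters of unsalted SHA-1, and shows that a writer and a verifier that disagree on the charset never match for non-ASCII passwords. The class and method names are hypothetical.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Locale;

public class PlainSha1Check {

    // Unsalted SHA-1 of the password bytes as 40 lowercase hex characters.
    // Assumption: this is the format the external verifier compares against.
    static String sha1Hex(String password, Charset charset) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-1")
                    .digest(password.getBytes(charset));
            StringBuilder hex = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-1 must be available in every JRE", e);
        }
    }

    // Compare a candidate password with a stored hex digest using a
    // constant-time comparison rather than String.equals().
    static boolean matches(String candidate, String storedHex, Charset charset) {
        byte[] a = sha1Hex(candidate, charset).getBytes(StandardCharsets.US_ASCII);
        byte[] b = storedHex.toLowerCase(Locale.ROOT).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(a, b);
    }

    public static void main(String[] args) {
        // Published SHA-1 test vector for "abc" confirms the hex encoding.
        System.out.println(sha1Hex("abc", StandardCharsets.UTF_8)
                .equals("a9993e364706816aba3e25717850c26c9cd0d89d"));

        // Constructed sample password containing a non-ASCII character.
        String pw = "p\u00e4ssword";
        String stored = sha1Hex(pw, StandardCharsets.UTF_8);

        // Same charset on both sides: the digest matches.
        System.out.println(matches(pw, stored, StandardCharsets.UTF_8));
        // Verifier assumes a different charset: the same password is rejected.
        System.out.println(matches(pw, stored, StandardCharsets.ISO_8859_1));
    }
}
```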

Hi Adam,

You should create a custom SHA1UserProvider. There are already Native, JDBC, Hybrid auth and user providers, and creating new ones would be much better. Actually, you may cause authentication problems with your change, as the Auth provider claims to support plain and digest authentication, which is impossible when using SHA-1.

LG

Hey LG,

That is the approach I have taken. I just wasn't sure whether or not it was the right way to do it. In other words, I was hoping there was already something included with the distribution. It just seems rather misleading that the JDBCAuthProvider has a "sha1" option but no User Provider exists to create users with SHA-1. Oh well, thanks for your help. Is there a place to post such work so that others might be able to leverage it?

Cheers,

Adam

Hi Adam,

The JDBCAuthProvider connects to an external database and was read-only for a long time. Maybe the option to store the password was not implemented fully.

LG