Glassfish 4 - JDBC Realm

galovics · Oct 14, 2013 · Viewed 9.8k times

What's the difference between the Password encryption algorithm and the Digest Algorithm in Glassfish 4? Because Password encryption algorithm cannot be blank, I used MD5, and for Encoding, Hex. The Digest Algorithm is blank, so the default is SHA-256.

But if I made a simple login application with JAAS, and create the tables, insert one user, and the password is encrypted with MD5, the user cannot log in. If I encrypt the password with SHA-256, the user can log in.

So, what is the Password encryption algorithm field?

Answer

AlwaysLearning · Oct 21, 2013

The documentation is not very clear on this point, but my interpretation is as follows. This is based on Glassfish v4 reference manual.

Password encryption algorithm determines how the passwords are encrypted within your database. This is the parameter digestrealm-password-enc-algorithm. You really want to have this set to something because of course leaving passwords in a database in the clear is a security hole.

When someone tries to authenticate, Glassfish needs a way to compare what was submitted to what's in the database. But, since the latter is all locked up, it needs a key to unlock. The encryption (strictly, hashing) used on that key is what is defined in Digest Algorithm (parameter digest-algorithm). It defaults to SHA-256 in v4 (prior, it was MD5).
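Added example, not from the question, the answer or Glassfish's own code, of the mismatch the question describes: a JDBC-style realm re-hashes the submitted password with its configured digest algorithm and encoding and compares the result with the stored column, so a row written with MD5 cannot match while the realm digests with SHA-256. All names are hypothetical; lowercase hex output is an assumption about the realm's encoder.

```python
import base64
import hashlib
import hmac

# Constructed model of the realm's check: hash the submitted password with the
# configured digest algorithm, encode it (Hex or Base64) and compare the string
# with what the user table holds. Lowercase hex is an assumption.


def encode_digest(digest: bytes, encoding: str) -> str:
    """Encode a raw digest the way a realm set to Hex or Base64 would."""
    if encoding == "Hex":
        return digest.hex()
    if encoding == "Base64":
        return base64.b64encode(digest).decode("ascii")
    raise ValueError(f"unsupported encoding: {encoding}")


def hash_password(password: str, digest_algorithm: str, encoding: str, charset: str = "UTF-8") -> str:
    """Value that belongs in the password column for this realm configuration."""
    algo = digest_algorithm.replace("-", "").lower()  # "SHA-256" -> "sha256", "MD5" -> "md5"
    digest = hashlib.new(algo, password.encode(charset)).digest()
    return encode_digest(digest, encoding)


def realm_verify(submitted: str, stored: str, digest_algorithm: str, encoding: str) -> bool:
    """Realm side: re-hash the submitted password, compare in constant time."""
    candidate = hash_password(submitted, digest_algorithm, encoding)
    return hmac.compare_digest(candidate, stored)


# Constructed user table: alice's row was inserted with MD5, bob's with SHA-256 (both Hex).
USERS = {
    "alice": hash_password("correct horse", "MD5", "Hex"),
    "bob": hash_password("correct horse", "SHA-256", "Hex"),
}


def login(user: str, password: str, realm_digest: str = "SHA-256", realm_encoding: str = "Hex") -> bool:
    """Simulated login against the table with the realm's digest-algorithm and encoding."""
    stored = USERS.get(user)
    if stored is None:
        return False
    return realm_verify(password, stored, realm_digest, realm_encoding)


if __name__ == "__main__":
    print("alice (MD5 row, realm SHA-256):", login("alice", "correct horse"))  # False
    print("bob (SHA-256 row, realm SHA-256):", login("bob", "correct horse"))  # True
    print("alice with realm digest MD5:", login("alice", "correct horse", realm_digest="MD5"))  # True
```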