I'm rewriting an old Java desktop Swing app as a JSF application using PrimeFaces.

The old app didn't use Hibernate, but I have decided to use it in the new app. Everything works fine, but the problem is when I want to save passwords with Hibernate using MySQL's function password().

Is there a way to do this? It would be nice if I could import data from the old database to the new database without changing passwords.

I managed to get login to work using this code snippet:

import org.hibernate.Hibernate;
import org.hibernate.Query;
import org.hibernate.Session;

public User login(String username, String password) {

    User result = null;

    Session session = HibernateUtil.getSessionFactory().openSession();
    try {
        // HQL needs an alias for the entity; password() is not HQL but is passed
        // through to MySQL, and the clear-text :password travels to the server
        String hql = "from User u where u.username = :username and u.password = password(:password)";
        Query query = session.createQuery(hql);
        query.setString("username", username);
        query.setString("password", password);

        result = (User) query.uniqueResult();

        if (result != null) {
            // load the lazy association before the session is closed
            Hibernate.initialize(result.getUserData());
        }
    }
    finally {
        session.close();
    }

    return result;
}

But here is the problem with registration of new users, since I don't know how to store passwords. The code I'm using to save users to the database looks like:

import org.hibernate.Session;
import org.hibernate.Transaction;

public User addUser(User obj) {
    Session session = HibernateUtil.getSessionFactory().openSession();
    Transaction tx = null;

    try {
        // obj.getPassword() is inserted exactly as set on the entity: there is
        // no hook here to route the value through MySQL's password()
        tx = session.beginTransaction();
        session.save(obj);
        tx.commit();
    }
    catch (RuntimeException e) {
        if (tx != null) tx.rollback();
        throw e;
    }
    finally {
        session.close();
    }
    return obj;
}

I know I could write the whole insert statement the old-fashioned way, but what's the point of using Hibernate then, and the code would look ugly. Also, I'm not happy with the login snippet either. I've also tried to update the password with a trigger after insert, but I kept getting this error:

Updating of NEW row is not allowed in after trigger

So I abandoned this approach, since it's ugly and it doesn't work.

Should I just use Jasypt or some other library to encrypt passwords in the application and be done with it? Or is there an elegant solution to my problem?

2 Answers

3

The MySQL function password() should not be used at all for hashing passwords! From the documentation:

The PASSWORD() function is used by the authentication system in MySQL Server; you should not use it in your own applications.

The calculation is fast and unsalted, which makes it very insecure. Instead, leave the hashing to the server-side language and use a library which uses a slow hash function with a cost factor, like BCrypt, PBKDF2 or SCrypt. A well-known library for Java is jBCrypt.
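A worked version of this answer's advice, wired into the question's Hibernate code (an added example; it is not code from the question, from jBCrypt or from Hibernate). The password is hashed with jBCrypt before the entity reaches session.save(), and login looks the user up by username only and verifies the password in Java, so no SQL function appears in HQL at all. Because the question also asks about importing the old database without changing passwords, the example additionally recognises rows that still hold a MySQL 4.1+ PASSWORD() value ('*' followed by 40 upper-case hex characters of SHA-1 applied twice) and re-hashes them with bcrypt on the first successful login. The User getters/setters, HibernateUtil and the Hibernate 3/4 Session/Query API are taken from the question; the class name UserDao, BCRYPT_COST, hashPassword and legacyMysqlPassword are names chosen here, and the assumption that the old app stored passwords as UTF-8 is mine.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

import org.hibernate.Hibernate;
import org.hibernate.Session;
import org.hibernate.Transaction;
import org.mindrot.jbcrypt.BCrypt;

// Assumed (added example): User has getUsername(), getPassword()/setPassword(String)
// and a lazy getUserData(); HibernateUtil is the class from the question;
// jBCrypt (org.mindrot.jbcrypt) is on the classpath.
public class UserDao {

    // bcrypt work factor (2^12 rounds); raise it as hardware gets faster
    private static final int BCRYPT_COST = 12;

    // Hash a clear-text password; gensalt() picks a random salt that is stored inside the hash
    public static String hashPassword(String clearText) {
        return BCrypt.hashpw(clearText, BCrypt.gensalt(BCRYPT_COST));
    }

    // What MySQL's PASSWORD() returns since 4.1: '*' + upper-case hex of SHA1(SHA1(pw)),
    // the inner digest fed to the outer one as raw bytes. Only used to verify rows
    // imported from the old database (assumes the old app stored them as UTF-8).
    static String legacyMysqlPassword(String clearText) {
        try {
            MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
            byte[] inner = sha1.digest(clearText.getBytes(StandardCharsets.UTF_8));
            byte[] outer = sha1.digest(inner); // digest() resets, so this hashes inner alone
            StringBuilder sb = new StringBuilder("*");
            for (byte b : outer) {
                sb.append(String.format("%02X", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-1 is mandatory in every JRE", e);
        }
    }

    // Registration: the entity only ever carries the bcrypt hash, so plain save() is enough
    public User addUser(User user, String clearTextPassword) {
        user.setPassword(hashPassword(clearTextPassword));
        Session session = HibernateUtil.getSessionFactory().openSession();
        Transaction tx = session.beginTransaction();
        try {
            session.save(user);
            tx.commit();
        } catch (RuntimeException e) {
            tx.rollback();
            throw e;
        } finally {
            session.close();
        }
        return user;
    }

    // Login: fetch by username only, verify in Java. A row still holding a PASSWORD()
    // value ('*' + 40 hex chars) is checked against the legacy format and upgraded
    // to bcrypt on first successful login, so the old data can be imported as-is.
    public User login(String username, String clearTextPassword) {
        Session session = HibernateUtil.getSessionFactory().openSession();
        try {
            User user = (User) session
                    .createQuery("from User u where u.username = :username")
                    .setString("username", username)
                    .uniqueResult();
            if (user == null) {
                return null;
            }
            String stored = user.getPassword();
            boolean ok;
            if (stored.startsWith("*") && stored.length() == 41) {
                byte[] expected = stored.getBytes(StandardCharsets.US_ASCII);
                byte[] actual = legacyMysqlPassword(clearTextPassword).getBytes(StandardCharsets.US_ASCII);
                ok = MessageDigest.isEqual(expected, actual); // constant-time comparison
                if (ok) {
                    user.setPassword(hashPassword(clearTextPassword));
                    Transaction tx = session.beginTransaction();
                    session.update(user);
                    tx.commit();
                }
            } else {
                ok = BCrypt.checkpw(clearTextPassword, stored); // re-hashes with the salt in 'stored'
            }
            if (!ok) {
                return null; // same answer for unknown user and wrong password
            }
            Hibernate.initialize(user.getUserData()); // load the lazy association before closing
            return user;
        } finally {
            session.close();
        }
    }
}
```

The legacy branch exists only to migrate imported rows; until a user logs in, his hash is still the fast, unsalted PASSWORD() value at rest, which is exactly the weakness this answer describes, so delete the branch (or force a reset for the remaining '*'-prefixed rows) once the migration window has passed. The password column must be wide enough for a 60-character bcrypt string.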

1

Using Jasypt's EncryptedStringType is much more convenient, since you delegate the password hashing to the UserType.

This way your application logic doesn't have to deal with password-related responsibilities (as is the case with your SELECT using the non-portable PASSWORD SQL function).

The UserType will also take care of hashing the actual password for an INSERT/UPDATE too.

So, Jasypt is a much better alternative.

4 Comments

Maybe I overlooked something, but isn't the Jasypt library meant for encryption? I couldn't find any hash functions, and user passwords should certainly be hashed, not encrypted.
Encryption can be one-way (hashing) or two-way (private and public keys). Hashing can be done with MD5, SHA-1 or SHA-2, and Jasypt supports those.
OK, finally I found the page I searched for, and it seems that one-way hashes are indeed supported; there is also some example code. Usually one distinguishes between encryption (two-way) and hashing (one-way).
In college, I learned this stuff during the 'Communication theory, encoding and encryption' course. The hashing theory is a branch of encryption.
