Eclipse Community Forums
Forum Search:

Search      Help    Register    Login    Home
Home » Eclipse Projects » scout » password with salt
password with salt [message #899529] Wed, 01 August 2012 10:13 Go to next message
Bertin Kiekebosch is currently offline Bertin KiekeboschFriend
Messages: 309
Registered: August 2011
Senior Member
Hi,

we are using DataSourceSecurityFilter for authentication. We want to add salt to the passwords. Now on login I need to change the way the password is checked by the DataSourceSecurityFilter because the simple select statement (org.eclipse.scout.rt.server.servlet.filter.DataSourceSecurityFilter#selectUserPass=SELECT name FROM account WHERE name=? and password=?
) is not enough anymore

I planned to make a new class that inherits form DataSourceSecurityFilter and then override protected boolean isValidUser(String username, String password) method.

And then register my new class as an extension (servletfilter.filters)

Is this the way to do it?


Regards Bertin






Re: password with salt [message #899766 is a reply to message #899529] Thu, 02 August 2012 09:31 Go to previous messageGo to next message
Ivan Motsch is currently offline Ivan MotschFriend
Messages: 100
Registered: March 2010
Senior Member
Thats the way i would do it too.
Another variant would be to create a composite filter class that delegates to the database security filter and then delegates to your additional filter.
But in the end it comes to the same result.
Re: password with salt [message #900544 is a reply to message #899766] Tue, 07 August 2012 13:17 Go to previous messageGo to next message
Bertin Kiekebosch is currently offline Bertin KiekeboschFriend
Messages: 309
Registered: August 2011
Senior Member
Tried to inherit from DataSourceSecurityFilter but that did not work for me. So I directly inherited from AbstractChainableSecurityFilter and copied everything from DataSourceSecurityFilter and changed the implementation where needed.
public class SaltedDataSourceSecurityFilter extends AbstractChainableSecurityFilter {
...
...
}

Now it works with one problem, my configuration parameters are not automatically read.

To read the parameters, the implementation in DataSourceSecurityFilter which I copied is like:
FilterConfigInjection.FilterConfig config = new FilterConfigInjection(config0, getClass()).getAnyConfig();

But I get an error then:
javax.servlet.ServletException: Missing init-param with name 'jdbcDriverName'.
	at nl.rid.grammastudio6.server.securityfilter.SaltedDataSourceSecurityFilter.getInitParam(SaltedDataSourceSecurityFilter.java:84)
	at nl.rid.grammastudio6.server.securityfilter.SaltedDataSourceSecurityFilter.init(SaltedDataSourceSecurityFilter.java:70)
	at org.eclipse.scout.http.servletfilter.internal.FilterConfigImpl.getFilter(FilterConfigImpl.java:68)

Although my ini file has all the parameters prefixed with SaltedDataSourceSecurityFilter for example:
org.eclipse.scout.rt.server.servlet.filter.SaltedDataSourceSecurityFilter#active=true
org.eclipse.scout.rt.server.servlet.filter.SaltedDataSourceSecurityFilter#jdbcDriverName=com.mysql.jdbc.Driver


So I changed it to use the params of DataSourceSecurityFilter like this:
FilterConfigInjection.FilterConfig config = new FilterConfigInjection(config0, DataSourceSecurityFilter.class).getAnyConfig();

And it works. But I do not like it this way, maybe someone can explain what is going wrong here and how to fix it in a way that I can use the correct prefix which should be my new class name.

Regards Bertin
icon7.gif  Re: password with salt works good now [message #900735 is a reply to message #900544] Wed, 08 August 2012 10:55 Go to previous message
Bertin Kiekebosch is currently offline Bertin KiekeboschFriend
Messages: 309
Registered: August 2011
Senior Member
Works now,

org.eclipse.scout.rt.server.servlet.filter.SaltedDataSourceSecurityFilter#active=true

of course, my own class is not in this package, but in my own package. After correcting the package name it works.

Regards Bertin
Previous Topic:Multi-Module Applications
Next Topic:Set '*' as a Password Char in a Form Field
Goto Forum:
  


Current Time: Fri Dec 19 06:47:46 GMT 2014

Powered by FUDForum. Page generated in 0.01629 seconds
.:: Contact :: Home ::.

Powered by: FUDforum 3.0.2.
Copyright ©2001-2010 FUDforum Bulletin Board Software