password with salt [message #899529] Wed, 01 August 2012 10:13
Bertin Kiekebosch
Hi,

We are using DataSourceSecurityFilter for authentication. We want to add salt to the passwords. Now on login I need to change the way the password is checked by the DataSourceSecurityFilter, because the simple select statement (org.eclipse.scout.rt.server.servlet.filter.DataSourceSecurityFilter#selectUserPass=SELECT name FROM account WHERE name=? and password=?) is not enough anymore.

I planned to make a new class that inherits from DataSourceSecurityFilter and then override the protected boolean isValidUser(String username, String password) method.

And then register my new class as an extension (servletfilter.filters).

Is this the way to do it?


Regards Bertin






Re: password with salt [message #899766 is a reply to message #899529] Thu, 02 August 2012 09:31
Ivan Motsch
That's the way I would do it too.
Another variant would be to create a composite filter class that delegates to the database security filter and then delegates to your additional filter.
But in the end it comes to the same result.
Re: password with salt [message #900544 is a reply to message #899766] Tue, 07 August 2012 13:17
Bertin Kiekebosch
Tried to inherit from DataSourceSecurityFilter but that did not work for me. So I directly inherited from AbstractChainableSecurityFilter and copied everything from DataSourceSecurityFilter and changed the implementation where needed.
public class SaltedDataSourceSecurityFilter extends AbstractChainableSecurityFilter {
...
...
}

Now it works with one problem, my configuration parameters are not automatically read.

To read the parameters, the implementation in DataSourceSecurityFilter which I copied is like:
FilterConfigInjection.FilterConfig config = new FilterConfigInjection(config0, getClass()).getAnyConfig();

But I get an error then:
javax.servlet.ServletException: Missing init-param with name 'jdbcDriverName'.
	at nl.rid.grammastudio6.server.securityfilter.SaltedDataSourceSecurityFilter.getInitParam(SaltedDataSourceSecurityFilter.java:84)
	at nl.rid.grammastudio6.server.securityfilter.SaltedDataSourceSecurityFilter.init(SaltedDataSourceSecurityFilter.java:70)
	at org.eclipse.scout.http.servletfilter.internal.FilterConfigImpl.getFilter(FilterConfigImpl.java:68)

Although my ini file has all the parameters prefixed with SaltedDataSourceSecurityFilter for example:
org.eclipse.scout.rt.server.servlet.filter.SaltedDataSourceSecurityFilter#active=true
org.eclipse.scout.rt.server.servlet.filter.SaltedDataSourceSecurityFilter#jdbcDriverName=com.mysql.jdbc.Driver


So I changed it to use the params of DataSourceSecurityFilter like this:
FilterConfigInjection.FilterConfig config = new FilterConfigInjection(config0, DataSourceSecurityFilter.class).getAnyConfig();

And it works. But I do not like it this way, maybe someone can explain what is going wrong here and how to fix it in a way that I can use the correct prefix which should be my new class name.

Regards Bertin
Re: password with salt works good now [message #900735 is a reply to message #900544] Wed, 08 August 2012 10:55
Bertin Kiekebosch
Works now,

org.eclipse.scout.rt.server.servlet.filter.SaltedDataSourceSecurityFilter#active=true

of course, my own class is not in this package, but in my own package. After correcting the package name it works.

Regards Bertin
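
Added example, not part of the thread and not Eclipse Scout code: the check a salted scheme needs inside an overridden isValidUser, since a single `WHERE name=? and password=?` lookup can no longer match a per-user salted hash. The `salt` column, the PBKDF2 parameters and the in-memory map standing in for the account table are assumptions.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class SaltedPasswordCheck {
  // Assumed KDF parameters, not taken from the thread.
  static final int ITERATIONS = 210_000;
  static final int KEY_BITS = 256;

  // Stand-in for one row of the account table; the salt column is an assumption.
  static final class Account {
    final byte[] salt, hash;
    Account(byte[] salt, byte[] hash) { this.salt = salt; this.hash = hash; }
  }

  // Constructed stand-in for "SELECT salt, password FROM account WHERE name=?".
  static final Map<String, Account> ACCOUNTS = new HashMap<>();
  static final byte[] DUMMY_SALT = new byte[16];

  static byte[] hash(char[] password, byte[] salt) throws Exception {
    PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
    return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
  }

  static void register(String name, String password) throws Exception {
    byte[] salt = new byte[16];
    new SecureRandom().nextBytes(salt); // fresh random salt per account
    ACCOUNTS.put(name, new Account(salt, hash(password.toCharArray(), salt)));
  }

  // Same parameters as the method the thread overrides.
  static boolean isValidUser(String username, String password) throws Exception {
    Account a = ACCOUNTS.get(username);
    // Unknown user: still run the KDF so response time does not reveal which names exist.
    byte[] salt = (a != null) ? a.salt : DUMMY_SALT;
    byte[] candidate = hash(password.toCharArray(), salt);
    // Constant-time comparison of the recomputed hash with the stored one.
    return a != null && MessageDigest.isEqual(candidate, a.hash);
  }

  public static void main(String[] args) throws Exception {
    register("alice", "correct horse"); // constructed sample account
    System.out.println(isValidUser("alice", "correct horse"));
    System.out.println(isValidUser("alice", "wrong"));
    System.out.println(isValidUser("nobody", "correct horse"));
  }
}
```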