You could use QueryDatabaseAuthenticationHandler and search against the db with a query that casts the TINYBLOB to CHAR. Here's an (untested) example:

    SELECT CAST(password AS CHAR(512) CHARACTER SET utf8) FROM users WHERE username = ?

On Thu, Jun 14, 2012 at 2:27 AM, Ronen Itkin <[email protected]> wrote:

> Hi All,
>
> So good news!
> Apparently the MD5 encoder in the CAS built-in implementation actually
> does everything great *but* it returns the hashed output as a STRING type
> and not as a BYTE ARRAY (BLOB for instance). On the other hand, my database
> holds the hashed md5 password in a TINYBLOB field and once it was changed
> to hold the hashed passwords as clear text, everything worked great!
>
> So basically I have two options:
>
> - Rewrite CAS's MD5 encoder (I am not a programmer though..)
> - Change the password field type in my db to varchar and save the
>   hashed string - affects other applications using the very same table.
>
> Does CAS have any other built-in MD5 encoder that returns the hashed output
> as an actual byte array and not a string?
>
> Anyway, thank you all for the help!!!
>
> Appreciate it!
>
> On Mon, Jun 11, 2012 at 3:19 PM, Eric Pierce <[email protected]> wrote:
>
>> You could turn on query logging in MySQL
>> (http://dev.mysql.com/doc/refman/5.1/en/query-log.html). That will give
>> you the exact query that is being run.
>>
>> -Eric
>>
>> On Mon, Jun 11, 2012 at 2:05 AM, Ronen Itkin <[email protected]> wrote:
>>
>>> Nope, unfortunately it does not show extra info.
>>> Unless you have any other suggestions, I will try debugging the code in
>>> Eclipse :/
>>>
>>> Thanks!!
>>>
>>> On Mon, Jun 11, 2012 at 3:52 AM, Marvin Addison <[email protected]> wrote:
>>>
>>>> > By the way, should it show the hashed password at all? Sounds like a
>>>> > security vulnerability.
>>>>
>>>> CAS computes the hash from the password supplied by the user and
>>>> compares it with the value on record. So in that sense it "knows" the
>>>> hash, but only in a transient fashion. All authentication systems
>>>> that authenticate against a hash work this way, so no, there's no
>>>> security vulnerability.
>>>>
>>>> M
>>>>
>>>> --
>>>> You are currently subscribed to [email protected] as: [email protected]
>>>> To unsubscribe, change settings or access archives, see
>>>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>>>
>>> --
>>> Ronen Itkin
>>> Taykey | www.taykey.com
>>
>> --
>> Eric Pierce
>> Identity Management Architect
>> Information Technology
>> University of South Florida
>> (813) 974-8868 -- [email protected]
>
> --
> Ronen Itkin
> Taykey | www.taykey.com

--
Eric Pierce
Identity Management Architect
Information Technology
University of South Florida
(813) 974-8868 -- [email protected]
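
The representation mismatch discussed in this thread (a hex-string MD5 from the encoder versus a binary column value), as an added Python example that is not part of the original messages and is not CAS code. The function names and the two column layouts are assumptions; the thread does not say whether the TINYBLOB holds 16 raw digest bytes or 32 ASCII hex characters, so both are handled.

```python
import hashlib
import hmac
import string

HEX_CHARS = set(string.hexdigits)


def encoder_output(password: str) -> str:
    """Hex-string MD5, the form the thread says the encoder returns."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def naive_match(password: str, column_value: bytes) -> bool:
    """String-vs-bytes comparison: never equal, whatever the column holds."""
    return encoder_output(password) == column_value


def stored_hash_to_hex(blob: bytes) -> str:
    """Normalize a binary column value to lowercase hex.

    Assumed layouts (the thread does not say which the TINYBLOB uses):
    16 raw digest bytes, or 32 ASCII hex characters.
    """
    if len(blob) == 16:
        return blob.hex()
    if len(blob) == 32:
        text = blob.decode("ascii")  # UnicodeDecodeError is a ValueError
        if all(c in HEX_CHARS for c in text):
            return text.lower()
    raise ValueError(f"unrecognized MD5 column value of {len(blob)} bytes")


def verify(password: str, blob: bytes) -> bool:
    """Compare in one representation, in constant time."""
    try:
        stored = stored_hash_to_hex(blob)
    except ValueError:
        return False
    return hmac.compare_digest(encoder_output(password), stored)


if __name__ == "__main__":
    pw = "password"  # constructed sample credential
    raw = hashlib.md5(pw.encode("utf-8")).digest()         # 16-byte layout
    hex_blob = encoder_output(pw).upper().encode("ascii")  # 32-byte layout
    for name, blob in (("raw", raw), ("hex", hex_blob)):
        print(name, naive_match(pw, blob), verify(pw, blob))
```

The 32-byte layout is the case where the CAST in the reply above yields a string the encoder output can be compared with. For the 16-byte layout a CAST to CHAR does not produce the hex string; MySQL's HEX(), wrapped in LOWER(), is the SQL-side equivalent of stored_hash_to_hex.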
