Yes, but I was thinking about implementing a (hopefully) more elegant solution.

Marlon

On 8/8/11 8:39 AM, Ciancetta, Jesse E. wrote:
>> -----Original Message-----
>> From: Marlon Pierce [mailto:[email protected]]
>> Sent: Thursday, August 04, 2011 4:53 PM
>> To: [email protected]
>> Subject: [discuss] hashing, salting, and initial_data.sql
>>
> I'm looking at hashing and salting passwords stored in Rave's database. This
> works fine for new user accounts, but the demo accounts (canonical,
> john.doe, etc) are a problem because they are inserted directly into the DB by
> DataSourcePopulator.java by reading initial_data.sql. It would be possible to
> grok the "@user_id_" lines from initial_data.sql and hash the passwords there
> in SqlFileParser.java before inserting in the DB, but this would be an ugly and
> fragile hack.
>
>
> Other suggestions? Should we populate the database of demo users through
> JPA instead of inserting directly via SQL commands?
>
>> Is there some reason you can't salt and hash the passwords for the demo
>> accounts manually and then insert the pre-salted/hashed values directly into
>> the initial_data.sql file (with a comment block explaining what's being done
>> and what the actual passwords are)?
>
>> Admittedly not the most elegant solution, but seems good enough for what we
>> need to do.
>
>
> Marlon
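
The approach suggested in the quoted reply (pre-compute salted hashes for the demo accounts and commit them to initial_data.sql under a comment block that documents the passwords), as an added example that is not part of the thread or of Rave's code. PBKDF2-SHA256, the iteration count, the stored-value format, the `person` table and its column names, and the placeholder passwords are all assumptions; the thread specifies none of them.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor, not a value from the thread

def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' for one password."""
    salt = os.urandom(16) if salt is None else salt  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    _scheme, iterations, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)

def seed_sql(accounts, table="person", salts=None):
    """Build the seed-file fragment: a comment block documenting the demo
    passwords, then one INSERT per account carrying only the salted hash."""
    lines = ["-- Demo accounts. Stored values are salted PBKDF2-SHA256 hashes.",
             "-- Plaintext demo passwords (documented here on purpose):"]
    lines += [f"--   {user} / {pw}" for user, pw in accounts]
    for i, (user, pw) in enumerate(accounts):
        stored = hash_password(pw, salts[i] if salts else None)
        # Usernames are fixed constants; single quotes are doubled anyway.
        lines.append(f"INSERT INTO {table} (username, password) "
                     f"VALUES ('{user.replace(chr(39), chr(39) * 2)}', '{stored}');")
    return "\n".join(lines)

# Constructed sample: usernames from the thread, passwords are placeholders.
DEMO_ACCOUNTS = [("canonical", "canonical-demo-pw"), ("john.doe", "john.doe-demo-pw")]

if __name__ == "__main__":
    print(seed_sql(DEMO_ACCOUNTS))
```

The generated fragment is pasted into the seed file once; the application's login path then has to verify against the same stored format for the demo accounts and for newly created ones.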
