>-----Original Message-----
>From: Marlon Pierce [mailto:[email protected]]
>Sent: Monday, August 08, 2011 8:59 AM
>To: [email protected]
>Subject: Re: [discuss] hashing, salting, and initial_data.sql
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Yes, but I was thinking about implementing a (hopefully) more elegant
>solution.

For what use case? The only thing I can think of where this might be useful would be for moving users over from some other container to Rave -- but I would think in that case you'd inevitably end up needing to write some kind of custom migration utility anyway and I'd see dealing with the passwords as part of that. Is there some other use case you have in mind?

>
>Marlon
>
>
>On 8/8/11 8:39 AM, Ciancetta, Jesse E. wrote:
>>> -----Original Message-----
>>> From: Marlon Pierce [mailto:[email protected]]
>>> Sent: Thursday, August 04, 2011 4:53 PM
>>> To: [email protected]
>>> Subject: [discuss] hashing, salting, and initial_data.sql
>>>
>> I'm looking at hashing and salting passwords stored in Rave's database. This
>> works fine for new user accounts, but the demo accounts (canonical,
>> john.doe, etc) are a problem because they are inserted directly into the DB by
>> DataSourcePopulator.java by reading initial_data.sql. It would be possible to
>> grok the "@user_id_" lines from initial_data.sql and hash the passwords there
>> in SqlFileParser.java before inserting in the DB, but this would be an ugly
>> and fragile hack.
>>
>>
>> Other suggestions? Should we populate the database of demo users through
>> JPA instead of inserting directly via SQL commands?
>>
>>> Is there some reason you can't salt and hash the passwords for the demo accounts manually and then insert the pre-salted/hashed values directly into the initial_data.sql file (with a comment block explaining what's being done and what the actual passwords are)?
>>
>>> Admittedly not the most elegant solution, but seems good enough for what we need to do.
>>
>>
>> Marlon
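
The approach suggested in the thread (pre-compute salted hashes for the demo accounts and paste them into initial_data.sql under an explanatory comment block), sketched as an added example that is not part of the original messages or of Rave's code. The PBKDF2 scheme, the stored string format, the `person` table with its `username` and `password` columns, and the sample passwords are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 200_000    # assumed work factor; tune for the deployment hardware
ALGO = "pbkdf2_sha256"  # stored with each hash so the scheme can be upgraded later


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return 'algo$iterations$base64(salt)$base64(hash)' with a per-account salt."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    b64 = lambda raw: base64.b64encode(raw).decode("ascii")
    return f"{ALGO}${iterations}${b64(salt)}${b64(dk)}"


def verify_password(password, encoded):
    """Recompute the hash from the stored parameters and compare in constant time."""
    algo, iterations, salt_b64, hash_b64 = encoded.split("$")
    if algo != ALGO:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(dk, base64.b64decode(hash_b64))


def seed_sql(accounts, table="person", iterations=ITERATIONS):
    """Build the comment block and INSERT lines (table and columns are hypothetical)."""
    lines = ["-- Demo account passwords are stored as salted PBKDF2-HMAC-SHA256 hashes.",
             "-- Format: algorithm$iterations$base64(salt)$base64(hash)",
             "-- Plaintext passwords, for demo use only:"]
    lines += [f"--   {user} / {pw}" for user, pw in accounts]
    for user, pw in accounts:
        encoded = hash_password(pw, iterations=iterations)
        # The encoded value is base64 plus '$', so it holds no quote characters;
        # usernames are escaped by doubling single quotes.
        safe_user = user.replace("'", "''")
        lines.append(f"INSERT INTO {table} (username, password) "
                     f"VALUES ('{safe_user}', '{encoded}');")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: account names from the thread, placeholder passwords.
    print(seed_sql([("canonical", "canonical"), ("john.doe", "john.doe")]))
```

Because each stored value carries its own salt and iteration count, the login path can check a demo account with the same `verify_password` call it uses for accounts created at runtime.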
