Hi Jan-Philipp,

Looks like the JCRAuthenticationModule only implements equals() for the password check, as you correctly found out.
This is easily solved: Create a subclass of info.magnolia.jaas.sp.jcr.JCRAuthenticationModule and override the method void matchPassword().

Your new matchPassword() method should:

1. check that the user has a password (don't allow users without password).
2. check the hash of "pswd" against user.getPassword()
3. check equals() of "pswd" against user.getPassword() (for compatibility with other LoginModules/UserManagers)
4. throw FailedLoginException if there is a problem or the password cannot be matched.

You can then configure your new class in the "jaas.config" file (remember to do both author and public webapps).

You might need to check how well this works in combination with the activation mechanism. I think Magnolia sends the user's password when activating content from author to public.

Regards from Vienna,
Richard

-----Original Message-----
From: [email protected] [mailto:[email protected]] On behalf of Magnolia Forums (on behalf of Jan-Philipp Bolle)
Sent: Monday, 19 December 2011 10:50
To: Magnolia User List
Subject: [magnolia-user] hashed passwords and usermanager

Dear forum users,

I created my own usermanager (implements info.magnolia.cms.security.UserManager) for our users (located in a database). The problem is the passwords are hashed in the database. The implementation JCRAuthenticationModule only implements an equals of the password.

Revision 50556 line 157
[code]if (!StringUtils.equals(serverPassword, new String(this.pswd))) { [/code]

Is there a possibility to configure JCRAuthenticationModule to handle hashed passwords?
Regards
Philipp

--
Context is everything: http://forum.magnolia-cms.com/forum/thread.html?threadId=f8e74ce3-b677-4639-852a-4402eba687ff

----------------------------------------------------------------
For list details, see http://www.magnolia-cms.com/community/mailing-lists.html
Alternatively, use our forums: http://forum.magnolia-cms.com/
To unsubscribe, E-mail to: <[email protected]>
----------------------------------------------------------------
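The four checks listed in the reply above, as an added stand-alone Java example (not part of the original thread and not Magnolia's code). Assumptions: the database stores a lowercase hex SHA-256 digest, and the names HashedPasswordCheck, hashHex, sameBytes, check and allowPlaintextFallback are hypothetical; in a real subclass this logic would sit in the overridden matchPassword().

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import javax.security.auth.login.FailedLoginException;

// Hypothetical stand-alone class; a real module would run check() from the overridden matchPassword().
public class HashedPasswordCheck {
    // Assumption: the store holds lowercase hex SHA-256; replace with the scheme your database uses.
    static String hashHex(char[] pswd) throws NoSuchAlgorithmException {
        byte[] d = MessageDigest.getInstance("SHA-256")
                .digest(new String(pswd).getBytes(StandardCharsets.UTF_8));
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // MessageDigest.isEqual avoids the early exit of String.equals().
    static boolean sameBytes(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }

    static void check(String serverPassword, char[] pswd, boolean allowPlaintextFallback)
            throws FailedLoginException {
        // Step 1: refuse accounts without a stored password, and empty submissions.
        if (serverPassword == null || serverPassword.isEmpty() || pswd == null || pswd.length == 0)
            throw new FailedLoginException("missing password");
        try {
            // Step 2: hash of the submitted password against the stored value.
            if (sameBytes(serverPassword, hashHex(pswd))) return;
        } catch (NoSuchAlgorithmException e) {
            throw new FailedLoginException("hash algorithm unavailable");
        }
        // Step 3: plain equals() for other LoginModules/UserManagers, only if enabled.
        if (allowPlaintextFallback && sameBytes(serverPassword, new String(pswd))) return;
        throw new FailedLoginException("password mismatch"); // Step 4
    }

    public static void main(String[] args) throws Exception {
        String stored = hashHex("s3cret".toCharArray()); // constructed sample value
        check(stored, "s3cret".toCharArray(), false);
        System.out.println("correct password accepted");
        try {
            check(stored, "wrong".toCharArray(), false);
        } catch (FailedLoginException e) {
            System.out.println("wrong password rejected: " + e.getMessage());
        }
    }
}
```

With allowPlaintextFallback enabled, a submitted string equal to the stored value also passes, so enable it only for user stores that really hold plaintext.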
