cayenne-user mailing list archives

From Robert Zeigler <robert.zeig...@gmail.com>
Subject Re: hashing, best practices?
Date Thu, 07 Aug 2008 19:18:24 GMT
Yeah, that's what I've always done, as well.
I was just sitting here wondering if there was a way to take advantage  
of the db functions.
Ah well.  Thanks!

Robert

On Aug 7, 2008, at 8/72:00 PM , Michael Gentry wrote:

> I've done it in code.  If your Java side is the same as the DB side,
> it really doesn't much matter (like using SHA1).  (If you want someone
> to be able to reset the password from the SQL command-line, for
> example).  Doing it in code seems fine to me.  Create a setPassword()
> cover method in Users.java that hashes it and sets it in the parent:
>
> public void setPassword(String newPassword)
> {
>  super.setPassword(sha1(newPassword));
> }
>
> This way you toss the plain-text password quickly.  Also, if it is set
> to the original password, Cayenne will skip it as a changed value.
>
> I've also used this technique with encryption, too.  You have to
> override the set/get methods for the encrypted fields (say, a social
> security number or a credit card number).  It is a little more work to
> do queries on encrypted fields, of course.
>
>
> On Thu, Aug 7, 2008 at 1:13 PM, Robert Zeigler <robert.zeigler@gmail.com> wrote:
>> Hi all,
>>
>> Up to this point, whenever I've had to store hashed text (say, the hashed
>> form of a password) in the db, I've simply hashed in code.
>> But the question arose the other day of how you would go about doing this on
>> the database side (assuming your target db supports your target hash
>> function).
>> Say, for example, you have the following table:
>>
>> users
>>  id integer
>>  username varchar('32')
>>  password varchar('40')
>>
>> And you want to hash the password as sha1.
>>
>> Using mysql and straight sql, you would do something like:
>>
>> insert into users (id,username,password) values(1,'userx',sha1('usery'));
>>
>> Is there some way to get cayenne to generate this same sql when inserting
>> new rows?
>> Or, for example, when cayenne detects a diff in password, and does an update
>> users set password=..., to have it do password=sha1('newpassword')?
>>
>> Of course, I can hash the password in code... but it would be nice if
>> cayenne could somehow manage this for me.
>>
>> And I could do some sort of ugly hack like having a post-persist callback
>> that executes sqltemplate to sha1-hash the value of the newly inserted
>> row... but that really is ugly.
>>
>> Surely I'm not the only one who hashes passwords in the database. ;) What
>> are other people doing here? Does everyone just handle the hashing in code,
>> like I've been doing up until now?
>>
>> Robert
>>

