cayenne-user mailing list archives

From "Michael Gentry" <>
Subject Re: hashing, best practices?
Date Thu, 07 Aug 2008 19:00:00 GMT
I've done it in code.  If your Java side is the same as the DB side,
it really doesn't much matter (like using SHA1).  (If you want someone
to be able to reset the password from the SQL command-line, for
example).  Doing it in code seems fine to me.  Create a setPassword()
cover method that hashes it and sets it in the parent:

public void setPassword(String newPassword)

This way you toss the plain-text password quickly.  Also, if it is set
to the original password, Cayenne will skip it as a changed value.

I've also used this technique with encryption, too.  You have to
override the set/get methods for the encrypted fields (say, a social
security number or a credit card number).  It is a little more work to
do queries on encrypted fields, of course.

On Thu, Aug 7, 2008 at 1:13 PM, Robert Zeigler <> wrote:
> Hi all,
> Up to this point, whenever I've had to store hashed text (say, the hashed
> from of a password) in the db, I've simply hashed in code.
> But the question arose the other day of how you would go about doing this on
> the database side (assuming your target db supports your target hash
> function).
> Say, for example, you have the following table:
> users
>   id integer
>   username varchar('32')
>   password varchar('40')
> And you want to hash the password as sha1.
> Using mysql and straight sql, you would do something like:
> insert into users (id,username,password) values(1,'userx',sha1('usery'));
> Is there some way to get cayenne to generate this same sql when inserting
> new rows?
> Or, for example, when cayenne detects a diff in password, and does an update
> users set password=..., to have it do password=sha1('newpassword')?
> Of course, I can hash the password in code... but it would be nice if
> cayenne could somehow manage this for me.
> And I could do some sort of ugly hack like having a post-persist callback
> that executes sqltemplate to sha1-hash the value of the newly inserted
> row... but that really is ugly.
> Surely I'm not the only one who hashes passwords in the database. ;) What
> are other people doing here? Does everyone just handle the hashing in code,
> like I've been doing up until now?
> Robert
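The cover-method approach Michael describes, written out as an added example (this is not code from the thread or from the Cayenne project). It assumes a cgen-style generated superclass named _User whose setPassword() writes the mapped column; a minimal stand-in for that class is included so the file compiles and runs on its own. Where the thread talks about a bare SHA-1, the example uses the JDK's PBKDF2WithHmacSHA256 with a random per-user salt and an iteration count, which is what a practitioner would want for passwords today: an unsalted, single-round digest lets an attacker precompute or brute-force the whole users table at hardware speed. Because the salt is random, re-hashing the same password would normally produce a new value and Cayenne would see a change; the cover method therefore verifies the candidate against the stored hash first and returns early when it matches, preserving the "unchanged value is skipped" behaviour noted above.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Stand-in for the cgen-generated _User superclass. Assumption: in a real
// Cayenne project this class is generated and its setter writes the mapped
// PASSWORD column; only the two accessors matter for this example.
class _User {
    private String password;
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
}

public class User extends _User {
    // Stored format: pbkdf2$<iterations>$<base64 salt>$<base64 hash>
    private static final String ALGORITHM = "PBKDF2WithHmacSHA256";
    private static final int ITERATIONS = 100_000;
    private static final int SALT_BYTES = 16;
    private static final int HASH_BITS = 256;
    private static final SecureRandom RNG = new SecureRandom();

    // Cover method: hash newPassword and hand only the hash to the parent,
    // so the entity never holds the plain text.
    @Override
    public void setPassword(String newPassword) {
        // Re-setting the current password leaves the stored value untouched,
        // so Cayenne sees no modification and issues no UPDATE.
        if (getPassword() != null && checkPassword(newPassword)) {
            return;
        }
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        byte[] hash = pbkdf2(newPassword, salt, ITERATIONS);
        super.setPassword("pbkdf2$" + ITERATIONS + "$"
                + Base64.getEncoder().encodeToString(salt) + "$"
                + Base64.getEncoder().encodeToString(hash));
    }

    // Verify a login attempt against the stored salt, iteration count and hash.
    public boolean checkPassword(String candidate) {
        String stored = getPassword();
        if (stored == null) {
            return false;
        }
        String[] parts = stored.split("\\$");
        if (parts.length != 4 || !"pbkdf2".equals(parts[0])) {
            return false;
        }
        int iterations = Integer.parseInt(parts[1]);
        byte[] salt = Base64.getDecoder().decode(parts[2]);
        byte[] expected = Base64.getDecoder().decode(parts[3]);
        byte[] actual = pbkdf2(candidate, salt, iterations);
        // Constant-time comparison: does not leak where the first mismatch is.
        return MessageDigest.isEqual(expected, actual);
    }

    private static byte[] pbkdf2(String password, byte[] salt, int iterations) {
        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterations, HASH_BITS);
        try {
            return SecretKeyFactory.getInstance(ALGORITHM).generateSecret(spec).getEncoded();
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new IllegalStateException(e);
        } finally {
            spec.clearPassword(); // scrub the char[] copy of the plain text
        }
    }

    public static void main(String[] args) {
        User u = new User();
        u.setPassword("correct horse");
        String first = u.getPassword();
        u.setPassword("correct horse"); // same password: stored value unchanged
        System.out.println("unchanged on re-set: " + first.equals(u.getPassword()));
        System.out.println("good login: " + u.checkPassword("correct horse"));
        System.out.println("bad login:  " + u.checkPassword("wrong"));
    }
}
```

Hashing in the entity rather than in SQL also keeps the plain-text password out of the statement Cayenne builds and out of any query logging on the database side. Storing the iteration count alongside the hash lets you raise it later and re-hash users transparently the next time they log in.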
