Hitachi Vantara Pentaho Community Forums

Thread: How to work with encrypted user passwords?

  1. #1

    Default How to work with encrypted user passwords?

    We are facing a challenge with authenticating users so they can get in to the Pentaho admin console. We are using the JDBC security DAO (Oracle) and our users table is supposed to store the password in an encrypted digest form.

    From what I know, there is no function we can use in the SQL to decrypt this password when trying to authenticate users. So I wanted to know if there is a way we can apply our custom encryption function to the plain-text password passed by the login screen to the acegi authentication routine.

    Any ideas, anyone?

  2. #2
    Join Date
    Nov 2006



    in WEB-INF/applicationContext-acegi-security-jdbc.xml
    <bean id="passwordEncoder" class="org.acegisecurity.providers.encoding.PlaintextPasswordEncoder" />
    <bean id="passwordEncoder" class="org.acegisecurity.providers.encoding.Md5PasswordEncoder" />
    or with the class name corresponding to the digest you use. I just tried it and it works.


  3. #3

    Question Better security

    The MD5 hash is in most cases secure enough...
    BUT when a person has access to your user table, he can guess by recurring hash text if some passwords are the same. You can imagine that some default passwords are easy to guess.

    Is there a way to make the password encoding more secure?? Like salting the password with username (or something) and then hash it?

  4. #4
    Join Date
    Oct 2007


    You can add a salt source which would mean they would have to recalculate the hash for every username, preventing them from using rainbow tables at least.

    add this to your daoAuthenticationProvider in applicationContext-acegi-security-jdbc.xml
    <property name="saltSource"><ref bean="saltSource"/></property>
    then add the following bean:
    <bean id="saltSource" class="org.acegisecurity.providers.dao.salt.ReflectionSaltSource">
            <property name="userPropertyToUse" value="getUsername"/>
    </bean>
    For more information have a look at the acegi docs.

    good luck

    SQL: as much of a standard as the English language
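
Added example (not part of the original thread, and not Pentaho or Acegi code): a Python sketch of the digests the Md5PasswordEncoder discussed above stores with and without the username salt source, plus an audit check that lists accounts sharing a digest. It assumes Acegi's `password{salt}` merge format and UTF-8 encoding; the function names and the sample accounts are constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict


def acegi_md5(password, salt=None):
    """Hex MD5 digest; a salt, when present, is merged as password{salt}."""
    merged = password if not salt else f"{password}{{{salt}}}"
    # Assumption: UTF-8 bytes (identical to the platform default for ASCII input).
    return hashlib.md5(merged.encode("utf-8")).hexdigest()


def build_table(accounts, salted):
    """Return (username, stored_digest) rows as a users table would hold them."""
    return [(user, acegi_md5(pw, user if salted else None)) for user, pw in accounts]


def shared_digests(rows):
    """Audit check: groups of usernames whose stored digest is identical."""
    groups = defaultdict(list)
    for username, digest in rows:
        groups[digest].append(username)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)


def verify(username, presented, stored, salted):
    """Recompute the digest for a login attempt and compare in constant time."""
    candidate = acegi_md5(presented, username if salted else None)
    return hmac.compare_digest(candidate, stored)


# Constructed sample accounts: two users picked the same password.
ACCOUNTS = [("joe", "password"), ("suzy", "password"), ("pat", "s3parate-Phrase")]

if __name__ == "__main__":
    for salted in (False, True):
        table = build_table(ACCOUNTS, salted)
        print("salted" if salted else "unsalted")
        for user, digest in table:
            print(f"  {user:5} {digest}")
        print("  accounts sharing a digest:", shared_digests(table))
```

The username salt removes the repeated-digest signal and the value of precomputed tables, but MD5 stays cheap to compute per guess. Rows written under one encoder setting will not verify under another, which is why passwords have to be re-saved after a change.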

  5. #5

    Question MD5 passwords and the administration console

    I am also trying to get the admin console working with md5 encrypted passwords. Where are the settings where the encryption method is defined for insert or update user passwords?

  6. #6
    Join Date
    Oct 2006


    The admin console will use the password encoder defined in applicationContext-spring-security-hibernate.xml. If you change the encoder after saving user passwords, you will have to re-save them to get the admin console to encode using the latest password encoder.

  7. #7

    Thumbs up

    I use the applicationContext-spring-security-jdbc.xml and not the hibernate xml....
    in applicationContext-spring-security-jdbc.xml I have:
    <bean id="passwordEncoder" class="" />

    So you have to edit applicationContext-spring-security-hibernate.xml even when you don't use it...(???!!!)

    <bean id="passwordEncoder" class="" />

    Strange but it works

  8. #8
    Join Date
    Sep 2009

    Default same problem to me.....

    Hi,
    I am also using Pentaho version 3.5. I have done the configuration for a MySQL database. I am able to create a user role in my MySQL database. By default the application uses PlaintextPasswordEncoder. But the problem is that when I try to log in it gives me a login error for a bad password. When I change my password to plain text, not encrypted, it works, and I am able to log in. I also tried changing the provider in the applicationContext-spring-security-jdbc.xml file to
    But it's not working.

    So please, if anybody has solved this issue, please give me a solution.
    Thanks in advance.

    Amol Patil.

  9. #9
    Join Date
    Sep 2009

    Unhappy Problem with user authentication

    Hi Jeevan,

    I have been trying to configure MySQL with Pentaho BI server 3.5 RC2 to do login authentication. I got screwed up setting up Pentaho with the help of the Wiki and created my set of files,

    and I have configured META-INF\Context.xml and Simple-jndi.

    But I am unable to load the users list in Login Scroll down, Security and Roles..
    Do I have to create the authorities table in my database???
    I don't know what to do.....

    Help me out to fix this..
    I would be grateful...


  10. #10
    wvaibhav Guest

    Default Regarding bypassing login

    Hi Wil/Ulrich,

    I am using BI 3.5. After publishing the report, I have provided the same report link from my existing web app, which already has a security mechanism.

    Now, how can I bypass the Pentaho login page, so as to show the reports directly to the user without any authentication? Please guide me.

    vaibhav Kumar
