Hitachi Vantara Pentaho Community Forums

Thread: How to work with encrypted user passwords?

  1. #1

    How to work with encrypted user passwords?

    We are facing a challenge with authenticating users so they can get in to the Pentaho admin console. We are using the JDBC security DAO (Oracle) and our users table is supposed to store the password in an encrypted digest form.

    From what I know, there is no function we can use in the SQL to decrypt this password when trying to authenticate users. So I wanted to know if there is a way we can apply our custom encryption function to the plain-text password passed by the login screen to the acegi authentication routine.

    Any ideas, anyone?
    Thanks!

  2. #2
    Join Date
    Nov 2006
    Posts
    171


    Hi,

    in WEB-INF/applicationContext-acegi-security-jdbc.xml
    replace
    Code:
    <bean id="passwordEncoder" class="org.acegisecurity.providers.encoding.PlaintextPasswordEncoder" />
    by
    Code:
    <bean id="passwordEncoder" class="org.acegisecurity.providers.encoding.Md5PasswordEncoder" />
    or with the class name corresponding to the digest you use. I just tried it and it works.

    Cheers,
    Ulrich

  3. #3

    Better security

    The MD5 hash is in most cases secure enough...
    BUT when a person has access to your user table, he can guess by recurring hash text if some passwords are the same. You can imagine that some default passwords are easy to guess.

    Is there a way to make the password encoding more secure? Like salting the password with the username (or something) and then hashing it?

  4. #4
    Join Date
    Oct 2007
    Posts
    235


    You can add a salt source which would mean they would have to recalculate the hash for every username, preventing them from using rainbow tables at least.

    Add this to your daoAuthenticationProvider in applicationContext-acegi-security-jdbc.xml
    Code:
    <property name="saltSource"><ref bean="saltSource"/></property>
    then add the following bean:
    Code:
    <bean id="saltSource" class="org.acegisecurity.providers.dao.salt.ReflectionSaltSource">
        <property name="userPropertyToUse" value="getUsername"/>
    </bean>
    For more information have a look at the acegi docs.

    good luck

    Wil
    SQL: as much of a standard as the English language
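    To make the point of posts #3 and #4 concrete, here is an added Python example (not code from the thread or from the Pentaho/Acegi projects) that builds a constructed users table two ways: the unsalted MD5 that Md5PasswordEncoder stores when no saltSource is configured, and the per-user salted form you get once ReflectionSaltSource supplies the username as the salt. It assumes the salt-merging format of Acegi's digest encoders is password followed by the salt in braces, which is stated here from memory of the Acegi source rather than from this page, so check it against your version before relying on the exact digests. The `duplicate_digest_groups` function shows what a reader of the table can learn without cracking anything, and `verify_login` shows the recomputation the authentication provider performs.

    ```python
    import hashlib
    import hmac

    # Constructed sample user table (username, plaintext password); not real data.
    # Two accounts deliberately share the same default password.
    SAMPLE_USERS = [
        ("alice", "welcome1"),
        ("bob", "welcome1"),
        ("carol", "s3cret!"),
    ]


    def md5_hex(text: str) -> str:
        """MD5 over the UTF-8 bytes of text, as a lowercase hex string."""
        return hashlib.md5(text.encode("utf-8")).hexdigest()


    def unsalted_digest(password: str) -> str:
        """What Md5PasswordEncoder stores with no saltSource: md5(password)."""
        return md5_hex(password)


    def salted_digest(password: str, salt: str) -> str:
        """Digest with a per-user salt.

        Assumption: Acegi's digest encoders merge password and salt as
        password + "{" + salt + "}" before hashing (from memory of the Acegi
        source, not from the forum thread). With ReflectionSaltSource and
        userPropertyToUse="getUsername" the salt is the username.
        """
        return md5_hex(password + "{" + salt + "}")


    def build_user_table(users, salted: bool):
        """Return {username: stored_digest} as the users table would hold it."""
        return {
            user: (salted_digest(pw, user) if salted else unsalted_digest(pw))
            for user, pw in users
        }


    def duplicate_digest_groups(table):
        """Usernames grouped by identical stored digest (only groups of 2+).

        Anyone who can read the table spots shared, often default, passwords
        this way with no cracking at all; a per-user salt removes that signal.
        """
        by_digest = {}
        for user, digest in table.items():
            by_digest.setdefault(digest, []).append(user)
        return sorted(group for group in by_digest.values() if len(group) > 1)


    def verify_login(table, username: str, candidate: str, salted: bool) -> bool:
        """Recompute the digest for a login attempt and compare to the stored value."""
        stored = table.get(username)
        if stored is None:
            return False
        computed = (
            salted_digest(candidate, username) if salted else unsalted_digest(candidate)
        )
        # Constant-time comparison avoids leaking how many leading bytes matched.
        return hmac.compare_digest(computed, stored)


    if __name__ == "__main__":
        unsalted_table = build_user_table(SAMPLE_USERS, salted=False)
        salted_table = build_user_table(SAMPLE_USERS, salted=True)
        print("unsalted duplicate groups:", duplicate_digest_groups(unsalted_table))  # [['alice', 'bob']]
        print("salted duplicate groups:  ", duplicate_digest_groups(salted_table))    # []
        print("alice logs in:", verify_login(salted_table, "alice", "welcome1", salted=True))  # True
    ```

    Salting with the username stops precomputed (rainbow) tables and the duplicate-spotting above, but every digest is still a single fast MD5 computation, so a dictionary run against a leaked table remains cheap; where the encoder is configurable, a purpose-built slow password hash is the stronger choice, and, as post #6 notes, stored passwords have to be re-saved after the encoder changes.
    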

  5. #5

    MD5 passwords and the administration console

    I am also trying to get the admin console working with MD5-encrypted passwords. Where are the settings where the encryption method is defined for inserting or updating user passwords?

  6. #6
    Join Date
    Oct 2006
    Posts
    817


    The admin console will use the password encoder defined in applicationContext-spring-security-hibernate.xml. If you change the encoder after saving user passwords, you will have to re-save them to get the admin console to encode using the latest password encoder.

  7. #7
    Join Date
    Aug 2016
    Posts
    18

    How to encrypt the password in the 6.1 version BI server

    We are trying to encrypt the password in the 6.1 version BI server but we can't, so can anyone help me?



    Quote Originally Posted by ulrich
    Hi,

    in WEB-INF/applicationContext-acegi-security-jdbc.xml
    replace
    Code:
    <bean id="passwordEncoder" class="org.acegisecurity.providers.encoding.PlaintextPasswordEncoder" />
    by
    Code:
    <bean id="passwordEncoder" class="org.acegisecurity.providers.encoding.Md5PasswordEncoder" />
    or with the class name corresponding to the digest you use. I just tried it and it works.

    Cheers,
    Ulrich

  8. #8
    Join Date
    Apr 2007
    Posts
    2,010


    For anyone who comes across this, detailed blog here:

    https://dankeeley.wordpress.com/2018...ds-with-salts/

  9. #9
    wvaibhav Guest

    Regarding bypassing login

    Hi Wil/Ulrich,

    I am using BI 3.5. After publishing the report, I have provided the same report link from my existing web app, which already has a security mechanism.

    Now, how can I bypass the Pentaho login page, so as to show the reports directly to the user without any authentication? Please guide me.

    Thanks
    vaibhav Kumar


Copyright © 2005 - 2019 Hitachi Vantara Corporation. All Rights Reserved.