
All times are UTC - 5 hours [ DST ]



 Post subject: Using Hibernate for User Management and Authentication
PostPosted: Tue Feb 17, 2004 10:12 pm 
Newbie

Joined: Tue Feb 17, 2004 6:39 pm
Posts: 1
Hello,

My team and I are attempting to use Hibernate to persist user objects. The user password is stored as a hash in MySQL, and is hashed with MySQL's password() function.

When a user changes password, there are several ways to get the right thing to happen:

1 - Store the plaintext password in the DTO, have the service hash the password, replace the freetext with the hash, and persist the DTO.

2 - Same as #1 but have both "password" and "password hash" fields. The former is null on read, full on write.

3 - Have the client call a Java version of password() on the password, setting the DTO field to the resulting hash. Because there is no good Java impl of MySQL's password() function.

Which is best? Is there another way? We're using Tomcat but not any of its authentication.


 Post subject:
PostPosted: Tue Feb 17, 2004 10:57 pm 
Beginner

Joined: Sun Oct 26, 2003 11:21 pm
Posts: 27
I would do my best to get away from using MySQL's password function. From your post, it sounds like you have that option. Once you start with password, you're stuck with MySQL.

The newer versions of MySQL support SHA and MD5, you should certainly use those.

Now, think of how you will validate a password. I'm guessing that you'll do it in Java. Thus, it would be best if your Java domain object, namely User, could validate a password. Since you're using md5 or sha1, you'd be able to do this from almost any language.

You could implement it like this:

get/setHashedPassword - maps to the mysql char field.
setPlainPassword - hashes the password and calls setHashedPassword
validatePassword - hashes the input string and compares it to getHashedPassword.
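
The User object laid out in the reply above, as an added example that is not part of the original post or of Hibernate's own code. It swaps the unsalted MD5/SHA-1 hash the reply suggests for salted PBKDF2 from the JDK, because a fast unsalted hash is cheap to brute-force if the table leaks; the class layout, stored string format and iteration count are assumptions.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Hypothetical User domain object; only hashedPassword is mapped by Hibernate. */
public class User {
    private static final int ITERATIONS = 600_000; // assumed work factor, tune for your hardware
    private static final int SALT_BYTES = 16;
    private static final int KEY_BITS = 256;
    private String hashedPassword; // assumed format: iterations:base64(salt):base64(hash)

    public String getHashedPassword() { return hashedPassword; }
    public void setHashedPassword(String hashedPassword) { this.hashedPassword = hashedPassword; }

    /** Hashes the plaintext with a fresh random salt; the plaintext is never stored. */
    public void setPlainPassword(char[] plain) {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);
        Base64.Encoder b64 = Base64.getEncoder();
        setHashedPassword(ITERATIONS + ":" + b64.encodeToString(salt) + ":"
                + b64.encodeToString(pbkdf2(plain, salt, ITERATIONS)));
    }

    /** Re-derives the hash from the stored salt and iteration count, then compares. */
    public boolean validatePassword(char[] candidate) {
        if (hashedPassword == null) return false;
        String[] parts = hashedPassword.split(":");
        if (parts.length != 3) return false;
        try {
            int iterations = Integer.parseInt(parts[0]);
            byte[] salt = Base64.getDecoder().decode(parts[1]);
            byte[] expected = Base64.getDecoder().decode(parts[2]);
            // MessageDigest.isEqual compares in constant time, avoiding a timing side channel
            return MessageDigest.isEqual(expected, pbkdf2(candidate, salt, iterations));
        } catch (IllegalArgumentException e) { return false; } // malformed stored value
    }

    private static byte[] pbkdf2(char[] password, byte[] salt, int iterations) {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2 unavailable", e);
        } finally { spec.clearPassword(); }
    }
}
```

With these assumed parameters the stored string is under 80 characters, so the mapped column must be at least that wide. Because the iteration count is stored per row, it can be raised later without invalidating existing hashes.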

