
All times are UTC - 5 hours [ DST ]



 Post subject: HQL support for password encryption?
PostPosted: Fri Apr 14, 2006 10:16 am 
Newbie

Joined: Wed Apr 12, 2006 11:53 am
Posts: 13
Dear all,

Is there a way to encrypt passwords using some HQL syntax? If yes, how?
For MySQL I would use something like:
"UPDATE Users SET Password = PASSWORD("MyPassworD")..."

How does this work in Hibernate (if at all)? Couldn't find anything in the doc or FAQ.

Cheers,

M.


 
 Post subject:
PostPosted: Fri Apr 14, 2006 10:19 am 
Expert

Joined: Tue Dec 07, 2004 6:57 am
Posts: 285
Location: Nürnberg, Germany
This is not supported imho

_________________
Please don't forget to rate


 
 Post subject:
PostPosted: Fri Apr 14, 2006 11:26 am 
Newbie

Joined: Wed Apr 12, 2006 11:53 am
Posts: 13
So, everyone who's using Hibernate to handle users with passwords has to save the passwords as plain text?? Or use DB native commands, which counteracts the DB independence of Hibernate. Sounds very unlikely to me...


Cheers,

M.


 
 Post subject:
PostPosted: Fri Apr 14, 2006 12:47 pm 
Senior

Joined: Tue Aug 23, 2005 8:52 am
Posts: 181
There are a couple of approaches.
1. You can probably override the MySQLDialect and do a "registerFunction" for the MySQL PASSWORD function and use that in your HQL. I haven't tried this, but it might be something to explore. Take a look at the MySQLDialect code and you'd see the current registration for standard functions.

2. Use the madcow library (http://madcow.tigris.org). This is a library that provides a one-way authentication (which is the same used by MySQL). If you encrypt the password using the madcow library, it'd be the same as using a PASSWORD('...') in MySQL. This is what we use (although we don't use Hibernate).
Also please note that this madcow implementation is valid for MySQL 4.0.x. I'm not sure if it supports 4.1 but I'm definitely sure that it won't support MySQL 5 as the password hashing algorithm has changed in MySQL 5.


 
 Post subject:
PostPosted: Fri Apr 14, 2006 2:22 pm 
Senior

Joined: Tue Mar 09, 2004 2:38 pm
Posts: 141
Location: Lowell, MA USA
Another way to do it would be to define your own SQL for inserts and updates:

http://www.hibernate.org/hib_docs/v3/re ... erysql-cud

This way, you can take advantage of some of MySQL's native features.

Ryan-

_________________
Ryan J. McDonough
http://damnhandy.com

Please remember to rate!


 
 Post subject:
PostPosted: Sat Apr 15, 2006 6:16 am 
Newbie

Joined: Wed Apr 12, 2006 11:53 am
Posts: 13
Thanks a lot for all the hints!

I'm using MySQL 5 so the Madcow thingy won't work. I'll look into overriding the MySQL dialect. But then I'd lose the flexibility of Hibernate and users who want to use other databases would have to do a good deal of tweaking themselves. Not very user-friendly.
As for the custom SQL, this would work for the insert part of my problem. But what about validating the password? Working directly with SQL, I'd have something like:
pwQuery = "SELECT ID FROM Users WHERE Password = PASSWORD('" + password + "')";

Again, there's the encryption function from MySQL, which I don't have access to using Hibernate.

Cheers,

M.


 
 Post subject:
PostPosted: Sat Apr 15, 2006 10:39 am 
Senior

Joined: Tue Mar 09, 2004 2:38 pm
Posts: 141
Location: Lowell, MA USA
Here again you can make use of Hibernate's SQL pass-thru. You could do something like this:

Code:
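    public Object validatePassword(String password) {
       Session session = getSession();
       // The named parameter must not be quoted: ':passwd' inside quotes is a
       // string literal, so nothing would be bound and the comparison would be wrong.
       Query query =
          session.createSQLQuery("SELECT ID FROM Users WHERE Password = PASSWORD(:passwd)");
       query.setString("passwd", password);
       // Returns the matching ID, or null when no row matches.
       return query.uniqueResult();
    }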


Although I don't recall how unique result works with scalar queries. Have a look at the docs here:

http://www.hibernate.org/hib_docs/v3/re ... ing-scalar

and here:

http://www.hibernate.org/hib_docs/v3/re ... rysql.html

I've done a lot using native MySQL functions with Hibernate. Native SQL is the only way you can access MySQL's full text search capabilities. Hope this helps.

Ryan-

_________________
Ryan J. McDonough
http://damnhandy.com

Please remember to rate!


Last edited by damnhandy on Sat Apr 15, 2006 11:29 am, edited 1 time in total.

 
 Post subject:
PostPosted: Sat Apr 15, 2006 11:22 am 
Newbie

Joined: Wed Apr 12, 2006 11:53 am
Posts: 13
Thanks a lot for the explanation. So, I suppose there's no way around using native MySQL.

Cheers,

M.

PS: Sorry, I just gave away the one credit I had for this topic. I thought I could distribute more than one.


© Copyright 2014, Red Hat Inc. All rights reserved. JBoss and Hibernate are registered trademarks and servicemarks of Red Hat, Inc.