Posted to dev@rave.apache.org by Marlon Pierce <mp...@cs.indiana.edu> on 2011/08/04 22:53:02 UTC

[discuss] hashing, salting, and initial_data.sql

I'm looking at hashing and salting passwords stored in Rave's database. This works fine for new user accounts, but the demo accounts (canonical, john.doe, etc) are a problem because they are inserted directly into the DB by DataSourcePopulator.java by reading initial_data.sql. It would be possible to grok the "@user_id_" lines from initial_data.sql and hash the passwords there in SqlFileParser.java before inserting in the DB, but this would be an ugly and fragile hack. 


Other suggestions?  Should we populate the database of demo users through JPA instead of inserting directly via SQL commands?  


Marlon

RE: [discuss] hashing, salting, and initial_data.sql

Posted by "Ciancetta, Jesse E." <jc...@mitre.org>.
>-----Original Message-----
>From: Marlon Pierce [mailto:mpierce@cs.indiana.edu]
>Sent: Monday, August 08, 2011 8:59 AM
>To: rave-dev@incubator.apache.org
>Subject: Re: [discuss] hashing, salting, and initial_data.sql
>
>Yes, but I was thinking about implementing a (hopefully) more elegant
>solution.

For what use case?  The only thing I can think of where this might be useful would be for moving users over from some other container to Rave -- but I would think in that case you'd inevitably end up needing to write some kind of custom migration utility anyway and I'd see dealing with the passwords as part of that.  

Is there some other use case you have in mind?

>
>Marlon
>
>
>On 8/8/11 8:39 AM, Ciancetta, Jesse E. wrote:
>>> -----Original Message-----
>>> From: Marlon Pierce [mailto:mpierce@cs.indiana.edu]
>>> Sent: Thursday, August 04, 2011 4:53 PM
>>> To: rave-dev@incubator.apache.org
>>> Subject: [discuss] hashing, salting, and initial_data.sql
>>>
>> I'm looking at hashing and salting passwords stored in Rave's database. This
>> works fine for new user accounts, but the demo accounts (canonical,
>> john.doe, etc) are a problem because they are inserted directly into the DB by
>> DataSourcePopulator.java by reading initial_data.sql. It would be possible to
>> grok the "@user_id_" lines from initial_data.sql and hash the passwords there
>> in SqlFileParser.java before inserting in the DB, but this would be an ugly and
>> fragile hack.
>>
>>
>> Other suggestions?  Should we populate the database of demo users through
>> JPA instead of inserting directly via SQL commands?
>>
>>> Is there some reason you can't salt and hash the passwords for the demo accounts manually and then insert the pre-salted/hashed values directly into the initial_data.sql file (with a comment block explaining what's being done and what the actual passwords are)?
>>
>>> Admittedly not the most elegant solution, but seems good enough for what we need to do.
>>
>>
>> Marlon

RE: [discuss] hashing, salting, and initial_data.sql

Posted by "Franklin, Matthew B." <mf...@mitre.org>.
>-----Original Message-----
>From: Marlon Pierce [mailto:mpierce@cs.indiana.edu]
>Sent: Friday, August 12, 2011 10:38 AM
>To: rave-dev@incubator.apache.org
>Subject: Re: [discuss] hashing, salting, and initial_data.sql
>
>I agree. If there are no objections, I'll revert and change initial_data.sql to use
>the hard-coded hashes this code generated.

+1

>
>
>Marlon
>
>
>On 8/12/11 10:32 AM, Franklin, Matthew B. wrote:
>>> -----Original Message-----
>>> From: Ciancetta, Jesse E. [mailto:jcian@mitre.org]
>>> Sent: Monday, August 08, 2011 9:11 AM
>>> To: rave-dev@incubator.apache.org
>>> Subject: RE: [discuss] hashing, salting, and initial_data.sql
>>>
>>>> -----Original Message-----
>>>> From: Marlon Pierce [mailto:mpierce@cs.indiana.edu]
>>>> Sent: Monday, August 08, 2011 8:59 AM
>>>> To: rave-dev@incubator.apache.org
>>>> Subject: Re: [discuss] hashing, salting, and initial_data.sql
>>>>
>> Yes, but I was thinking about implementing a (hopefully) more elegant
>> solution.
>>>>
>>>> For what use case?  The only thing I can think of where this might be useful
>>>> would be for moving users over from some other container to Rave -- but I
>>>> would think in that case you'd inevitably end up needing to write some kind of
>>>> custom migration utility anyway and I'd see dealing with the passwords as part
>>>> of that.
>>
>>
>>> + 1
>>
>>> I just noticed that hashing and salting of passwords was added to the SqlFileParser class.  This class (SqlFileParser) is very generic and can be used in any situation where SQL statements and child scripts are to be parsed from a file.  The hashing and salting definitely does not belong in this class as it is unique to a particular table in a particular context.
>>
>>>>
>>>> Is there some other use case you have in mind?
>>>>
>>
>> Marlon
>>
>>
>> On 8/8/11 8:39 AM, Ciancetta, Jesse E. wrote:
>>>>>>> -----Original Message-----
>>>>>>> From: Marlon Pierce [mailto:mpierce@cs.indiana.edu]
>>>>>>> Sent: Thursday, August 04, 2011 4:53 PM
>>>>>>> To: rave-dev@incubator.apache.org
>>>>>>> Subject: [discuss] hashing, salting, and initial_data.sql
>>>>>>>
>>>>>> I'm looking at hashing and salting passwords stored in Rave's database. This
>>>>>> works fine for new user accounts, but the demo accounts (canonical,
>>>>>> john.doe, etc) are a problem because they are inserted directly into the DB by
>>>>>> DataSourcePopulator.java by reading initial_data.sql. It would be possible to
>>>>>> grok the "@user_id_" lines from initial_data.sql and hash the passwords there
>>>>>> in SqlFileParser.java before inserting in the DB, but this would be an ugly and
>>>>>> fragile hack.
>>>>>>
>>>>>>
>>>>>> Other suggestions?  Should we populate the database of demo users through
>>>>>> JPA instead of inserting directly via SQL commands?
>>>>>>
>>>>>>> Is there some reason you can't salt and hash the passwords for the demo accounts manually and then insert the pre-salted/hashed values directly into the initial_data.sql file (with a comment block explaining what's being done and what the actual passwords are)?
>>>>>>
>>>>>>> Admittedly not the most elegant solution, but seems good enough for what we need to do.
>>>>>>
>>>>>>
>>>>>> Marlon
>>

Re: [discuss] hashing, salting, and initial_data.sql

Posted by Marlon Pierce <mp...@cs.indiana.edu>.

I agree. If there are no objections, I'll revert and change initial_data.sql to use the hard-coded hashes this code generated.


Marlon


On 8/12/11 10:32 AM, Franklin, Matthew B. wrote:
>> -----Original Message-----
>> From: Ciancetta, Jesse E. [mailto:jcian@mitre.org]
>> Sent: Monday, August 08, 2011 9:11 AM
>> To: rave-dev@incubator.apache.org
>> Subject: RE: [discuss] hashing, salting, and initial_data.sql
>>
>>> -----Original Message-----
>>> From: Marlon Pierce [mailto:mpierce@cs.indiana.edu]
>>> Sent: Monday, August 08, 2011 8:59 AM
>>> To: rave-dev@incubator.apache.org
>>> Subject: Re: [discuss] hashing, salting, and initial_data.sql
>>>
> Yes, but I was thinking about implementing a (hopefully) more elegant
> solution.
>>>
>>> For what use case?  The only thing I can think of where this might be useful
>>> would be for moving users over from some other container to Rave -- but I
>>> would think in that case you'd inevitably end up needing to write some kind of
>>> custom migration utility anyway and I'd see dealing with the passwords as part
>>> of that.
> 
> 
>> + 1
> 
>> I just noticed that hashing and salting of passwords was added to the SqlFileParser class.  This class (SqlFileParser) is very generic and can be used in any situation where SQL statements and child scripts are to be parsed from a file.  The hashing and salting definitely does not belong in this class as it is unique to a particular table in a particular context.  
> 
>>>
>>> Is there some other use case you have in mind?
>>>
> 
> Marlon
> 
> 
> On 8/8/11 8:39 AM, Ciancetta, Jesse E. wrote:
>>>>>> -----Original Message-----
>>>>>> From: Marlon Pierce [mailto:mpierce@cs.indiana.edu]
>>>>>> Sent: Thursday, August 04, 2011 4:53 PM
>>>>>> To: rave-dev@incubator.apache.org
>>>>>> Subject: [discuss] hashing, salting, and initial_data.sql
>>>>>>
>>>>> I'm looking at hashing and salting passwords stored in Rave's database. This
>>>>> works fine for new user accounts, but the demo accounts (canonical,
>>>>> john.doe, etc) are a problem because they are inserted directly into the DB by
>>>>> DataSourcePopulator.java by reading initial_data.sql. It would be possible to
>>>>> grok the "@user_id_" lines from initial_data.sql and hash the passwords there
>>>>> in SqlFileParser.java before inserting in the DB, but this would be an ugly and
>>>>> fragile hack.
>>>>>
>>>>>
>>>>> Other suggestions?  Should we populate the database of demo users through
>>>>> JPA instead of inserting directly via SQL commands?
>>>>>
>>>>>> Is there some reason you can't salt and hash the passwords for the demo accounts manually and then insert the pre-salted/hashed values directly into the initial_data.sql file (with a comment block explaining what's being done and what the actual passwords are)?
>>>>>
>>>>>> Admittedly not the most elegant solution, but seems good enough for what we need to do.
>>>>>
>>>>>
>>>>> Marlon
> 

RE: [discuss] hashing, salting, and initial_data.sql

Posted by "Franklin, Matthew B." <mf...@mitre.org>.
>-----Original Message-----
>From: Ciancetta, Jesse E. [mailto:jcian@mitre.org]
>Sent: Monday, August 08, 2011 9:11 AM
>To: rave-dev@incubator.apache.org
>Subject: RE: [discuss] hashing, salting, and initial_data.sql
>
>>-----Original Message-----
>>From: Marlon Pierce [mailto:mpierce@cs.indiana.edu]
>>Sent: Monday, August 08, 2011 8:59 AM
>>To: rave-dev@incubator.apache.org
>>Subject: Re: [discuss] hashing, salting, and initial_data.sql
>>
>>Yes, but I was thinking about implementing a (hopefully) more elegant
>>solution.
>
>For what use case?  The only thing I can think of where this might be useful
>would be for moving users over from some other container to Rave -- but I
>would think in that case you'd inevitably end up needing to write some kind of
>custom migration utility anyway and I'd see dealing with the passwords as part
>of that.


+ 1

I just noticed that hashing and salting of passwords was added to the SqlFileParser class.  This class (SqlFileParser) is very generic and can be used in any situation where SQL statements and child scripts are to be parsed from a file.  The hashing and salting definitely does not belong in this class as it is unique to a particular table in a particular context.  

>
>Is there some other use case you have in mind?
>
>>
>>Marlon
>>
>>
>>On 8/8/11 8:39 AM, Ciancetta, Jesse E. wrote:
>>>> -----Original Message-----
>>>> From: Marlon Pierce [mailto:mpierce@cs.indiana.edu]
>>>> Sent: Thursday, August 04, 2011 4:53 PM
>>>> To: rave-dev@incubator.apache.org
>>>> Subject: [discuss] hashing, salting, and initial_data.sql
>>>>
>>> I'm looking at hashing and salting passwords stored in Rave's database. This
>>> works fine for new user accounts, but the demo accounts (canonical,
>>> john.doe, etc) are a problem because they are inserted directly into the DB by
>>> DataSourcePopulator.java by reading initial_data.sql. It would be possible to
>>> grok the "@user_id_" lines from initial_data.sql and hash the passwords there
>>> in SqlFileParser.java before inserting in the DB, but this would be an ugly and
>>> fragile hack.
>>>
>>>
>>> Other suggestions?  Should we populate the database of demo users through
>>> JPA instead of inserting directly via SQL commands?
>>>
>>>> Is there some reason you can't salt and hash the passwords for the demo accounts manually and then insert the pre-salted/hashed values directly into the initial_data.sql file (with a comment block explaining what's being done and what the actual passwords are)?
>>>
>>>> Admittedly not the most elegant solution, but seems good enough for what we need to do.
>>>
>>>
>>> Marlon


Re: [discuss] hashing, salting, and initial_data.sql

Posted by Marlon Pierce <mp...@cs.indiana.edu>.

Yes, but I was thinking about implementing a (hopefully) more elegant solution.


Marlon


On 8/8/11 8:39 AM, Ciancetta, Jesse E. wrote:
>> -----Original Message-----
>> From: Marlon Pierce [mailto:mpierce@cs.indiana.edu]
>> Sent: Thursday, August 04, 2011 4:53 PM
>> To: rave-dev@incubator.apache.org
>> Subject: [discuss] hashing, salting, and initial_data.sql
>>
> I'm looking at hashing and salting passwords stored in Rave's database. This
> works fine for new user accounts, but the demo accounts (canonical,
> john.doe, etc) are a problem because they are inserted directly into the DB by
> DataSourcePopulator.java by reading initial_data.sql. It would be possible to
> grok the "@user_id_" lines from initial_data.sql and hash the passwords there
> in SqlFileParser.java before inserting in the DB, but this would be an ugly and
> fragile hack.
> 
> 
> Other suggestions?  Should we populate the database of demo users through
> JPA instead of inserting directly via SQL commands?
> 
>> Is there some reason you can't salt and hash the passwords for the demo accounts manually and then insert the pre-salted/hashed values directly into the initial_data.sql file (with a comment block explaining what's being done and what the actual passwords are)?
> 
>> Admittedly not the most elegant solution, but seems good enough for what we need to do.
> 
> 
> Marlon

RE: [discuss] hashing, salting, and initial_data.sql

Posted by "Ciancetta, Jesse E." <jc...@mitre.org>.
>-----Original Message-----
>From: Marlon Pierce [mailto:mpierce@cs.indiana.edu]
>Sent: Thursday, August 04, 2011 4:53 PM
>To: rave-dev@incubator.apache.org
>Subject: [discuss] hashing, salting, and initial_data.sql
>
>I'm looking at hashing and salting passwords stored in Rave's database. This
>works fine for new user accounts, but the demo accounts (canonical,
>john.doe, etc) are a problem because they are inserted directly into the DB by
>DataSourcePopulator.java by reading initial_data.sql. It would be possible to
>grok the "@user_id_" lines from initial_data.sql and hash the passwords there
>in SqlFileParser.java before inserting in the DB, but this would be an ugly and
>fragile hack.
>
>
>Other suggestions?  Should we populate the database of demo users through
>JPA instead of inserting directly via SQL commands?

Is there some reason you can't salt and hash the passwords for the demo accounts manually and then insert the pre-salted/hashed values directly into the initial_data.sql file (with a comment block explaining what's being done and what the actual passwords are)?

Admittedly not the most elegant solution, but seems good enough for what we need to do.

>
>Marlon

RE: [discuss] hashing, salting, and initial_data.sql

Posted by "Franklin, Matthew B." <mf...@mitre.org>.
>-----Original Message-----
>From: Ciancetta, Jesse E. [mailto:jcian@mitre.org]
>Sent: Monday, August 08, 2011 8:40 AM
>To: rave-dev@incubator.apache.org
>Subject: RE: [discuss] hashing, salting, and initial_data.sql
>
>>-----Original Message-----
>>From: Marlon Pierce [mailto:mpierce@cs.indiana.edu]
>>Sent: Thursday, August 04, 2011 4:53 PM
>>To: rave-dev@incubator.apache.org
>>Subject: [discuss] hashing, salting, and initial_data.sql
>>
>>I'm looking at hashing and salting passwords stored in Rave's database. This
>>works fine for new user accounts, but the demo accounts (canonical,
>>john.doe, etc) are a problem because they are inserted directly into the DB by
>>DataSourcePopulator.java by reading initial_data.sql. It would be possible to
>>grok the "@user_id_" lines from initial_data.sql and hash the passwords there
>>in SqlFileParser.java before inserting in the DB, but this would be an ugly and
>>fragile hack.
>>
>>
>>Other suggestions?  Should we populate the database of demo users through
>>JPA instead of inserting directly via SQL commands?
>
>Is there some reason you can't salt and hash the passwords for the demo
>accounts manually and then insert the pre-salted/hashed values directly into
>the initial_data.sql file (with a comment block explaining what's being done
>and what the actual passwords are)?

+1  It's only demo data :)

>
>Admittedly not the most elegant solution, but seems good enough for what
>we need to do.

So long as it is working when users change/create their passwords, I think this solution is perfectly fine.


>>
>>Marlon