Flo We
Liferay 6.0 Password Encryption
December 22, 2011 12:16 AM

Hello everyone,

I want to validate if the user has entered his correct password at some point (as an additional verification that it is still the user and not someone who is using the PC while the original User forgot to log out).

So I want to try it with the User object:

User currentUser = DpUserUtils.getCurrentUser(requestData.getRequest());
currentUser.getPassword();

With the getPassword method I get the encrypted password from the current user.
The problem I have is that I don't know how to properly encrypt the submitted password to check if it is the same.

After searching for a solution I stumbled upon this post: http://www.liferay.com/de/community/forums/-/message_boards/message/206512
There, someone said you can do it with:

String pwenc = com.liferay.portal.security.pwd.PwdEncryptor.encrypt(pw);

But it seems that this method isn't implemented anymore...

I would appreciate your help!

With best Regards,
Florian
Flo We
RE: Liferay 6.0 Password Encryption
December 22, 2011 6:12 AM

I tried it with a self-coded encryption method:

byte[] defaultBytes = requestData.getRequestParam("password_orig").getBytes();

// Digest the submitted password and render the result as a hex string
MessageDigest md = MessageDigest.getInstance("SHA");
md.update(requestData.getRequestParam("password_orig").getBytes());
BigInteger bigInt = new BigInteger(1, md.digest());
String Password = bigInt.toString(16);

I tried the following algorithms:
MD2
MD5
SHA
SHA-1
SHA-256
SHA-384

After searching the Interweb, these should be the algorithms that Liferay should use, and it is said SHA is the default algorithm.
Does nobody have any input on that problem?
Flo We
RE: Liferay 6.0 Password Encryption
December 22, 2011 6:32 AM

Hello,

I found the method authenticateByEmailAddress in the UserLocalServiceUtil.

authResult = UserLocalServiceUtil.authenticateByEmailAddress(company.getCompanyId(), login, password, headerMap, parameterMap);

With this method you can authenticate the user with the given password.
David H Nebinger
RE: Liferay 6.0 Password Encryption
December 22, 2011 7:41 AM

I think the difference between trying to encode yourself and using the UserLocalServiceUtil method is the correct salt value used for encoding. If you were to dig into the LR implementation I think you'd find it is using the default method, but probably salting differently than what you were trying.

In all cases, though, it is typically better to find and use an official LR method rather than trying to replicate it yourself. It will protect you from the underlying LR changes and administrative changes of the different encryption methods.
M. Garcia
RE: Liferay 6.0 Password Encryption
December 22, 2011 8:13 AM

Hello Flo,

I was digging in the Liferay Javadoc to find it out some time ago; here's the method I created that encodes a password the same way Liferay does:

import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

import com.liferay.portal.kernel.util.Base64;
import com.liferay.portal.kernel.util.Digester;
import com.liferay.portal.kernel.util.StringBundler;
import com.liferay.portal.kernel.util.StringPool;

// ENCODE_PWD_ALGORITHM is a constant of the enclosing class; its value is not shown in the post.
private static String hashPwd(String... pwd)
        throws NoSuchAlgorithmException {
    MessageDigest messageDigest = MessageDigest.getInstance(ENCODE_PWD_ALGORITHM);

    // Join all parts with ':' before hashing.
    StringBundler sb = new StringBundler(pwd.length * 2 - 1);
    for (String t : pwd) {
        if (sb.length() > 0) {
            sb.append(StringPool.COLON);
        }
        sb.append(t);
    }

    try {
        messageDigest.update(sb.toString().getBytes(Digester.ENCODING));
    } catch (UnsupportedEncodingException uee) {
        // Fail here instead of Base64-encoding a null digest.
        throw new IllegalStateException(uee);
    }

    // Base64 of the raw digest bytes.
    return Base64.encode(messageDigest.digest());
}


For details check out the classes I used in the Javadoc.

Hope it helps ;)
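
Added example, not code from any poster or from Liferay: the self-coded attempt earlier in the thread renders the digest as hex through BigInteger, while hashPwd() above Base64-encodes the digest bytes, so the two strings differ even for the same password and algorithm. The class name, the sample password and the choice of SHA-1 are assumptions, and the sketch uses only the JDK; it does not reproduce Liferay's stored format.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

public class DigestEncodingDemo {
    // Unsalted digest of the UTF-8 password bytes (algorithm is an assumption).
    static byte[] digest(String alg, String pw) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance(alg).digest(pw.getBytes(StandardCharsets.UTF_8));
    }

    // Rendering from the self-coded attempt: hex via BigInteger.
    static String bigIntegerHex(byte[] d) {
        return new BigInteger(1, d).toString(16);
    }

    // Rendering from hashPwd(): Base64 of the raw digest bytes.
    static String base64(byte[] d) {
        return Base64.getEncoder().encodeToString(d);
    }

    // Decode the stored value and compare bytes, not strings.
    static boolean matches(String storedB64, String alg, String submitted)
            throws NoSuchAlgorithmException {
        byte[] stored;
        try {
            stored = Base64.getDecoder().decode(storedB64);
        } catch (IllegalArgumentException e) {
            return false; // stored value is not valid Base64
        }
        return MessageDigest.isEqual(stored, digest(alg, submitted));
    }

    public static void main(String[] args) throws Exception {
        String pw = "correct horse battery"; // constructed sample password
        byte[] d = digest("SHA-1", pw);
        String stored = base64(d);           // stands in for a stored value
        System.out.println("hex    = " + bigIntegerHex(d));
        System.out.println("base64 = " + stored);
        System.out.println("hex equals base64: " + bigIntegerHex(d).equals(stored));
        System.out.println("right password:    " + matches(stored, "SHA-1", pw));
        System.out.println("wrong password:    " + matches(stored, "SHA-1", "guess"));
        // BigInteger also drops leading zero nibbles: 3 bytes print as 3 hex digits.
        System.out.println("00 0a ff -> " + bigIntegerHex(new byte[] {0x00, 0x0a, (byte) 0xff}));
    }
}
```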
Jitendra Rajput
RE: Liferay 6.0 Password Encryption
December 23, 2011 10:41 AM

There is no way by which you can decode the password... Even it's not a proper way.

If you wish you can verify the old password with
UserLocalServiceUtil.authenticateByEmailAddress().

This method will return 1 if your old password is correct else it will return null.

One way by which you can get the logged-in user's password using the request:

PortalUtil.getUserPassword(request)
Mazhar Alam
RE: Liferay 6.0 Password Encryption
February 23, 2012 2:25 AM

Hi Jitendra,

Using UserLocalServiceUtil.authenticateByEmailAddress(): it actually only validates the email address as its priority, because I provided a wrong password and then also it was returning 1.

Do you know any alternate method to it, which can validate both email and password?

Thanks in advance.
Jitendra Rajput
RE: Liferay 6.0 Password Encryption
February 28, 2012 1:46 AM

This authenticateByEmailAddress() method also verifies the user password. I just looked into the source code for this.

If you wish, you can also verify: just look into the authenticate() method inside UserLocalServiceImpl.