I am working on an application that wants to leverage the ofBiz user logins to allow ofBiz users to automatically logon to another application developed in .NET ASP.NET. The ASP.NET application gets a login from the user and then accesses a copy of the ofBiz user login table to compare passwords for login validation. I have the .NET code creating a SHA-1 password hash but it does not compare properly to the encrypted passwords in ofBiz. I wrote some test Java code and determined that it's version of SHA-1 is the same as the .NET version hash. So it looks like a salt is being used but none of the ofBiz developers where I work can point out how to find the salt value or help me with this. I have looked through the login code and it looks like a straight SHA-1 hash using MessageDigest. But then the hashed passwords should match but they don't.
Can someone tell me what (and where) the salt value is that is being used? Or if I'm missing something here what it is? And possibly point me to where in the documentation this is covered (if it is)? Thanks! - Grant
