CGrantAnderson wrote:
> I am working on an application that wants to leverage the ofBiz user logins
> to allow ofBiz users to automatically logon to another application developed
> in .NET ASP.NET. The ASP.NET application gets a login from the user and
> then accesses a copy of the ofBiz user login table to compare passwords for
> login validation. I have the .NET code creating a SHA-1 password hash but
> it does not compare properly to the encrypted passwords in ofBiz. I wrote
> some test Java code and determined that its version of SHA-1 is the same as
> the .NET version hash. So it looks like a salt is being used but none of
> the ofBiz developers where I work can point out how to find the salt value
> or help me with this. I have looked through the login code and it looks
> like a straight SHA-1 hash using MessageDigest. But then the hashed
> passwords should match but they don't.
>
> Can someone tell me what (and where) the salt value is that is being used?
> Or if I'm missing something here what it is? And possibly point me to where
> in the documentation this is covered (if it is)?

There is no salt in ofbiz passwords. I have a patch that adds support for it, that is compatible with unix crypt(3).
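
An added diagnostic, not part of this thread and not OFBiz code: when two unsalted SHA-1 values for the same password disagree, the difference has to come from the bytes that were hashed or from how the digest was written out as text. The sketch below renders one password under several character sets and text encodings and reports which rendering equals a stored value. The class and method names, the character sets tried, the hex/Base64 renderings and the sample stored value are all assumptions chosen for illustration; the thread does not say which of them either side uses.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

public class Sha1EncodingCheck {  // hypothetical helper class
    // Lowercase hex rendering of a digest.
    static String hex(byte[] d) {
        StringBuilder sb = new StringBuilder(d.length * 2);
        for (byte b : d) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Unsalted SHA-1 of the password under each charset, as hex and as Base64.
    static Map<String, String> candidates(String password) throws NoSuchAlgorithmException {
        // UTF-16LE is what .NET's Encoding.Unicode produces.
        Charset[] charsets = { StandardCharsets.UTF_8, StandardCharsets.UTF_16LE,
                               StandardCharsets.UTF_16BE, StandardCharsets.ISO_8859_1 };
        Map<String, String> out = new LinkedHashMap<>();
        for (Charset cs : charsets) {
            byte[] d = MessageDigest.getInstance("SHA-1").digest(password.getBytes(cs));
            out.put(cs.name() + "/hex", hex(d));
            out.put(cs.name() + "/base64", Base64.getEncoder().encodeToString(d));
        }
        return out;
    }

    // Label of the first rendering equal to the stored value, or null if none match.
    static String identify(String stored, String password) throws NoSuchAlgorithmException {
        String s = stored.trim(); // fixed-width columns may pad with spaces
        for (Map.Entry<String, String> e : candidates(password).entrySet()) {
            boolean isHex = e.getKey().endsWith("/hex"); // hex is case-insensitive, Base64 is not
            if (isHex ? e.getValue().equalsIgnoreCase(s) : e.getValue().equals(s)) return e.getKey();
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: SHA-1 of "password" over UTF-8 bytes, uppercase hex, space-padded.
        String stored = "5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8  ";
        System.out.println("match: " + identify(stored, "password"));
        candidates("password").forEach((k, v) -> System.out.println(k + " = " + v));
    }
}
```

For an ASCII-only password the UTF-8 and ISO-8859-1 renderings are identical, so a test account with a non-ASCII character in its password is needed to tell those two apart.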
