We are trying to look at the Custom Security Runtime in JHeadstart 184.108.40.206. We have it all working, but notice that the password information is stored in plain text in the JHS_USERS table. I am wondering what we would need to do in order to store a hashed value instead of plain text.
Can we implement our own Custom Login Module Class? How does that interact with the Authorization (JHeadstart or ADF)?
Yes, you can extend the oracle.jheadstart.controller.jsf.bean.LoginBean and override the doCustomAuthentication method and stick in an encrypter function (just remember to add the same encrypter function to the user creation process that inserts/updates the password).
Not sure if that's the only way, but I've used the same custom class in 4 JHS projects and it works fine.
What is the best way to do the user creation override if using the JhsModel? To be honest, I feel like creating a separate Model that we can do whatever we want with, such as adding the hashing to the entity object for JHS_USERS. Have you ever modified the Model supplied from JHS? Or do you just create your own model from an admin perspective.
If you can help me with part two, that would be great and I can mark this question as answered!
I think I know the answer to part 2. We need to use ADF BC Substitutions. I see that is what the JDev team also recommends. Doing it this way, I could extend off the base class, add the one requirement to hash the value and update the model appropriately.