
I had a project where I was storing salted hashed passwords like this:

byte[] salt = getSalt(); // fresh random salt for this account
sql = "INSERT INTO user_login (user_mail, user_handle, user_password, user_salt) VALUES (?, ?, SHA2(CONCAT(?, ?), 256), ?)";

prepStmt = conn.prepareStatement(sql);

prepStmt.setString(1, user.getUserMail());
prepStmt.setString(2, user.getUserHandle());
// Process password: plaintext and salt are sent to MySQL, which concatenates and hashes them
prepStmt.setString(3, user.getUserPassword());
prepStmt.setBytes(4, salt);
prepStmt.setBytes(5, salt); // the salt is stored alongside the hash for the login check

prepStmt.executeUpdate();

The login process being:

sql = "SELECT * FROM user_login WHERE user_mail = ? AND user_password = SHA2(CONCAT(?, ?), 256)";

prepStmt = conn.prepareStatement(sql);

prepStmt.setString(1, user.getUserMail());
prepStmt.setString(2, user.getUserPassword());
prepStmt.setBytes(3, salt); // the user's stored salt, retrieved beforehand
res = prepStmt.executeQuery(); // a row comes back only if the recomputed hash matches

And the update being:

sql = "UPDATE user_login SET user_password = SHA2(CONCAT(?, ?), 256), user_salt = ? WHERE user_id = ?";

prepStmt = conn.prepareStatement(sql);

// Process password: a new salt is generated for every password change
prepStmt.setString(1, newPassword);
prepStmt.setBytes(2, newSalt); // generated beforehand
prepStmt.setBytes(3, newSalt);

prepStmt.setInt(4, currentUser.getUserId());

prepStmt.executeUpdate();

The important part is this, where the database does the work of salting and hashing:

SHA2(CONCAT(?, ?), 256)

Questions:

  • How would I translate this part into JPA/Hibernate?
  • Is it possible using "@Query", "@Formula" or something else for example?
  • Is it even possible to translate to begin with? And if not, is there a way to implement such a thing without conflicts from JPA/Hibernate?
  • Should I use database triggers/procedures?*

Thank you for your time.

*edit

CD Navras
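The following is an added example, not code from the question or from any project the asker uses. It shows one way to carry the question's SHA2(CONCAT(?, ?), 256) scheme over to JPA without expressing the SQL function in a mapping: the entity computes the same salted SHA-256 hex digest in Java (MessageDigest, SecureRandom) and stores it through ordinary mapped columns, so insert, login check and password change all become plain entity operations. The table and column names are taken from the question; the 16-byte salt length, the javax.persistence imports and the class name UserLogin are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;
import javax.persistence.Table;

/**
 * Added example: the question's user_login row as a JPA entity. The hash that the
 * question computes in MySQL with SHA2(CONCAT(password, salt), 256) is computed here
 * in Java instead, so the mapping needs no SQL expression at all.
 */
@Entity
@Table(name = "user_login")
public class UserLogin {

    // Assumed: the question never shows how getSalt() sizes its salt.
    private static final int SALT_BYTES = 16;
    private static final SecureRandom RNG = new SecureRandom();

    @Id
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    @Column(name = "user_id")
    private Integer userId;

    @Column(name = "user_mail", nullable = false, unique = true)
    private String userMail;

    @Column(name = "user_handle", nullable = false)
    private String userHandle;

    // SHA2(..., 256) in MySQL yields a 64-character lowercase hex string.
    @Column(name = "user_password", nullable = false, length = 64)
    private String userPassword;

    @Column(name = "user_salt", nullable = false)
    private byte[] userSalt;

    protected UserLogin() { } // required by JPA

    public UserLogin(String userMail, String userHandle, String plainPassword) {
        this.userMail = userMail;
        this.userHandle = userHandle;
        setPassword(plainPassword);
    }

    /** Replaces the question's UPDATE: new salt and new hash on every password change. */
    public void setPassword(String plainPassword) {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        this.userSalt = salt;
        this.userPassword = sha2Concat(plainPassword, salt);
    }

    /**
     * Replaces the question's SELECT ... AND user_password = SHA2(...): load the entity
     * by mail, then recompute with the stored salt and compare in constant time.
     */
    public boolean passwordMatches(String plainPassword) {
        byte[] expected = userPassword.getBytes(StandardCharsets.US_ASCII);
        byte[] actual = sha2Concat(plainPassword, userSalt).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, actual);
    }

    /**
     * Java equivalent of SHA2(CONCAT(password, salt), 256): the password's UTF-8 bytes
     * followed by the raw salt bytes, hashed with SHA-256 and rendered as lowercase hex.
     */
    static String sha2Concat(String plainPassword, byte[] salt) {
        byte[] pw = plainPassword.getBytes(StandardCharsets.UTF_8);
        byte[] input = new byte[pw.length + salt.length];
        System.arraycopy(pw, 0, input, 0, pw.length);
        System.arraycopy(salt, 0, input, pw.length, salt.length);
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(input);
            StringBuilder hex = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is required in every Java runtime", e);
        }
    }

    public Integer getUserId() { return userId; }
    public String getUserMail() { return userMail; }
    public String getUserHandle() { return userHandle; }
}
```

With this entity the insert is `entityManager.persist(new UserLogin(mail, handle, plain))`, the login check is a JPQL lookup by `userMail` followed by `passwordMatches(plain)`, and a password change is `setPassword(newPlain)` on a managed entity. Two properties follow from moving the computation out of the SQL statement: the plaintext password no longer appears inside a query, so it cannot surface in the MySQL general query log or slow log, and the hashing algorithm is now a single Java method, so a salted fast hash like SHA-256 can later be replaced by a deliberately slow password hash (for example PBKDF2 via `SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")`) without touching the schema or the JPA mapping. Existing rows created by the question's SQL remain verifiable because `sha2Concat` produces the same hex string MySQL did.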

0 Answers