Encrypted passwords for Database Directory Services

Hello,

I wonder whether it is possible to use encrypted passwords for a User Directory Service (based on a database) in webMethods. The description of the “Query Authenticate” when creating or updating such a service says:
“Sql query that returns persisted user credentials for authentication. Parameters: {uid}, {dn}, {password}. Example SELECT password FROM users WHERE id = '{uid}'”

So far so good, the example query works fine in case I do not save the password encrypted in the database. But apparently this is not a good approach. Now I struggle to authenticate a user when the password is SHA1-encrypted in the database. Since it seems to be necessary to return the plain text password to the application, I thought that using the {password} parameter in the following way would solve my problem:

SELECT '{password}' as password FROM users WHERE id = '{uid}' AND HASHBYTES('SHA1', '{password}') = encryptedPassword

However, even though that would work in theory, it fails in practice because, contrary to what the description says, the parameter {password} is never replaced by the system and the SQL Server receives the query like this:

SELECT '{password}' as password FROM users WHERE id = 'testuser' AND HASHBYTES('SHA1', '{password}') = encryptedPassword

instead of

SELECT 'myPassword' as password FROM users WHERE id = 'testuser' AND HASHBYTES('SHA1', 'myPassword') = encryptedPassword

I would really appreciate any help or any hint.

Why can’t you create a Stored procedure which accepts the encrypted password as an input parameter and encapsulate all the logic in the stored procedure?
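
One shape the stored-procedure suggestion above could take, as an added T-SQL example that is not part of the thread: the comparison happens inside SQL Server with bound parameters instead of text substituted into the query, and the hash is salted SHA2_512 rather than bare SHA1. The `salt` column and both procedure names are assumptions, and whether the webMethods directory service can call a procedure from "Query Authenticate" is not established here.

```sql
-- Added example (T-SQL). Table and column names follow the thread;
-- the salt column and both procedure names are assumptions.
CREATE TABLE dbo.users (
    id                VARCHAR(64)   NOT NULL PRIMARY KEY,
    salt              VARBINARY(16) NOT NULL,  -- assumed: per-user random salt
    encryptedPassword VARBINARY(64) NOT NULL   -- SHA2_512(salt + password)
);
GO

-- Set or reset a password; a fresh salt is generated on every call.
CREATE PROCEDURE dbo.usp_SetPassword
    @uid      VARCHAR(64),
    @password NVARCHAR(128)
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @salt VARBINARY(16) = CRYPT_GEN_RANDOM(16);
    DECLARE @hash VARBINARY(64) =
        HASHBYTES('SHA2_512', @salt + CAST(@password AS VARBINARY(256)));

    UPDATE dbo.users SET salt = @salt, encryptedPassword = @hash WHERE id = @uid;
    IF @@ROWCOUNT = 0
        INSERT INTO dbo.users (id, salt, encryptedPassword) VALUES (@uid, @salt, @hash);
END
GO

-- Verify a login attempt. Only a yes/no flag leaves the database;
-- neither the stored hash nor the salt is returned to the caller.
CREATE PROCEDURE dbo.usp_VerifyPassword
    @uid      VARCHAR(64),
    @password NVARCHAR(128)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT CASE WHEN EXISTS (
        SELECT 1
        FROM dbo.users
        WHERE id = @uid
          AND encryptedPassword =
              HASHBYTES('SHA2_512', salt + CAST(@password AS VARBINARY(256)))
    ) THEN 1 ELSE 0 END AS authenticated;
END
GO

-- Constructed sample values, reusing the user and password from the question.
EXEC dbo.usp_SetPassword    @uid = 'testuser', @password = N'myPassword';
EXEC dbo.usp_VerifyPassword @uid = 'testuser', @password = N'myPassword';
EXEC dbo.usp_VerifyPassword @uid = 'testuser', @password = N'wrongPassword';
```

A single salted SHA-2 pass is fast to compute and therefore cheap to brute-force if the table leaks; a deliberately slow KDF (PBKDF2, bcrypt, Argon2) applied in the application is the stronger choice where the directory service allows it.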

Hi Felix,

Why don’t you take advantage of the built-in encrypt and decrypt services in this case? Can you give it a try and let us know your observations?

Thanks,