CAS documentation only shows using SHA1 or MD5 for encoding and mentions no 
other hashes as being available.

David Ohsie wrote an adapter to use Spring Security password encoders in CAS 
including salts.  You can find that here:  
https://groups.google.com/forum/#!topic/jasig-cas-dev/eZDRV4vbGzg


You could use that basic idea to tie in any of the Spring Security password 
encoders.  I believe those only go up to SHA256.  Spring Security also has the 
standard password encoder -- 1024 iterations of sha256 with 8 byte salt -- or 
the BCrypt encoder -- designed to be slow for the attacker and based off 
Blowfish. 

See: 
http://security.stackexchange.com/questions/4781/do-any-security-experts-recommend-bcrypt-for-password-storage

http://docs.spring.io/spring-security/site/docs/3.1.x/apidocs/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoder.html

http://stackoverflow.com/questions/17444258/how-to-use-new-passwordencoder-from-spring-security

http://docs.spring.io/spring-security/site/docs/3.1.x/apidocs/org/springframework/security/crypto/password/StandardPasswordEncoder.html


-----Original Message-----
From: Richard Wiseman [mailto:[email protected]] 
Sent: Thursday, July 10, 2014 9:05 AM
To: [email protected]
Subject: [cas-user] Using SHA512

Hi,

The CAS documentation <https://wiki.jasig.org/display/CASUM/JDBC> indicates 
that you can use any of the MACs listed on the JDK Javadoc 
<http://download.oracle.com/javase/1.5.0/docs/guide/security/jce/JCERefGuide.html#AppA>
 for the password encoder's encodingAlgorithm attribute; this list includes 
"HmacSHA512", which is what I want to use.  (I confess I don't know the 
difference, if any, between SHA512 and HmacSHA512 in the context of hashing 
passwords.)

I have used the following in my deployerConfigContext.xml file:

<bean id="passwordEncoder" 
class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder" 
c:encodingAlgorithm="SHA1" p:characterEncoding="UTF-8" />

and it worked.  However, neither of the following two variants works:

<bean id="passwordEncoder" 
class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder" 
c:encodingAlgorithm="HmacSHA512" p:characterEncoding="UTF-8" />

and

<bean id="passwordEncoder" 
class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder" 
c:encodingAlgorithm="SHA512" p:characterEncoding="UTF-8" />

Each of these results in something in the log such as:

2014-07-10 15:13:01,251 INFO 
[com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail 
record BEGIN =============================================================
WHO: audit:unknown
WHAT: java.security.NoSuchAlgorithmException: SHA512 MessageDigest not available
ACTION: TICKET_GRANTING_TICKET_NOT_CREATED
APPLICATION: CAS
WHEN: Thu Jul 10 15:13:01 BST 2014
CLIENT IP ADDRESS: 10.255.240.6
SERVER IP ADDRESS: cas.zion.bt.co.uk
=============================================================

This suggests that I have to provide an implementation of SHA512.  However, I 
have no idea where to get one or how to make it available once I do!  (I assume 
I would get a JAR file and put it in WEB-INF/lib - but I don't know how I would 
specify the implementing class name in deployerConfigContext.xml.)

Also, even if I do find an implementation, what I really need is one that lets 
me specify a salt for each password.

And I need to get the salt from the database containing the hashed passwords.

Is this an unrealistic or naively optimistic notion?  Should I really be 
thinking about implementing a bean or other Java class and (somehow) using that 
instead of CAS's built in JDBC options?  If I should, what's the 
preferred/easiest approach?

Any advice would be much appreciated!

Many thanks.
--
You are currently subscribed to [email protected] as: 
[email protected] To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user
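The two things this thread turns on, as an added example in plain JDK Java (not code from CAS or Spring Security): the JCA standard name for the digest is "SHA-512" (whether shorter spellings such as "SHA512" resolve depends on the JDK and providers, which is what the audit line above reports on), "HmacSHA512" is a keyed Mac service and not a MessageDigest at all, and a per-user salted check reads the salt from the same record as the hash. The credential record below is a constructed in-memory value standing in for a database row, and the class name CasDigestNames is the example's own.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import javax.crypto.Mac;

/**
 * Added example, not CAS or Spring Security code.
 * Part 1 probes which JCA service names the running JDK resolves; the
 * "SHA512 MessageDigest not available" line comes from exactly this lookup.
 * Part 2 checks a candidate password against a salted SHA-512 hash where the
 * salt is stored next to the hash (a constructed record stands in for the row).
 */
public class CasDigestNames {

    /** True if name resolves as a MessageDigest (the service type named in the log). */
    static boolean isDigestAvailable(String name) {
        try {
            MessageDigest.getInstance(name);
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    /** True if name resolves as a Mac; HMAC names live here, never under MessageDigest. */
    static boolean isMacAvailable(String name) {
        try {
            Mac.getInstance(name);
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    /** SHA-512 over salt || password, hex-encoded. "SHA-512" is the JCA standard name. */
    static String saltedSha512Hex(byte[] salt, String password)
            throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-512");
        md.update(salt);
        // explicit charset plays the role of the characterEncoding attribute
        md.update(password.getBytes(StandardCharsets.UTF_8));
        return toHex(md.digest());
    }

    /** Recomputes with the stored salt and compares in constant time. */
    static boolean verify(byte[] saltFromDb, String storedHex, String candidate)
            throws NoSuchAlgorithmException {
        byte[] expected = fromHex(storedHex);
        byte[] actual = fromHex(saltedSha512Hex(saltFromDb, candidate));
        return MessageDigest.isEqual(expected, actual);
    }

    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    static byte[] fromHex(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Part 1: the spellings from the thread. Only the standard names are
        // guaranteed; aliases vary by JDK version and installed providers.
        for (String name : new String[] {"SHA1", "SHA-1", "SHA512", "SHA-512", "HmacSHA512"}) {
            System.out.printf("%-11s MessageDigest=%-5s Mac=%s%n",
                    name, isDigestAvailable(name), isMacAvailable(name));
        }

        // Part 2: constructed credential record (salt + hash), as a JDBC row
        // holding both columns would.
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        String storedHash = saltedSha512Hex(salt, "correct horse battery");

        System.out.println(verify(salt, storedHash, "correct horse battery"));
        System.out.println(verify(salt, storedHash, "wrong password"));
    }
}
```

Compile with javac and run with java; the first part prints, for each spelling, whether it resolves as a MessageDigest and as a Mac on that JDK, so the table explains the audit line without guessing. A single salted SHA-512 as in part 2 is the least that a per-user salt buys; the iterated StandardPasswordEncoder and the BCryptPasswordEncoder mentioned in the reply are slower for an attacker running guesses against a leaked table and are the better choice wherever the adapter linked there can be wired in.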

