I don’t think CAS’ out-of-the-box password encoder supports salt, etc. 
cas-addons has a Shiro framework based encoder impl which supports salting 
(only static at this time):

https://github.com/Unicon/cas-addons/wiki/Configuring%20ShiroHashServicePasswordEncoder

If there is enough interest for dynamic salt config, we could consider 
adding it. Or another option, of course, is the JIRA against CAS core for the 
more robust encoder impl(s) to be developed, etc.

Best,
Dmitriy.

On Jul 10, 2014, at 11:19 AM, [email protected] wrote:

> Hi Dmitriy,
>  
> Thanks very much for that – it works! :-)
>  
> Now for the really difficult part, I fear…  Is it possible to provide a salt 
> by specifying a database column?
>  
> Thanks again,
>  
> Richard
>  
> From: Dmitriy Kopylenko [mailto:[email protected]] 
> Sent: 10 July 2014 16:12
> To: [email protected]
> Subject: Re: [cas-user] Using SHA512
>  
> Hi Richard.
>  
> Try SHA-512 instead of SHA512
>  
> Best,
> Dmitriy.
>  
> On Jul 10, 2014, at 10:04 AM, Richard Wiseman <[email protected]> wrote:
> 
> 
> Hi,
> 
> The CAS documentation <https://wiki.jasig.org/display/CASUM/JDBC> indicates 
> that you can use any of the MACs listed on the JDK Javadoc 
> <http://download.oracle.com/javase/1.5.0/docs/guide/security/jce/JCERefGuide.html#AppA>
>  for the password encoder's encodingAlgorithm attribute; this list includes 
> "HmacSHA512", which is what I want to use.  (I confess I don't know the 
> difference, if any, between SHA512 and HmacSHA512 in the context of hashing 
> passwords.)
> 
> I have used the following in my deployerConfigContext.xml file:
> 
> <bean id="passwordEncoder" 
> class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder" 
> c:encodingAlgorithm="SHA1" p:characterEncoding="UTF-8" />
> 
> and it worked.  However, neither of the following two variants works:
> 
> <bean id="passwordEncoder" 
> class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder" 
> c:encodingAlgorithm="HmacSHA512" p:characterEncoding="UTF-8" />
> 
> and
> 
> <bean id="passwordEncoder" 
> class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder" 
> c:encodingAlgorithm="SHA512" p:characterEncoding="UTF-8" />
> 
> Each of these results in something in the log such as:
> 
> 2014-07-10 15:13:01,251 INFO 
> [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit 
> trail record BEGIN
> =============================================================
> WHO: audit:unknown
> WHAT: java.security.NoSuchAlgorithmException: SHA512 MessageDigest not 
> available
> ACTION: TICKET_GRANTING_TICKET_NOT_CREATED
> APPLICATION: CAS
> WHEN: Thu Jul 10 15:13:01 BST 2014
> CLIENT IP ADDRESS: 10.255.240.6
> SERVER IP ADDRESS: cas.zion.bt.co.uk
> =============================================================
> 
> This suggests that I have to provide an implementation of SHA512.  However, I 
> have no idea where to get one or how to make it available once I do!  (I 
> assume I would get a JAR file and put it in WEB-INF/lib - but I don't know 
> how I would specify the implementing class name in deployerConfigContext.xml.)
> 
> Also, even if I do find an implementation, what I really need is one that 
> lets me specify a salt for each password.
> 
> And I need to get the salt from the database containing the hashed passwords.
> 
> Is this an unrealistic or naively optimistic notion?  Should I really be 
> thinking about implementing a bean or other Java class and (somehow) using 
> that instead of CAS's built-in JDBC options?  If I should, what's the 
> preferred/easiest approach?
> 
> Any advice would be much appreciated!
> 
> Many thanks.
> -- 
> You are currently subscribed to [email protected] as: 
> [email protected]
> To unsubscribe, change settings or access archives, see 
> http://www.ja-sig.org/wiki/display/JSG/cas-user


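Added example, not code from this thread, from CAS or from cas-addons: it reproduces the naming behaviour discussed above using only the plain Java JCA API (assumes Java 7 or later), showing that "SHA512" and "HmacSHA512" are not MessageDigest names while "SHA-512" is, that HmacSHA512 is a keyed Mac rather than a digest, and how a per-user salt stored beside the hash would be folded into a SHA-512 check, which is the part a custom encoder would have to supply since the stock DefaultPasswordEncoder has no salt support. The sample "row" values are constructed in the code.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class JcaNameDemo {
    // Look the name up exactly as a MessageDigest-based encoder hands it to the JCA.
    static String probeDigest(String name) {
        try {
            MessageDigest.getInstance(name);
            return name + ": available as a MessageDigest";
        } catch (NoSuchAlgorithmException e) {
            return name + ": " + e.getMessage(); // e.g. "SHA512 MessageDigest not available"
        }
    }

    // Salted SHA-512 over salt || password; the salt is whatever the user's salt column holds.
    // (A deliberately slow scheme such as PBKDF2 or bcrypt resists offline guessing far better.)
    static byte[] saltedSha512(byte[] salt, String password) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-512"); // standard JCA name, with hyphen
        md.update(salt);
        return md.digest(password.getBytes(StandardCharsets.UTF_8));
    }

    // HmacSHA512 is a keyed MAC obtained via javax.crypto.Mac, not a MessageDigest, so it can
    // never satisfy a digest-name lookup; it needs a secret key, not a salt.
    static byte[] hmacSha512(byte[] key, String message) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA512");
        mac.init(new SecretKeySpec(key, "HmacSHA512"));
        return mac.doFinal(message.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        System.out.println(probeDigest("SHA512"));     // fails: not a standard name
        System.out.println(probeDigest("SHA-512"));    // succeeds
        System.out.println(probeDigest("HmacSHA512")); // fails: Mac name, not a digest name

        // Constructed sample "row": a random per-user salt and the hash stored beside it.
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        byte[] storedHash = saltedSha512(salt, "correct horse battery staple");

        // At login: recompute with that user's own salt and compare in constant time.
        byte[] candidate = saltedSha512(salt, "correct horse battery staple");
        System.out.println("salted match: " + MessageDigest.isEqual(storedHash, candidate));
        System.out.println("hmac length: " + hmacSha512(salt, "correct horse battery staple").length);
    }
}
```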