Thanks again Dmitriy. I suspected that it wouldn't be possible out of the box but thought I'd ask just in case! I'll look into the possibility of creating a custom plug-in or something.
I'll look at the documentation again to try and work out the best/simplest approach. Any pointers or hints would if course be welcome! :-) Thanks once again, Richard -----Original Message----- From: Dmitriy Kopylenko [[email protected]<mailto:[email protected]>] Sent: Thursday, July 10, 2014 04:26 PM GMT Standard Time To: [email protected] Subject: Re: [cas-user] Using SHA512 I don’t think CAS’ out of the box password encoder supports salt, etc. cas-addons has a Shiro’s framework based encoder impl which supports salting (only static at this time): https://github.com/Unicon/cas-addons/wiki/Configuring%20ShiroHashServicePasswordEncoder If there is enough interest for dynamic salt config, we could consider it adding it. Or another option, of course is the JIRA against CAS core for the more robust encoder impl(s) to be developed, etc. Best, Dmitriy. On Jul 10, 2014, at 11:19 AM, [email protected]<mailto:[email protected]> wrote: Hi Dmitriy, Thanks very much for that – it works! :-) Now for the really difficult part, I fear… Is it possible to provide a salt by specifying a database column? Thanks again, Richard From: Dmitriy Kopylenko [mailto:[email protected]] Sent: 10 July 2014 16:12 To: [email protected]<mailto:[email protected]> Subject: Re: [cas-user] Using SHA512 Hi Richard. Try SHA-512 instead of SHA512 Best, Dmitriy. On Jul 10, 2014, at 10:04 AM, Richard Wiseman <[email protected]<mailto:[email protected]>> wrote: Hi, The CAS documentation <https://wiki.jasig.org/display/CASUM/JDBC> indicates that you can use any of the MACs listed on the JDK Javadoc <http://download.oracle.com/javase/1.5.0/docs/guide/security/jce/JCERefGuide.html#AppA> for the password encoder's encodingAlgorithm attribute; this list includes "HmacSHA512", which is what I want to use. (I confess I don't know the difference, if any, between SHA512 and HmacSHA512 in the context of hashing passwords.) I have used the following in my deployerConfigContext.xml file: <bean id="passwordEncoder" class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder" c:encodingAlgorithm="SHA1" p:characterEncoding="UTF-8" /> and it worked. However, neither of the following two variants works: <bean id="passwordEncoder" class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder" c:encodingAlgorithm="HmacSHA512" p:characterEncoding="UTF-8" /> and <bean id="passwordEncoder" class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder" c:encodingAlgorithm="SHA512" p:characterEncoding="UTF-8" /> Each of these results in something in the log such as: 2014-07-10 15:13:01,251 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN ============================================================= WHO: audit:unknown WHAT: java.security.NoSuchAlgorithmException: SHA512 MessageDigest not available ACTION: TICKET_GRANTING_TICKET_NOT_CREATED APPLICATION: CAS WHEN: Thu Jul 10 15:13:01 BST 2014 CLIENT IP ADDRESS: 10.255.240.6 SERVER IP ADDRESS: cas.zion.bt.co.uk ============================================================= This suggests that I have to provide an implementation of SHA512. However, I have no idea where to get one or how to make it available once I do! (I assume I would get a JAR file and put it in WEB-INF/lib - but I don't know how I would specify the implementing class name in deployerConfigContext.xml.) Also, even if I do find an implementation, what I really need is one that lets me specify a salt for each password. And I need to get the salt from the database containing the hashed passwords. Is this an unrealistic or naively optimistic notion? Should I really be thinking about implementing a bean or other Java class and (somehow) using that instead of CAS's built in JDBC options? If I should, what's the preferred/easiest approach? Any advice would be much appreciated! Many thanks. -- You are currently subscribed to [email protected]<mailto:[email protected]> as: [email protected]<mailto:[email protected]> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to [email protected]<mailto:[email protected]> as: [email protected]<mailto:[email protected]> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to [email protected]<mailto:[email protected]> as: [email protected]<mailto:[email protected]> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
