[
https://issues.apache.org/jira/browse/GERONIMO-1565?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12538008
]
Vamsavardhana Reddy commented on GERONIMO-1565:
-----------------------------------------------
I think LDAP Servers provide for storing a hashed password, and the algorithm
need not be the same for all passwords stored in the LDAP server. It will be the
LDAP Server's responsibility to validate the user provided password against the
one stored in LDAP. My guess is that it is a bug in Apache DS.
> Ldap Login Module should handle password hashing
> ------------------------------------------------
>
> Key: GERONIMO-1565
> URL: https://issues.apache.org/jira/browse/GERONIMO-1565
> Project: Geronimo
> Issue Type: Wish
> Security Level: public(Regular issues)
> Components: security
> Affects Versions: 1.0
> Environment: All supported platforms
> Reporter: Phani Balaji Madgula
> Fix For: Wish List
>
>
> If a J2EE application is configured for declarative security management, and
> uses a security realm deployed on Apache Directory Server user registry for
> role mappings, container fails to authenticate users if the passwords are
> hashed in LDAP registry using any standard Hashing techniques (MD5, SHA, etc.).
> Container authenticates successfully, if the passwords are stored plain.
> The following information might help out in resolving the issue.
> I developed a small application that uses pure programmatic security login,
> using Netscape Java LDAP SDK.
> When I store password in MD5/SHA, I applied corresponding hashing on password
> sent by user and compared with the password retrieved from the LDAP server.
> To know how the password is stored in LDAP, we can check for prefix "{md5}"
> for MD5, and "{sha}" for SHA.
> The following is the code snippet
>
> String uname = req.getParameter("userName");
> String password = req.getParameter("password");
>
> boolean loginSucceed = false;
> String hashMethod = "PLAIN";
> String hashedPassword = password;
> String ldapPassword = getLdapPassword(uname); // Retrieve password from LDAP for the user
> if(ldapPassword.startsWith("{md5}")){
> hashMethod = "MD5";
> }else if(ldapPassword.startsWith ("{sha}")){
> hashMethod = "SHA";
> }
> if(hashMethod.equals("SHA")){
> hashedPassword = getSHAHashedPassword(password);
> }else if(hashMethod.equals("MD5")){
> hashedPassword = getMD5HashedPassword(password);
> }
>
> System.out.println("AuthenticateServlet:service:hashedPassword:"+hashedPassword);
>
> System.out.println("AuthenticateServlet:service:ldapPassword:"+ldapPassword);
> if(hashedPassword.equals(ldapPassword)) loginSucceed = true;
>
> So, with programmatic login, we can solve the problem.
> I guess hashing is not part of specification while using container managed
> security authentication.
> With declarative/container security management, I guess, current application
> login implementation must consider Hashing of passwords also.
> Thanks
> phani
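The issue description above compares a freshly hashed candidate against the `{md5}` / `{sha}` value read back from the directory. The following is an added example (not code from the issue, the reporter, or Geronimo/Apache DS) that does the same check in Python for the RFC 2307 style `userPassword` encodings: unprefixed plain text, `{MD5}`, `{SHA}`, and salted `{SSHA}` (digest followed by the salt inside the base64 payload). The user records in `CONSTRUCTED_DIRECTORY` and the helper names `verify_ldap_password`, `encode_ssha` and `authenticate` are assumptions made for this example; the `{SHA}` and `{MD5}` values are simply the hashes of the constructed password "secret".

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample directory contents for this example (not from the issue).
# userPassword values follow the {scheme}base64 convention the issue describes.
CONSTRUCTED_DIRECTORY: Dict[str, str] = {
    "alice": "{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=",     # SHA-1 of "secret"
    "bob": "{md5}Xr4ilOzQ4PCOq3aQ0qbuaQ==",           # MD5 of "secret", lowercase prefix
    "carol": "secret",                                # stored plain, as in the issue
}


def parse_scheme(stored: str) -> Tuple[str, str]:
    """Split a userPassword value into (SCHEME, payload).

    A value without a {scheme} prefix is treated as plain text, which is
    what the issue reports the container handling correctly today.
    The scheme name is upper-cased so "{md5}" and "{MD5}" are equivalent.
    """
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}")
        return stored[1:end].upper(), stored[end + 1:]
    return "PLAIN", stored


def verify_ldap_password(candidate: str, stored: str) -> bool:
    """Return True if `candidate` matches the stored userPassword value.

    Comparisons use hmac.compare_digest so a wrong password is rejected in
    time that does not depend on how many leading bytes happened to match.
    Unknown schemes and undecodable payloads are rejected, never treated
    as plain text.
    """
    scheme, payload = parse_scheme(stored)
    cand = candidate.encode("utf-8")

    if scheme == "PLAIN":
        return hmac.compare_digest(cand, payload.encode("utf-8"))

    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return False

    if scheme == "MD5":
        return hmac.compare_digest(hashlib.md5(cand).digest(), raw)
    if scheme == "SHA":
        return hmac.compare_digest(hashlib.sha1(cand).digest(), raw)
    if scheme == "SSHA":
        # Salted SHA-1: the 20-byte digest is followed by the salt that was
        # appended to the password before hashing.
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(hashlib.sha1(cand + salt).digest(), digest)

    return False                # e.g. {CRYPT}: not supported here, so refuse


def encode_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a {SSHA} userPassword value; a random 8-byte salt is used
    unless one is supplied (a fixed salt is only useful for tests)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def authenticate(uname: str, password: str,
                 directory: Dict[str, str] = CONSTRUCTED_DIRECTORY) -> bool:
    """Mirror the flow in the issue: look up the stored value for the user,
    then verify the submitted password against it. Unknown users fail."""
    stored = directory.get(uname)
    if stored is None:
        return False
    return verify_ldap_password(password, stored)


if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave"):
        print(user, authenticate(user, "secret"), authenticate(user, "wrong"))
    print(encode_ssha("secret"))
```

Two points to take from the example rather than from the issue's snippet: scheme matching should be case-insensitive, since directories commonly write `{SHA}` in upper case, and the hash comparison should be constant-time. Both MD5 and unsalted SHA-1 are shown only because they are the encodings the issue discusses; `{SSHA}` (or stronger, where the server supports it) is the better storage choice. Reading `userPassword` back and comparing it in the login module also needs a directory account permitted to read that attribute, which is one reason the comment above prefers to let the LDAP server validate the password itself (an LDAP bind as the user) rather than re-implementing each scheme client-side.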
--
This message is automatically generated by JIRA.