On 01/19/2012 04:28 AM, Paul Libbrecht wrote:
> Hello developers, for quite a long time I have seen that XWiki has the practice of a cookie that says the username (and password) encrypted. The way to encrypt the username seems to be a "simple" cipher that would be fairly easy to share, provided the key is shared of course. I am considering using this for the purpose of recognizing the authenticity of a request to another web-application. I am thinking a simple servlet filter would be able to do most of the authentication services, provided the user is logged into XWiki (and the cookie path makes /blabla also receive the cookie). But there are two questions:
> - is this encryption recognizable as signed? (i.e. can someone without the key generate an encrypted username?)
The same key is used both for encryption and decryption, but there's no signature on it, so probably any random string can be encrypted and decrypted, so you'll need a way to check the plaintext value as well, not just the encrypted one.
The algorithm used by default is DES/ECB with PKCS5Padding, but this can be changed in the configuration.
> - is this practice expected to last?
No idea.
> If yes to both, it would be interesting to share a servlet filter (or even Apache module) that would do this recognition and indicate the recognized user-principals. Maybe that was done already?
Well, the authentication is based on http://securityfilter.sourceforge.net/ which does provide a servlet filter, which we're not using in XWiki and instead have our own authentication process.
> thanks in advance
--
Sergiu Dumitriu
http://purl.org/net/sergiu/

_______________________________________________
devs mailing list
[email protected]
http://lists.xwiki.org/mailman/listinfo/devs
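To make the point about the missing signature concrete, here is an added example (not XWiki's code and not from the thread) in Go rather than XWiki's Java so it runs stand-alone: `desECB` is the DES/ECB/PKCS5Padding step by itself, which on decryption can check nothing but the padding bytes, and `SealUser`/`OpenUser` add the check the thread says is absent, an HMAC over the ciphertext verified before anything is decrypted. The two keys are constructed placeholders, and the `tag`, `SealUser` and `OpenUser` names are this example's own.

```go
package main
import (
	"bytes"
	"crypto/des"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
)

// Constructed demo keys, not XWiki's; a deployment loads both from configuration (DES wants exactly 8 key bytes).
var desKey, macKey = []byte("8bytekey"), []byte("constructed-hmac-key")
// desECB is the thread's DES/ECB/PKCS5Padding step alone: blocks are independent; decryption checks only the padding.
func desECB(in []byte, enc bool) ([]byte, error) {
	blk, _ := des.NewCipher(desKey)
	f, n := blk.Decrypt, 8-len(in)%8 // n is the PKCS5 pad length when encrypting
	if enc {
		f, in = blk.Encrypt, append(append([]byte{}, in...), bytes.Repeat([]byte{byte(n)}, n)...)
	} else if len(in) == 0 || len(in)%8 != 0 {
		return nil, errors.New("ciphertext is not whole DES blocks")
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += 8 {
		f(out[i:i+8], in[i:i+8])
	}
	if enc {
		return out, nil
	}
	if n = int(out[len(out)-1]); n < 1 || n > 8 || !bytes.Equal(out[len(out)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return out[:len(out)-n], nil
}
func tag(ct []byte) []byte { // HMAC-SHA256 over the ciphertext, keyed separately from DES
	m := hmac.New(sha256.New, macKey)
	m.Write(ct)
	return m.Sum(nil)
}
// SealUser/OpenUser add the missing check: HMAC over the ciphertext (encrypt-then-MAC), verified in constant time before decrypting.
func SealUser(user string) []byte {
	ct, _ := desECB([]byte(user), true)
	return append(ct, tag(ct)...)
}
func OpenUser(cookie []byte) (string, error) {
	n := len(cookie) - sha256.Size
	if n < 8 || !hmac.Equal(cookie[n:], tag(cookie[:n])) {
		return "", errors.New("cookie is malformed or not authentic")
	}
	pt, err := desECB(cookie[:n], false)
	return string(pt), err
}
```

The sealed value is raw bytes; base64-encode it before placing it in a cookie, and decode it before calling `OpenUser`.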