Hi,
DSpace Eperson password hash:
https://github.com/DSpace/DSpace/blob/master/dspace-api/src/main/java/org/dspace/eperson/PasswordHash.java
Hashing the eperson password for storing purposes only allows one to secure
DSpace against those who have access to the database (mainly, DSpace
administrators).
However deploying DSpace without HTTPS will allow anyone on the local
network to watch all passwords, as they travel as plaintext.
On 1 November 2012 08:24, Umair Kayani <[email protected]> wrote:
> Helix, Using SSL was our backup plan. DSpace keeps the hash of the
> password in database so I was wondering at what servlet this change occur.
> If request is going with clear password then it must be converting it to
> match with database password of the user for authentication. I need to know
> that code file or method for my understanding at least. Though I checked
> AuthenticationManager, AuthenticationMethod and eperson code files and
> found nothing there except a hashcode method in eperson code file. Can
> anyone confirm if this is the one which dspace uses to convert plain text
> password to hashcode and then match that hashcode with database hashcode.
>
>
> Thanks & Regards
> Umair Kayani
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of
> helix84
> Sent: Wednesday, October 31, 2012 5:26 PM
> To: Umair Kayani
> Cc: [email protected]
> Subject: [?? Probable Spam] Re: [Dspace-tech] Application Security details
> of dspace 1.8.2
>
> On Wed, Oct 31, 2012 at 1:03 PM, Umair Kayani <[email protected]>
> wrote:
> > What I want is to make my login password encrypted without deploying
> > SSL certificate (without going on to https). What I investigated so
> > far is that my password travels in plain text on the network which is
> > a security risk. But when I check my password in database it is the
> > hash value so I want to know at what point my password calculates its
> > hash or verify its hash. Please also let me know what code files are
> > involved in all its process
>
> That's correct, password is sent in plain text over HTTP, which is why
> it's recommended to use HTTPS at least for the login form.
>
> I have to say that while it's possible to make a system which will encrypt
> the password being sent, that means reimplementing "something like TLS",
> which is bound to be a poor reimplementation and is one of the most common
> security mistakes in general. For that reason, I'm not going to give you
> tips how to do it.
>
> I'm wondering what is the reason why you don't want to use HTTPS.
> Perhaps you don't have a free IP address? The solution is to use SNI
> (Server Name Indication).
>
>
> Regards,
> ~~helix84
>
> Compulsory reading: DSpace Mailing List Etiquette
> https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette
>
>
>
>
> ------------------------------------------------------------------------------
> Everyone hates slow websites. So do we.
> Make your web apps faster with AppDynamics
> Download AppDynamics Lite for free today:
> http://p.sf.net/sfu/appdyn_sfd2d_oct
> _______________________________________________
> DSpace-tech mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/dspace-tech
>
--
Thanks, João Melo (My Portfolio <http://www.lyncode.com/m/jmelo/>)
DSpace Department
*Lyncode*: Official
website<http://www.google.com/url?q=http%3A%2F%2Fwww.lyncode.com%2F&sa=D&sntz=1&usg=AFrqEzdV8iS6rMxflxnn138XReuRfUG3OQ>
[image: Follow us on
Facebook]<http://www.google.com/url?q=http%3A%2F%2Ftwitter.com%2Flyncode&sa=D&sntz=1&usg=AFrqEzeDuT3ZqMW5uVIA8AoxtTtAeiCX3Q>
<http://www.google.com/url?q=http%3A%2F%2Fwww.facebook.com%2Flyncode&sa=D&sntz=1&usg=AFrqEzcWXjHa3gKBGLsNVxktapxkiWDnww>
------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_sfd2d_oct
_______________________________________________
DSpace-tech mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/dspace-tech
