Well thanks, let me try this one also, but the source that I got doesn't have this PasswordHash.java code file. Is this hash code file from the DSpace 3 sources or from the same 1.8.2? I think I downloaded the 1.8.2 version of DSpace 1 week back but I can't find this file there. What does this website do? Is this for those people who fix the bugs or mods? Secondly, is it safe enough to use code files uploaded here?
Thanks & Regards

From: João Melo [mailto:[email protected]]
Sent: Thursday, November 01, 2012 3:25 PM
To: Umair Kayani
Cc: [email protected]; [email protected]
Subject: Re: [Dspace-tech] Application Security details of dspace 1.8.2

Hi,

DSpace Eperson password hash:
https://github.com/DSpace/DSpace/blob/master/dspace-api/src/main/java/org/dspace/eperson/PasswordHash.java

Hashing the eperson password for storing purposes only allows one to secure DSpace against those who have access to the database (mainly, DSpace administrators). However, deploying DSpace without HTTPS will allow anyone on the local network to watch all passwords, as they travel as plaintext.

On 1 November 2012 08:24, Umair Kayani <[email protected]> wrote:

Helix,

Using SSL was our backup plan. DSpace keeps the hash of the password in the database, so I was wondering at what servlet this change occurs. If the request is going with a clear password then it must be converting it to match with the database password of the user for authentication. I need to know that code file or method, for my understanding at least. Though I checked the AuthenticationManager, AuthenticationMethod and eperson code files, I found nothing there except a hashcode method in the eperson code file. Can anyone confirm if this is the one which DSpace uses to convert the plain text password to a hash code and then match that hash code with the database hash code?

Thanks & Regards
Umair Kayani

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of helix84
Sent: Wednesday, October 31, 2012 5:26 PM
To: Umair Kayani
Cc: [email protected]
Subject: [?? Probable Spam] Re: [Dspace-tech] Application Security details of dspace 1.8.2

On Wed, Oct 31, 2012 at 1:03 PM, Umair Kayani <[email protected]> wrote:
> What I want is to make my login password encrypted without deploying
> an SSL certificate (without going on to https). What I investigated so
> far is that my password travels in plain text on the network, which is
> a security risk.
> But when I check my password in the database it is the
> hash value, so I want to know at what point my password calculates its
> hash or verifies its hash. Please also let me know what code files are
> involved in all this process.

That's correct, the password is sent in plain text over HTTP, which is why it's recommended to use HTTPS at least for the login form.

I have to say that while it's possible to make a system which will encrypt the password being sent, that means reimplementing "something like TLS", which is bound to be a poor reimplementation and is one of the most common security mistakes in general. For that reason, I'm not going to give you tips on how to do it.

I'm wondering what the reason is that you don't want to use HTTPS. Perhaps you don't have a free IP address? The solution is to use SNI (Server Name Indication).

Regards,
~~helix84

Compulsory reading: DSpace Mailing List Etiquette
https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_sfd2d_oct
_______________________________________________
DSpace-tech mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/dspace-tech

--
Thanks,
João Melo (My Portfolio <http://www.lyncode.com/m/jmelo/>)
DSpace Department
Lyncode: <http://www.google.com/url?q=http%3A%2F%2Fwww.lyncode.com%2F&sa=D&sntz=1&usg=AFrqEzdV8iS6rMxflxnn138XReuRfUG3OQ>
Official website <http://www.google.com/url?q=http%3A%2F%2Ftwitter.com%2Flyncode&sa=D&sntz=1&usg=AFrqEzeDuT3ZqMW5uVIA8AoxtTtAeiCX3Q>
Follow us on Facebook <http://www.google.com/url?q=http%3A%2F%2Fwww.facebook.com%2Flyncode&sa=D&sntz=1&usg=AFrqEzcWXjHa3gKBGLsNVxktapxkiWDnww>
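Added example, not DSpace's PasswordHash.java and not code posted by anyone in the thread above: a minimal server-side login check in Java that follows the division of labour João and helix84 describe. The database stores only a random salt and a slow hash, so someone reading the database learns no password; the plaintext still has to arrive at the server to be hashed and compared, so its confidentiality on the wire comes from HTTPS, not from this code. The class and method names, the PBKDF2 parameters and the sample password are assumptions made for the example.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Hypothetical example class (not DSpace code): where a password is hashed when
// it is set, and where the plaintext received at login is hashed again and
// compared against the stored value.
public final class PasswordVerifyExample {
    // Assumed parameters for this example; a real deployment tunes these.
    private static final int ITERATIONS = 100_000;
    private static final int KEY_BITS = 256;
    private static final int SALT_BYTES = 16;

    /** What the database row holds for one user: salt and hash, never the password. */
    public static final class StoredCredential {
        final byte[] salt;
        final byte[] hash;

        StoredCredential(byte[] salt, byte[] hash) {
            this.salt = salt;
            this.hash = hash;
        }

        @Override
        public String toString() {
            Base64.Encoder enc = Base64.getEncoder();
            return enc.encodeToString(salt) + "$" + enc.encodeToString(hash);
        }
    }

    // PBKDF2-HMAC-SHA256 from the JDK; the slow, salted step that makes a stolen
    // table of hashes expensive to reverse.
    static byte[] pbkdf2(char[] password, byte[] salt) throws Exception {
        KeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        return factory.generateSecret(spec).getEncoded();
    }

    /** Called when a password is created or changed: fresh random salt, then hash. */
    public static StoredCredential hashForStorage(char[] password) throws Exception {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);
        return new StoredCredential(salt, pbkdf2(password, salt));
    }

    /**
     * Called at login with the plaintext the server received (over HTTPS):
     * recompute with the stored salt and compare in constant time.
     */
    public static boolean verify(char[] candidate, StoredCredential stored) throws Exception {
        byte[] recomputed = pbkdf2(candidate, stored.salt);
        return MessageDigest.isEqual(recomputed, stored.hash);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample password for the demonstration.
        char[] password = "correct horse".toCharArray();
        StoredCredential cred = hashForStorage(password);

        // This string is all a database reader would see.
        System.out.println("stored: " + cred);
        System.out.println("right password accepted: " + verify("correct horse".toCharArray(), cred));
        System.out.println("wrong password accepted:  " + verify("wrong".toCharArray(), cred));
    }
}
```

Compile and run with javac and java; the printed stored form is what an administrator with database access would obtain. MessageDigest.isEqual is used instead of Arrays.equals so that the comparison does not stop at the first differing byte and leak its position through timing.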

