On Tue, Aug 19, 2008 at 2:52 PM, David Latorre <[EMAIL PROTECTED]> wrote:
>> How about we do a common password encryption strategy between
>> PropertiesUserManager and DbUserManager? Right now,
>> PropertiesUserManager does a simple MD5 on the password, but this is
>> not a good idea as it is not secure against lookup attacks. So, I'm
>> planning to rewrite it to use a stronger hashing algorithm (salt and
>> multiple hashing rounds). At the same time, it might make sense to do
>> the same for DbUserManager. Would that solve your issue?
>>
> Not really, since we are integrating our database with several other systems
> (our hashing algorithm is not very secure either, but the thing is that I
> have to use a 'predefined' algorithm). Anyway, it is true that configuration
> should be kept as simple as possible ... I would vote for an object that
> implements the new, more robust encryption code; we would store the object
> in the UserManagers with a public setter so that the encryption method can
> be overridden by code. I'd say there's no need to have an interface for such
> a simple task.
Thanks for the explanation, it makes me understand your requirement much better. Let me think about how to best solve this. Could you maybe add a JIRA issue?

/niklas
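The two ideas in this thread, salted multi-round hashing replacing plain MD5, and an encryptor object held by the user manager behind a public setter so a deployment bound to a predefined algorithm can swap its own in, as an added Java example. This is not the project's code and not part of the thread; the names PasswordEncryptor, SaltedPasswordEncryptor, Md5PasswordEncryptor, ExampleUserManager and PluggablePasswordDemo are assumptions, the storage format "rounds:saltHex:hashHex" is this example's own, and it needs Java 17 or later for java.util.HexFormat. It models the strategy as a small interface, which David considered unnecessary; a concrete class with overridable methods would serve the same purpose.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.HexFormat;
import java.util.Map;

/** Hypothetical strategy type (an assumption of this example, not project API). */
interface PasswordEncryptor {
    String encrypt(String password);                 // stored form of a new password
    boolean matches(String password, String stored); // check a login attempt against it
}

/** Salted, iterated SHA-256, stored as "rounds:saltHex:hashHex" (this example's own format). */
final class SaltedPasswordEncryptor implements PasswordEncryptor {
    private static final SecureRandom RNG = new SecureRandom();
    private static final HexFormat HEX = HexFormat.of();
    private final int rounds;

    SaltedPasswordEncryptor(int rounds) {
        if (rounds < 1) throw new IllegalArgumentException("rounds must be >= 1");
        this.rounds = rounds;
    }
    public String encrypt(String password) {
        byte[] salt = new byte[16]; // a fresh random salt per password defeats lookup tables
        RNG.nextBytes(salt);
        return rounds + ":" + HEX.formatHex(salt) + ":" + HEX.formatHex(hash(password, salt, rounds));
    }
    public boolean matches(String password, String stored) {
        String[] parts = stored.split(":");
        if (parts.length != 3) return false;
        try {
            int r = Integer.parseInt(parts[0]);       // rounds come from the record, so entries
            if (r < 1 || r > 1_000_000) return false; // hashed under an older default still verify
            byte[] expected = HEX.parseHex(parts[2]);
            return MessageDigest.isEqual(hash(password, HEX.parseHex(parts[1]), r), expected); // constant-time
        } catch (IllegalArgumentException malformed) { // bad number or bad hex in the record
            return false;
        }
    }
    private static byte[] hash(String password, byte[] salt, int rounds) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(salt);
            byte[] h = md.digest(password.getBytes(StandardCharsets.UTF_8));
            for (int i = 1; i < rounds; i++) { // every extra round re-feeds the salt
                md.update(salt);
                h = md.digest(h);
            }
            return h;
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is mandatory in every JRE
        }
    }
}

/** Unsalted MD5 hex: the predefined scheme a user table shared with other systems may already use. */
final class Md5PasswordEncryptor implements PasswordEncryptor {
    public String encrypt(String password) {
        try {
            MessageDigest md5 = MessageDigest.getInstance("MD5");
            return HexFormat.of().formatHex(md5.digest(password.getBytes(StandardCharsets.UTF_8)));
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
    public boolean matches(String password, String stored) { // constant-time compare of the hex forms
        return MessageDigest.isEqual(encrypt(password).getBytes(StandardCharsets.UTF_8),
                                     stored.toLowerCase().getBytes(StandardCharsets.UTF_8));
    }
}

/** Hypothetical user store; the public setter is the hook for overriding the encryptor from code. */
final class ExampleUserManager {
    private final Map<String, String> records = new HashMap<>();
    private PasswordEncryptor encryptor = new SaltedPasswordEncryptor(10_000);

    public void setPasswordEncryptor(PasswordEncryptor e) { this.encryptor = e; }
    public void addUser(String name, String password) { records.put(name, encryptor.encrypt(password)); }
    public void importRecord(String name, String stored) { records.put(name, stored); } // row made elsewhere
    public boolean authenticate(String name, String password) {
        String stored = records.get(name);
        return stored != null && encryptor.matches(password, stored);
    }
}

public class PluggablePasswordDemo {
    public static void main(String[] args) {
        ExampleUserManager mgr = new ExampleUserManager();
        mgr.addUser("alice", "correct horse battery staple");
        System.out.println("salted, right password: " + mgr.authenticate("alice", "correct horse battery staple"));
        System.out.println("salted, wrong password: " + mgr.authenticate("alice", "tr0ub4dor&3"));

        // A deployment sharing its user table with other systems keeps their plain MD5 scheme instead.
        mgr.setPasswordEncryptor(new Md5PasswordEncryptor());
        mgr.importRecord("bob", "5f4dcc3b5aa765d61d8327deb882cf99"); // constructed row: md5("password")
        System.out.println("legacy md5, right password: " + mgr.authenticate("bob", "password"));
    }
}
```

The hand-rolled SHA-256 loop is there to make the "salt and multiple hashing rounds" mechanism visible; in a real deployment the same idea is better taken from an established construction such as PBKDF2 (available in the JDK through javax.crypto.SecretKeyFactory) or bcrypt, and the round count should be tuned so that one verification costs a noticeable fraction of a millisecond on the server. Storing the round count inside each record is what lets the default be raised later without invalidating existing users, and comparing with MessageDigest.isEqual rather than String.equals keeps verification time independent of how many leading bytes match.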
