The password encoders are injected as Spring beans
(applicationSecurityContext.xml). Here is an example:

  <bean id="strongPbePasswordEncoder"
        class="org.geoserver.security.password.GeoServerPBEPasswordEncoder"
        scope="prototype">
    <property name="prefix" value="crypt2" />
    <property name="providerName" value="BC" />
    <property name="algorithm" value="PBEWITHSHA256AND256BITAES-CBC-BC" />
    <property name="availableWithoutStrongCryptogaphy" value="false" />
  </bean>

If you have encrypted passwords and you change the "algorithm" property, it
is not possible to decrypt these passwords. I think this is the only way to
break the encoding/decoding schema. I think most people will not be able to
interpret the value and will not change it.
People having those skills should know what they are doing.

I would go on with "isResponsibleForEncoding".

Cheers

2013/7/7 Andrea Aime <[email protected]>

> On Sun, Jul 7, 2013 at 10:18 AM, Christian Mueller <
> [email protected]> wrote:
>
>> Hi Andrea
>>
>> 1) Our password encoders never produce the same result for identical
>> plain text passwords. The encoding uses a random salt.
>>
>> 2) The post changed event is used by GeoServerSecurityFilterChainProxy to
>> create the internal data structure for the filter chains.
>>
>> 3) What about checking the encrypted password
>> with GeoServerPasswordEncoder.isResponsibleForEncoding(..).  If the current
>> config password encoder is responsible for the encrypted password, you can
>> skip the recode logic.
>>
>
> Yes, this approach crossed my mind. However... is it possible to have a
> configurable password encoder, that would take parameters to run, and thus
> with the same encoder, the password structure would be different? I'm
> probably just thinking too much...
>
> Cheers
> Andrea
>
> --
> ==
> Our support, Your Success! Visit http://opensdi.geo-solutions.it for more
> information.
> ==
>
> Ing. Andrea Aime
> @geowolf
> Technical Lead
>
> GeoSolutions S.A.S.
> Via Poggio alle Viti 1187
> 55054  Massarosa (LU)
> Italy
> phone: +39 0584 962313
> fax: +39 0584 1660272
> mob: +39  339 8844549
>
> http://www.geo-solutions.it
> http://twitter.com/geosolutions_it
>
> -------------------------------------------------------
>



-- 
DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH
_______________________________________________
Geoserver-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/geoserver-devel
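The thread above turns on three properties of the GeoServer password encoders: a random salt means two encodings of the same password never compare equal, the encoder that produced a stored value is recognised by its prefix (isResponsibleForEncoding), and changing the "algorithm" parameter of a configured encoder leaves the prefix intact while making old values undecodable. The following is an added illustration of those three points, not code from GeoServer or from either poster. The encoder class, the "crypt1"/"crypt2" prefixes as used here, the master key standing in for the keystore secret, and the needs_recode helper are all assumptions; the cipher is a stdlib stand-in (PBKDF2-derived keystream plus an HMAC tag), not the AES-CBC scheme the bean definition names.

```python
"""Prefix-dispatched, salted, reversible password encoders.

Illustration of the GeoServer encoder behaviour discussed on the list;
this is not GeoServer code. Encoded form (assumed for the example):

    <prefix>:<salt_hex>:<ciphertext_hex>:<tag_hex>
"""
import hashlib
import hmac
import secrets


class PbeEncoder:
    """Reversible encoder: PBKDF2 from a master key and a fresh random salt.

    The keystream XOR + HMAC tag below is a stand-in for
    PBEWITHSHA256AND256BITAES-CBC-BC so the example runs on the standard
    library alone. Do not reuse this cipher; the point is the prefix, salt
    and parameter-change behaviour, which are the same for a real PBE scheme.
    """

    TAG_LEN = 32  # bytes of derived material reserved for the HMAC key

    def __init__(self, prefix, master_key, hash_name="sha256", iterations=20_000):
        self.prefix = prefix              # e.g. "crypt2" in the bean definition
        self.master_key = master_key      # assumed stand-in for the keystore secret
        self.hash_name = hash_name        # these two play the role of the
        self.iterations = iterations      # "algorithm" property

    def _derive(self, salt, length):
        return hashlib.pbkdf2_hmac(self.hash_name, self.master_key, salt,
                                   self.iterations, dklen=self.TAG_LEN + length)

    def encode(self, plaintext):
        pt = plaintext.encode("utf-8")
        salt = secrets.token_bytes(16)    # random salt: identical passwords encode differently
        km = self._derive(salt, len(pt))
        tag_key, stream = km[:self.TAG_LEN], km[self.TAG_LEN:]
        ct = bytes(a ^ b for a, b in zip(pt, stream))
        tag = hmac.new(tag_key, salt + ct, "sha256").digest()
        return ":".join([self.prefix, salt.hex(), ct.hex(), tag.hex()])

    def is_responsible_for_encoding(self, encoded):
        """Prefix check, the same idea as GeoServerPasswordEncoder.isResponsibleForEncoding."""
        return encoded.startswith(self.prefix + ":")

    def decode(self, encoded):
        if not self.is_responsible_for_encoding(encoded):
            raise ValueError("prefix %r is not handled by this encoder"
                             % encoded.split(":", 1)[0])
        _, salt_hex, ct_hex, tag_hex = encoded.split(":")
        salt, ct, tag = bytes.fromhex(salt_hex), bytes.fromhex(ct_hex), bytes.fromhex(tag_hex)
        km = self._derive(salt, len(ct))
        tag_key, stream = km[:self.TAG_LEN], km[self.TAG_LEN:]
        expected = hmac.new(tag_key, salt + ct, "sha256").digest()
        if not hmac.compare_digest(tag, expected):
            # Same prefix but different key or "algorithm" parameters:
            # the stored value can no longer be recovered.
            raise ValueError("cannot decode: key or algorithm parameters do not match")
        return bytes(a ^ b for a, b in zip(ct, stream)).decode("utf-8")


def needs_recode(configured, stored):
    """True when the stored value came from an encoder other than the configured one.

    This is the skip-the-recode check proposed in the thread: compare prefixes,
    never the encoded strings themselves, because the salt makes those differ.
    """
    return not configured.is_responsible_for_encoding(stored)


if __name__ == "__main__":
    key = b"keystore-secret"                       # constructed sample key
    weak = PbeEncoder("crypt1", key, hash_name="sha1", iterations=1_000)
    strong = PbeEncoder("crypt2", key)
    changed = PbeEncoder("crypt2", key, hash_name="sha512")  # same prefix, new "algorithm"

    a, b = strong.encode("geoserver"), strong.encode("geoserver")
    print("same password, different values:", a != b)
    print("old crypt1 value needs recode:", needs_recode(strong, weak.encode("geoserver")))
    print("current crypt2 value needs recode:", needs_recode(strong, a))
    print("changed encoder claims the prefix:", changed.is_responsible_for_encoding(a))
    try:
        changed.decode(a)
    except ValueError as e:
        print("but cannot decode it:", e)
```

Because needs_recode looks only at the prefix, it correctly skips values the configured encoder produced and flags values from another encoder, but it cannot see the case Andrea raises: an encoder whose prefix is unchanged but whose parameters are not. That case surfaces only when decode fails, which is the situation the reply describes for a changed "algorithm" property.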