You will have to subclass TurbineUserManagement and override encryptPassword message by plugging in a two-way encryption algorithm. You will also have to add another interface containing decryptPassword method.
As to your parameter passing enhancement, I don't particularly care that you are constrained to just 5 parameters. Also, please open up a Bugzilla log entry for this enhancement and submit patches NOT complete source files:

http://jakarta.apache.org/jetspeed/site/code-standards.html
http://www.apache.org/dev/contributors.html#patches

Best regards,

Mark Orciuch - [EMAIL PROTECTED]
Jakarta Jetspeed - Enterprise Portal in Java
http://jakarta.apache.org/jetspeed/

> -----Original Message-----
> From: Dan Elder [mailto:[EMAIL PROTECTED]
> Sent: Friday, June 20, 2003 11:07 AM
> To: Jetspeed Developers List
> Subject: Re: Iframe Portlet with Parameter Passing
>
>
> Is there any way to store the cleartext version of a user's password in
> their session so that it can be used later? I understand the security
> problems this could pose but for a single sign on solution it is
> necessary. There is no need to store it permanently, but if it could
> be retrieved as a User (or in my case LDAPUser) object it could then be
> passed to other web apps transparent to the user. I like that there is
> a BasicAuthenticationIFramePortlet which sort of does this but requires
> every user to manually store their password in the configuration (which
> is a larger security hole in my mind).
> I've been hacking through Turbine and Jetspeed trying to add a
> getClearPassword and setClearPassword functionality in the two but it is
> still a hack at best which I'm not sure would ever get incorporated
> into the main branches. Retrieving the encrypted/hashed password isn't
> an option since most web apps using LDAP don't perform a comparison but
> actually rebind to the directory as a user. This provides a great deal
> more security and allows for much finer controls over what parts of the
> directory a user has rights to. In order to bind as a user though each
> webapp would need their username (or cn) and password.
> As soon as the IframePortlet is done I'll submit a nice version of it
> (documented). Are there any other parameters people would like to see
> passed automatically besides:
>
> username (runData.getUser().getUserName())
> password (runData.getUser().getPassword())
> cleartext password (runData.getUser().getClearPassword()) - if I ever
> get it working
> email (runData.getUser().getEmail())
> first name (runData.getUser().getFirstName())
> last name (runData.getUser().getLastName())
> name (runData.getUser().getName()) ?
>
> Thanks again,
> Dan Elder
>
>
> Mark Orciuch wrote:
> > Dan,
> >
> > The parameter passing part is useful - feel free to patch the original
> > IFramePortlet with this enhancement. As for the authentication part,
> > password encryption algorithm used in Jetspeed is a one-way encryption
> > technique so you cannot decrypt it. Take a look at
> > BasicAuthenticationIFramePortlet (in CVS head).
> >
> > Best regards,
> >
> > Mark Orciuch - [EMAIL PROTECTED]
> > Jakarta Jetspeed - Enterprise Portal in Java
> > http://jakarta.apache.org/jetspeed/
> >
> >
> >>-----Original Message-----
> >>From: Dan Elder [mailto:[EMAIL PROTECTED]
> >>Sent: Thursday, June 19, 2003 12:58 PM
> >>To: [EMAIL PROTECTED]
> >>Subject: Iframe Portlet with Parameter Passing
> >>
> >>
> >> Hello,
> >> I've created an Iframe Portlet which is a copy of the existing Iframe
> >>Portlet but adds the ability to pass parameters to the source address
> >>(i.e. https://mydomain/index.php&parameter=true&other=nothing). This is
> >>useful for me because with it I can now tie in other web apps to
> >>Jetspeed and have transparent single signon by passing the current
> >>username and password (and other values that can be retrieved from
> >>runData.getUser()) in a url like
> >>https://mydomain/index.php?username=dan&password=rootme.
> >>The only problem I'm having right now is that the crypted version of
> >>the password is returned instead of the initial password the user logs
> >>in with. I know I can disable password encryption in the
> >>JetspeedSecurity.properties but storing passwords in the clear in our
> >>LDAP directory isn't an option. Is there a way that I'm missing to
> >>retrieve the password a user logs in with in the clear even if the
> >>backing store is encrypted? If anyone is interested in the portlet I
> >>can post all the code as well (it's still got a few bugs).
> >> Thank you,
> >> Dan Elder
> --
> ----------------------------------------------
> Dan Elder, Software Developer, Novacoast, Inc.
> Voice: (805) 884-4152
> Mobile: (805) 453-6563
> E-mail: [EMAIL PROTECTED]
> ----------------------------------------------
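
The reply at the top of this thread distinguishes one-way password encryption from a two-way algorithm with a matching decryptPassword method. The following is an added example, not code from the thread or from Jetspeed/Turbine: the class `TwoWayPasswordDemo`, its key handling and the choice of SHA-256 and AES-GCM are all assumptions made for illustration. It shows that the one-way form cannot be inverted while the two-way form lets anyone holding the key recover the cleartext, so the key needs the same protection as the passwords themselves.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

// Hypothetical stand-alone class; it does not extend any Jetspeed or Turbine type.
public class TwoWayPasswordDemo {
    private static final int IV_LEN = 12, TAG_BITS = 128;
    private final SecretKey key; // assumption: loaded from a protected keystore in real use
    private final SecureRandom rng = new SecureRandom();

    TwoWayPasswordDemo(SecretKey key) { this.key = key; }

    // One-way: only a digest is kept, so there is nothing to decrypt later.
    static String oneWay(String password) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256")
                .digest(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(d);
    }

    // Two-way: fresh random IV per call, stored in front of the ciphertext and tag.
    String encryptPassword(String password) throws Exception {
        byte[] iv = new byte[IV_LEN];
        rng.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(password.getBytes(StandardCharsets.UTF_8));
        byte[] out = ByteBuffer.allocate(IV_LEN + ct.length).put(iv).put(ct).array();
        return Base64.getEncoder().encodeToString(out);
    }

    // Fails with AEADBadTagException if the stored value was modified or the key is wrong.
    String decryptPassword(String stored) throws Exception {
        byte[] in = Base64.getDecoder().decode(stored);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, in, 0, IV_LEN));
        return new String(c.doFinal(in, IV_LEN, in.length - IV_LEN), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        TwoWayPasswordDemo codec = new TwoWayPasswordDemo(kg.generateKey());
        String sample = "constructed-sample-password"; // constructed input
        String stored = codec.encryptPassword(sample);
        System.out.println("one-way (not recoverable): " + oneWay(sample));
        System.out.println("two-way (stored form):     " + stored);
        System.out.println("two-way (recovered):       " + codec.decryptPassword(stored));
    }
}
```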
