I'm trying to override Jetspeed's security system to make it more flexible and more secure by adding user specific password encryption. That is, encryption of the user's password makes use of information specific to that user.
A standard example of this is using a user-specific "salt" for a password. For those who don't know, normally a user's password (p) is saved as h = hash(p) in the database, where hash is some hashing function like SHA-256. When salting a password, some value s (usually a random number) is used to salt the hash function, i.e. h = hash(p,s), and then both h and s are saved in the database for that user. (Note, the salt is .not. considered secure data; it is assumed an attacker can see it.)

Under a salted password scheme, when a user logs on, s is looked up for that user and the text p' entered by the user is hashed as h' = hash(p',s), and then h and h' are compared. The end result is .not. any more secure for a .single. password, but it prevents an attacker from using a dictionary attack against all of the passwords in the database at once. Since the salt is unique for each user, an attacker must hash a dictionary specific to each user's salt value. So, a given user is no more secure, but the system as a whole is significantly more secure.

For this to work, however, the method that encrypts the password needs access to the user's salt value. (Actually, for a few other reasons, it's better if the method can see the entire user record (more on that later).) Jetspeed 1's current setup makes this pretty difficult, since JetspeedSecurity.encryptPassword is .not. passed a JetspeedUser object (though its caller has one). Which brings me to my questions:

1) As far as I can tell, while the JetspeedSecurityService can be configured to use a different class in the properties files, this is not true of JetspeedSecurity. I'd love for someone to tell me I'm wrong here. Am I? (If not, I'm going to have to override a much larger part of Jetspeed's security system than I really want, all because of one missing argument to a method. Either that, or I need to hack Jetspeed itself, which I find loathsome.)

2) Has anyone out there built a user-specific password system under Jetspeed? If so, would you be willing to share your code? Or, at least, your experience?

Oh... I mentioned above that it's best to pass the whole user object to the encryption method, rather than just the salt. This allows the encryption method to use any field of the user, and allows for the following:

o User-specific encryption algorithms.
o Very easy migration to new encryption systems, without having to reset passwords.
o Variable strength (i.e. more repetitions) per user.

Thanks,
Wordman
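The salted scheme described in the post (h = hash(p,s), store h and s, recompute h' = hash(p',s) at logon) together with the three per-user benefits listed at the end, as an added worked example. This is not Jetspeed code and not the poster's code: UserRecord, its fields and the method names are assumptions standing in for whatever record a JetspeedUser would carry. It goes a little beyond the post by storing the algorithm name and iteration count on the record, which is what lets one user be hashed under a stronger or newer scheme than another and lets a record be re-hashed on a successful logon instead of forcing a password reset.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

// Added example, not Jetspeed's own code. A hypothetical user record that
// carries everything the hashing routine needs: the salt, the algorithm and
// the iteration count. Keeping these per user is what makes per-user strength
// and migration to a new scheme possible without resetting passwords.
public class SaltedPasswordDemo {

    public static final class UserRecord {           // hypothetical stand-in for JetspeedUser
        public final String username;
        public String algorithm;     // e.g. "SHA-256"; stored so it can differ per user
        public int iterations;       // per-user work factor (the post's "repetitions")
        public byte[] salt;          // non-secret, unique per user
        public byte[] passwordHash;  // h = hash(p, s)

        public UserRecord(String username) { this.username = username; }
    }

    private static final SecureRandom RNG = new SecureRandom();

    // h = hash(p, s), iterated. The salt is fed into the digest before the
    // password so two users with the same password get different hashes.
    public static byte[] hashPassword(String password, byte[] salt,
                                      String algorithm, int iterations) {
        try {
            MessageDigest md = MessageDigest.getInstance(algorithm);
            md.update(salt);
            byte[] digest = md.digest(password.getBytes(StandardCharsets.UTF_8));
            for (int i = 1; i < iterations; i++) {
                md.reset();
                md.update(salt);
                digest = md.digest(digest);
            }
            return digest;
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("unsupported digest " + algorithm, e);
        }
    }

    // Called when a password is set: draws a fresh random salt and stores
    // h, s and the parameters on the user record.
    public static void setPassword(UserRecord user, String password,
                                   String algorithm, int iterations) {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        user.salt = salt;
        user.algorithm = algorithm;
        user.iterations = iterations;
        user.passwordHash = hashPassword(password, salt, algorithm, iterations);
    }

    // Called at logon: recompute h' = hash(p', s) from the stored record and
    // compare with a constant-time equality so the check leaks no timing info.
    public static boolean checkPassword(UserRecord user, String attempt) {
        if (user.salt == null || user.passwordHash == null) return false;
        byte[] candidate = hashPassword(attempt, user.salt, user.algorithm, user.iterations);
        return MessageDigest.isEqual(user.passwordHash, candidate);
    }

    // Migration without a reset: on a successful logon the cleartext is
    // momentarily available, so the record can be re-hashed under the new
    // parameters right then. Records are upgraded one logon at a time.
    public static boolean checkAndUpgrade(UserRecord user, String attempt,
                                          String newAlgorithm, int newIterations) {
        if (!checkPassword(user, attempt)) return false;
        if (!user.algorithm.equals(newAlgorithm) || user.iterations < newIterations) {
            setPassword(user, attempt, newAlgorithm, newIterations);
        }
        return true;
    }

    public static void main(String[] args) {
        UserRecord alice = new UserRecord("alice");
        UserRecord bob = new UserRecord("bob");
        // Constructed sample: same password, different salts, so the stored
        // hashes differ and one precomputed dictionary cannot cover both users.
        setPassword(alice, "correct horse", "SHA-256", 1000);
        setPassword(bob, "correct horse", "SHA-256", 1000);
        System.out.println("alice: " + Base64.getEncoder().encodeToString(alice.passwordHash));
        System.out.println("bob:   " + Base64.getEncoder().encodeToString(bob.passwordHash));
        System.out.println("alice logon ok: " + checkPassword(alice, "correct horse"));
        System.out.println("alice wrong pw: " + checkPassword(alice, "wrong"));
        // An old record hashed with SHA-1 and one round is upgraded on its next logon.
        setPassword(bob, "correct horse", "SHA-1", 1);
        System.out.println("bob upgraded: " + checkAndUpgrade(bob, "correct horse", "SHA-256", 1000)
                           + " now " + bob.algorithm + "/" + bob.iterations);
    }
}
```

The iterated plain digest is kept to stay close to the post's h = hash(p,s) notation; in a real deployment the same record layout works unchanged with a purpose-built password hash such as PBKDF2, which the JDK exposes through SecretKeyFactory, and the stored algorithm name is exactly what lets that switch happen per user.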