A new Two-way password encoding service allowing decoding of encoded passwords
------------------------------------------------------------------------------

         Key: JS2-550
         URL: http://issues.apache.org/jira/browse/JS2-550
     Project: Jetspeed 2
        Type: New Feature

  Components: Security  
    Versions: 2.1, 2.1-dev    
    Reporter: Ate Douma
 Assigned to: Ate Douma 
     Fix For: 2.1, 2.1-dev


For password encoding Jetspeed currently only provides the 
MessageDigestCredentialPasswordEncoder in the security component.
While highly secure, this encoding solution cannot be used when you would like 
to be able to recover lost passwords, for example to provide the clear text value 
back to the user at a known/trusted email address, or for a trusted administrator 
to be able to do the same manually.

Therefore, I'll provide a new two-way encoding solution based on PKCS #5 PBE 
(Password Based Encryption), which uses a cipher generated from a secure 
password to encode user passwords. For this solution I'll provide a service 
which implements the security component SPI CredentialPasswordEncoder and also 
provides a decode method to retrieve the clear text value of an encoded password.

Thus, I'll add a new PasswordEncodingService interface to the jetspeed-api and 
a PBEPasswordService implementation in the security component.
The PBEPasswordService extends the POJO PBEPasswordTool class, which can also 
be used standalone through a main method, and implements the 
CredentialPasswordEncoder interface.

This way, this new service can both be made available as a portlet service 
through the Jetspeed Spring configuration for use from specialized Portlet 
Applications, and be used as a replacement for the default 
MessageDigestCredentialPasswordEncoder.

An example Jetspeed Spring configuration making use of the new service could 
be as follows.

In security-spi-atn.xml:

  <!-- A two-way encoding password service which also implements
       CredentialPasswordEncoder; this service can be used instead of, for
       example, the default provided MessageDigestCredentialPasswordEncoder -->
  <bean id="org.apache.jetspeed.security.PasswordEncodingService"
        name="org.apache.jetspeed.security.spi.CredentialPasswordEncoder"
        class="org.apache.jetspeed.security.spi.impl.PBEPasswordService">
    <constructor-arg index="0">
      <!-- secret PBE key password -->
      <value>********</value>
    </constructor-arg>
  </bean>

In jetspeed-services.xml:

  <bean id="PortalServices"
        class="org.apache.jetspeed.services.JetspeedPortletServices">
    <constructor-arg>
      <map>
        <entry key="PortletRegistryComponent">
          <ref bean="org.apache.jetspeed.components.portletregistry.PortletRegistry" />
        </entry>
        ...
        <entry key="PasswordEncodingService">
          <ref bean="org.apache.jetspeed.security.PasswordEncodingService" />
        </entry>
        ...
      </map>
    </constructor-arg>
  </bean>

Using the PBEPasswordTool standalone is possible as follows.
Running the following command

  java -cp jetspeed-api-2.1-dev.jar:jetspeed-security-2.1-dev.jar:commons-codec-1.3.jar org.apache.jetspeed.security.util.PBEPasswordTool

gives the following output:

  Encode/Decode a user password using Password Based Encryption
  Usage: PBEPasswordTool <encode|decode> <encoding-password> <username> <password>
    encode|decode    : specify if to encode or decode the provided password
    encoding-password: the password to be used for encoding and decoding
    username         : the name of the user to which the provided password belongs
    password         : the cleartext password to encode, or the encoded password to decode
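The following is an added example and not the source of Jetspeed's PBEPasswordTool or PBEPasswordService; the actual algorithm, salt and parameters of the Jetspeed implementation are not stated in this issue. It shows the shape of a two-way PBE tool with the same command-line contract as above (encode|decode, encoding password, username, password), deriving a per-user AES key from the encoding password with PKCS #5 v2 PBKDF2 (HmacSHA256) and a username-derived salt. The class name PbeExample, the iteration count, the salt prefix, the base64(iv || ciphertext) encoded form and the use of java.util.Base64 (JDK 8+, instead of commons-codec) are all assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Illustrative two-way password encoder (PKCS #5 v2: PBKDF2 + AES-CBC).
 * Not the Jetspeed PBEPasswordTool; parameters below are assumptions.
 * Encoded form: base64(iv || ciphertext).
 */
public final class PbeExample {
    private static final int ITERATIONS = 100_000;  // assumption: slow KDF to resist brute force
    private static final int KEY_BITS = 128;
    private static final int IV_BYTES = 16;         // AES block size
    private static final SecureRandom RANDOM = new SecureRandom();

    private final char[] encodingPassword;

    public PbeExample(String encodingPassword) {
        this.encodingPassword = encodingPassword.toCharArray();
    }

    // Derive a per-user AES key. The username is mixed into the salt so that
    // the same clear text for two users never encrypts under the same key.
    private SecretKey deriveKey(String username) throws Exception {
        byte[] salt = ("pbe-example:" + username).getBytes(StandardCharsets.UTF_8);
        PBEKeySpec spec = new PBEKeySpec(encodingPassword, salt, ITERATIONS, KEY_BITS);
        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        byte[] keyBytes = factory.generateSecret(spec).getEncoded();
        spec.clearPassword();
        return new SecretKeySpec(keyBytes, "AES");
    }

    // Encode: fresh random IV per call, so re-encoding the same password
    // yields a different stored value each time.
    public String encode(String username, String clearText) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        RANDOM.nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, deriveKey(username), new IvParameterSpec(iv));
        byte[] ct = cipher.doFinal(clearText.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    // Decode: split off the IV, then decrypt the remainder with the same
    // per-user key. A wrong encoding password or username fails in doFinal
    // (bad padding) rather than returning garbage silently in most cases.
    public String decode(String username, String encoded) throws Exception {
        byte[] in = Base64.getDecoder().decode(encoded);
        if (in.length < IV_BYTES * 2 || (in.length - IV_BYTES) % IV_BYTES != 0) {
            throw new IllegalArgumentException("encoded value has invalid length");
        }
        IvParameterSpec iv = new IvParameterSpec(in, 0, IV_BYTES);
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, deriveKey(username), iv);
        byte[] pt = cipher.doFinal(in, IV_BYTES, in.length - IV_BYTES);
        return new String(pt, StandardCharsets.UTF_8);
    }

    // Same command-line contract as the usage text above.
    public static void main(String[] args) throws Exception {
        if (args.length != 4 || !(args[0].equals("encode") || args[0].equals("decode"))) {
            System.err.println("Usage: PbeExample <encode|decode> <encoding-password> <username> <password>");
            System.exit(1);
        }
        PbeExample tool = new PbeExample(args[1]);
        String result = "encode".equals(args[0])
                ? tool.encode(args[2], args[3])
                : tool.decode(args[2], args[3]);
        System.out.println(result);
    }
}
```

Two design points follow from the page's own requirement that the stored value be decodable: everything rests on the secrecy of the single encoding password (here, as in the Spring configuration above, a constructor argument), so the configuration file holding it needs the same protection as the credential store itself; and because the key is derived deterministically from username plus encoding password, rotating that password means re-encoding every stored value, which the decode/encode pair above makes possible.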
