[ http://issues.apache.org/jira/browse/JS2-550?page=all ]
Ate Douma resolved JS2-550:
---------------------------
Resolution: Fixed
Feature committed
> A new Two-way password encoding service allowing decoding of encoded passwords
> ------------------------------------------------------------------------------
>
> Key: JS2-550
> URL: http://issues.apache.org/jira/browse/JS2-550
> Project: Jetspeed 2
> Type: New Feature
> Components: Security
> Versions: 2.1, 2.1-dev
> Reporter: Ate Douma
> Assignee: Ate Douma
> Fix For: 2.1, 2.1-dev
>
> For password encoding Jetspeed currently only provides the
> MessageDigestCredentialPasswordEncoder in the security component.
> While highly secure, this encoding solution cannot be used when you would
> like to be able to recover lost passwords, like providing the clear text
> value back to the user to a known/trusted email address. Or for a trusted
> administrator to be able to do the same manually.
> Therefore, I'll provide a new two-way encoding solution based on PKCS #5 PBE
> (Password Based Encryption), which uses a cipher generated from a secure
> password to encode user passwords. For this solution I'll provide a service
> which both implements the security component SPI CredentialPasswordEncoder as
> well as a decode method to retrieve the clear text value of an encoded
> password.
> Thus, I'll add a new PasswordEncodingService interface to the jetspeed-api
> and a PBEPasswordService implementation in the security component.
> The PBEPasswordService both extends a POJO PBEPasswordTool class, which also
> can be used standalone through a main method, as well as the
> CredentialPasswordEncoder.
> This way, this new service can both be made available as a portlet service
> through the Jetspeed Spring configuration for usage from specialized Portlet
> Applications, as well as be used as a replacement for the default
> MessageDigestCredentialPasswordEncoder.
> Example Jetspeed Spring configuration how to make use of the new service
> could be as follows.
> In security-spi-atn.xml:
>   <!-- A Two-way encoding password service which also implements
>        CredentialPasswordEncoder
>        this Service can be used instead of for example the default provided
>        MessageDigestCredentialPasswordEncoder -->
>   <bean id="org.apache.jetspeed.security.PasswordEncodingService"
>         name="org.apache.jetspeed.security.spi.CredentialPasswordEncoder"
>         class="org.apache.jetspeed.security.spi.impl.PBEPasswordService">
>     <constructor-arg index="0">
>       <!-- secret PBE key password -->
>       <value>********</value>
>     </constructor-arg>
>   </bean>
> In jetspeed-services.xml:
>   <bean id="PortalServices"
>         class="org.apache.jetspeed.services.JetspeedPortletServices">
>     <constructor-arg>
>       <map>
>         <entry key="PortletRegistryComponent">
>           <ref bean="org.apache.jetspeed.components.portletregistry.PortletRegistry" />
>         </entry>
>         ...
>         <entry key="PasswordEncodingService">
>           <ref bean="org.apache.jetspeed.security.PasswordEncodingService" />
>         </entry>
>         ...
>       </map>
>     </constructor-arg>
>   </bean>
> Using the PBEPasswordTool standalone is possible as follows.
> Running the following command
>   java -cp jetspeed-api-2.1-dev.jar:jetspeed-security-2.1-dev.jar:commons-codec-1.3.jar org.apache.jetspeed.security.util.PBEPasswordTool
> gives the following output:
>   Encode/Decode a user password using Password Based Encryption
>   Usage: PBEPasswordTool <encode|decode> <encoding-password> <username> <password>
>     encode|decode    : specify if to encode or decode the provided password
>     encoding-password: the password to be used for encoding and decoding
>     username         : the name of the user to which the provided password belongs
>     password         : the cleartext password to encode, or the encoded password to decode