[ http://issues.apache.org/jira/browse/JS2-550?page=comments#action_12418584 ]

Michael Lipp commented on JS2-550:
----------------------------------

Well, as you are around this area: how about the opposite -- less security. I have just packaged Jetspeed2 as EAR for JBoss. JBoss comes with a "simple" password encryption algorithm in its database-based JAAS module. After setting up the queries for this module (I had to make the Jetspeed tables look like simple User/Password and User/Roles tables), I found that I still could not log in because although I specified the same algorithm, the password as encoded by JBoss did not match the password as encoded by Jetspeed. I quickly found out about Jetspeed's "advanced" hashing for password copy protection. As I did not want to write a new JBoss JAAS module, I wrote a new MessageDigestCredentialPasswordEncoder that does "simple" password hashing. The additional user name hashing could easily be made optional using a configuration property for the default MessageDigestCredentialPasswordEncoder. This would save me from maintaining my extra class ;-).

> A new Two-way password encoding service allowing decoding of encoded passwords
> ------------------------------------------------------------------------------
>
>          Key: JS2-550
>          URL: http://issues.apache.org/jira/browse/JS2-550
>      Project: Jetspeed 2
>         Type: New Feature
>   Components: Security
>     Versions: 2.1, 2.1-dev
>     Reporter: Ate Douma
>     Assignee: Ate Douma
>      Fix For: 2.1, 2.1-dev
>
> For password encoding Jetspeed currently only provides the
> MessageDigestCredentialPasswordEncoder in the security component.
> While highly secure, this encoding solution cannot be used when you would
> like to be able to recover lost passwords, like providing the clear text
> value back to the user to a known/trusted email address. Or for a trusted
> administrator to be able to do the same manually.
> Therefore, I'll provide a new two-way encoding solution based on PKCS #5 PBE
> (Password Based Encryption), which uses a cipher generated from a secure
> password to encode user passwords. For this solution I'll provide a service
> which both implements the security component SPI CredentialPasswordEncoder as
> well as a decode method to retrieve the clear text value of an encoded
> password.
> Thus, I'll add a new PasswordEncodingService interface to the jetspeed-api
> and a PBEPasswordService implementation in the security component.
> The PBEPasswordService both extends a POJO PBEPasswordTool class, which also
> can be used standalone through a main method, as well as the
> CredentialPasswordEncoder.
> This way, this new service can both be made available as a portlet service
> through the Jetspeed Spring configuration for usage from specialized Portlet
> Applications, as well be used as a replacement for the default
> MessageDigestCredentialPasswordEncoder.
>
> An example Jetspeed Spring configuration of how to make use of the new service
> could be as follows.
>
> In security-spi-atn.xml:
>
> <!-- A Two-way encoding password service which also implements CredentialPasswordEncoder
>      this Service can be used instead of for example the default provided
>      MessageDigestCredentialPasswordEncoder -->
> <bean id="org.apache.jetspeed.security.PasswordEncodingService"
>       name="org.apache.jetspeed.security.spi.CredentialPasswordEncoder"
>       class="org.apache.jetspeed.security.spi.impl.PBEPasswordService">
>   <constructor-arg index="0">
>     <!-- secret PBE key password -->
>     <value>********</value>
>   </constructor-arg>
> </bean>
>
> In jetspeed-services.xml:
>
> <bean id="PortalServices"
>       class="org.apache.jetspeed.services.JetspeedPortletServices">
>   <constructor-arg>
>     <map>
>       <entry key="PortletRegistryComponent">
>         <ref bean="org.apache.jetspeed.components.portletregistry.PortletRegistry" />
>       </entry>
>       ...
>       <entry key="PasswordEncodingService">
>         <ref bean="org.apache.jetspeed.security.PasswordEncodingService" />
>       </entry>
>       ...
>     </map>
>   </constructor-arg>
> </bean>
>
> Using the PBEPasswordTool standalone is possible as follows.
> Running the following command
>
>   java -cp jetspeed-api-2.1-dev.jar:jetspeed-security-2.1-dev.jar:commons-codec-1.3.jar org.apache.jetspeed.security.util.PBEPasswordTool
>
> gives the following output:
>
>   Encode/Decode a user password using Password Based Encryption
>   Usage: PBEPasswordTool <encode|decode> <encoding-password> <username> <password>
>     encode|decode    : specify if to encode or decode the provided password
>     encoding-password: the password to be used for encoding and decoding
>     username         : the name of the user to which the provided password belongs
>     password         : the cleartext password to encode, or the encoded password to decode
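
As an added example, not Jetspeed's PBEPasswordService (the issue does not name the cipher it uses), here is a two-way encoder that takes the same encoding-password, username and password arguments as the PBEPasswordTool usage above. It assumes PKCS #5 v2 PBKDF2 for key derivation, AES-GCM for the cipher, and that the user name is mixed into the derivation salt; all three are my choices, and the class name `PbePasswordDemo` is hypothetical.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/** Hypothetical two-way encoder taking the PBEPasswordTool arguments; not Jetspeed's own class. */
public final class PbePasswordDemo {
    private static final int ITERATIONS = 100_000, SALT_LEN = 16, IV_LEN = 12, TAG_BITS = 128;
    private static final SecureRandom RNG = new SecureRandom();
    // PKCS #5 v2 PBKDF2 derives the AES key from the secret encoding password. The user name
    // is bound into the salt so a value only decodes for the user it was encoded for (my
    // assumption about why the tool takes a user name; the issue does not describe its scheme).
    private static SecretKey deriveKey(char[] encodingPassword, String username, byte[] salt) throws Exception {
        byte[] user = username.getBytes(StandardCharsets.UTF_8);
        byte[] fullSalt = ByteBuffer.allocate(salt.length + user.length).put(salt).put(user).array();
        PBEKeySpec spec = new PBEKeySpec(encodingPassword, fullSalt, ITERATIONS, 256);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        spec.clearPassword();
        return new SecretKeySpec(raw, "AES");
    }

    /** encode: returns base64(salt || iv || AES-GCM ciphertext+tag) of the clear text password. */
    public static String encode(char[] encodingPassword, String username, String password) throws Exception {
        byte[] salt = new byte[SALT_LEN], iv = new byte[IV_LEN];
        RNG.nextBytes(salt); RNG.nextBytes(iv);                     // fresh salt and nonce per call
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(encodingPassword, username, salt), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(password.getBytes(StandardCharsets.UTF_8));
        byte[] out = ByteBuffer.allocate(SALT_LEN + IV_LEN + ct.length).put(salt).put(iv).put(ct).array();
        return Base64.getEncoder().encodeToString(out);
    }
    /** decode: recovers the clear text. A wrong encoding password, wrong user name or a tampered
     *  value fails the GCM tag check (AEADBadTagException) rather than yielding garbage. */
    public static String decode(char[] encodingPassword, String username, String encoded) throws Exception {
        ByteBuffer in = ByteBuffer.wrap(Base64.getDecoder().decode(encoded));
        if (in.remaining() < SALT_LEN + IV_LEN + TAG_BITS / 8) throw new IllegalArgumentException("too short");
        byte[] salt = new byte[SALT_LEN], iv = new byte[IV_LEN], ct = new byte[in.remaining() - SALT_LEN - IV_LEN];
        in.get(salt).get(iv).get(ct);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(encodingPassword, username, salt), new GCMParameterSpec(TAG_BITS, iv));
        return new String(c.doFinal(ct), StandardCharsets.UTF_8);
    }
}
```

Whoever holds the encoding password in the `<value>` element can recover every stored password, so that Spring file needs the same protection as the credential table itself; where only login verification is needed, the one-way MessageDigestCredentialPasswordEncoder remains the safer default.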