[ https://issues.apache.org/jira/browse/OAK-3626?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15251690#comment-15251690 ]

Chetan Mehrotra commented on OAK-3626:
--------------------------------------

[~alfu] Have a look at 
[comment|https://issues.apache.org/jira/browse/OAK-3761?focusedCommentId=15110173&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-15110173]
 which has most details around what we require for this usecase. In brief

# Define a new API {{CryptoSupport}} extension point as Oak SPI
{code}
interface CryptoSupport {
    /**
     * Determines whether the given config value is encrypted
     *
     * @param value possibly encrypted string
     * @return true if the passed config value is encrypted
     */
    boolean isProtected(String value);

    /**
     * Decrypts the encrypted value and returns the unencrypted
     * content
     *
     * @param value encrypted value
     * @return unencrypted value
     */
    byte[] unprotect(String value);
}
{code}
# Use that in activate method of LdapIdentityProvider
{code}
@Reference
private CryptoSupport cryptoSupport;
private String ldapPassword;

private void activate(Map<String, Object> config) {
    String password = (String) config.get("ldapPassword");

    // Config values may be stored encrypted; only then is decryption needed
    byte[] passwordBytes;
    if (cryptoSupport.isProtected(password)) {
        passwordBytes = cryptoSupport.unprotect(password);
    } else {
        // plain config value (e.g. OSGi config that was never encrypted)
        passwordBytes = password.getBytes(StandardCharsets.UTF_8);
    }
    ...
}
{code}
# And then have a simple implementation in Oak, say under a new package in plugins,
which provides an implementation for that
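An added example of the three pieces above fitted together (not Oak's code and not part of this comment): a hypothetical {{AesGcmCryptoSupport}} that recognises values by a constructed {{\{aes-gcm\}}} prefix, authenticates and decrypts them with AES-GCM, and a {{resolveLdapPassword}} helper showing what the activate method would do with plaintext and protected values alike. The prefix, class and method names and the {{protect}} helper are assumptions for illustration; where the key comes from is left to the real implementation.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

interface CryptoSupport { boolean isProtected(String value); byte[] unprotect(String value); } // SPI as sketched above

/** Hypothetical implementation: protected values look like "{aes-gcm}" + base64(iv || ciphertext || tag). */
public class AesGcmCryptoSupport implements CryptoSupport {
    private static final String PREFIX = "{aes-gcm}";              // constructed marker, not an Oak convention
    private static final int IV_LEN = 12, TAG_BITS = 128;           // GCM: 96-bit nonce, 128-bit tag
    private final SecretKey key;                                    // real implementation would load this from a keystore
    public AesGcmCryptoSupport(byte[] rawKey) { key = new SecretKeySpec(rawKey, "AES"); }
    @Override public boolean isProtected(String value) { return value != null && value.startsWith(PREFIX); }
    @Override public byte[] unprotect(String value) {
        if (!isProtected(value)) throw new IllegalArgumentException("value is not protected");
        byte[] blob = Base64.getDecoder().decode(value.substring(PREFIX.length()));
        if (blob.length < IV_LEN + TAG_BITS / 8) throw new IllegalArgumentException("protected value too short");
        try {
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, blob, 0, IV_LEN));
            return c.doFinal(blob, IV_LEN, blob.length - IV_LEN); // AEADBadTagException if tampered or wrong key
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("cannot unprotect config value", e);
        }
    }
    /** Provisioning-side helper, not part of the SPI: produces a value isProtected() accepts. */
    public String protect(byte[] plain) throws GeneralSecurityException {
        byte[] iv = new byte[IV_LEN]; new SecureRandom().nextBytes(iv); // fresh nonce per value
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plain), out = Arrays.copyOf(iv, IV_LEN + ct.length);
        System.arraycopy(ct, 0, out, IV_LEN, ct.length);
        return PREFIX + Base64.getEncoder().encodeToString(out);
    }
    /** What LdapIdentityProvider.activate would do: accept plaintext and protected values alike. */
    static byte[] resolveLdapPassword(CryptoSupport cs, Map<String, Object> config) {
        String password = (String) config.get("ldapPassword");
        if (password == null) return null;
        return cs.isProtected(password) ? cs.unprotect(password) : password.getBytes(StandardCharsets.UTF_8);
    }
}
```

Because GCM authenticates the ciphertext, a config value that was edited or encrypted under a different key fails in {{unprotect}} instead of yielding a garbage password that is then sent as a bind credential.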



> Provide bind credentials callback
> ---------------------------------
>
>                 Key: OAK-3626
>                 URL: https://issues.apache.org/jira/browse/OAK-3626
>             Project: Jackrabbit Oak
>          Issue Type: New Feature
>          Components: auth-ldap
>            Reporter: Tobias Bocanegra
>
> The ldap identity provider reads the admin bind credentials from the given 
> config which might originate from an un-encrypted source (eg. osgi config).
> In order to facilitate secure provisioning of the bind credentials, the ldap 
> idp should offer some sort of credentials provider callback.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)