[ https://issues.jboss.org/browse/JBSEAM-3942?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Marek Novotny closed JBSEAM-3942.
---------------------------------
closing as cleanup
> LdapIdentityStore should crypt password
> ---------------------------------------
>
> Key: JBSEAM-3942
> URL: https://issues.jboss.org/browse/JBSEAM-3942
> Project: Seam 2
> Issue Type: Feature Request
> Components: Security
> Affects Versions: 2.1.0.SP1, 2.1.1.CR1, 2.1.1.CR2, 2.1.1.GA
> Reporter: Raimund Hölle
> Assignee: Shane Bryzak
> Priority: Minor
>
> LdapIdentityStore.changePassword() always stores the new password as plain
> text in the LDAP database.
> To allow crypted passwords, I suggest the following modifications (currently
> tested only with OpenLDAP, MS AD may need encoding "UTF16-EL"):
> New bean properties (along with getter / setter):
>
>     // Default: plain text as previous releases; set it to "SHA", "MD5", ...
>     // in components.xml (see java.security.MessageDigest)
>     private String passwordCryptAlgorithm = "";
>     // Needed only if algorithm != ""
>     private String passwordEncoding = "UTF-8";
>
> Extend changePassword() by one additional line:
>
>     public boolean changePassword(String name, String password)
>     {
>         InitialLdapContext ctx = null;
>         try
>         {
>             ctx = initialiseContext();
>             // crypt password if not already done
>             password = cryptPwIfNeeded(password);
>
>             BasicAttribute passwordAttrib = new BasicAttribute(getUserPasswordAttribute(), password);
>             // ... (rest of the method unchanged)
>
> New helper method:
>
>     private Pattern cryptedPwRegexp = Pattern.compile("^[{].+[}].+");
>
>     private String cryptPwIfNeeded(String password) {
>         // only crypt if requested by algorithm and not already done!
>         if (getPasswordCryptAlgorithm() != null
>                 && ! getPasswordCryptAlgorithm().equals("")
>                 && ! cryptedPwRegexp.matcher(password).matches()) {
>
>             try {
>                 MessageDigest md;
>                 md = MessageDigest.getInstance(getPasswordCryptAlgorithm());
>
>                 md.reset();
>                 md.update(password.getBytes(getPasswordEncoding()));
>
>                 byte[] result = md.digest();
>                 password = "{" + getPasswordCryptAlgorithm() + "}"
>                         + (new BASE64Encoder()).encode(result);
>
>             } catch ( NoSuchAlgorithmException e ) {
>                 throw new IdentityManagementException(
>                     "Configuration problem - can not crypt password with algorithm "
>                     + getPasswordCryptAlgorithm(), e);
>             } catch ( UnsupportedEncodingException e ) {
>                 throw new IdentityManagementException(
>                     "Configuration problem - can not encode password with "
>                     + getPasswordEncoding(), e);
>             }
>         }
>
>         return password;
>     }
>
> Many regards, Raimund
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira