[jira] [Commented] (ARTEMIS-786) Store user's password in hash form by default

2016-11-02 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/ARTEMIS-786?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15630830#comment-15630830
 ] 

ASF subversion and git services commented on ARTEMIS-786:
-

Commit 5965a458945c98f61f1e1e3db418082b68e9df62 in activemq-artemis's branch 
refs/heads/master from Clebert Suconic
[ https://git-wip-us.apache.org/repos/asf?p=activemq-artemis.git;h=5965a45 ]

ARTEMIS-786 Using RandomUtil instead of SecureRandom..

This was introducing several performance hits. I was running the examples and 
they were not completing at all on my environment.


> Store user's password in hash form by default
> -
>
> Key: ARTEMIS-786
> URL: https://issues.apache.org/jira/browse/ARTEMIS-786
> Project: ActiveMQ Artemis
> Issue Type: Improvement
> Components: Broker
> Affects Versions: 1.4.0
> Reporter: Howard Gao
> Assignee: Howard Gao
> Fix For: 1.5.0
>
>
> Artemis uses plaintext to store user's password. To enhance security it should 
> be using hash value instead.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


[jira] [Commented] (ARTEMIS-786) Store user's password in hash form by default

2016-11-02 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/ARTEMIS-786?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15630237#comment-15630237
 ] 

ASF subversion and git services commented on ARTEMIS-786:
-

Commit 119476ddcc77cfc7a2192f8ba87101dcbd7b44b1 in activemq-artemis's branch 
refs/heads/master from Clebert Suconic
[ https://git-wip-us.apache.org/repos/asf?p=activemq-artemis.git;h=119476d ]

ARTEMIS-786 checking for inputs and some reorg of the class model on user 
actions




[jira] [Commented] (ARTEMIS-786) Store user's password in hash form by default

2016-11-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/ARTEMIS-786?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15630238#comment-15630238
 ] 

ASF GitHub Bot commented on ARTEMIS-786:


Github user asfgit closed the pull request at:

https://github.com/apache/activemq-artemis/pull/835




[jira] [Commented] (ARTEMIS-786) Store user's password in hash form by default

2016-11-02 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/ARTEMIS-786?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15630236#comment-15630236
 ] 

ASF subversion and git services commented on ARTEMIS-786:
-

Commit cd7b838952dcc654527cb2d2cdd00b3d0f269bd1 in activemq-artemis's branch 
refs/heads/master from [~gaohoward]
[ https://git-wip-us.apache.org/repos/asf?p=activemq-artemis.git;h=cd7b838 ]

ARTEMIS-786 Store user's password in hash form by default
  - user passwords for PropertiesLoginModule stored using PBKDF2 algorithm
by default
  - implements cli user command to help create and manage user/roles
  - adds a mask cli command to mask passwords




[jira] [Commented] (ARTEMIS-786) Store user's password in hash form by default

2016-11-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/ARTEMIS-786?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15629874#comment-15629874
 ] 

ASF GitHub Bot commented on ARTEMIS-786:


Github user jbertram commented on a diff in the pull request:

https://github.com/apache/activemq-artemis/pull/835#discussion_r86208017
  
--- Diff: 
artemis-cli/src/main/java/org/apache/activemq/artemis/cli/commands/user/UserAction.java
 ---
@@ -0,0 +1,107 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.artemis.cli.commands.user;
+
+import io.airlift.airline.Option;
+import org.apache.activemq.artemis.cli.commands.InputAbstract;
+import 
org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule;
+import org.apache.activemq.artemis.util.FileBasedSecStoreConfig;
+
+import javax.security.auth.login.AppConfigurationEntry;
+import javax.security.auth.login.Configuration;
+import java.io.File;
+import java.util.List;
+
+import static 
org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule.ROLE_FILE_PROP_NAME;
+import static 
org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule.USER_FILE_PROP_NAME;
+
+public abstract class UserAction extends InputAbstract {
+
+   @Option(name = "--user", description = "The user name")
+   String username = null;
+
+   /**
+* Adding a new user
+* @param hash the password
+* @param role the role
+* @throws IllegalArgumentException if user exists
+*/
+   protected void add(String hash, String... role) throws Exception {
+  FileBasedSecStoreConfig config = getConfiguration();
+  config.addNewUser(username, hash, role);
+  config.save();
+  context.out.println("User added successfully.");
+   }
+
+   /**
+* list a single user or all users
+* if username is not specified
+*/
+   protected void list() throws Exception {
+  FileBasedSecStoreConfig config = getConfiguration();
+  List result = config.listUser(username);
+  for (String str : result) {
+ context.out.println(str);
+  }
+   }
+
+   protected void remove() throws Exception {
+  FileBasedSecStoreConfig config = getConfiguration();
+  config.removeUser(username);
+  config.save();
+  context.out.println("User removed.");
+   }
+
+   protected void reset(String password, String[] roles) throws Exception {
+  if (password == null && roles == null) {
+ context.err.println("Nothing to update.");
+ return;
+  }
+  FileBasedSecStoreConfig config = getConfiguration();
+  config.updateUser(username, password, roles);
+  config.save();
+  context.out.println("User updated");
+   }
+
+   private FileBasedSecStoreConfig getConfiguration() throws Exception {
+
+  Configuration securityConfig = Configuration.getConfiguration();
+  AppConfigurationEntry[] entries = 
securityConfig.getAppConfigurationEntry("activemq");
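Review bot: In `reset(String password, String[] roles)` the argument goes to `config.updateUser(username, password, roles)` under the name `password`, while `add(String hash, String... role)` calls the same kind of value `hash` and documents it as "the password", so these lines do not say whether the caller or `FileBasedSecStoreConfig` is responsible for hashing. Since the issue is about keeping plaintext out of the user file, use one parameter name in both methods and state in the Javadoc whether the value must already be hashed when it arrives. `add` and `remove` also pass `username`, which defaults to `null`, straight to the store without checking that `--user` was supplied; reject a missing user name before calling `config`.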
--- End diff --

This should be configurable or if not it should be documented as only 
working for app config entries named "activemq".  The app config entry in 
login.config is completely arbitrary.  It doesn't have to be named "activemq".




[jira] [Commented] (ARTEMIS-786) Store user's password in hash form by default

2016-11-01 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/ARTEMIS-786?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15627355#comment-15627355
 ] 

ASF GitHub Bot commented on ARTEMIS-786:


Github user clebertsuconic commented on the issue:

https://github.com/apache/activemq-artemis/pull/835
  
@jbertram is this ready to be merged? I should release this week (I'm a 
week late already), and this seems a nice feature.




[jira] [Commented] (ARTEMIS-786) Store user's password in hash form by default

2016-10-27 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/ARTEMIS-786?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15611631#comment-15611631
 ] 

ASF GitHub Bot commented on ARTEMIS-786:


Github user gaohoward commented on the issue:

https://github.com/apache/activemq-artemis/pull/835
  
@jbertram I added the command, pls take a look.




[jira] [Commented] (ARTEMIS-786) Store user's password in hash form by default

2016-10-26 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/ARTEMIS-786?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15608777#comment-15608777
 ] 

ASF GitHub Bot commented on ARTEMIS-786:


Github user gaohoward commented on the issue:

https://github.com/apache/activemq-artemis/pull/835
  
ok got it. I'll add a command for that, maybe with options allowing user to 
do one-way hashing or 2way masking. Thanks.




[jira] [Commented] (ARTEMIS-786) Store user's password in hash form by default

2016-10-26 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/ARTEMIS-786?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15608746#comment-15608746
 ] 

ASF GitHub Bot commented on ARTEMIS-786:


Github user jbertram commented on the issue:

https://github.com/apache/activemq-artemis/pull/835
  
Just doing the masking and spitting it std-out is fine with me.  Will be 
simple to cut/paste from there.




[jira] [Commented] (ARTEMIS-786) Store user's password in hash form by default

2016-10-26 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/ARTEMIS-786?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15608689#comment-15608689
 ] 

ASF GitHub Bot commented on ARTEMIS-786:


Github user gaohoward commented on the issue:

https://github.com/apache/activemq-artemis/pull/835
  
good idea. If you mean just doing the masking that could be done easily. If 
you mean also update the broker.xml with the command, I think it'll need some 
thinking and should be done in a separate JIRA. what do you think?





[jira] [Commented] (ARTEMIS-786) Store user's password in hash form by default

2016-10-26 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/ARTEMIS-786?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15608681#comment-15608681
 ] 

ASF GitHub Bot commented on ARTEMIS-786:


Github user jbertram commented on the issue:

https://github.com/apache/activemq-artemis/pull/835
  
I think having a command in the CLI to do that would be ideal, similar to 
what we have for one-way hashing.




[jira] [Commented] (ARTEMIS-786) Store user's password in hash form by default

2016-10-26 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/ARTEMIS-786?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15608672#comment-15608672
 ] 

ASF GitHub Bot commented on ARTEMIS-786:


Github user gaohoward commented on the issue:

https://github.com/apache/activemq-artemis/pull/835
  
yes, the old "java -cp  
org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec 
" still works as before.




[jira] [Commented] (ARTEMIS-786) Store user's password in hash form by default

2016-10-26 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/ARTEMIS-786?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15608659#comment-15608659
 ] 

ASF GitHub Bot commented on ARTEMIS-786:


Github user jbertram commented on the issue:

https://github.com/apache/activemq-artemis/pull/835
  
I'm talking about a command to *encode* a password to put into the 
broker.xml (e.g. for clusterpassword).




[jira] [Commented] (ARTEMIS-786) Store user's password in hash form by default

2016-10-26 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/ARTEMIS-786?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15608657#comment-15608657
 ] 

ASF GitHub Bot commented on ARTEMIS-786:


Github user jbertram commented on the issue:

https://github.com/apache/activemq-artemis/pull/835
  
Right, but isn't that the one-way hash that goes into a properties file for 
the PropertiesLoginModule?




[jira] [Commented] (ARTEMIS-786) Store user's password in hash form by default

2016-10-26 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/ARTEMIS-786?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15608651#comment-15608651
 ] 

ASF GitHub Bot commented on ARTEMIS-786:


Github user gaohoward commented on the issue:

https://github.com/apache/activemq-artemis/pull/835
  
There is a command AddUser which takes a user name and password and puts 
them in the config (you can choose plaintext or hash to store the password). 




[jira] [Commented] (ARTEMIS-786) Store user's password in hash form by default

2016-10-26 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/ARTEMIS-786?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15608614#comment-15608614
 ] 

ASF GitHub Bot commented on ARTEMIS-786:


Github user jbertram commented on the issue:

https://github.com/apache/activemq-artemis/pull/835
  
Is there a command to generate an encoded password so that you can put that 
into your configuration?  I didn't see anything related to that.  




[jira] [Commented] (ARTEMIS-786) Store user's password in hash form by default

2016-10-24 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/ARTEMIS-786?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15604001#comment-15604001
 ] 

ASF GitHub Bot commented on ARTEMIS-786:


Github user gaohoward commented on the issue:

https://github.com/apache/activemq-artemis/pull/835
  
@jbertram So I did some refactoring:

* Now DefaultSensitiveStringCodec supports 2 kinds of masking:
  one-way hashing and two-way encoding/decoding
* one-way hashing is used by cli and PropertiesLoginModule, it also has
  a verify method to help checking passwords
* two-way is used by other password masking in artemis. (existing feature)
* Other utils like HashProcessor don't do hashing or encoding.
  They are used to facilitate password management (either plaintext or
  hashed).
* Cli commands are used for user management and manual changing is not needed
  (although user can use raw DefaultSensitiveStringCodec to do it).





[jira] [Commented] (ARTEMIS-786) Store user's password in hash form by default

2016-10-18 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/ARTEMIS-786?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15587397#comment-15587397
 ] 

ASF GitHub Bot commented on ARTEMIS-786:


Github user gaohoward commented on the issue:

https://github.com/apache/activemq-artemis/pull/835
  
ok, let me think about it. Thanks.




[jira] [Commented] (ARTEMIS-786) Store user's password in hash form by default

2016-10-18 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/ARTEMIS-786?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15586753#comment-15586753
 ] 

ASF GitHub Bot commented on ARTEMIS-786:


Github user jbertram commented on the issue:

https://github.com/apache/activemq-artemis/pull/835
  
The whole masking/hashing process still seems like a bit of a jumble to me. 
 To mask a password there's a raw Java command (e.g. "java -cp  
org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec 
") and then there's a new command you've added to hash a 
password.  I think it would provide a much better user experience to unify 
both, if possible.




[jira] [Commented] (ARTEMIS-786) Store user's password in hash form by default

2016-10-11 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/ARTEMIS-786?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15565310#comment-15565310
 ] 

ASF GitHub Bot commented on ARTEMIS-786:


Github user gaohoward commented on the issue:

https://github.com/apache/activemq-artemis/pull/835
  
hmm, sth wrong with Jenkins I think. My local run is ok. 




[jira] [Commented] (ARTEMIS-786) Store user's password in hash form by default

2016-10-11 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/ARTEMIS-786?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15565243#comment-15565243
 ] 

ASF GitHub Bot commented on ARTEMIS-786:


Github user gaohoward commented on the issue:

https://github.com/apache/activemq-artemis/pull/835
  
@jbertram I moved the hash factory api into the same PasswordMaskingUtil to 
reduce confusion, so that both 2-way encryption and one-way hashing APIs are in 
the same util class. But I'm not sure what's the benefit of bringing in Jasypt. 
The PasswordMaskingUtil provides a general API which enables user to use 
customized password encoder/decoder like Jasypt, if he really wants it. What do 
you think?




[jira] [Commented] (ARTEMIS-786) Store user's password in hash form by default

2016-10-10 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/ARTEMIS-786?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15564213#comment-15564213
 ] 

ASF GitHub Bot commented on ARTEMIS-786:


Github user gaohoward commented on the issue:

https://github.com/apache/activemq-artemis/pull/835
  
Good point. I was aware of this but didn't think it clearly. We can 
introduce Jasypt to replace current encrypt/decrypt util for 2 ways, but I'm 
not sure this 2-way is suitable for this, which is the only place where hashing 
seems the preferred way (other places for password need a 2-way algorithm 
because the broker needs to decrypt them at runtime). I'll talk to you before I 
do any changes.




[jira] [Commented] (ARTEMIS-786) Store user's password in hash form by default

2016-10-10 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/ARTEMIS-786?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15563732#comment-15563732
 ] 

ASF GitHub Bot commented on ARTEMIS-786:


Github user jbertram commented on the issue:

https://github.com/apache/activemq-artemis/pull/835
  
There are other places in the configuration where passwords can be masked 
(e.g. using org.apache.activemq.artemis.utils.PasswordMaskingUtil).  It would 
be ideal to have a unified approach to all password masking/hashing if 
possible.  Otherwise we will need to support multiple commands for 
masking/hashing.  For what it's worth, 5.x uses an encryption/decryption scheme 
using Jasypt which is pretty simple and effective.




[jira] [Commented] (ARTEMIS-786) Store user's password in hash form by default

2016-10-10 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/ARTEMIS-786?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15563648#comment-15563648
 ] 

ASF GitHub Bot commented on ARTEMIS-786:


Github user clebertsuconic commented on the issue:

https://github.com/apache/activemq-artemis/pull/835
  
@jbertram I will let you handle it then...
please run the whole testsuite, including examples?




[jira] [Commented] (ARTEMIS-786) Store user's password in hash form by default

2016-10-10 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/ARTEMIS-786?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15563625#comment-15563625
 ] 

ASF GitHub Bot commented on ARTEMIS-786:


Github user jbertram commented on the issue:

https://github.com/apache/activemq-artemis/pull/835
  
I still need to review so please wait till you hear from me before merging. 
 Thanks!




[jira] [Commented] (ARTEMIS-786) Store user's password in hash form by default

2016-10-10 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/ARTEMIS-786?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15563577#comment-15563577
 ] 

ASF GitHub Bot commented on ARTEMIS-786:


Github user clebertsuconic commented on the issue:

https://github.com/apache/activemq-artemis/pull/835
  
looks nice...

Let me run the whole testsuite before merging though.. I want also to run 
the examples. Have you done it?


I'm a bit concerned with the examples as this will touch configurations.




[jira] [Commented] (ARTEMIS-786) Store user's password in hash form by default

2016-10-10 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/ARTEMIS-786?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15562497#comment-15562497
 ] 

ASF GitHub Bot commented on ARTEMIS-786:


GitHub user gaohoward opened a pull request:

https://github.com/apache/activemq-artemis/pull/835

ARTEMIS-786 Store user's password in hash form by default

 - passwords stored using PBKDF2 algorithm
 - implements cli user command to help create and manage user/roles

You can merge this pull request into a Git repository by running:

$ git pull https://github.com/gaohoward/activemq-artemis 
master_hash_password

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/activemq-artemis/pull/835.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #835


commit e86ef9571c16bf4886fbbf466b33f6427a5d0509
Author: Howard Gao 
Date:   2016-10-10T13:57:07Z

ARTEMIS-786 Store user's password in hash form by default
 - passwords stored using PBKDF2 algorithm
 - implements cli user command to help create and manage user/roles



