On 28/03/2012 17:25, Colm O hEigeartaigh wrote:
> Is there any reason why MD5 is used (or even supported) as the
> password cipher algorithm? MD5 is deprecated and is not even allowed
> by many security products.
Hi Colm,
Not any particular reason: the default cipher algorithm (key
'password.cipher.algorithm') is part of the configuration and can be
customized at every deployment.
Actually, MD5 is part of the test configuration (no problems here, I guess)
[1] and the production configuration [2], and this can be harmful. We should
change this ASAP to one of the other supported algorithms [3].
I don't see any particular reason to keep MD5, anyway: anyone else's
thoughts?
Regards.
[1] https://svn.us.apache.org/repos/asf/incubator/syncope/trunk/core/src/test/resources/content.xml
[2] https://svn.us.apache.org/repos/asf/incubator/syncope/trunk/core/src/main/resources/content.xml
[3] https://svn.us.apache.org/repos/asf/incubator/syncope/trunk/client/src/main/java/org/syncope/types/CipherAlgorithm.java
--
Francesco Chicchiriccò
Apache Cocoon PMC and Apache Syncope PPMC Member
http://people.apache.org/~ilgrosso/