Re: [Wicket-user] Encrytption of password data

Tue, 18 Apr 2006 13:14:04 -0700

I propose the following:
  • introduce wicket.util.crypt.Base64Rfc3548, implementing the current Base64 as in rc1
  • make wicket.util.crypt.Base64 class Rfc2045 compliant as it was before rc1
  • create a new method on AbstractCrypt that does the url-safe encoding using Base64Rfc3548
  • document that it is not intended for storing passwords in a persistent store
  • alter all calls to the crypt method inside Wicket where url-safe encoding is necessary to use the method just introduced
  • deprecate current crypt method on AbstractCrypt, noting that the use is not intended for storing passwords in databases and that users should migrate away from its use
  • remove deprecated crypt method in the next Wicket release.
Martijn


On 4/18/06, Johan Compagner < [EMAIL PROTECTED] > wrote:
yes crypting and base encoding shouldn't be the same thing

Or is it that we use it always where crypting is used? For example cookie values
must those be encoded or not (i do think that we should be secure by default and always encrypt them)

If we come to the conclusion that we do use encoding everytime when we encrypt then i am with eelco and
let it be what it is now. If we come to the conclusion that this isn't the case then remove it completely.

johan




On 4/18/06, Juergen Donnerstag <[EMAIL PROTECTED]> wrote:
That is not true. We introduced base64 because the encrypted strings
weren't URL compliant. And than we detected that sun/apache/rfc2054
base64 encoding doesn't do the job either. But you agree with removing
it completely out of Crypt and not doing any base64 in AbstractCrypt.

Juergen

On 4/18/06, Martijn Dashorst < [EMAIL PROTECTED]> wrote:
> The bug is introduced by the fix for the url encoding. Not the other way
> round. This one should be rolled back, and the URL encoding should be fixed
> in a different manner.
>
> Also, the Wicket 1.1 encryption used the Sun BASE64Encoding, which is also
> RFC2045 compliant. Our base64 implementation should reflect that and we
> should implement a separate encryption schema for URL's.
>
> Martijn
>
>
> On 4/18/06, Eelco Hillenius <[EMAIL PROTECTED] > wrote:
> > I don't know whether it is such a good idea to 'unfix' a bug just for
> > compatibility. It was fixed because people were experiencing problems
> > with it, right? So unfixing it will give those users those problems
> > again.
> >
> > Eelco
> >
> > On 4/18/06, Juergen Donnerstag <[EMAIL PROTECTED]> wrote:
> > > Yes that is true. We most likely change it back. The reason it has
> > > been changed is because / and + are not allowed in URLs and we use the
> > > same encryption algorithm for URL encryption .... Though we used a
> > > (old) standards compliant base64 encoder/decoder it is not URL
> > > compliant. The new standard (RFC 3xxx) is slightly different and the
> > > one rc1 is using. rc2 will be out pretty soon I guess and I assume we
> > > change it back (for compatibility reasons only) and find some other
> > > solution for URLs
> > >
> > > Juergen
> > >
> > > On 4/18/06, Rüdiger Schulz < [EMAIL PROTECTED]> wrote:
> > > > Hello list,
> > > >
> > > > for a Wicket-application requiring a signed-in user I use
> > > > PasswordTextField.getModelObject() for acquiring the
> entered data.
> > > > Going the easy way, I simply stored this in the database, as it was
> > > > already encrypted, and comparison during login is also very easy to
> > > > do.
> > > >
> > > > Now I upgraded from wicket 1.1.1 to 1.2rc1. This method still works,
> > > > but something has changed. Before, all passwords had a '=' as their
> > > > last character, which they now lack. Apart from that, the encryption
> > > > seems to produce the same encrypted strings out of the source strings.
> > > >
> > > > If this is not a bug, it should be stated in the migration guide
> > > > somewhere...
> > > >
> > > > --
> > > > greetings from Berlin,
> > > >
> > > > Rüdiger Schulz
> > > >
> > > >
> > > >
> > > >
> -------------------------------------------------------
> > > > This SF.Net email is sponsored by xPML, a groundbreaking scripting
> language
> > > > that extends applications into web and mobile media. Attend the live
> webcast
> > > > and join the prime developer group breaking into this new coding
> territory!
> > > >
> http://sel.as-us.falkag.net/sel?cmdlnk&kid0944&bid$1720&dat1642
> > > > _______________________________________________
> > > > Wicket-user mailing list
> > > > Wicket-user@lists.sourceforge.net
> > > >
> https://lists.sourceforge.net/lists/listinfo/wicket-user
> > > >
> > >
> > >
> > > -------------------------------------------------------
> > > This SF.Net email is sponsored by xPML, a groundbreaking scripting
> language
> > > that extends applications into web and mobile media. Attend the live
> webcast
> > > and join the prime developer group breaking into this new coding
> territory!
> > >
> http://sel.as-us.falkag.net/sel?cmdlnk&kid0944&bid$1720&dat1642
> > > _______________________________________________
> > > Wicket-user mailing list
> > > Wicket-user@lists.sourceforge.net
> > >
> https://lists.sourceforge.net/lists/listinfo/wicket-user
> > >
> >
> >
> > -------------------------------------------------------
> > This SF.Net email is sponsored by xPML, a groundbreaking scripting
> language
> > that extends applications into web and mobile media. Attend the live
> webcast
> > and join the prime developer group breaking into this new coding
> territory!
> >
> http://sel.as-us.falkag.net/sel?cmdlnk&kid0944&bid$1720&dat1642
> > _______________________________________________
> > Wicket-user mailing list
> > Wicket-user@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/wicket-user
> >
>
>
>
>
> --
> Wicket 1.2 is coming! Write Ajax applications without touching _javascript_!
> -- http://wicketframework.org


-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmdlnk&kid0944&bid$1720&dat1642
_______________________________________________
Wicket-user mailing list
Wicket-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/wicket-user




--
Wicket 1.2 is coming! Write Ajax applications without touching _javascript_!
-- http://wicketframework.org

Reply via email to