for crypting/decrypting stuff in wicket itself (like password or cookies)
So there you can't just set one that works only one way.
johan
On 4/19/06, Juergen Donnerstag <[EMAIL PROTECTED]> wrote:
Johan, maybe you can create a little ICrypt implementation for that?
As it is one way, decrypt should probably throw an exception
Juergen
On 4/19/06, Rüdiger Schulz < [EMAIL PROTECTED]> wrote:
> Johan Compagner wrote on 19.04.2006 at 12:11:
>
> > it is not just the =
> > we use a different base64 set where + and / are - and _ so that urls can handle them.
>
> > http://www.faqs.org/rfcs/rfc3548.html
>
> > The best thing to do is convert to SHA one way encryption for passwords.
>
> You're probably right with that, and pre-Wicket I did always use SHA
> or MD5 for storing passwords in databases. I didn't really look very
> hard why I got an encrypted password from getModelValue(), I just
> thought "great, no need for me to do this by myself" and used it :)
>
> So, for anyone not knowing how to get a SHA hash out of a string,
> here's a little function doing just that:
>
> import java.security.MessageDigest;
> import java.security.NoSuchAlgorithmException;
>
> /**
>  * Encrypt a string using SHA one-way algorithm.
>  * @param s the string to be encrypted.
>  * @return the encrypted string as a 40 character hex string
>  * @throws NoSuchAlgorithmException if no implementation of SHA is available
>  */
> public static String getSHAHash(String s) throws NoSuchAlgorithmException {
>     // "SHA" resolves to SHA-1 (160-bit digest, hence 40 hex characters)
>     MessageDigest messagedigest = MessageDigest.getInstance("SHA");
>     // getBytes() without an argument uses the platform default charset
>     messagedigest.update(s.getBytes());
>     byte[] hash = messagedigest.digest();
>     // hexstring conversion copied from com.Ostermiller.util.MD5#toHex(byte hash[]) (GNU licensed)
>     StringBuffer buf = new StringBuffer(hash.length * 2);
>     for (int i = 0; i < hash.length; i++) {
>         int intVal = hash[i] & 0xff;
>         if (intVal < 0x10) {
>             // append a zero before a one digit hex number to make it two digits.
>             buf.append("0");
>         }
>         buf.append(Integer.toHexString(intVal));
>     }
>     return buf.toString();
> }
>
> The exception should really only be thrown if your JDK has no SHA
> included. AFAIK, the ones from Sun have it since JDK 1.2.
>
> Maybe this could be incorporated somewhere in Wicket, as storing SHA
> encrypted passwords is so common in web applications...
>
>
>
> --
> greetings from Berlin,
>
> Rüdiger Schulz
>
>
> > On 4/19/06, Rüdiger Schulz < [EMAIL PROTECTED]> wrote:
> > ok, great!
>
> > I think I can wait for the next RC, as this app is still in
> > development, and I can remove (and later re-add) those = in the
> > database manually for now.
>
>
> > --
> > greetings from Berlin,
>
> > Rüdiger Schulz
>
>
>
> > Martijn Dashorst wrote on 19.04.2006 at 00:29:
>
> >> In the next RC this problem will be fixed, and you'll get the = back in the string.
>
> >> If you need it earlier, you can check out wicket trunk and build your own wicket version.
>
> >> Martijn
>
>
> >> On 4/18/06, Rüdiger Schulz <[EMAIL PROTECTED]> wrote:
> >> Hello list,
>
> >> for a Wicket-application requiring a signed-in user I use
> >> PasswordTextField.getModelObject() for acquiring the entered data.
> >> Going the easy way, I simply stored this in the database, as it was
> >> already encrypted, and comparison during login is also very easy to
> >> do.
>
> >> Now I upgraded from wicket 1.1.1 to 1.2rc1. This method still works,
> >> but something has changed. Before, all passwords had a '=' as their
> >> last character, which they now lack. Apart from that, the encryption
> >> seems to produce the same encrypted strings out of the source strings.
>
> >> If this is not a bug, it should be stated in the migration guide
> >> somewhere...
>
> >> --
> >> greetings from Berlin,
>
> >> Rüdiger Schulz
-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmdlnk&kid0944&bid$1720&dat1642
_______________________________________________
Wicket-user mailing list
Wicket-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/wicket-user