portals-jetspeed-dev mailing list archives

From "Michael Lipp (JIRA)" <jetspeed-...@portals.apache.org>
Subject [jira] Commented: (JS2-550) A new Two-way password encoding service allowing decoding of encoded passwords
Date Fri, 30 Jun 2006 08:23:31 GMT
    [ http://issues.apache.org/jira/browse/JS2-550?page=comments#action_12418584 ] 

Michael Lipp commented on JS2-550:
----------------------------------

Well, as you are around this area: how about the opposite -- less security.

I have just packaged Jetspeed2 as EAR for JBoss. JBoss comes with a "simple" password encryption
algorithm in its database-based JAAS module. After setting up the queries for this module
(I had to make the Jetspeed tables look like simple User/Password and User/Roles tables),
I found that I still could not log in because although I specified the same algorithm, the
password as encoded by JBoss did not match the password as encoded by Jetspeed.

I quickly found out about Jetspeed's "advanced" hashing for password copy protection. As I
did not want to write a new JBoss JAAS module, I wrote a new MessageDigestCredentialPasswordEncoder
that does "simple" password hashing.

The additional user name hashing could easily be made optional using a configuration property
for the default MessageDigestCredentialPasswordEncoder. This would save me from maintaining
my extra class ;-).

> A new Two-way password encoding service allowing decoding of encoded passwords
> ------------------------------------------------------------------------------
>
>          Key: JS2-550
>          URL: http://issues.apache.org/jira/browse/JS2-550
>      Project: Jetspeed 2
>         Type: New Feature
>   Components: Security
>     Versions: 2.1, 2.1-dev
>     Reporter: Ate Douma
>     Assignee: Ate Douma
>      Fix For: 2.1, 2.1-dev
>
> For password encoding Jetspeed currently only provides the MessageDigestCredentialPasswordEncoder
> in the security component.
> While highly secure, this encoding solution cannot be used when you would like to be
> able to recover lost passwords, like providing the clear text value back to the user at a
> known/trusted email address, or for a trusted administrator to be able to do the same manually.
> Therefore, I'll provide a new two-way encoding solution based on PKCS #5 PBE (Password
> Based Encryption), which uses a cipher generated from a secure password to encode user passwords.
> For this solution I'll provide a service which both implements the security component SPI
> CredentialPasswordEncoder as well as a decode method to retrieve the clear text value of an
> encoded password.
> Thus, I'll add a new PasswordEncodingService interface to the jetspeed-api and a PBEPasswordService
> implementation in the security component.
> The PBEPasswordService both extends a POJO PBEPasswordTool class, which also can be used
> standalone through a main method, as well as the CredentialPasswordEncoder.
> This way, this new service can both be made available as a portlet service through the
> Jetspeed Spring configuration for usage from specialized Portlet Applications, as well as be
> used as a replacement for the default MessageDigestCredentialPasswordEncoder.
> An example Jetspeed Spring configuration of how to make use of the new service could be as
> follows.
> In security-spi-atn.xml:
>   <!-- A Two-way encoding password service which also implements CredentialPasswordEncoder.
>        This Service can be used instead of, for example, the default provided MessageDigestCredentialPasswordEncoder -->
>   <bean id="org.apache.jetspeed.security.PasswordEncodingService" name="org.apache.jetspeed.security.spi.CredentialPasswordEncoder"
>         class="org.apache.jetspeed.security.spi.impl.PBEPasswordService">
>     <constructor-arg index="0">
>       <!-- secret PBE key password -->
>       <value>********</value>
>     </constructor-arg>
>   </bean>
> In jetspeed-services.xml:
>   <bean id="PortalServices" class="org.apache.jetspeed.services.JetspeedPortletServices">
>      <constructor-arg>
>        <map>
>          <entry key="PortletRegistryComponent">
>            <ref bean="org.apache.jetspeed.components.portletregistry.PortletRegistry" />
>          </entry>
>          ...
>          <entry key="PasswordEncodingService">
>            <ref bean="org.apache.jetspeed.security.PasswordEncodingService" />
>          </entry>
>          ...
>        </map>
>      </constructor-arg>
>    </bean>
> Using the PBEPasswordTool standalone is possible as follows.
> Running the following command
>   java -cp jetspeed-api-2.1-dev.jar:jetspeed-security-2.1-dev.jar:commons-codec-1.3.jar org.apache.jetspeed.security.util.PBEPasswordTool
> gives the following output:
>   Encode/Decode a user password using Password Based Encryption
>   Usage: PBEPasswordTool <encode|decode> <encoding-password> <username> <password>
>     encode|decode    : specify if to encode or decode the provided password
>     encoding-password: the password to be used for encoding and decoding
>     username         : the name of the user to which the provided password belongs
>     password         : the cleartext password to encode, or the encoded password to decode

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
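An added illustration in Java (not Jetspeed's or JBoss's code) of the two encoder flavours this thread discusses: a one-way digest encoder whose user-name binding is a flag, as the comment proposes, beside a PKCS #5 PBE encode/decode pair of the kind the issue describes. How Jetspeed actually mixes the user name into its digest, and the use of the user name as PBE salt material, are assumptions; the encoding password and user names are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

public class PasswordEncoderDemo {
    /** One-way digest. bindUsername=true mixes the user name into the hash (an assumed form of
     *  Jetspeed's "advanced" copy protection); false yields the plain digest a "simple" JAAS module computes. */
    static String digestEncode(String username, String password, boolean bindUsername) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-1");
        if (bindUsername) {
            md.update(username.getBytes(StandardCharsets.UTF_8));
        }
        return Base64.getEncoder().encodeToString(md.digest(password.getBytes(StandardCharsets.UTF_8)));
    }

    /** Two-way PKCS #5 PBE via the JCE "PBEWithMD5AndDES" cipher keyed from the secret encoding password.
     *  The user name is folded into the salt so equal passwords encode differently per user. DES-based PBE
     *  is a period-faithful choice only; a current deployment would use an AES-based PBE cipher instead. */
    static byte[] pbe(int mode, String encodingPassword, String username, byte[] input) throws Exception {
        byte[] salt = new byte[8]; // PBEWithMD5AndDES requires exactly 8 salt bytes
        byte[] userDigest = MessageDigest.getInstance("SHA-1").digest(username.getBytes(StandardCharsets.UTF_8));
        System.arraycopy(userDigest, 0, salt, 0, salt.length);
        SecretKey key = SecretKeyFactory.getInstance("PBEWithMD5AndDES")
                .generateSecret(new PBEKeySpec(encodingPassword.toCharArray()));
        Cipher cipher = Cipher.getInstance("PBEWithMD5AndDES");
        cipher.init(mode, key, new PBEParameterSpec(salt, 1000));
        return cipher.doFinal(input);
    }
    static String pbeEncode(String encodingPassword, String username, String password) throws Exception {
        byte[] out = pbe(Cipher.ENCRYPT_MODE, encodingPassword, username, password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(out);
    }
    static String pbeDecode(String encodingPassword, String username, String encoded) throws Exception {
        byte[] out = pbe(Cipher.DECRYPT_MODE, encodingPassword, username, Base64.getDecoder().decode(encoded));
        return new String(out, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Same password for two users: the plain digest repeats (copyable), the bound digest does not.
        System.out.println(digestEncode("alice", "s3cret", false) + " " + digestEncode("bob", "s3cret", false));
        System.out.println(digestEncode("alice", "s3cret", true) + " " + digestEncode("bob", "s3cret", true));
        String enc = pbeEncode("example-encoding-password", "alice", "s3cret"); // constructed secret
        System.out.println(enc + " -> " + pbeDecode("example-encoding-password", "alice", enc));
    }
}
```

The first two output lines show why a digest-only JAAS module cannot verify a user-name-bound hash, and the last shows that the PBE form is recoverable only by a holder of the encoding password, which is exactly what makes the secret in security-spi-atn.xml worth protecting.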