[jbossseam-issues] [JBoss JIRA] Created: (JBSEAM-3942) LdapIdentityStore should crypt password

Raimund Hölle (JIRA) jira-events at lists.jboss.org
Sun Feb 8 08:12:44 EST 2009


LdapIdentityStore should crypt password
---------------------------------------

                 Key: JBSEAM-3942
                 URL: https://jira.jboss.org/jira/browse/JBSEAM-3942
             Project: Seam
          Issue Type: Feature Request
          Components: Security
    Affects Versions: 2.1.1.GA, 2.1.1.CR2, 2.1.1.CR1, 2.1.0.SP1
            Reporter: Raimund Hölle
            Priority: Minor


LdapIdentityStore.changePassword() always stores the new password as plain text in the LDAP database.

To allow crypted passwords, I suggest the following modifications:

New bean properties (along with getter / setter):

  private String passwordCryptAlgorithm   = "SHA";    // Or "" for plain text, "MD5", ...
  private String passwordEncoding         = "UTF-8"; 

Extend changePassword() by one additional line:

   public boolean changePassword(String name, String password) 
   {
      InitialLdapContext ctx = null;      
      try
      {
         ctx = initialiseContext();

         // crypt password if not already done
         password = cryptPwIfNeeded(password);
         
         BasicAttribute passwordAttrib = new BasicAttribute(getUserPasswordAttribute(), password);

         // ... remainder of the existing method (modifying the entry, closing ctx) is unchanged


New helper method:

  // imports needed in LdapIdentityStore for the helper below
  import java.io.UnsupportedEncodingException;
  import java.security.MessageDigest;
  import java.security.NoSuchAlgorithmException;
  import java.util.Base64;
  import java.util.regex.Pattern;

  // Stored values look like "{SHA}<base64>"; anything carrying a "{...}" prefix is treated as
  // already crypted. Note that a plain-text password which itself starts with "{something}"
  // also matches and is stored unchanged.
  private Pattern cryptedPwRegexp = Pattern.compile("^[{].+[}].+");

  private String cryptPwIfNeeded(String password) {
    // only crypt if requested by algorithm and not already done!
    if (getPasswordCryptAlgorithm() != null
        && ! getPasswordCryptAlgorithm().equals("")
        && ! cryptedPwRegexp.matcher(password).matches()) {
      
      try {
        // unsalted digest of the password bytes, as used by the LDAP {SHA} / {MD5} schemes
        MessageDigest md = MessageDigest.getInstance(getPasswordCryptAlgorithm());
        md.update(password.getBytes(getPasswordEncoding()));
        byte[] result = md.digest();

        // java.util.Base64 replaces sun.misc.BASE64Encoder from the original proposal, which is
        // not a public API and inserts a line break after every 76 output characters
        password = "{" + getPasswordCryptAlgorithm() + "}" + Base64.getEncoder().encodeToString(result);
        
      } catch ( NoSuchAlgorithmException e ) {
        throw new IdentityManagementException(
                    "Configuration problem - can not crypt password with algorithm " + getPasswordCryptAlgorithm(), e);
      } catch ( UnsupportedEncodingException e ) {
        throw new IdentityManagementException(
                    "Configuration problem - can not encode password with " + getPasswordEncoding(), e);
      }
    }
    
    return password;
  }

Many regards, Raimund

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
