<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">As far as I'm aware we never ever store
      a plain text password, and I'll be sure to recommend against it in
the documentation when it gets written.&nbsp; There are two parts to the
      credential handler SPI, one side of it is the side that the
      developer interacts with directly to validate or update a user's
      (plain text) password credential.&nbsp; For this part it makes sense to
      have the class called PlainTextPassword, because that's exactly
      what is being passed.&nbsp; The other side is the actual persisting of
      the credential, which is totally up to the IdentityStore and/or
      CredentialHandler implementation.&nbsp; In the case of passwords, we
      calculate and store a salted SHA-hash for the password
      (represented by the SHASaltedPasswordHash class) which is what
      gets stored by the IdentityStore in the database/wherever.&nbsp; If
      there is any confusion about this then I'll make sure it's
      explained clearly in the docs.<br>
      <br>
      On 08/01/13 00:18, Anil Saldhana wrote:<br>
    </div>
    <blockquote cite="mid:50EAD948.7000402@redhat.com" type="cite">
      <meta content="text/html; charset=ISO-8859-1"
        http-equiv="Content-Type">
      <div class="moz-cite-prefix">Having a PlainTextPassword and
        EncodedPassword separation at the class level is good.&nbsp; It
        clearly tells the user/developer what type of password is being
        stored.&nbsp; But if he chooses PTP, should we do the default
        salting/hashing in the background? The EncodedPassword can
allow configuration of salting/hashing mechanisms.<br>
        <br>
        We should not at any cost save plain text passwords in the
        tables.<br>
        <br>
        Wdyt?<br>
        <br>
        <br>
        On 01/07/2013 08:14 AM, Pedro Igor Silva wrote:<br>
      </div>
      <blockquote
        cite="mid:904791105.518178.1357568080995.JavaMail.root@redhat.com"
        type="cite">
        <div class="moz-text-plain" wrap="true" graphical-quote="true"
          style="font-family: -moz-fixed; font-size: 12px;"
          lang="x-western">
          <pre wrap="">Yeah, the class name is not good and leads to confusion.

Today you do not need any extra code to get encoded passwords. The code you pointed out is already doing that:

    <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://github.com/picketlink/TODO/blob/master/server/src/main/java/org/aerogear/todo/server/security/register/RegistrationEndpoint.java#L85">https://github.com/picketlink/TODO/blob/master/server/src/main/java/org/aerogear/todo/server/security/register/RegistrationEndpoint.java#L85</a>

Behind the scenes it is using SHA-512 and a SecureRandom-1024 salt. Unfortunately, you cannot change such configuration for now.

Regards.
Pedro Igor

----- Original Message -----
From: "Bruno Oliveira" <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:bruno@abstractj.org">&lt;bruno@abstractj.org&gt;</a>
To: "Pedro Igor Silva" <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:psilva@redhat.com">&lt;psilva@redhat.com&gt;</a>
Cc: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:security-dev@lists.jboss.org">security-dev@lists.jboss.org</a>
Sent: Monday, January 7, 2013 11:49:08 AM
Subject: Re: [security-dev] SHA salted passwords

Hi Pedro, maybe the class name led me to some confusion and I missed the real concept here. So, the PlainTextPassword can be used to store an encoded password; which algorithm will be used behind the scenes?

Which extra code is necessary to have encoded passwords on PicketLink? Could you please provide some example?

+1 on EncodedPassword class. 


<div class="moz-txt-sig">-- 
"The measure of a man is what he does with power" - Plato
-
@abstractj
-
Volenti Nihil Difficile



On Monday, January 7, 2013 at 10:20 AM, Pedro Igor Silva wrote:

</div></pre>
          <blockquote type="cite" style="color: #C0C0C0;">
            <pre wrap=""><span class="moz-txt-citetags">&gt; </span>Actually, passwords are not stored in plain text by default. The PlainTextPassword is used to store both encoded and plain text passwords.
<span class="moz-txt-citetags">&gt; </span>
<span class="moz-txt-citetags">&gt; </span>Maybe we can change the API to better indicate whether you want to use encoded passwords or not. Something like this:
<span class="moz-txt-citetags">&gt; </span>
<span class="moz-txt-citetags">&gt; </span>Encoded : this.identityManager.updateCredential(user, new EncodedPassword(request.getPassword()));
<span class="moz-txt-citetags">&gt; </span>
<span class="moz-txt-citetags">&gt; </span>Plain Text: this.identityManager.updateCredential(user, new PlainTextPassword(request.getPassword()));
<span class="moz-txt-citetags">&gt; </span>
<span class="moz-txt-citetags">&gt; </span>Where for the EncodedPassword type you can specify the different configurations for the encoding such as supported algorithms, salt, etc.
<span class="moz-txt-citetags">&gt; </span>
<span class="moz-txt-citetags">&gt; </span>----- Original Message -----
<span class="moz-txt-citetags">&gt; </span>From: "Bruno Oliveira" <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:bruno@abstractj.org%28mailto:bruno@abstractj.org%29">&lt;bruno@abstractj.org (mailto:bruno@abstractj.org)&gt;</a>
<span class="moz-txt-citetags">&gt; </span>To: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:security-dev@lists.jboss.org">security-dev@lists.jboss.org</a> (<a moz-do-not-send="true" class="moz-txt-link-freetext" href="mailto:security-dev@lists.jboss.org">mailto:security-dev@lists.jboss.org</a>)
<span class="moz-txt-citetags">&gt; </span>Sent: Monday, January 7, 2013 7:49:58 AM
<span class="moz-txt-citetags">&gt; </span>Subject: [security-dev] SHA salted passwords
<span class="moz-txt-citetags">&gt; </span>
<span class="moz-txt-citetags">&gt; </span>Good morning everyone. 
<span class="moz-txt-citetags">&gt; </span>
<span class="moz-txt-citetags">&gt; </span>I'm planning to upgrade AeroGear to PicketLink, looking at the examples looks like the passwords will be stored in plain text 
<span class="moz-txt-citetags">&gt; </span>(<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://github.com/picketlink/TODO/blob/master/server/src/main/java/org/aerogear/todo/server/security/register/RegistrationEndpoint.java#L85">https://github.com/picketlink/TODO/blob/master/server/src/main/java/org/aerogear/todo/server/security/register/RegistrationEndpoint.java#L85</a>).
<span class="moz-txt-citetags">&gt; </span>
<span class="moz-txt-citetags">&gt; </span>I was just wondering if ShaSaltedPasswordHash (<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://github.com/picketlink/picketlink/blob/master/idm/impl/src/main/java/org/picketlink/idm/password/internal/SHASaltedPasswordHash.java#L13">https://github.com/picketlink/picketlink/blob/master/idm/impl/src/main/java/org/picketlink/idm/password/internal/SHASaltedPasswordHash.java#L13</a>) 
<span class="moz-txt-citetags">&gt; </span>could replace PlainTextPassword in this example, because I don't want to provide examples to our users with passwords stored in plain text. 
<span class="moz-txt-citetags">&gt; </span>
<span class="moz-txt-citetags">&gt; </span>Is it possible? 
<span class="moz-txt-citetags">&gt; </span>
<span class="moz-txt-citetags">&gt; </span>
<span class="moz-txt-citetags">&gt; </span>-- 
<span class="moz-txt-citetags">&gt; </span>"The measure of a man is what he does with power" - Plato
<span class="moz-txt-citetags">&gt; </span>-
<span class="moz-txt-citetags">&gt; </span>@abstractj
<span class="moz-txt-citetags">&gt; </span>-
<span class="moz-txt-citetags">&gt; </span>Volenti Nihil Difficile
<span class="moz-txt-citetags">&gt; </span>
<span class="moz-txt-citetags">&gt; </span>
<span class="moz-txt-citetags">&gt; </span>
<span class="moz-txt-citetags">&gt; </span>_______________________________________________
<span class="moz-txt-citetags">&gt; </span>security-dev mailing list
<span class="moz-txt-citetags">&gt; </span><a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:security-dev@lists.jboss.org">security-dev@lists.jboss.org</a> (<a moz-do-not-send="true" class="moz-txt-link-freetext" href="mailto:security-dev@lists.jboss.org">mailto:security-dev@lists.jboss.org</a>)
<span class="moz-txt-citetags">&gt; </span><a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/security-dev">https://lists.jboss.org/mailman/listinfo/security-dev</a>
</pre>
          </blockquote>
        </div>
      </blockquote>
    </blockquote>
    <br>
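<div>As an added illustration (not PicketLink's own code) of the two-sided split described in this thread: the developer side only ever handles a PlainTextPassword, while the persisted side holds a SecureRandom salt plus a SHA-512 hash, as Pedro describes. All class and method names below are assumptions made for the sketch, not the project's API.</div>

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

// Hypothetical sketch of the split discussed in the thread: the developer-facing
// side only ever sees a PlainTextPassword, the persisted side only ever sees
// salt + SHA-512 hash. Class names are illustrative, not PicketLink's.
public final class SaltedPasswordDemo {
    /** Developer side: what is handed to updateCredential()/validateCredentials(). */
    public static final class PlainTextPassword {
        private final char[] value;
        public PlainTextPassword(char[] value) { this.value = value.clone(); }
        byte[] bytes() { return new String(value).getBytes(StandardCharsets.UTF_8); }
    }

    /** Store side: what the IdentityStore persists. Holds no plain text at all. */
    public static final class SaltedPasswordHash {
        final byte[] salt;
        final byte[] hash;
        SaltedPasswordHash(byte[] salt, byte[] hash) { this.salt = salt; this.hash = hash; }
    }

    private static final SecureRandom RNG = new SecureRandom();

    private static byte[] sha512(byte[] salt, byte[] password) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-512");
        md.update(salt); // per-user salt: identical passwords get different hashes
        return md.digest(password);
    }

    /** Called on updateCredential(): derive what gets stored from the plain text. */
    public static SaltedPasswordHash encode(PlainTextPassword pw) throws NoSuchAlgorithmException {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        return new SaltedPasswordHash(salt, sha512(salt, pw.bytes()));
    }

    /** Called on validation: recompute with the stored salt, compare in constant time. */
    public static boolean validate(PlainTextPassword pw, SaltedPasswordHash stored)
            throws NoSuchAlgorithmException {
        return MessageDigest.isEqual(stored.hash, sha512(stored.salt, pw.bytes()));
    }

    public static void main(String[] args) throws Exception {
        SaltedPasswordHash stored = encode(new PlainTextPassword("correct horse".toCharArray()));
        System.out.println(validate(new PlainTextPassword("correct horse".toCharArray()), stored)); // same password
        System.out.println(validate(new PlainTextPassword("wrong".toCharArray()), stored));         // different password
    }
}
```

A single SHA-512 round is cheap to brute-force offline; on the persisted side a deliberately slow, iterated KDF (the JDK ships PBKDF2WithHmacSHA512 via SecretKeyFactory) is the stronger choice once the encoding becomes configurable.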
  </body>
</html>