[gatein-commits] gatein SVN: r8258 - in portal/trunk/docs/reference-guide/en-US/modules: AuthenticationAndIdentity and 1 other directory.

Friday, 16 December 2011


Author: mposolda
Date: 2011-12-16 06:48:35 -0500 (Fri, 16 Dec 2011)
New Revision: 8258

Added:
  
portal/trunk/docs/reference-guide/en-US/modules/AuthenticationAndIdentity/PasswordEncryption.xml
Modified:
   portal/trunk/docs/reference-guide/en-US/modules/AuthenticationAndIdentity.xml
Log:
GTNPORTAL-2313 Port documentation about password encryption from EPP

Added:
portal/trunk/docs/reference-guide/en-US/modules/AuthenticationAndIdentity/PasswordEncryption.xml
===================================================================
---
portal/trunk/docs/reference-guide/en-US/modules/AuthenticationAndIdentity/PasswordEncryption.xml	
                       (rev 0)
+++
portal/trunk/docs/reference-guide/en-US/modules/AuthenticationAndIdentity/PasswordEncryption.xml	2011-12-16
11:48:35 UTC (rev 8258)
@@ -0,0 +1,144 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+        <!ENTITY % BOOK_ENTITIES SYSTEM "../../Reference_Guide.ent">
+        %BOOK_ENTITIES;
+        ]>
+<section
id="sect-Reference_Guide-Authentication_and_Identity-Password_Encryption">
+    <title>Password Encryption</title>
+    <!--       The warning and first listitem below were relocated from
sect-Reference_Guide-Authentication_Token_Configuration as security and plain-text
password issues were being expanded on (from JBEPP-610)       --> <warning>
+    <title>Username and passwords stored in clear text</title>
+    <para>
+        The <emphasis>Remember Me</emphasis> feature of JBoss Enterprise
Portal Platform uses a token mechanism to be able to authenticate returning users without
requiring an explicit login. However, to be able to authenticate these users, the token
needs to store the username and password in clear text in the JCR.
+    </para>
+
+</warning>
+    <para>
+        Administrators have two options available to ameliorate this risk:
+    </para>
+    <orderedlist>
+        <listitem>
+            <para>
+                The <emphasis>Remember Me</emphasis> feature can be disabled
by removing the corresponding checkbox in:
<filename><replaceable>&lt;JBOSS_HOME&gt;</replaceable>/server/<replaceable>&lt;PROFILE&gt;</replaceable>/deploy/gatein.ear/02portal.war/login/jsp/login.jsp</filename>
and
<filename><replaceable>&lt;JBOSS_HOME&gt;</replaceable>/server/<replaceable>&lt;PROFILE&gt;</replaceable>/deploy/gatein.ear/02portal.war/groovy/portal/webui/UILoginForm.gtmpl</filename>.
+            </para>
+
+        </listitem>
+        <listitem>
+            <para>
+                Passwords can be encoded prior to being saved to the JCR. This option
requires administrators to provide a custom subclass of
<parameter>org.exoplatform.web.security.security.AbstractCodec</parameter> and
set up a codec implementation with <parameter>CookieTokenService</parameter>:
+            </para>
+            <procedure
id="proc-Reference_Guide-Password_Encryption-Encrypt_Password_in_JCR">
+                <title>Encrypt Password in JCR</title>
+                <step>
+                    <para>
+                        Create a javaclass similar to:
+                    </para>
+
+                    <programlisting language="Java"
role="Java">
+                        <![CDATA[
+package org.example.codec;
+
+import org.exoplatform.container.xml.InitParams;
+import org.exoplatform.web.security.security.AbstractCodec;
+import org.exoplatform.web.security.security.CookieTokenService;
+import org.picocontainer.Startable;
+
+public class ExampleCodec extends AbstractCodec implements Startable
+{
+   private String simpleParam;
+   private CookieTokenService cookieTokenService;
+
+   public ExampleCodec(InitParams params, CookieTokenService cookieTokenService)
+   {
+      simpleParam = params.getValueParam("encodingParam").getValue();
+      this.cookieTokenService = cookieTokenService;
+   }
+
+   public void start()
+   {
+      cookieTokenService.setupCodec(this);
+   }
+
+   public void stop()
+   {
+   }
+
+   /**
+    * Very simple encoding algorithm used only for demonstration purposes.
+    * You should use stronger algorithm in real production environment.
+    */
+   public String encode(String plainInput)
+   {
+      return plainInput + simpleParam;
+   }
+
+   public String decode(String encodedInput)
+   {
+      return encodedInput.substring(0, encodedInput.length() - simpleParam.length());
+   }
+
+}
+
+]]>
+                    </programlisting>
+
+                </step>
+                <step>
+                    <para>
+                        Compile the class and package it into a jar file. For this
example we will call the jar file <filename>codec-example.jar</filename>.
+                    </para>
+
+                </step>
+                <step>
+                    <para>
+                        Create a
<filename>conf/portal/configuration.xml</filename> file within the
<filename>codec-example.jar</filename> similar to the example below. This
allows the portal kernel to find and use the new codec implementation.
+                    </para>
+
+                    <programlisting language="XML" role="XML">
+                        <![CDATA[
+<?xml version="1.0" encoding="ISO-8859-1"?>
+
+<configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xsi:schemaLocation="http://www.exoplaform.org/xml/ns/kernel_1_2.xsd
http://www.exoplaform.org/xml/ns/kernel_1_2.xsd"
+xmlns="http://www.exoplaform.org/xml/ns/kernel_1_2.xsd">
+
+<component>
+   <key>org.example.codec.ExampleCodec</key>
+   <type>org.example.codec.ExampleCodec</type>
+   <init-params>
+      <value-param>
+         <name>encodingParam</name>
+         <value>aaa</value>
+      </value-param>
+   </init-params>
+</component>
+
+</configuration>
+]]>
+                    </programlisting>
+
+                </step>
+                <step>
+                    <para>
+                        Deploy the <filename>codec-example.jar</filename>
into your
<filename><replaceable>&lt;JBOSS_HOME&gt;</replaceable>/server/<replaceable>&lt;PROFILE&gt;</replaceable>/deploy/gatein.ear/lib/</filename>
directory.
+                    </para>
+
+                </step>
+                <step>
+                    <para>
+                        Start (or restart) your JBoss Enterprise Portal Platform.
+                    </para>
+                    <para>
+                        Any passwords written to the JCR will now be encoded and not
plain text.
+                    </para>
+
+                </step>
+
+            </procedure>
+
+
+        </listitem>
+
+    </orderedlist>
+
+</section>
+

Modified: portal/trunk/docs/reference-guide/en-US/modules/AuthenticationAndIdentity.xml
===================================================================
---
portal/trunk/docs/reference-guide/en-US/modules/AuthenticationAndIdentity.xml	2011-12-15
20:21:49 UTC (rev 8257)
+++
portal/trunk/docs/reference-guide/en-US/modules/AuthenticationAndIdentity.xml	2011-12-16
11:48:35 UTC (rev 8258)
@@ -5,6 +5,7 @@
 ]>
 <chapter id="chap-Reference_Guide-Authentication_And_Identity">
    <title>Authentication and Identity</title>
+   <xi:include href="AuthenticationAndIdentity/PasswordEncryption.xml"
xmlns:xi="http://www.w3.org/2001/XInclude" />
    <xi:include
href="AuthenticationAndIdentity/PredefinedUserConfiguration.xml"
xmlns:xi="http://www.w3.org/2001/XInclude" />
    <xi:include
href="AuthenticationAndIdentity/AuthenticationTokenConfiguration.xml"
xmlns:xi="http://www.w3.org/2001/XInclude" />
    <xi:include href="AuthenticationAndIdentity/BackendConfiguration.xml"
xmlns:xi="http://www.w3.org/2001/XInclude" />


    

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

[gatein-commits] gatein SVN: r8258 - in portal/trunk/docs/reference-guide/en-US/modules: AuthenticationAndIdentity and 1 other directory.