Author: aakanksha_writer
Date: 2013-01-22 00:18:26 -0500 (Tue, 22 Jan 2013)
New Revision: 9071
Modified:
epp/docs/branches/6.0/Reference_Guide/en-US/Revision_History.xml
epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIdentity/BackendConfiguration.xml
epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIdentity/PasswordEncryption.xml
Log:
Updated Chapter Password Encryption and
Modified: epp/docs/branches/6.0/Reference_Guide/en-US/Revision_History.xml
===================================================================
--- epp/docs/branches/6.0/Reference_Guide/en-US/Revision_History.xml 2013-01-22 05:16:43
UTC (rev 9070)
+++ epp/docs/branches/6.0/Reference_Guide/en-US/Revision_History.xml 2013-01-22 05:18:26
UTC (rev 9071)
@@ -7,6 +7,22 @@
<title>Revision History</title>
<simpara>
<revhistory>
+ <revision>
+ <revnumber>6.0.0-31</revnumber>
+ <date>Thu Jan 22 2013</date>
+ <author>
+ <firstname>Aakanksha</firstname>
+ <surname>Singh</surname>
+ <email/>
+ </author>
+ <revdescription>
+ <simplelist>
+ <member>Imported raw content for chapters for Password Encryption and
PicketLink IDM integration.</member>
+ <member>Rebased changes for
https://docs.jboss.org/author/display/GTNPORTAL35/PicketLink+IDM+integrat...
+ <member>Rebased changes for
https://docs.jboss.org/author/display/GTNPORTAL35/Password+Encryption<...
+ </simplelist>
+ </revdescription>
+ </revision>
<revision>
<revnumber>6.0.0-30</revnumber>
<date>Thu Jan 17 2013</date>
Modified:
epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIdentity/BackendConfiguration.xml
===================================================================
---
epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIdentity/BackendConfiguration.xml 2013-01-22
05:16:43 UTC (rev 9070)
+++
epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIdentity/BackendConfiguration.xml 2013-01-22
05:18:26 UTC (rev 9071)
@@ -1,4 +1,5 @@
<?xml version='1.0' encoding='UTF-8'?>
+<!-- This document was created with Syntext Serna Free. -->
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % BOOK_ENTITIES SYSTEM "../../Reference_Guide.ent">
%BOOK_ENTITIES;
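Review bot: The line added at the top of this hunk, `<!-- This document was created with Syntext Serna Free. -->`, is an editor artifact rather than content and should be dropped before commit; the same comment is added to PasswordEncryption.xml in the hunk ending at L807, where it is additionally fused onto the `<!DOCTYPE` line, so that file also loses its one-declaration-per-line layout. The rest of the prolog (the DocBook public identifier and the `BOOK_ENTITIES` reference to `../../Reference_Guide.ent`) is unchanged and matches the other modules in the guide. The `<chapter>` element these hunks belong to opens outside this hunk.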
@@ -389,4 +390,357 @@
<programlisting language="XML" role="XML"><xi:include
href="../../extras/Authentication_Identity_BackendConfiguration/default97.xml"
parse="text"
xmlns:xi="http://www.w3.org/2001/XInclude"
/></programlisting>
- </section> --></chapter>
+ </section> -->
+
+<section id="sid-54264613_PicketLinkIDMintegration-Configurationfiles">
+
+ <title>Configuration files</title>
+ <para>
+ The main configuration file is
+
<code>JBOSS_HOME/gatein/gatein.ear/portal.war/WEB-INF/conf/organization/idm-configuration.xml</code>
+ :
+ </para>
+ <informalexample>
+ <programlisting><configuration
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+
xsi:schemaLocation="http://www.exoplaform.org/xml/ns/kernel_1_2.xsd
http://www.exoplaform.org/xml/ns/kernel_1_2.xsd"
+
xmlns="http://www.exoplaform.org/xml/ns/kernel_1_2.xsd">
+
+ <component>
+
<key>org.exoplatform.services.organization.idm.PicketLinkIDMService</key>
+
<type>org.exoplatform.services.organization.idm.PicketLinkIDMServiceImpl</type>
+ <init-params>
+ <value-param>
+ <name>config</name>
+
<value>war:/conf/organization/idm-config.xml</value>
+ </value-param>
+ <value-param>
+ <name>portalRealm</name>
+ <value>realm${container.name.suffix}</value>
+ </value-param>
+ </init-params>
+ </component>
+
+
+ <component>
+
<key>org.exoplatform.services.organization.OrganizationService</key>
+
<type>org.exoplatform.services.organization.idm.PicketLinkIDMOrganizationServiceImpl</type>
+ <init-params>
+ <object-param>
+ <name>configuration</name>
+ <object
type="org.exoplatform.services.organization.idm.Config">
+ <field name="useParentIdAsGroupType">
+ <boolean>true</boolean>
+ </field>
+
+ <field name="forceMembershipOfMappedTypes">
+ <boolean>true</boolean>
+ </field>
+
+ <field name="pathSeparator">
+ <string>.</string>
+ </field>
+
+ <field name="rootGroupName">
+ <string>GTN_ROOT_GROUP</string>
+ </field>
+
+ <field name="groupTypeMappings">
+ <map type="java.util.HashMap">
+ <entry>
+
<key><string>/</string></key>
+
<value><string>root_type</string></value>
+ </entry>
+
+ <!-- Sample mapping -->
+ <!--
+ <entry>
+
<key><string>/platform/*</string></key>
+
<value><string>platform_type</string></value>
+ </entry>
+ <entry>
+
<key><string>/organization/*</string></key>
+
<value><string>organization_type</string></value>
+ </entry>
+ -->
+
+ </map>
+ </field>
+
+ <field name="associationMembershipType">
+ <string>member</string>
+ </field>
+
+ <field name="ignoreMappedMembershipType">
+ <boolean>false</boolean>
+ </field>
+ </object>
+ </object-param>
+ </init-params>
+
+
+ </component>
+
+</configuration>
+</programlisting>
+ </informalexample>
+ <section
id="sid-54264613_PicketLinkIDMintegration-PicketlinkIDMServiceImpl">
+
+ <title>PicketlinkIDMServiceImpl</title>
+ <para>
+ The
+
<code>org.exoplatform.services.organization.idm.PicketLinkIDMServiceImpl</code>
+ service has the following options:
+ </para>
+ <itemizedlist>
+ <listitem>
+ <para>
+ <code>config</code>
+ (value-param) The PicketLink IDM configuration file.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <code>hibernate.properties</code>
+ (properties-param) A list of hibernate properties used to create
SessionFactory that will be injected to JBoss Identity IDM configuration registry.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <code>hibernate.annotations</code>
+ A list of annotated classes that will be added to Hibernate configuration.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <code>hibernate.mappings</code>
+ A list of
+ <code>.xml</code>
+ files that will be added to hibernate configuration as mapping files.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <code>jndiName</code>
+ (value-param) If the 'config' parameter is not provided, this
parameter will be used to perform JNDI lookup for
+ <code>IdentitySessionFactory</code>
+ .
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <code>portalRealm</code>
+ (value-param) The realm name that should be used to obtain proper
+ <code>IdentitySession</code>
+ . The default is
+ <code>'PortalRealm'</code>
+ .
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <code>apiCacheConfig</code>
+ (value-param) The infinispan configuration file with cache configuration for
Picketlink IDM API. It's different for cluster and non-cluster because infinispan
needs to be replicated in cluster environment.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <code>storeCacheConfig</code>
+ (value-param)
+
+ The infinispan configuration file with cache configuration for Picketlink IDM
IdentityStore. Actually it's used only for LDAP store (not used with default DB
configuration). It's different for cluster and non-cluster because infinispan needs to
be replicated in cluster environment.
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+ <section
id="sid-54264613_PicketLinkIDMintegration-PicketlinkIDMOrganizationServiceImpl">
+
+ <title>PicketlinkIDMOrganizationServiceImpl</title>
+ <para>
+ The
+
<code>org.exoplatform.services.organization.idm.PicketLinkIDMOrganizationServiceImpl</code>
+ key is a main entrypoint implementing
+
<code>org.exoplatform.services.organization.OrganizationService</code>
+ and is dependent on
+
<code>org.exoplatform.services.organization.idm.PicketLinkIDMService</code>
+ .
+ </para>
+ <para>
+ The
+
<code>org.exoplatform.services.organization.idm.PicketLinkIDMOrganizationServiceImpl</code>
+ service has the following options defined as fields of object-param of the
+ <code>org.exoplatform.services.organization.idm.Config</code>
+ type:
+ </para>
+ <itemizedlist>
+ <listitem>
+ <para>
+ <code>defaultGroupType</code>
+ The name of the PicketLink IDM GroupType that will be used to store groups.
The default is
+ <code>'GTN_GROUP_TYPE'</code>
+ .
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <code>rootGroupName</code>
+ The name of the PicketLink IDM Group that will be used as a root parent. The
default is
+ <code>'GTN_ROOT_GROUP'</code>
+ .
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <code>passwordAsAttribute</code>
+ This parameter specifies if a password should be stored using PicketLink IDM
Credential object or as a plain attribute. The default is
+ <code>false</code>
+ .
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <code>useParentIdAsGroupType</code>
+ This parameter stores the parent ID path as a group type in PicketLink IDM
for any IDs not mapped with a specific type in 'groupTypeMappings'. If this option
is set to
+ <code>false</code>
+ , and no mappings are provided under 'groupTypeMappings', then only
one group with the given name can exist in the portal group tree.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <code>pathSeparator</code>
+ When 'userParentIdAsGroupType is set to
+ <code>true</code>
+ , this value will be used to replace all "/" characters in IDs. The
"/" character is not allowed to be used in group type name in PicketLink IDM.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <code>associationMembershipType</code>
+ If this option is used, then each Membership, created with MembrshipType that
is equal to the value specified here, will be stored in PicketLink IDM as simple
Group-User association.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <code>groupTypeMappings</code>
+ This parameter maps groups added with portal API as children of a given group
ID, and stores them with a given group type name in PicketLink IDM.
+
+ If the parent ID ends with "/*", then all child groups will have
the mapped group type. Otherwise, only direct (first level) children will use this type.
+
+ This can be leveraged by LDAP if LDAP DN is configured in PicketLink IDM to
only store a specific group type. This will then store the given branch in portal group
tree, while all other groups will remain in the database.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <code>forceMembershipOfMappedTypes</code>
+ Groups stored in PicketLink IDM with a type mapped in
'groupTypeMappings' will automatically be members under the mapped parent. Group
relationships linked by PicketLink IDM group association will not be necessary.
+
+ This parameter can be set to false if all groups are added via portal APIs.
This may be useful with LDAP configuration as, when set to true, it will make every entry
added to LDAP appear in portal. This, however, is not true for entries added via GateIn
Portal management UI.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <code>ignoreMappedMembershipType</code>
+ If "associationMembershipType" option is used, and this option is
set to true, then Membership with MembershipType configured to be stored as PicketLink IDM
association will not be stored as PicketLink IDM Role.
+ </para>
+ </listitem>
+ </itemizedlist>
+ <para>
+ Additionally,
+ <emphasis
role="italics">PicketlinkIDMOrganizationServiceImpl</emphasis>
+ uses those defaults to perform identity management operations.
+ </para>
+ <itemizedlist>
+ <listitem>
+ <para>GateIn Portal User interface properties fields are persisted in
Picketlink IDM using those attributes names: firstName, lastName, email, createdDate,
lastLoginTime, organizationId, password (if password is configured to be stored as
attribute).</para>
+ </listitem>
+ <listitem>
+ <para>GateIn Portal Group interface properties fields are persisted in
Picketlink IDM using those attributes names: label, description.</para>
+ </listitem>
+ <listitem>
+ <para>
+ GateIn Portal MembershipType interface properties fields are persisted in
JBoss Identity IDM using those RoleType properties: description, owner, create_date,
modified_date.
+
+ A sample
+ <emphasis role="italics">PicketLink IDM</emphasis>
+ configuration file is shown below. To understand all the options it contains,
please refer to the PicketLink IDM Reference Guide.
+ </para>
+ </listitem>
+ </itemizedlist>
+ <informalexample>
+ <programlisting><jboss-identity
xmlns="urn:jboss:identity:idm:config:v1_0_beta"
+
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="urn:jboss:identity:idm:config:v1_0_alpha
identity-config.xsd">
+ <realms>
+ <realm>
+ <id>PortalRealm</id>
+
<repository-id-ref>PortalRepository</repository-id-ref>
+ <identity-type-mappings>
+ <user-mapping>USER</user-mapping>
+ </identity-type-mappings>
+ </realm>
+ </realms>
+ <repositories>
+ <repository>
+ <id>PortalRepository</id>
+
<class>org.jboss.identity.idm.impl.repository.WrapperIdentityStoreRepository</class>
+ <external-config/>
+
<default-identity-store-id>HibernateStore</default-identity-store-id>
+
<default-attribute-store-id>HibernateStore</default-attribute-store-id>
+ </repository>
+ </repositories>
+ <stores>
+ <attribute-stores/>
+ <identity-stores>
+ <identity-store>
+ <id>HibernateStore</id>
+
<class>org.jboss.identity.idm.impl.store.hibernate.HibernateIdentityStoreImpl</class>
+ <external-config/>
+ <supported-relationship-types>
+
<relationship-type>JBOSS_IDENTITY_MEMBERSHIP</relationship-type>
+
<relationship-type>JBOSS_IDENTITY_ROLE</relationship-type>
+ </supported-relationship-types>
+ <supported-identity-object-types>
+ <identity-object-type>
+ <name>USER</name>
+ <relationships/>
+ <credentials>
+
<credential-type>PASSWORD</credential-type>
+ </credentials>
+ <attributes/>
+ <options/>
+ </identity-object-type>
+ </supported-identity-object-types>
+ <options>
+ <option>
+
<name>hibernateSessionFactoryRegistryName</name>
+
<value>hibernateSessionFactory</value>
+ </option>
+ <option>
+
<name>allowNotDefinedIdentityObjectTypes</name>
+ <value>true</value>
+ </option>
+ <option>
+
<name>populateRelationshipTypes</name>
+ <value>true</value>
+ </option>
+ <option>
+
<name>populateIdentityObjectTypes</name>
+ <value>true</value>
+ </option>
+ <option>
+
<name>allowNotDefinedAttributes</name>
+ <value>true</value>
+ </option>
+ <option>
+ <name>isRealmAware</name>
+ <value>true</value>
+ </option>
+ </options>
+ </identity-store>
+ </identity-stores>
+ </stores>
+</jboss-identity>
+</programlisting>
+ </informalexample>
+ </section>
+ </section>
+</chapter>
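Review bot: The sample PicketLink IDM file in this hunk declares `xmlns="urn:jboss:identity:idm:config:v1_0_beta"` but pairs `xsi:schemaLocation` with `urn:jboss:identity:idm:config:v1_0_alpha identity-config.xsd`; the two namespace URIs differ, so a validating consumer would never associate the schema with the document, and one of them should be corrected to match the other. The same sample uses `org.jboss.identity.idm.impl.*` class names while the surrounding prose and the new Password Encryption chapter refer to `org.picketlink.idm.impl.*`, which suggests this listing predates the PicketLink rename and should be checked against the shipped configuration before publication. The `config` value `war:/conf/organization/idm-config.xml` in the kernel sample also disagrees with the path `.../conf/organization/picketlink-idm/picketlink-idm-config.xml` given in the Password Encryption chapter for the same file. For `passwordAsAttribute`, readers would benefit from a one-line caveat such as `Storing the password as a plain attribute bypasses the CredentialEncoder hashing described in the Password Encryption chapter` — hedged with "confirm against the implementation" if that is not certain — since the current text gives no hint that the two modes differ in how the credential is protected. Finally, `'userParentIdAsGroupType` should read `useParentIdAsGroupType` (the option documented above it) and `MembrshipType` should read `MembershipType`; the `<chapter>` closed at the end of this hunk opens outside it.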
Modified:
epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIdentity/PasswordEncryption.xml
===================================================================
---
epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIdentity/PasswordEncryption.xml 2013-01-22
05:16:43 UTC (rev 9070)
+++
epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIdentity/PasswordEncryption.xml 2013-01-22
05:18:26 UTC (rev 9071)
@@ -1,62 +1,185 @@
<?xml version='1.0' encoding='UTF-8'?>
-<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+<!-- This document was created with Syntext Serna Free. --><!DOCTYPE section
PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % BOOK_ENTITIES SYSTEM "../../Reference_Guide.ent">
%BOOK_ENTITIES;
]>
<chapter
id="sect-Reference_Guide-Authentication_and_Identity-Password_Encryption">
<title>Password Encryption</title>
- <warning>
- <title>Username and passwords stored in clear text</title>
+ <section
id="sid-54264610_PasswordEncryption-HashingandsaltingofpasswordsinPicketlinkIDM">
+ <title>Hashing and salting of passwords in Picketlink IDM</title>
<para>
+ GateIn Portal is using
+ <ulink
url="http://www.jboss.org/picketlink/IDM">Picketlink
IDM</ulink>
+ framework to store information about identity objects (users/groups/memberships)
and more info about this is in
+ <ulink
url="https://docs.jboss.org/author/pages/viewpage.action?pageId=5426...
IDM integration</ulink>
+ . For better security, Picketlink IDM does not save user passwords into database in
plain-text, but it uses
+ <code>CredentialEncoder</code>
+ , which encode password and save the encoded form into Picketlink IDM database.
+
+ Later when user want to authenticate, he needs to provide his password in
plain-text via web login form. Provided password is then encoded and compared with encoded
password from Picketlink IDM database. GateIn Portal is then able to authenticate user
based on this comparison.
+ </para>
+ <para>
+ Default implementation of
+ <code>CredentialEncoder</code>
+ is using password hashing with MD5 algorithm and storing those MD5 hashes in
database. It does not use any salting of passwords. This is not safest solution, but
it's backward compatible with previous releases of GateIn Portal before version
3.5, where MD5 password hashing was only possible encoding form. So if you migrate from
older release of GateIn Portal, your users will be still able to authenticate.
+ </para>
+ <para>However if you are starting from fresh database (no migration from
previous GateIn Portal release), you may increase security by using better hashing
algorithm and especially by enable password salting. See below for details.</para>
+ <section
id="sid-54264610_PasswordEncryption-ChoosingCredentialEncoderimplementation">
+ <title>Choosing CredentialEncoder implementation</title>
+ <para>
+ The implementation of CredentialEncoder is configured in file
+
<code>GATEIN_HOME/gatein/gatein.ear/portal.war/WEB-INF/conf/organization/picketlink-idm/picketlink-idm-config.xml</code>
+ . Usually the most important are options of realm
+ <code>idm_portal</code>
+ starting with prefix
+ <code>credentialEncoder.</code>
+ . Possible implementations are:
+ </para>
+ <section id="sid-54264610_PasswordEncryption-HashingEncoder">
+ <title>HashingEncoder</title>
+ <para>This is the default choice. It uses only hashing of passwords with
MD5 algorithm without salting. As mentioned previously, it's not safest solution
but it's backward compatible with previous GateIn Portal releases, so there are
no issues with database migration from previous release. Configuration looks like
this:</para>
+ <informalexample>
+ <programlisting>
+<option>
+ <name>credentialEncoder.class</name>
+
<value>org.picketlink.idm.impl.credential.HashingEncoder</value>
+</option>
+<option>
+ <name>credentialEncoder.hashAlgorithm</name>
+ <value>MD5</value>
+</option>
+</programlisting>
+ </informalexample>
+ </section>
+ <section
id="sid-54264610_PasswordEncryption-DatabaseReadingSaltEncoder">
+ <title>DatabaseReadingSaltEncoder</title>
+ <para>This implementation provides salting of password in addition to
hashing. The salt is unique for each user, so it's much more complicated to
decrypt password via brute force, if some attacker steal encoded passwords from your
database. The salt is generated randomly for each user and stored in Picketlink IDM
database as attribute. Random generation of salt ensure that all users have different
salts, so even if two users have same password, the encoded password in database will be
different for them. Here is configuration example, which is using SHA-256 algorithm for
hashing (more secure than MD5) and algorithm SHA1PRNG for generation of random
salts.</para>
+ <informalexample>
+ <programlisting>
+<option>
+ <name>credentialEncoder.class</name>
+
<value>org.picketlink.idm.impl.credential.DatabaseReadingSaltEncoder</value>
+</option>
+<option>
+ <name>credentialEncoder.hashAlgorithm</name>
+ <value>SHA-256</value>
+</option>
+<option>
+ <name>credentialEncoder.secureRandomAlgorithm</name>
+ <value>SHA1PRNG</value>
+</option>
+</programlisting>
+ </informalexample>
+ </section>
+ <section
id="sid-54264610_PasswordEncryption-FileReadingSaltEncoder">
+ <title>FileReadingSaltEncoder</title>
+ <para>
+ It also uses hashing and salting, so it's similar like previous
encoder. But it's theoretically even more secure, because salts are not stored in
Picketlink IDM database together with passwords. Salt of each user is generated from
+ <emphasis role="italics">saltPrefix</emphasis>
+ and user's username. And
+ <emphasis role="italics">saltPrefix</emphasis>
+ is read from some file in your filesystem. Configuration can look like this:
+ </para>
+ <informalexample>
+ <programlisting>
+<option>
+ <name>credentialEncoder.class</name>
+
<value>org.picketlink.idm.impl.credential.FileReadingSaltEncoder</value>
+</option>
+<option>
+ <name>credentialEncoder.hashAlgorithm</name>
+ <value>SHA-256</value>
+</option>
+<option>
+ <name>credentialEncoder.fileLocation</name>
+ <value>/salt/mysalt.txt</value>
+</option>
+</programlisting>
+ </informalexample>
+ <para>
+ Please note that specified file
+ <code>/salt/mysalt.txt</code>
+ must exist and must be readable by user, which executed GateIn Portal. But file
should be properly secured to not be readable by every user of your OS. The file can have
some random content phrase, for example
+ <emphasis
role="italics">a4564dac2aasddsklklkajdgnioiow</emphasis>
+ .
+ </para>
+ <para>
+ So the
+ <code>FileReadingSaltEncoder</code>
+ is probably most secure of all options, but in addition to
+ <code>DatabaseReadingSaltEncoder</code>
+ you need to set the file with salt.
+ </para>
+ <important>
+ <title>Important</title>
+ <para>
+ The
+ <code>CredentialEncoder</code>
+ from above is actually used only for encoding of passwords in Picketlink IDM
database. It's not used for LDAP. Picketlink IDM LDAP implementation (
+ <code>LDAPIdentityStore</code>
+ ) is sending passwords to LDAP server in plain form, because password
encoding is usually provided by LDAP server itself. For example OpenDS 2 is using SHA1
based hashing of passwords with random generation of user salt (so actually something
similar to our
+ <code>DatabaseReadingSaltEncoder</code>
+ implementation).
+ </para>
+ </important>
+ </section>
+ </section>
+ </section>
+ <section>
+ <title>Password Encryption of Rememberme Passwords</title>
+ <warning>
+ <title>Username and passwords stored in clear text</title>
+ <para>
The <emphasis>Remember Me</emphasis> feature of JBoss Portal
Platform uses a token mechanism to be able to authenticate returning users without
requiring an explicit login. However, to be able to authenticate these users, the token
needs to store the username and password in clear text in the JCR.
</para>
- </warning>
- <para>
+ </warning>
+ <para>
Administrators have two options available to ameliorate this risk:
</para>
- <orderedlist>
- <listitem>
- <para>
+ <orderedlist>
+ <listitem>
+ <para>
The <emphasis>Remember Me</emphasis> feature can be disabled
by removing the corresponding checkbox in:
<filename><replaceable>JPP_DIST</replaceable>/jboss-as/server/<replaceable>PROFILE</replaceable>/deploy/gatein.ear/02portal.war/login/jsp/login.jsp</filename>
and
<filename><replaceable>JPP_DIST</replaceable>/jboss-as/server/<replaceable>PROFILE</replaceable>/deploy/gatein.ear/02portal.war/groovy/portal/webui/UILoginForm.gtmpl</filename>.
</para>
- </listitem>
- <listitem>
- <para>
+ </listitem>
+ <listitem>
+ <para>
Passwords can be encoded prior to being saved to the JCR. This option
requires administrators to provide a custom subclass of
<parameter>org.exoplatform.web.security.security.AbstractCodec</parameter> and
set up a codec implementation with <parameter>CookieTokenService</parameter>:
</para>
- <procedure
id="proc-Reference_Guide-Password_Encryption-Encrypt_Password_in_JCR">
- <title>Encrypt Password in JCR</title>
- <step>
- <para>
+ <procedure
id="proc-Reference_Guide-Password_Encryption-Encrypt_Password_in_JCR">
+ <title>Encrypt Password in JCR</title>
+ <step>
+ <para>
Create a javaclass similar to:
</para>
- <programlisting language="Java"
role="Java"><xi:include
xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../extras/Authentication_Identity/ExampleCodec.java"
parse="text"/></programlisting>
- </step>
- <step>
- <para>
+ <programlisting language="Java"
role="Java"><xi:include
xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../extras/Authentication_Identity/ExampleCodec.java"
parse="text"/></programlisting>
+ </step>
+ <step>
+ <para>
Compile the class and package it into a jar file. For this
example we will call the jar file <filename>codec-example.jar</filename>.
</para>
- </step>
- <step>
- <para>
+ </step>
+ <step>
+ <para>
Create a
<filename>conf/portal/configuration.xml</filename> file within the
<filename>codec-example.jar</filename> similar to the example below. This
allows the portal kernel to find and use the new codec implementation.
</para>
- <programlisting language="XML"
role="XML"><xi:include
xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../extras/Authentication_Identity/configuration.xml"
parse="text"/></programlisting>
- </step>
- <step>
- <para>
+ <programlisting language="XML"
role="XML"><xi:include
xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../extras/Authentication_Identity/configuration.xml"
parse="text"/></programlisting>
+ </step>
+ <step>
+ <para>
Deploy the <filename>codec-example.jar</filename>
into your
<filename><replaceable>JPP_DIST</replaceable>/jboss-as/server/<replaceable>PROFILE</replaceable>/deploy/gatein.ear/lib/</filename>
directory.
</para>
- </step>
- <step>
- <para>
+ </step>
+ <step>
+ <para>
Start (or restart) your JBoss Portal Platform.
</para>
- <para>
+ <para>
Any passwords written to the JCR will now be encoded and not
plain text.
</para>
- </step>
- </procedure>
- </listitem>
- </orderedlist>
+ </step>
+ </procedure>
+ </listitem>
+ </orderedlist>
+ </section>
</chapter>
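Review bot: The `<important>` block near the end of the new Hashing section states that `LDAPIdentityStore` sends passwords to the LDAP server in plain form but does not tell the administrator what follows from that; add a sentence such as `Because the password crosses the network unencoded, the connection to the LDAP server should be protected with TLS (LDAPS or StartTLS), and the hashing of stored passwords is then governed by the directory server's own configuration.` The statement that `FileReadingSaltEncoder` is "probably most secure of all options" should be qualified, since the section itself says the salt is derived from `saltPrefix` and the username: the scheme is stronger than `DatabaseReadingSaltEncoder` only while the salt file stays unreadable to anyone who can read the database, so suggest `This advantage depends on the salt file remaining secret; if it is exposed together with the database, the protection is equivalent to a deterministic per-user salt.` In the `DatabaseReadingSaltEncoder` paragraph, "decrypt password via brute force" should read "recover the password by brute force", as a hash is not decrypted, and the path `GATEIN_HOME/gatein/gatein.ear/...` departs from the `<replaceable>JPP_DIST</replaceable>` convention used later in the same file for the rememberme paths. The new `<section>` wrapping "Password Encryption of Rememberme Passwords" is the only section in the file without an `id`, so the build will assign an unstable generated anchor; give it one following the existing `sect-Reference_Guide-Authentication_and_Identity-...` pattern.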