Password Recognition and Parsing Framework ------------------------------------------ Key: ELY-41 URL: https://issues.jboss.org/browse/ELY-41 Project: WildFly Elytron Issue Type: Task Components: API / SPI Reporter: Darran Lofthouse Assignee: Darran Lofthouse Fix For: 1.1.0.CR2 I don't think having a single PasswordUtils that recognises and parses all password types is going to be a good idea long term - I think a lot of the responsibility for what is supported needs to come from the realm. A scenario I am thinking is an LDAP server is configured to support clear text passwords, that server verifies the strength of the password before letting a user set it - this could be circumvented by setting the password value to something we would parse as one of the other password types. The problem is the user could just hash 'password' - this would pass the LDAP servers dictionary attack check. The second issue is that different formats could be realm specific, e.g. LDAP supports trival digests in formats slightly different to those we already support. One idea I am starting to think about it a password parser that a realm can build up with a set of supported password types, working on LDAP it is apparent realms potentially need configuration for the credential types they will claim to support before the RealmIdentity is identified so not a major deviation from the work I am already finding necessary. Looking at the current PasswordUtils.java the following public utility methods are exposed: - {code} org.wildfly.security.password.PasswordUtils org.wildfly.security.password.PasswordUtils.identifyAlgorithm(char[]) org.wildfly.security.password.PasswordUtils.identifyAlgorithm(String) org.wildfly.security.password.PasswordUtils.getCryptStringChars(PasswordSpec) org.wildfly.security.password.PasswordUtils.getCryptString(PasswordSpec) org.wildfly.security.password.PasswordUtils.parseCryptString(String) org.wildfly.security.password.PasswordUtils.parseCryptString(char[]) {code} From the perspective of a realm the primary task I am trying to achieve is to take a password string and convert it to a PasswordSpec. Algorithm identification seems to be used primarily by tests, not convinced it is justified in an API.