]
Nikolay Elenkov commented on JBSEAM-3762:
-----------------------------------------
PBKDF2WithHmacSHA1 is seems to be a Java 6 feature (Cf. [1]), but seems to work with Java
1.5.0_14. There might be issues with older JDK's though.
[1]
Make it possible to select password salt without overriding
IdentityStore
-------------------------------------------------------------------------
Key: JBSEAM-3762
URL:
https://jira.jboss.org/jira/browse/JBSEAM-3762
Project: Seam
Issue Type: Feature Request
Components: Security
Environment: Seam 2.1
Reporter: Nikolay Elenkov
Assignee: Shane Bryzak
Fix For: 2.1.2.CR1
Attachments: main.patch, seamspace.patch
Currently, JpaIdentityStore uses the username as salt when hashing the user password. If
you want to use a different property as salt, you need to override JpaIdentityStore.
Since the salt is usually stored together with the user principal, it would be easier to
select the property used as salt by annotating it, without having to override the
IdentityStore component.
Using a randomly generated salt is a generally accepted practice, so it should also be
possible to generate the salt value automatically when creating the user via
IdentityManager's API.
Suggestion:
A new annotation, UserPasswordSalt, to annotate property used as salt. Attributes:
* generate=true|false -- whether to generate random value
* length=salt length in bits (used when generate=true)
Example usage:
class User {
@UserPasswordSalt(generate=true, length=64)
String getSalt() {..}
@UserPassword(hash="sha1"
String getPasswordHash() {...}
}
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: