[jbossseam-issues] [JBoss JIRA] Created: (JBSEAM-3942) LdapIdentityStore should crypt password
by Raimund Hölle (JIRA)
LdapIdentityStore should crypt password
---------------------------------------
Key: JBSEAM-3942
URL: https://jira.jboss.org/jira/browse/JBSEAM-3942
Project: Seam
Issue Type: Feature Request
Components: Security
Affects Versions: 2.1.1.GA, 2.1.1.CR2, 2.1.1.CR1, 2.1.0.SP1
Reporter: Raimund Hölle
Priority: Minor
LdapIdentityStore.changePassword() always stores the new password as plain text in the LDAP database.
To allow crypted passwords, I suggest the following modifications:
New bean properties (along with getter / setter):

    private String passwordCryptAlgorithm = "SHA"; // Or "" for plain text, "MD5", ...
    private String passwordEncoding = "UTF-8";

Extend changePassword() by one additional line:

    public boolean changePassword(String name, String password)
    {
       InitialLdapContext ctx = null;
       try
       {
          ctx = initialiseContext();
          // crypt password if not already done
          password = cryptPwIfNeeded(password);
          BasicAttribute passwordAttrib = new BasicAttribute(getUserPasswordAttribute(), password);
          // ... remainder of the existing method unchanged
New helper method (with the imports it needs at the top of LdapIdentityStore.java):

    import java.io.UnsupportedEncodingException;
    import java.security.MessageDigest;
    import java.security.NoSuchAlgorithmException;
    import java.util.regex.Pattern;
    import sun.misc.BASE64Encoder; // JDK-internal encoder used by this proposal

    // a value of the form "{SCHEME}..." is treated as already crypted
    private Pattern cryptedPwRegexp = Pattern.compile("^[{].+[}].+");

    private String cryptPwIfNeeded(String password) {
       // only crypt if requested by algorithm and not already done!
       if (getPasswordCryptAlgorithm() != null
           && ! getPasswordCryptAlgorithm().equals("")
           && ! cryptedPwRegexp.matcher(password).matches()) {
          try {
             MessageDigest md = MessageDigest.getInstance(getPasswordCryptAlgorithm());
             md.reset();
             md.update(password.getBytes(getPasswordEncoding()));
             byte[] result = md.digest();
             // store in the usual LDAP form: "{SCHEME}" + base64(digest)
             password = "{" + getPasswordCryptAlgorithm() + "}" + (new BASE64Encoder()).encode(result);
          } catch ( NoSuchAlgorithmException e ) {
             throw new IdentityManagementException(
                "Configuration problem - can not crypt password with algorithm " + getPasswordCryptAlgorithm(), e);
          } catch ( UnsupportedEncodingException e ) {
             throw new IdentityManagementException(
                "Configuration problem - can not encode password with " + getPasswordEncoding(), e);
          }
       }
       return password;
    }
Many regards, Raimund
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
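As an added illustration (not part of the ticket and not Seam's LdapIdentityStore), the stand-alone Java class below reproduces the "{SCHEME}base64(digest)" userPassword form the proposal writes, using the same already-crypted check, and goes beyond the ticket by adding the salted {SSHA} variant and a verify() routine for comparison. The class name, method names and sample inputs are assumptions; it uses java.util.Base64 where the proposal used sun.misc.BASE64Encoder (the output is identical for a 20-byte digest).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Builds and checks LDAP userPassword values in the "{SCHEME}base64" form the
 * ticket proposes. Illustration only, not Seam code.
 */
public class LdapPasswordHasher {

    // Same test as the proposed cryptedPwRegexp: anything shaped like "{x}y" counts as crypted.
    private static final Pattern SCHEME_PREFIX = Pattern.compile("^[{].+[}].+");
    // Splits a stored value into scheme and payload for verification (assumed helper).
    private static final Pattern SCHEME_SPLIT = Pattern.compile("^\\{([A-Za-z0-9-]+)\\}(.+)$");
    private static final int SHA1_LENGTH = 20;
    private static final SecureRandom RNG = new SecureRandom();

    public static boolean isAlreadyHashed(String value) {
        return SCHEME_PREFIX.matcher(value).matches();
    }

    /** Unsalted form from the ticket: "{SHA}" + base64(sha1(password)); pass-through if already hashed. */
    public static String hashUnsalted(String algorithm, String password) throws NoSuchAlgorithmException {
        if (isAlreadyHashed(password)) {
            return password;
        }
        byte[] digest = MessageDigest.getInstance(algorithm).digest(password.getBytes(StandardCharsets.UTF_8));
        return "{" + algorithm + "}" + Base64.getEncoder().encodeToString(digest);
    }

    /** Salted variant ({SSHA}): base64(sha1(password || salt) || salt). Beyond the ticket, shown for comparison. */
    public static String hashSalted(String password, byte[] salt) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-1");
        md.update(password.getBytes(StandardCharsets.UTF_8));
        md.update(salt);
        byte[] digest = md.digest();
        byte[] payload = Arrays.copyOf(digest, digest.length + salt.length);
        System.arraycopy(salt, 0, payload, digest.length, salt.length);
        return "{SSHA}" + Base64.getEncoder().encodeToString(payload);
    }

    public static String hashSalted(String password) throws NoSuchAlgorithmException {
        byte[] salt = new byte[8];
        RNG.nextBytes(salt);
        return hashSalted(password, salt);
    }

    /** Recomputes the digest for the stored scheme and compares it in constant time. */
    public static boolean verify(String candidate, String stored) throws NoSuchAlgorithmException {
        Matcher m = SCHEME_SPLIT.matcher(stored);
        if (!m.matches()) {
            // No scheme prefix: the directory holds plain text, which is what the ticket wants to avoid.
            return MessageDigest.isEqual(stored.getBytes(StandardCharsets.UTF_8),
                                         candidate.getBytes(StandardCharsets.UTF_8));
        }
        String scheme = m.group(1).toUpperCase();
        byte[] payload = Base64.getDecoder().decode(m.group(2));
        byte[] candidateBytes = candidate.getBytes(StandardCharsets.UTF_8);
        if (scheme.equals("SSHA")) {
            if (payload.length <= SHA1_LENGTH) {
                return false; // malformed: no salt present
            }
            MessageDigest md = MessageDigest.getInstance("SHA-1");
            md.update(candidateBytes);
            md.update(Arrays.copyOfRange(payload, SHA1_LENGTH, payload.length));
            return MessageDigest.isEqual(md.digest(), Arrays.copyOf(payload, SHA1_LENGTH));
        }
        // "SHA" and "MD5" are valid MessageDigest names, matching the ticket's passwordCryptAlgorithm values.
        return MessageDigest.isEqual(MessageDigest.getInstance(scheme).digest(candidateBytes), payload);
    }

    public static void main(String[] args) throws Exception {
        String stored = hashUnsalted("SHA", "password"); // constructed sample input
        // Well-known SHA-1 digest of "password", base64 encoded.
        if (!stored.equals("{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=")) throw new AssertionError(stored);
        if (!verify("password", stored) || verify("passw0rd", stored)) throw new AssertionError();
        // Running the hashing step again over a stored value leaves it unchanged, as in the proposal.
        if (!hashUnsalted("SHA", stored).equals(stored)) throw new AssertionError();
        String salted = hashSalted("password");
        if (!verify("password", salted) || verify("passw0rd", salted)) throw new AssertionError();
        System.out.println(stored);
        System.out.println(salted);
    }
}
```

The already-crypted test is the proposal's own regex, so any value shaped like {x}y, including a plain-text password that happens to start with a braced token, is passed through unchanged; a stricter check would accept only the scheme names the store is configured to emit. The ticket's format is also unsalted, so two accounts with the same password receive the same stored value, which the {SSHA} form avoids.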
[jbossseam-issues] [JBoss JIRA] Created: (JBSEAM-4350) Enable/Disable a Role
by Sand Lee (JIRA)
Enable/Disable a Role
---------------------
Key: JBSEAM-4350
URL: https://jira.jboss.org/jira/browse/JBSEAM-4350
Project: Seam
Issue Type: Feature Request
Components: Security
Affects Versions: 2.2.0.GA
Reporter: Sand Lee
Enable/Disable a Role
Is it possible to disable/enable a role by annotation configuration, in the same way as @RoleConditional is configured?
Add a Boolean property to the role class and annotate it with @RoleEnabled. This property holds the status of the role (active/inactive).
If a role is disabled, it should not be returned when JpaIdentityStore.listRoles() or JpaIdentityStore.getImpliedRoles() is called.
That also requires a new method getJpaIdentityStore().setRoleStatus(String roleName, Boolean status) to set the role status.
If this method is called, all permissions which have this role as recipient should be deactivated by setting a flag in each permission object, so that JpaPermissionStore.listPermissions() only returns permissions that do not belong to deactivated roles.
It also raises a RoleDisabled event; the identity objects (of already logged-in users) listen to this event and then check whether the identity has this role.
If an already logged-in user has this role, it will be removed from the identity object.
Is it possible to include a mechanism like this?
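An added in-memory model of the requested behaviour (illustration only, not Seam code: JpaIdentityStore, JpaPermissionStore and Identity are replaced by stand-in classes, and every name and the sample data are assumptions). It shows the three effects the request ties together: a disabled role leaves listRoles(), its permissions are deactivated so listPermissions() skips them, and logged-in identities observing the RoleDisabled event drop the role.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

/** Stand-in for the identity and permission stores; not Seam's own classes. */
public class RoleStatusModel {

    /** Role entity with the flag the ticket would mark @RoleEnabled. */
    static final class Role {
        final String name;
        boolean enabled = true;
        Role(String name) { this.name = name; }
    }

    /** Permission with the per-object flag the ticket asks setRoleStatus() to set. */
    static final class Permission {
        final String target, action, recipientRole;
        boolean active = true;
        Permission(String target, String action, String recipientRole) {
            this.target = target; this.action = action; this.recipientRole = recipientRole;
        }
    }

    /** Stand-in for a logged-in user's Identity, listening for RoleDisabled. */
    static final class Identity {
        final String username;
        final Set<String> roles = new LinkedHashSet<>();
        Identity(String username, String... granted) {
            this.username = username;
            for (String r : granted) roles.add(r);
        }
        boolean hasRole(String role) { return roles.contains(role); }
        void onRoleDisabled(String role) { roles.remove(role); }
    }

    private final Map<String, Role> roles = new LinkedHashMap<>();
    private final List<Permission> permissions = new ArrayList<>();
    private final List<Identity> loggedIn = new ArrayList<>(); // RoleDisabled observers

    public void addRole(String name) { roles.put(name, new Role(name)); }
    public void grant(String target, String action, String role) { permissions.add(new Permission(target, action, role)); }
    public void login(Identity identity) { loggedIn.add(identity); }

    /** Counterpart of listRoles(): disabled roles are not returned. */
    public List<String> listRoles() {
        List<String> out = new ArrayList<>();
        for (Role r : roles.values()) if (r.enabled) out.add(r.name);
        return out;
    }

    /** Counterpart of listPermissions(): permissions of deactivated roles are not returned. */
    public List<Permission> listPermissions() {
        List<Permission> out = new ArrayList<>();
        for (Permission p : permissions) if (p.active) out.add(p);
        return out;
    }

    /**
     * Counterpart of setRoleStatus(roleName, status). Re-enabling restores the permissions
     * (an assumption; the ticket only describes disabling) but does not re-grant the role
     * to live sessions.
     */
    public void setRoleStatus(String roleName, boolean status) {
        Role role = roles.get(roleName);
        if (role == null) throw new IllegalArgumentException("unknown role: " + roleName);
        role.enabled = status;
        for (Permission p : permissions) if (p.recipientRole.equals(roleName)) p.active = status;
        if (!status) for (Identity id : loggedIn) id.onRoleDisabled(roleName); // raise RoleDisabled
    }

    public static void main(String[] args) {
        RoleStatusModel store = new RoleStatusModel(); // constructed sample data
        store.addRole("admin"); store.addRole("user");
        store.grant("/reports", "read", "user");
        store.grant("/reports", "delete", "admin");
        Identity alice = new Identity("alice", "admin", "user");
        store.login(alice);

        store.setRoleStatus("admin", false);
        if (store.listRoles().contains("admin")) throw new AssertionError("disabled role still listed");
        if (store.listPermissions().size() != 1) throw new AssertionError("admin permission still active");
        if (alice.hasRole("admin")) throw new AssertionError("live session kept the disabled role");
        if (!alice.hasRole("user")) throw new AssertionError("unrelated role was dropped");
        System.out.println("roles=" + store.listRoles() + " active permissions=" + store.listPermissions().size());
    }
}
```

The event step is the part that matters for consistency: without it, an identity that loaded its roles at login keeps acting on a role the store no longer lists, so the permission flag and the session state would disagree until the next login.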