[jbossseam-issues] [JBoss JIRA] Created: (JBSEAM-3762) Make it possible to select password salt without overriding IdentityStore
8:34 a.m.
Make it possible to select password salt without overriding IdentityStore
-------------------------------------------------------------------------
Key: JBSEAM-3762
URL: https://jira.jboss.org/jira/browse/JBSEAM-3762
Project: Seam
Issue Type: Feature Request
Components: Security
Environment: Seam 2.1
Reporter: Nikolay Elenkov
Currently, JpaIdentityStore uses the username as salt when hashing the user password. If
you want to use a different property as salt, you need to override JpaIdentityStore.
Since the salt is usually stored together with the user principal, it would be easier to
select the property used as salt by annotating it, without having to override the
IdentityStore component.
Using a randomly generated salt is a generally accepted practice, so it should also be
possible to generate the salt value automatically when creating the user via
IdentityManager's API.
Suggestion:
A new annotation, UserPasswordSalt, to annotate property used as salt. Attributes:
* generate=true|false -- whether to generate random value
* length=salt length in bits (used when generate=true)
Example usage:
class User {
@UserPasswordSalt(generate=true, length=64)
String getSalt() {..}
@UserPassword(hash="sha1"
String getPasswordHash() {...}
}
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
12:42 p.m.
New subject: [jbossseam-issues] [JBoss JIRA] Assigned: (JBSEAM-3762) Make it possible to select password salt without overriding IdentityStore
[
https://jira.jboss.org/jira/browse/JBSEAM-3762?page=com.atlassian.jira.pl...
]
Shane Bryzak reassigned JBSEAM-3762:
------------------------------------
Assignee: Shane Bryzak
Make it possible to select password salt without overriding
IdentityStore
-------------------------------------------------------------------------
Key: JBSEAM-3762
URL: https://jira.jboss.org/jira/browse/JBSEAM-3762
Project: Seam
Issue Type: Feature Request
Components: Security
Environment: Seam 2.1
Reporter: Nikolay Elenkov
Assignee: Shane Bryzak
Currently, JpaIdentityStore uses the username as salt when hashing the user password. If
you want to use a different property as salt, you need to override JpaIdentityStore.
Since the salt is usually stored together with the user principal, it would be easier to
select the property used as salt by annotating it, without having to override the
IdentityStore component.
Using a randomly generated salt is a generally accepted practice, so it should also be
possible to generate the salt value automatically when creating the user via
IdentityManager's API.
Suggestion:
A new annotation, UserPasswordSalt, to annotate property used as salt. Attributes:
* generate=true|false -- whether to generate random value
* length=salt length in bits (used when generate=true)
Example usage:
class User {
@UserPasswordSalt(generate=true, length=64)
String getSalt() {..}
@UserPassword(hash="sha1"
String getPasswordHash() {...}
}
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
9 a.m.
New subject: [jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-3762) Make it possible to select password salt without overriding IdentityStore
[
https://jira.jboss.org/jira/browse/JBSEAM-3762?page=com.atlassian.jira.pl...
]
Nikolay Elenkov commented on JBSEAM-3762:
-----------------------------------------
Here is a patch that implements random salt generation. I tested it a bit with the
seamspace example, and seems to be OK (at least does what I need :)).
One problem with it is, that there is currently no way to set the salt property value for
createUser when 'generate=false'. Since createUser instantiates the
user entity, and an event is raised after the password is generated
('prePersistUser'), we don't get a chance to set properties on the user
entity.
If we stick with the current design, there should be a 'prePasswordGeneration'
event or some such, so that one could modify the entity before the hash is generated.
Another alternative is to extract salt generation to a new class and make it pluggable.
How to apply:
1. main.patch
* go to src/main/
* run patch -p0 < main.patch
2. seapspace patch
* go to examples/
* run patch -p0 < seamspace.patch
Make it possible to select password salt without overriding
IdentityStore
-------------------------------------------------------------------------
Key: JBSEAM-3762
URL: https://jira.jboss.org/jira/browse/JBSEAM-3762
Project: Seam
Issue Type: Feature Request
Components: Security
Environment: Seam 2.1
Reporter: Nikolay Elenkov
Assignee: Shane Bryzak
Currently, JpaIdentityStore uses the username as salt when hashing the user password. If
you want to use a different property as salt, you need to override JpaIdentityStore.
Since the salt is usually stored together with the user principal, it would be easier to
select the property used as salt by annotating it, without having to override the
IdentityStore component.
Using a randomly generated salt is a generally accepted practice, so it should also be
possible to generate the salt value automatically when creating the user via
IdentityManager's API.
Suggestion:
A new annotation, UserPasswordSalt, to annotate property used as salt. Attributes:
* generate=true|false -- whether to generate random value
* length=salt length in bits (used when generate=true)
Example usage:
class User {
@UserPasswordSalt(generate=true, length=64)
String getSalt() {..}
@UserPassword(hash="sha1"
String getPasswordHash() {...}
}
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
9:02 a.m.
New subject: [jbossseam-issues] [JBoss JIRA] Updated: (JBSEAM-3762) Make it possible to select password salt without overriding IdentityStore
[
https://jira.jboss.org/jira/browse/JBSEAM-3762?page=com.atlassian.jira.pl...
]
Nikolay Elenkov updated JBSEAM-3762:
------------------------------------
Attachment: main.patch
adds UserPasswordSalt annotation, implements random salt generation in JpaIdentityStore
Make it possible to select password salt without overriding
IdentityStore
-------------------------------------------------------------------------
Key: JBSEAM-3762
URL: https://jira.jboss.org/jira/browse/JBSEAM-3762
Project: Seam
Issue Type: Feature Request
Components: Security
Environment: Seam 2.1
Reporter: Nikolay Elenkov
Assignee: Shane Bryzak
Attachments: main.patch
Currently, JpaIdentityStore uses the username as salt when hashing the user password. If
you want to use a different property as salt, you need to override JpaIdentityStore.
Since the salt is usually stored together with the user principal, it would be easier to
select the property used as salt by annotating it, without having to override the
IdentityStore component.
Using a randomly generated salt is a generally accepted practice, so it should also be
possible to generate the salt value automatically when creating the user via
IdentityManager's API.
Suggestion:
A new annotation, UserPasswordSalt, to annotate property used as salt. Attributes:
* generate=true|false -- whether to generate random value
* length=salt length in bits (used when generate=true)
Example usage:
class User {
@UserPasswordSalt(generate=true, length=64)
String getSalt() {..}
@UserPassword(hash="sha1"
String getPasswordHash() {...}
}
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
9:04 a.m.
New subject: [jbossseam-issues] [JBoss JIRA] Updated: (JBSEAM-3762) Make it possible to select password salt without overriding IdentityStore
[
https://jira.jboss.org/jira/browse/JBSEAM-3762?page=com.atlassian.jira.pl...
]
Nikolay Elenkov updated JBSEAM-3762:
------------------------------------
Attachment: seamspace.patch
patch the seamspace example to use @UserPasswordSalt; adds test for user
creation/authentication/password change
Make it possible to select password salt without overriding
IdentityStore
-------------------------------------------------------------------------
Key: JBSEAM-3762
URL: https://jira.jboss.org/jira/browse/JBSEAM-3762
Project: Seam
Issue Type: Feature Request
Components: Security
Environment: Seam 2.1
Reporter: Nikolay Elenkov
Assignee: Shane Bryzak
Attachments: main.patch, seamspace.patch
Currently, JpaIdentityStore uses the username as salt when hashing the user password. If
you want to use a different property as salt, you need to override JpaIdentityStore.
Since the salt is usually stored together with the user principal, it would be easier to
select the property used as salt by annotating it, without having to override the
IdentityStore component.
Using a randomly generated salt is a generally accepted practice, so it should also be
possible to generate the salt value automatically when creating the user via
IdentityManager's API.
Suggestion:
A new annotation, UserPasswordSalt, to annotate property used as salt. Attributes:
* generate=true|false -- whether to generate random value
* length=salt length in bits (used when generate=true)
Example usage:
class User {
@UserPasswordSalt(generate=true, length=64)
String getSalt() {..}
@UserPassword(hash="sha1"
String getPasswordHash() {...}
}
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
2 a.m.
New subject: [jbossseam-issues] [JBoss JIRA] Closed: (JBSEAM-3762) Make it possible to select password salt without overriding IdentityStore
[
https://jira.jboss.org/jira/browse/JBSEAM-3762?page=com.atlassian.jira.pl...
]
Shane Bryzak closed JBSEAM-3762.
--------------------------------
Fix Version/s: 2.1.2.CR1
Resolution: Done
I've added a @PasswordSalt annotation, which when present will cause JpaIdentityStore
to use a much more robust password hashing algorithm than the previous default.
Make it possible to select password salt without overriding
IdentityStore
-------------------------------------------------------------------------
Key: JBSEAM-3762
URL: https://jira.jboss.org/jira/browse/JBSEAM-3762
Project: Seam
Issue Type: Feature Request
Components: Security
Environment: Seam 2.1
Reporter: Nikolay Elenkov
Assignee: Shane Bryzak
Fix For: 2.1.2.CR1
Attachments: main.patch, seamspace.patch
Currently, JpaIdentityStore uses the username as salt when hashing the user password. If
you want to use a different property as salt, you need to override JpaIdentityStore.
Since the salt is usually stored together with the user principal, it would be easier to
select the property used as salt by annotating it, without having to override the
IdentityStore component.
Using a randomly generated salt is a generally accepted practice, so it should also be
possible to generate the salt value automatically when creating the user via
IdentityManager's API.
Suggestion:
A new annotation, UserPasswordSalt, to annotate property used as salt. Attributes:
* generate=true|false -- whether to generate random value
* length=salt length in bits (used when generate=true)
Example usage:
class User {
@UserPasswordSalt(generate=true, length=64)
String getSalt() {..}
@UserPassword(hash="sha1"
String getPasswordHash() {...}
}
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
4:39 a.m.
New subject: [jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-3762) Make it possible to select password salt without overriding IdentityStore
[
https://jira.jboss.org/jira/browse/JBSEAM-3762?page=com.atlassian.jira.pl...
]
Nikolay Elenkov commented on JBSEAM-3762:
-----------------------------------------
Thanks. Didn't now Java had support for PBKDF*, much cleaner this way.
Just one thing: SecretKeySpec(encoded, "AES").getEncoded() simply returns what
you passed in the constructor,
so it is not needed. Plus the reference to AES is confusing. Should simply be:
return Base64.encodeBytes(passwordKey.getEncoded());
Make it possible to select password salt without overriding
IdentityStore
-------------------------------------------------------------------------
Key: JBSEAM-3762
URL: https://jira.jboss.org/jira/browse/JBSEAM-3762
Project: Seam
Issue Type: Feature Request
Components: Security
Environment: Seam 2.1
Reporter: Nikolay Elenkov
Assignee: Shane Bryzak
Fix For: 2.1.2.CR1
Attachments: main.patch, seamspace.patch
Currently, JpaIdentityStore uses the username as salt when hashing the user password. If
you want to use a different property as salt, you need to override JpaIdentityStore.
Since the salt is usually stored together with the user principal, it would be easier to
select the property used as salt by annotating it, without having to override the
IdentityStore component.
Using a randomly generated salt is a generally accepted practice, so it should also be
possible to generate the salt value automatically when creating the user via
IdentityManager's API.
Suggestion:
A new annotation, UserPasswordSalt, to annotate property used as salt. Attributes:
* generate=true|false -- whether to generate random value
* length=salt length in bits (used when generate=true)
Example usage:
class User {
@UserPasswordSalt(generate=true, length=64)
String getSalt() {..}
@UserPassword(hash="sha1"
String getPasswordHash() {...}
}
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
4:47 a.m.
New subject: [jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-3762) Make it possible to select password salt without overriding IdentityStore
[
https://jira.jboss.org/jira/browse/JBSEAM-3762?page=com.atlassian.jira.pl...
]
Nikolay Elenkov commented on JBSEAM-3762:
-----------------------------------------
And being able to specify salt length would be great, if that's not too much to ask :)
Make it possible to select password salt without overriding
IdentityStore
-------------------------------------------------------------------------
Key: JBSEAM-3762
URL: https://jira.jboss.org/jira/browse/JBSEAM-3762
Project: Seam
Issue Type: Feature Request
Components: Security
Environment: Seam 2.1
Reporter: Nikolay Elenkov
Assignee: Shane Bryzak
Fix For: 2.1.2.CR1
Attachments: main.patch, seamspace.patch
Currently, JpaIdentityStore uses the username as salt when hashing the user password. If
you want to use a different property as salt, you need to override JpaIdentityStore.
Since the salt is usually stored together with the user principal, it would be easier to
select the property used as salt by annotating it, without having to override the
IdentityStore component.
Using a randomly generated salt is a generally accepted practice, so it should also be
possible to generate the salt value automatically when creating the user via
IdentityManager's API.
Suggestion:
A new annotation, UserPasswordSalt, to annotate property used as salt. Attributes:
* generate=true|false -- whether to generate random value
* length=salt length in bits (used when generate=true)
Example usage:
class User {
@UserPasswordSalt(generate=true, length=64)
String getSalt() {..}
@UserPassword(hash="sha1"
String getPasswordHash() {...}
}
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
5:55 a.m.
New subject: [jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-3762) Make it possible to select password salt without overriding IdentityStore
[
https://jira.jboss.org/jira/browse/JBSEAM-3762?page=com.atlassian.jira.pl...
]
Nikolay Elenkov commented on JBSEAM-3762:
-----------------------------------------
PBKDF2WithHmacSHA1 is seems to be a Java 6 feature (Cf. [1]), but seems to work with Java
1.5.0_14. There might be issues with older JDK's though.
[1] http://java.sun.com/javase/6/docs/technotes/guides/security/enhancements....
Make it possible to select password salt without overriding
IdentityStore
-------------------------------------------------------------------------
Key: JBSEAM-3762
URL: https://jira.jboss.org/jira/browse/JBSEAM-3762
Project: Seam
Issue Type: Feature Request
Components: Security
Environment: Seam 2.1
Reporter: Nikolay Elenkov
Assignee: Shane Bryzak
Fix For: 2.1.2.CR1
Attachments: main.patch, seamspace.patch
Currently, JpaIdentityStore uses the username as salt when hashing the user password. If
you want to use a different property as salt, you need to override JpaIdentityStore.
Since the salt is usually stored together with the user principal, it would be easier to
select the property used as salt by annotating it, without having to override the
IdentityStore component.
Using a randomly generated salt is a generally accepted practice, so it should also be
possible to generate the salt value automatically when creating the user via
IdentityManager's API.
Suggestion:
A new annotation, UserPasswordSalt, to annotate property used as salt. Attributes:
* generate=true|false -- whether to generate random value
* length=salt length in bits (used when generate=true)
Example usage:
class User {
@UserPasswordSalt(generate=true, length=64)
String getSalt() {..}
@UserPassword(hash="sha1"
String getPasswordHash() {...}
}
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
8:47 a.m.
New subject: [jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-3762) Make it possible to select password salt without overriding IdentityStore
[
https://jira.jboss.org/jira/browse/JBSEAM-3762?page=com.atlassian.jira.pl...
]
Shane Bryzak commented on JBSEAM-3762:
--------------------------------------
You're right, and there don't seem to be any decent algorithms in JDK5. I've
added a drop-in PKCS#5 implementation which I found, this will be used if
passwordHash.hashAlgorithm isn't specified (otherwise if it _is_ specified, then JCE
will be used instead, and it will be up to the user to register their own JCE provider).
The salt length can be overridden by configuring passwordHash.saltLength in
components.xml.
Make it possible to select password salt without overriding
IdentityStore
-------------------------------------------------------------------------
Key: JBSEAM-3762
URL: https://jira.jboss.org/jira/browse/JBSEAM-3762
Project: Seam
Issue Type: Feature Request
Components: Security
Environment: Seam 2.1
Reporter: Nikolay Elenkov
Assignee: Shane Bryzak
Fix For: 2.1.2.CR1
Attachments: main.patch, seamspace.patch
Currently, JpaIdentityStore uses the username as salt when hashing the user password. If
you want to use a different property as salt, you need to override JpaIdentityStore.
Since the salt is usually stored together with the user principal, it would be easier to
select the property used as salt by annotating it, without having to override the
IdentityStore component.
Using a randomly generated salt is a generally accepted practice, so it should also be
possible to generate the salt value automatically when creating the user via
IdentityManager's API.
Suggestion:
A new annotation, UserPasswordSalt, to annotate property used as salt. Attributes:
* generate=true|false -- whether to generate random value
* length=salt length in bits (used when generate=true)
Example usage:
class User {
@UserPasswordSalt(generate=true, length=64)
String getSalt() {..}
@UserPassword(hash="sha1"
String getPasswordHash() {...}
}
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
5744
days inactive
5883
days old
9 comments
2 participants
participants (2)
-
Nikolay Elenkov (JIRA) -
Shane Bryzak (JIRA)