[jboss-jira] [JBoss JIRA] (ELY-41) Password Recognition and Parsing Framework

David Lloyd (JIRA) issues at jboss.org
Wed Oct 7 11:08:00 EDT 2015


    [ https://issues.jboss.org/browse/ELY-41?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13116060#comment-13116060 ] 

David Lloyd commented on ELY-41:
--------------------------------

The PasswordUtils class has evolved since this issue was filed, so here's an updated analysis of this issue as I see it.

Converting to a PasswordSpec approach requires:
* A {{ModularCryptPasswordSpec}} class consisting of a char[]
* Modifications to each password type to allow that spec to be passed in to {{generatePassword()}} and {{getKeySpec()}}
* Some kind of way to know what algorithm a password crypt string is

The last point is really the difficult one: if you know the algorithm in advance, everything works out, but the point of modular crypt is that it encodes the algorithm directly into the string.

One of the recent enhancements to PasswordUtil entailed removing the middle algorithm detection step, so a string is converted directly into a Password which can then be translated into the appropriate {{PasswordFactory}}.  In order to be able to make this change, we would need to reintroduce some kind of algorithm detection mechanism and have it live somewhere (maybe even on the ModularCryptPasswordSpec class itself?).

> Password Recognition and Parsing Framework
> ------------------------------------------
>
>                 Key: ELY-41
>                 URL: https://issues.jboss.org/browse/ELY-41
>             Project: WildFly Elytron
>          Issue Type: Task
>          Components: API / SPI
>            Reporter: Darran Lofthouse
>            Assignee: Darran Lofthouse
>             Fix For: 1.1.0.Beta1
>
>
> I don't think having a single PasswordUtils that recognises and parses all password types is going to be a good idea long term - I think a lot of the responsibility for what is supported needs to come from the realm.
> A scenario I am thinking is an LDAP server is configured to support clear text passwords, that server verifies the strength of the password before letting a user set it - this could be circumvented by setting the password value to something we would parse as one of the other password types.  The problem is the user could just hash 'password' - this would pass the LDAP server's dictionary attack check.
> The second issue is that different formats could be realm specific, e.g. LDAP supports trivial digests in formats slightly different to those we already support.
> One idea I am starting to think about is a password parser that a realm can build up with a set of supported password types, working on LDAP it is apparent realms potentially need configuration for the credential types they will claim to support before the RealmIdentity is identified so not a major deviation from the work I am already finding necessary.
> Looking at the current PasswordUtils.java the following public utility methods are exposed: -
> {code}
> org.wildfly.security.password.PasswordUtils
> org.wildfly.security.password.PasswordUtils.identifyAlgorithm(char[])
> org.wildfly.security.password.PasswordUtils.identifyAlgorithm(String)
> org.wildfly.security.password.PasswordUtils.getCryptStringChars(PasswordSpec)
> org.wildfly.security.password.PasswordUtils.getCryptString(PasswordSpec)
> org.wildfly.security.password.PasswordUtils.parseCryptString(String)
> org.wildfly.security.password.PasswordUtils.parseCryptString(char[])
> {code}
> From the perspective of a realm the primary task I am trying to achieve is to take a password string and convert it to a PasswordSpec.  Algorithm identification seems to be used primarily by tests, not convinced it is justified in an API.



--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
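Both halves of the thread come down to the same two steps: recognising which algorithm a modular crypt string encodes (the detection step David's comment says would have to be reintroduced), and letting the realm decide which password types it will accept at all (Darran's realm-built parser, and his clear-text LDAP scenario). The following is an added illustration of those two steps written for this thread; it is not WildFly Elytron code. The spec classes, the `identify_algorithm`/`parse_modular_crypt` functions, the `RealmPasswordParser` class, the prefix-to-algorithm table and every sample string are constructed for the example and do not correspond to Elytron's own identifiers.

```python
"""Modular crypt recognition plus a per-realm allow-list (illustrative, not Elytron code)."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Union

# Modular crypt prefix -> algorithm label. The labels are this example's own names,
# not Elytron algorithm identifiers; the prefixes are the standard crypt(3) ones.
MODULAR_CRYPT_PREFIXES: Dict[str, str] = {
    "$1$": "crypt-md5",
    "$5$": "crypt-sha-256",
    "$6$": "crypt-sha-512",
    "$2a$": "bcrypt",
    "$2b$": "bcrypt",
    "$2y$": "bcrypt",
}


@dataclass(frozen=True)
class ClearPasswordSpec:
    """The value is the password itself (hypothetical spec type)."""
    password: str


@dataclass(frozen=True)
class ModularCryptPasswordSpec:
    """A parsed modular crypt string (hypothetical spec type, char[] in the thread's sketch)."""
    algorithm: str
    salt: str
    digest: str
    rounds: Optional[int] = None


def identify_algorithm(crypt_string: str) -> Optional[str]:
    """Return the algorithm a modular crypt string encodes, or None if it has no known prefix."""
    for prefix, algorithm in MODULAR_CRYPT_PREFIXES.items():
        if crypt_string.startswith(prefix):
            return algorithm
    return None


def parse_modular_crypt(crypt_string: str) -> ModularCryptPasswordSpec:
    """Split a recognised modular crypt string into algorithm, salt, digest and optional rounds."""
    algorithm = identify_algorithm(crypt_string)
    if algorithm is None:
        raise ValueError("not a recognised modular crypt string")
    parts = crypt_string.split("$")  # leading '$' yields an empty first element
    if algorithm == "bcrypt":
        # Layout: $2a$<cost>$<22 salt chars><31 digest chars>
        if len(parts) != 4 or len(parts[3]) != 53:
            raise ValueError("malformed bcrypt string")
        return ModularCryptPasswordSpec(algorithm, parts[3][:22], parts[3][22:], int(parts[2]))
    # Layout for md5-crypt / sha-crypt: $id$[rounds=N$]<salt>$<digest>
    fields = parts[2:]
    rounds = None
    if fields and fields[0].startswith("rounds="):
        rounds = int(fields[0][len("rounds="):])
        fields = fields[1:]
    if len(fields) != 2 or not fields[0] or not fields[1]:
        raise ValueError("malformed crypt string")
    return ModularCryptPasswordSpec(algorithm, fields[0], fields[1], rounds)


class RealmPasswordParser:
    """A parser a realm builds with the set of password types it is willing to support."""

    def __init__(self, supported: Set[str]):
        self.supported = supported

    def parse(self, value: str) -> Union[ClearPasswordSpec, ModularCryptPasswordSpec]:
        algorithm = identify_algorithm(value)
        if algorithm is not None and algorithm in self.supported:
            return parse_modular_crypt(value)
        if "clear" in self.supported:
            # A realm configured for clear text treats the whole value as the password,
            # even if it happens to look like a hash of another type.
            return ClearPasswordSpec(value)
        raise ValueError(f"password type {algorithm or 'clear'} is not supported by this realm")


if __name__ == "__main__":
    # Constructed sample values; the digests are placeholders, not real hashes.
    sha512_string = "$6$rounds=5000$saltsalt$placeholderdigest"
    bcrypt_string = "$2a$10$" + "a" * 22 + "b" * 31
    print(parse_modular_crypt(sha512_string))
    print(parse_modular_crypt(bcrypt_string))
    # Darran's scenario: a clear-text-only realm does not reinterpret the value as SHA-512 crypt.
    print(RealmPasswordParser({"clear"}).parse(sha512_string))
```

The detection step is deliberately a pure function of the string, so it can live beside the spec type (as David's comment suggests) without the realm having to know the algorithm in advance; the realm's contribution is only the allow-list, which is what stops a value that merely looks like a hash from being parsed as one when the realm never claimed to support that type.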

