[jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-3762) Make it possible to select password salt without overriding IdentityStore

Nikolay Elenkov (JIRA) jira-events at lists.jboss.org
Thu Dec 4 03:00:36 EST 2008 

    [ https://jira.jboss.org/jira/browse/JBSEAM-3762?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12441061#action_12441061 ] 

Nikolay Elenkov commented on JBSEAM-3762:
-----------------------------------------

Here is a patch that implements random salt generation. I tested it a bit with the seamspace example, and seems to be OK (at least does what I need :)). 
One problem with it is, that there is currently no way to set the salt property value for createUser when 'generate=false'. Since createUser instantiates the 
user entity, and an event is raised after the password is generated ('prePersistUser'), we don't get a chance to set properties on the user entity. 
If we stick with the current design, there should be a 'prePasswordGeneration' event or some such, so that one could modify the entity before the hash is generated. 
Another alternative is to extract salt generation to a new class and make it pluggable. 

How to apply:

1. main.patch
 * go to src/main/
 * run patch -p0 < main.patch
2. seapspace patch
 * go to examples/
 * run patch -p0 < seamspace.patch

> Make it possible to select password salt without overriding IdentityStore
> -------------------------------------------------------------------------
>
>                 Key: JBSEAM-3762
>                 URL: https://jira.jboss.org/jira/browse/JBSEAM-3762
>             Project: Seam
>          Issue Type: Feature Request
>          Components: Security
>         Environment: Seam 2.1
>            Reporter: Nikolay Elenkov
>            Assignee: Shane Bryzak
>
> Currently, JpaIdentityStore uses the username as salt when hashing the user password. If you want to use a different property as salt, you need to override JpaIdentityStore.
> Since the salt is usually stored together with the user principal, it would be easier to select the property used as salt by annotating it, without having to override the IdentityStore component. 
> Using a randomly generated salt is a generally accepted practice, so it should also be possible to generate the salt value automatically when creating the user via IdentityManager's API.
> Suggestion:
> A new annotation, UserPasswordSalt, to annotate property used as salt. Attributes:
>   * generate=true|false -- whether to generate random value
>   * length=salt length in bits (used when generate=true)
> Example usage:
> class User {
>   @UserPasswordSalt(generate=true, length=64)
>   String getSalt() {..}
>  @UserPassword(hash="sha1"
>  String getPasswordHash() {...}
> }

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the seam-issues mailing list