[jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-3762) Make it possible to select password salt without overriding IdentityStore

Shane Bryzak (JIRA) jira-events at lists.jboss.org
Wed Apr 15 02:47:22 EDT 2009


    [ https://jira.jboss.org/jira/browse/JBSEAM-3762?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12462250#action_12462250 ] 

Shane Bryzak commented on JBSEAM-3762:
--------------------------------------

You're right, and there don't seem to be any decent algorithms in JDK5.  I've added a drop-in PKCS#5 implementation which I found; this will be used if passwordHash.hashAlgorithm isn't specified (otherwise, if it _is_ specified, JCE will be used instead, and it will be up to the user to register their own JCE provider).

The salt length can be overridden by configuring passwordHash.saltLength in components.xml.

> Make it possible to select password salt without overriding IdentityStore
> -------------------------------------------------------------------------
>
>                 Key: JBSEAM-3762
>                 URL: https://jira.jboss.org/jira/browse/JBSEAM-3762
>             Project: Seam
>          Issue Type: Feature Request
>          Components: Security
>         Environment: Seam 2.1
>            Reporter: Nikolay Elenkov
>            Assignee: Shane Bryzak
>             Fix For: 2.1.2.CR1
>
>         Attachments: main.patch, seamspace.patch
>
>
> Currently, JpaIdentityStore uses the username as salt when hashing the user password. If you want to use a different property as salt, you need to override JpaIdentityStore.
> Since the salt is usually stored together with the user principal, it would be easier to select the property used as salt by annotating it, without having to override the IdentityStore component. 
> Using a randomly generated salt is a generally accepted practice, so it should also be possible to generate the salt value automatically when creating the user via IdentityManager's API.
> Suggestion:
> A new annotation, UserPasswordSalt, to annotate the property used as salt. Attributes:
>   * generate=true|false -- whether to generate random value
>   * length=salt length in bits (used when generate=true)
> Example usage:
> class User {
>   @UserPasswordSalt(generate=true, length=64)
>   String getSalt() {...}
>   @UserPassword(hash="sha1")
>   String getPasswordHash() {...}
> }

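The difference between the username-as-salt behaviour described in the issue and a randomly generated salt, shown as an added example that is not part of the original message and is not Seam's code. It uses PBKDF2 (the key-derivation function defined in PKCS #5 v2.0) from the JDK's own JCE provider rather than the drop-in implementation mentioned in the comment; the class name, iteration count and output length are assumptions chosen for illustration.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class SaltedPasswordHashDemo {
    // Assumed parameters for illustration; these are not Seam defaults.
    static final int ITERATIONS = 100_000;
    static final int HASH_BITS = 160;

    // Random per-user salt; the issue's example asks for length=64 (bits).
    static byte[] generateSalt(int lengthBits) {
        byte[] salt = new byte[lengthBits / 8];
        new SecureRandom().nextBytes(salt);
        return salt;
    }

    // PBKDF2 with HMAC-SHA1, provided by the JDK since Java 6.
    static byte[] hash(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, HASH_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // wipes the spec's internal copy only
        }
    }

    // Recompute with the stored salt and compare in constant time.
    static boolean verify(char[] candidate, byte[] salt, byte[] stored) throws Exception {
        return MessageDigest.isEqual(hash(candidate, salt), stored);
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "correct horse".toCharArray(); // constructed sample password
        // Username as salt: every account named "admin" with this password,
        // in any deployment, ends up with the same stored hash.
        byte[] nameSalt = "admin".getBytes("UTF-8");
        System.out.println("username salt, hashes equal: "
                + Arrays.equals(hash(pw, nameSalt), hash(pw, nameSalt)));
        // Random salt: the same password yields unrelated hashes per user.
        byte[] s1 = generateSalt(64), s2 = generateSalt(64);
        byte[] h1 = hash(pw, s1), h2 = hash(pw, s2);
        System.out.println("random salts, hashes equal: " + Arrays.equals(h1, h2));
        System.out.println("verify correct password: " + verify(pw, s1, h1));
        System.out.println("verify wrong password: " + verify("guess".toCharArray(), s1, h1));
    }
}
```

The salt has to be stored next to the hash, as the issue notes, because verification recomputes the hash from the stored salt.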