[jbossseam-issues] [JBoss JIRA] Updated: (JBSEAM-3942) LdapIdentityStore should crypt password
Raimund Hölle (JIRA)
jira-events at lists.jboss.org
Sun Feb 8 08:17:49 EST 2009
[ https://jira.jboss.org/jira/browse/JBSEAM-3942?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Raimund Hölle updated JBSEAM-3942:
----------------------------------
Description:
LdapIdentityStore.changePassword() always stores the new password as plain text in the LDAP database.
To allow crypted passwords, I suggest the following modifications (currently tested only with OpenLDAP, MS AD may need encoding "UTF16-EL"):

New bean properties (along with getter / setter):

    // Default: plain text as in previous releases; set it to "SHA", "MD5", ...
    // in components.xml (see java.security.MessageDigest). The name is also used
    // verbatim as the LDAP scheme tag ("{SHA}", "{MD5}"), so it must be one the
    // directory server recognises.
    private String passwordCryptAlgorithm = "";
    // Needed only if algorithm != ""
    private String passwordEncoding = "UTF-8";

Extend changePassword() by one additional line:

    public boolean changePassword(String name, String password)
    {
       InitialLdapContext ctx = null;
       try
       {
          ctx = initialiseContext();
          // crypt password if not already done
          password = cryptPwIfNeeded(password);

          BasicAttribute passwordAttrib = new BasicAttribute(getUserPasswordAttribute(), password);
          // ... remainder of the existing method unchanged

New helper method:

    // imports needed by the helper
    import java.io.UnsupportedEncodingException;
    import java.security.MessageDigest;
    import java.security.NoSuchAlgorithmException;
    import java.util.regex.Pattern;
    import sun.misc.BASE64Encoder;   // JDK-internal class, as used in the original snippet

    // Matches any value of the form "{...}...". Note that a user-chosen plain text
    // password such as "{x}y" also matches and would then be stored unhashed.
    private Pattern cryptedPwRegexp = Pattern.compile("^[{].+[}].+");

    private String cryptPwIfNeeded(String password) {
       // only crypt if requested by algorithm and not already done!
       if (getPasswordCryptAlgorithm() != null
           && ! getPasswordCryptAlgorithm().equals("")
           && ! cryptedPwRegexp.matcher(password).matches()) {

          try {
             MessageDigest md;
             md = MessageDigest.getInstance(getPasswordCryptAlgorithm());

             md.reset();
             md.update(password.getBytes(getPasswordEncoding()));

             // Unsalted digest, stored as "{ALGORITHM}base64(digest)" (RFC 2307 style).
             // BASE64Encoder inserts a line break after every 57 input bytes: the
             // 16/20-byte MD5/SHA digests fit on one line, a SHA-512 digest would not.
             byte[] result = md.digest();
             password = "{" + getPasswordCryptAlgorithm() + "}" + (new BASE64Encoder()).encode(result);

          } catch ( NoSuchAlgorithmException e ) {
             throw new IdentityManagementException(
                "Configuration problem - can not crypt password with algorithm " + getPasswordCryptAlgorithm(), e);
          } catch ( UnsupportedEncodingException e ) {
             throw new IdentityManagementException(
                "Configuration problem - can not encode password with " + getPasswordEncoding(), e);
          }
       }

       return password;
    }

Many regards, Raimund
was:

LdapIdentityStore.changePassword() always stores the new password as plain text in the LDAP database.
To allow crypted passwords, I suggest the following modifications:

New bean properties (along with getter / setter):

    private String passwordCryptAlgorithm = "SHA"; // Or "" for plain text, "MD5", ...
    private String passwordEncoding = "UTF-8";

Extend changePassword() by one additional line:

    public boolean changePassword(String name, String password)
    {
       InitialLdapContext ctx = null;
       try
       {
          ctx = initialiseContext();
          // crypt password if not already done
          password = cryptPwIfNeeded(password);

          BasicAttribute passwordAttrib = new BasicAttribute(getUserPasswordAttribute(), password);

New helper method:

    private Pattern cryptedPwRegexp = Pattern.compile("^[{].+[}].+");

    private String cryptPwIfNeeded(String password) {
       // only crypt if requested by algorithm and not already done!
       if (getPasswordCryptAlgorithm() != null
           && ! getPasswordCryptAlgorithm().equals("")
           && ! cryptedPwRegexp.matcher(password).matches()) {

          try {
             MessageDigest md;
             md = MessageDigest.getInstance(getPasswordCryptAlgorithm());

             md.reset();
             md.update(password.getBytes(getPasswordEncoding()));

             byte[] result = md.digest();
             password = "{" + getPasswordCryptAlgorithm() + "}" + (new BASE64Encoder()).encode(result);

          } catch ( NoSuchAlgorithmException e ) {
             throw new IdentityManagementException(
                "Configuration problem - can not crypt password with algorithm " + getPasswordCryptAlgorithm(), e);
          } catch ( UnsupportedEncodingException e ) {
             throw new IdentityManagementException(
                "Configuration problem - can not encode password with " + getPasswordEncoding(), e);
          }
       }

       return password;
    }

Many regards, Raimund
Complexity: Low
> LdapIdentityStore should crypt password
> ---------------------------------------
>
> Key: JBSEAM-3942
> URL: https://jira.jboss.org/jira/browse/JBSEAM-3942
> Project: Seam
> Issue Type: Feature Request
> Components: Security
> Affects Versions: 2.1.0.SP1, 2.1.1.CR1, 2.1.1.CR2, 2.1.1.GA
> Reporter: Raimund Hölle
> Priority: Minor
>
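The userPassword value format the proposal targets, worked through as an added example (not code from the Seam project or from this issue; the format itself is language-neutral, so Python is used here). It produces the unsalted {SHA} and {MD5} forms the patch emits, plus the salted {SSHA} and {SMD5} forms OpenLDAP also accepts, where identical passwords no longer yield identical stored values. The "already hashed" test is limited to recognised scheme tags, because a pattern like ^[{].+[}].+ would also accept a user-chosen plaintext password such as "{x}y" and leave it unhashed. The scheme names, the base64(digest || salt) layout and the 8-byte salt follow OpenLDAP's conventions; the function names are this example's own.

```python
"""Hash, detect and verify RFC 2307-style LDAP userPassword values.

Added example, not code from Seam or from JBSEAM-3942. Scheme tags and the
salted layout base64(digest || salt) follow OpenLDAP; 8-byte salt assumed.
"""
import base64
import hashlib
import hmac
import os
import re
from typing import Optional

# Scheme tag -> hash constructor. The tag is the directory's scheme name,
# not a java.security.MessageDigest name: "SHA" here means SHA-1.
_SCHEMES = {
    "SHA": hashlib.sha1, "SSHA": hashlib.sha1,
    "MD5": hashlib.md5, "SMD5": hashlib.md5,
}
_SALTED = {"SSHA", "SMD5"}
_TAG_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.+)$", re.DOTALL)


def looks_hashed(value: str) -> bool:
    """True only if value carries a scheme tag the directory would honour.

    A looser test such as ^[{].+[}].+ also accepts a user-chosen plaintext
    password like "{x}y" and would leave it unhashed."""
    m = _TAG_RE.match(value)
    return bool(m) and m.group(1).upper() in _SCHEMES


def hash_userpassword(password: str, scheme: str = "SSHA",
                      salt: Optional[bytes] = None,
                      encoding: str = "utf-8") -> str:
    """Return "{SCHEME}base64(...)"; salted schemes get 8 random bytes of salt."""
    scheme = scheme.upper()
    if scheme not in _SCHEMES:
        raise ValueError("unsupported userPassword scheme: " + scheme)
    raw = password.encode(encoding)
    if scheme in _SALTED:
        salt = os.urandom(8) if salt is None else salt
        payload = _SCHEMES[scheme](raw + salt).digest() + salt
    else:
        payload = _SCHEMES[scheme](raw).digest()
    return "{" + scheme + "}" + base64.b64encode(payload).decode("ascii")


def crypt_if_needed(password: str, scheme: str = "") -> str:
    """Counterpart of the proposed cryptPwIfNeeded(): hash only when a scheme
    is configured and the value is not already a recognised hashed value."""
    if not scheme or looks_hashed(password):
        return password
    return hash_userpassword(password, scheme)


def verify_userpassword(stored: str, candidate: str,
                        encoding: str = "utf-8") -> bool:
    """Check candidate against a stored userPassword value.

    Untagged values are compared as cleartext (the pre-patch behaviour);
    tagged values are re-hashed with the stored salt, if any."""
    cand = candidate.encode(encoding)
    m = _TAG_RE.match(stored)
    if not m or m.group(1).upper() not in _SCHEMES:
        return hmac.compare_digest(stored.encode(encoding), cand)
    scheme = m.group(1).upper()
    payload = base64.b64decode(m.group(2))
    size = _SCHEMES[scheme]().digest_size
    if scheme in _SALTED:
        digest, salt = payload[:size], payload[size:]
        expected = _SCHEMES[scheme](cand + salt).digest()
    else:
        digest, expected = payload, _SCHEMES[scheme](cand).digest()
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    # Constructed sample password; shows each scheme and a good/bad check.
    for name in ("SHA", "SSHA", "MD5", "SMD5"):
        value = crypt_if_needed("secret", name)
        print(name, value, verify_userpassword(value, "secret"),
              verify_userpassword(value, "Secret"))
    # A plaintext password that merely looks tagged is still hashed here:
    print(looks_hashed("{x}y"), crypt_if_needed("{x}y", "SHA").startswith("{SHA}"))
```

Running the block twice shows the difference between the unsalted and salted forms: the {SHA} and {MD5} values repeat, the {SSHA} and {SMD5} values change with the salt while still verifying. Comparison uses hmac.compare_digest so the verification time does not depend on where the first mismatching byte sits.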
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira