[seam-issues] [JBoss JIRA] Resolved: (JBSEAM-3942) LdapIdentityStore should crypt password

Shane Bryzak (JIRA) jira-events at lists.jboss.org
Tue Oct 26 19:31:55 EDT 2010


     [ https://jira.jboss.org/browse/JBSEAM-3942?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Shane Bryzak resolved JBSEAM-3942.
----------------------------------

    Resolution: Out of Date


We now use PicketLink for identity management.

> LdapIdentityStore should crypt password
> ---------------------------------------
>
>                 Key: JBSEAM-3942
>                 URL: https://jira.jboss.org/browse/JBSEAM-3942
>             Project: Seam
>          Issue Type: Feature Request
>          Components: Security
>    Affects Versions: 2.1.0.SP1, 2.1.1.CR1, 2.1.1.CR2, 2.1.1.GA
>            Reporter: Raimund Hölle
>            Assignee: Shane Bryzak
>            Priority: Minor
>
> LdapIdentityStore.changePassword() always stores the new password as plain text in the LDAP database.
> To allow crypted passwords, I suggest the following modifications (currently tested only with OpenLDAP, MS AD may need encoding "UTF16-EL"):
> New bean properties (along with getter / setter):
>   private String passwordCryptAlgorithm   = ""; // Default: plain text as previous releases, set it to  "SHA", "MD5", ... in components.xml (see java.security.MessageDigest)
>   private String passwordEncoding         = "UTF-8"; // Needed only if algorithm != ""
> Extend changePassword() by one additional line:
>    public boolean changePassword(String name, String password) 
>    {
>       InitialLdapContext ctx = null;      
>       try
>       {
>          ctx = initialiseContext();
>          // crypt password if not already done
>          password = cryptPwIfNeeded(password);
>          
>          BasicAttribute passwordAttrib = new BasicAttribute(getUserPasswordAttribute(), password);
> New helper method:
>   private Pattern cryptedPwRegexp = Pattern.compile("^[{].+[}].+");
>   private String cryptPwIfNeeded(String password) {
>     // only crypt if requested by algorithm and not already done!
>     if (getPasswordCryptAlgorithm() != null
>         && ! getPasswordCryptAlgorithm().equals("")
>         && ! cryptedPwRegexp.matcher(password).matches()) {
>       
>       try {
>         MessageDigest md;
>         md = MessageDigest.getInstance(getPasswordCryptAlgorithm());
>         
>         md.reset();
>         md.update(password.getBytes(getPasswordEncoding()));
>         
>         byte[] result = md.digest();
>         password = "{" + getPasswordCryptAlgorithm() + "}" + (new BASE64Encoder()).encode(result);
>         
>       } catch ( NoSuchAlgorithmException e ) {
>         throw new IdentityManagementException(
>                     "Configuration problem - can not crypt password with algorithm " + getPasswordCryptAlgorithm(), e);
>       } catch ( UnsupportedEncodingException e ) {
>         throw new IdentityManagementException(
>                     "Configuration problem - can not encode password with " + getPasswordEncoding(), e);
>       }
>     }
>     
>     return password;
>   }
> Many regards, Raimund
