cayenne-commits mailing list archives

From conflue...@apache.org
Subject [CONF] Apache Cayenne > Password Encoding
Date Fri, 27 Nov 2009 17:11:00 GMT
<html>
<head>
    <base href="http://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/1519/1/25/_/styles/combined.css?spaceKey=CAY&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background-color: white" bgcolor="white">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
     <h2><a href="http://cwiki.apache.org/confluence/display/CAY/Password+Encoding">Password
Encoding</a></h2>
     <h4>Page <b>edited</b> by             <a href="http://cwiki.apache.org/confluence/display/~blacknext">Michael
Gentry</a>
    </h4>
     Updated for Cayenne 3.0.
          <br/>
     <div class="notificationGreySide">
         <h3><a name="PasswordEncoding-Modeler"></a>Modeler</h3>

<p>Password encoding offers a mechanism to better control the way in which Cayenne obtains
and stores database passwords.  The default method is to store the password in plain text
inside the model.  This approach might be acceptable for a lot of organizations, but some
companies have different security standards for how this information is stored.</p>

<p>The password encoding feature is defined under the <b>Password Encoding</b>
tab in Cayenne Modeler's DataNode definition.  (This option is only available when the DataSource
Factory under the <b>Main</b> tab is <tt>org.apache.cayenne.conf.DriverDataSourceFactory</tt>.)
 This screenshot shows the options available for encoding:</p>

<p>[Screenshot not available: PasswordEncoder.png]</p>

<p>The fields are:</p>

<ul>
	<li><b>Password Encoder</b> The class used to encode and decode database
passwords.  Cayenne includes three standard encoders: <tt>PlainTextPasswordEncoder</tt>,
<tt>Rot13PasswordEncoder</tt>, and <tt>Rot47PasswordEncoder</tt>.
 The plain text encoder is the Cayenne default &#8211; passwords are stored in plain text.
 The <a href="http://en.wikipedia.org/wiki/ROT13" rel="nofollow">ROT-13</a> encoder
does a simple Caesar cipher of the password, which is easily unscrambled, but provides a slight
degree of obfuscation.  The <a href="http://en.wikipedia.org/wiki/ROT47#Variants" rel="nofollow">ROT-47</a>
encoder is a variant of ROT-13 that includes symbols and numbers (ROT-13 only includes letters).
 This field is user-editable and a different/custom class can be entered.  <b>NOTE:
If you specify your own class to handle the encoding, be sure it is in Cayenne Modeler's class
path in the Preferences.</b></li>
</ul>


<ul>
	<li><b>Password Encoder Key</b> The <a href="http://en.wikipedia.org/wiki/Key_(cryptography)"
rel="nofollow">key</a> to use when encrypting/decrypting the password.  The standard
encoders ignore this value.</li>
</ul>


<ul>
	<li><b>Password Location</b> A pulldown list specifying where the password
is stored.  The default is inside the Cayenne model.  Other options include the Java CLASSPATH,
from an Executable Program (run a command to obtain the password), and URL (file: or perhaps
even http:&#41;.  <b>NOTE: Cayenne Modeler will use the password encoder to save
passwords in the model, but not outside of it.  If you choose an external location, you have
to create and maintain the password yourself.</b></li>
</ul>


<ul>
	<li><b>Password Source</b> The meaning of this field depends on the
Password Location.  It is unused if the Password Location is Model.  If the Password Location
is Classpath, Executable Program, or URL, then it specifies the filename to find in the
CLASSPATH, the program to run (with all parameters), or the URL.</li>
</ul>


<h3><a name="PasswordEncoding-API"></a>API</h3>

<p>Password encoders implement the <tt>PasswordEncoding</tt> interface:</p>

<div class="code panel" style="border-style: solid;border-width: 1px;"><div class="codeHeader
panelHeader" style="border-bottom-width: 1px;border-bottom-style: solid;"><b>PasswordEncoding.java</b></div><div
class="codeContent panelContent">
<pre class="code-java">
<span class="code-keyword">public</span> <span class="code-keyword">interface</span> PasswordEncoding
{
  <span class="code-keyword">final</span> <span class="code-object">String</span>[] standardEncoders =
    <span class="code-keyword">new</span> <span class="code-object">String</span>[] { PlainTextPasswordEncoder.class.getName(),
                   Rot13PasswordEncoder.class.getName() };

  /**
   * Decodes an encoded database password.
   * 
   * @param encodedPassword - The encoded password to be decoded
   * @param salt - An optional data element which can be used to salt the algorithm.
   * @return The decoded normal/plain password.
   */
  <span class="code-keyword">public</span> <span class="code-object">String</span> decodePassword(<span class="code-object">String</span> encodedPassword, <span class="code-object">String</span> salt);

  /**
   * Encodes a normal/plain database password.
   * 
   * @param normalPassword - The normal/plain password to be encoded
   * @param salt - An optional data element which can be used to salt the algorithm.
   * @return The encoded password.
   */
  <span class="code-keyword">public</span> <span class="code-object">String</span> encodePassword(<span class="code-object">String</span> normalPassword, <span class="code-object">String</span> salt);
}
</pre>
</div></div>

<p>When loading the model, the retrieved password is passed through the <tt>decodePassword(encodedPassword,
salt)</tt> method to obtain the actual password.  When saving the model, if the <b>Password
Location</b> is in the Cayenne Model the <tt>encodePassword(normalPassword, salt)</tt>
method is called and the returned value is saved.</p>

<p>The standard encoders, such as the plain text encoder, are trivial:</p>

<div class="code panel" style="border-style: solid;border-width: 1px;"><div class="codeHeader
panelHeader" style="border-bottom-width: 1px;border-bottom-style: solid;"><b>PlainTextPasswordEncoder.java</b></div><div
class="codeContent panelContent">
<pre class="code-java">
<span class="code-keyword">package</span> org.apache.cayenne.conf;

<span class="code-keyword">public</span> class PlainTextPasswordEncoder <span class="code-keyword">implements</span> PasswordEncoding
{
  <span class="code-keyword">public</span> <span class="code-object">String</span> decodePassword(<span class="code-object">String</span> encodedPassword, <span class="code-object">String</span> salt)
  {
    <span class="code-keyword">return</span> encodedPassword;
  }

  <span class="code-keyword">public</span> <span class="code-object">String</span> encodePassword(<span class="code-object">String</span> normalPassword, <span class="code-object">String</span> salt)
  {
    <span class="code-keyword">return</span> normalPassword;
  }
}
</pre>
</div></div>

<p>If your organization requires something more advanced, such as Triple DES, then you
can write an encoder to handle it and plug it into Cayenne (don't forget to add the JAR with
your custom encoder to the Modeler's Classpath Preferences settings and to the Java Classpath
at runtime).</p>
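
<p>The encoder below is an added example, not code from the Cayenne project. It uses AES-GCM (swapped in for the Triple DES mentioned above) with a key derived by PBKDF2 from the Password Encoder Key that Cayenne passes as <tt>salt</tt>. The class name, iteration count and stored layout are assumptions of this example, it needs Java 8 or later, and the protection is only as good as the secrecy of that key.</p>

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.*;
import org.apache.cayenne.conf.PasswordEncoding;
// Hypothetical custom encoder (added example): AES-128-GCM keyed from the "Password Encoder Key".
public class AesGcmPasswordEncoder implements PasswordEncoding {
  private static final int KDF_SALT_LEN = 16, IV_LEN = 12, HEAD = KDF_SALT_LEN + IV_LEN, TAG_BITS = 128;
  private static final SecureRandom RNG = new SecureRandom();

  // Builds the cipher; blob starts with the KDF salt (16 bytes) followed by the GCM IV (12 bytes).
  private static Cipher cipher(int mode, String passphrase, byte[] blob) throws GeneralSecurityException {
    if (passphrase == null || passphrase.isEmpty()) throw new IllegalArgumentException("Password Encoder Key must be set");
    PBEKeySpec spec = new PBEKeySpec(passphrase.toCharArray(), Arrays.copyOf(blob, KDF_SALT_LEN), 200000, 128);
    byte[] key = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
    c.init(mode, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, blob, KDF_SALT_LEN, IV_LEN));
    return c;
  }

  public String encodePassword(String normalPassword, String salt) {
    try {
      byte[] head = new byte[HEAD];
      RNG.nextBytes(head); // fresh KDF salt and IV on every save, so the IV is never reused
      byte[] ct = cipher(Cipher.ENCRYPT_MODE, salt, head).doFinal(normalPassword.getBytes(StandardCharsets.UTF_8));
      // Stored form: base64(kdfSalt || iv || ciphertext || tag)
      byte[] out = ByteBuffer.allocate(HEAD + ct.length).put(head).put(ct).array();
      return Base64.getEncoder().encodeToString(out);
    } catch (GeneralSecurityException e) {
      throw new IllegalStateException("password encryption failed", e);
    }
  }

  public String decodePassword(String encodedPassword, String salt) {
    try {
      byte[] in = Base64.getDecoder().decode(encodedPassword);
      if (HEAD + TAG_BITS / 8 > in.length) throw new IllegalArgumentException("encoded password is too short");
      // doFinal throws AEADBadTagException on a wrong key or a modified stored value
      byte[] pt = cipher(Cipher.DECRYPT_MODE, salt, in).doFinal(in, HEAD, in.length - HEAD);
      return new String(pt, StandardCharsets.UTF_8);
    } catch (GeneralSecurityException e) {
      throw new IllegalStateException("password decryption failed", e);
    }
  }
}
```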

<p>Encoders implementing strong encryption algorithms are not supplied as part of the
standard Apache Cayenne framework due to US export restrictions.</p>

<div class='panelMacro'><table class='infoMacro'><colgroup><col width='24'><col></colgroup><tr><td
valign='top'><img src="/confluence/images/icons/emoticons/information.gif" width="16"
height="16" align="absmiddle" alt="" border="0"></td><td><b>Useful Information</b><br
/><p>The encoding is only applied to the database password on the Cayenne side. 
The data stream between the application and database is unaffected, so the password could
(and usually will) be transmitted in-the-clear over the network to the database.</p></td></tr></table></div>
     </div>
</div>
</div>
</div>
</div>
</body>
</html>
