geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Aaron Mulder (JIRA)" <>
Subject [jira] Commented: (GERONIMO-411) Add Hash Password Rewrite to File Realm
Date Mon, 01 Nov 2004 18:41:32 GMT
     [ ]
Aaron Mulder commented on GERONIMO-411:

I don't like requiring entries to be hashed to begin with, because then you need to tool to
edit the file.  In my experience, it's nicer to put plain text in the file and let the server
replace that with the hashed version.

But... if we were not going to rewrite, but we still want hashes, then I think we need to
provide a tool to add or update entries in the file, so you still get everything you need
in the Geronimo download.  Some products just have you use htpasswd, but I don't like that
approach much (and I thought that used crypt instead of MD5 anyway, though I don't really

What is it about rewriting that bothers you?

> Add Hash Password Rewrite to File Realm
> ---------------------------------------
>          Key: GERONIMO-411
>          URL:
>      Project: Apache Geronimo
>         Type: Improvement
>   Components: security
>     Versions: 1.0-M2
>     Reporter: Aaron Mulder
>     Priority: Minor

> It would be nice if the properties file realm could rewrite your properties file with
hashed passwords when it reads it.  We would need to be able to recognize hashed vs. unhashed
entries and perhaps even different algorithms.  Perhaps it could go like this:
> user1=plaintext
> user2=MD5{...}
> user3=SHA1{...}
> Anyway, the idea is that this could be a reasonably secure alternative, but you still
wouldn't need to manually hash things to add or update entries -- just put a plain text entry
in and the next time the server reads the file it would hash it for you.
> I guess we'd need to synchronize on the hash operation to avoid threading problems if
multiple apps or whatever use the same properties file, but it shouldn't be bad if we only
rewrite the file if we find any plain text entries.

This message is automatically generated by JIRA.
If you think it was sent incorrectly contact one of the administrators:
If you want more information on JIRA, or have a bug to report see:

View raw message