From: Jeff Genender
To: dev@geronimo.apache.org
Date: Sat, 27 Aug 2005 12:47:47 -0600
Subject: Re: [jira] Updated: (GERONIMO-411) Add Hash Password Rewrite to File Realm
Message-ID: <4310B553.8050100@savoirtech.com>
In-Reply-To: <27281962.1125167765470.JavaMail.jira@ajax.apache.org>

Is this something we should do in the plans as well (i.e. SSL certs, etc)?

Aaron Mulder (JIRA) wrote:
> [ http://issues.apache.org/jira/browse/GERONIMO-411?page=all ]
>
> Aaron Mulder updated GERONIMO-411:
> ----------------------------------
>
> Fix Version: 1.0
> Description:
> It would be nice if the properties file realm could rewrite your properties file with hashed passwords when it reads it. We would need to be able to recognize hashed vs. unhashed entries and perhaps even different algorithms. Perhaps it could go like this:
>
> user1=plaintext
> user2=MD5{...}
> user3=SHA1{...}
>
> Anyway, the idea is that this could be a reasonably secure alternative, but you still wouldn't need to manually hash things to add or update entries -- just put a plain text entry in and the next time the server reads the file it would hash it for you.
>
> I guess we'd need to synchronize on the hash operation to avoid threading problems if multiple apps or whatever use the same properties file, but it shouldn't be bad if we only rewrite the file if we find any plain text entries.
>
> Environment:
>
>> Add Hash Password Rewrite to File Realm
>> ---------------------------------------
>>
>> Key: GERONIMO-411
>> URL: http://issues.apache.org/jira/browse/GERONIMO-411
>> Project: Geronimo
>> Type: Improvement
>> Components: security
>> Versions: 1.0-M2
>> Reporter: Aaron Mulder
>> Priority: Minor
>> Fix For: 1.0