geronimo-dev mailing list archives

From "Matt Hogstrom (JIRA)" <j...@apache.org>
Subject [jira] Updated: (GERONIMO-1565) PASSWORD hashing to be considered during declarative security management
Date Fri, 17 Nov 2006 06:14:37 GMT
     [ http://issues.apache.org/jira/browse/GERONIMO-1565?page=all ]

Matt Hogstrom updated GERONIMO-1565:
------------------------------------

       Issue Type: Wish  (was: Bug)
    Fix Version/s: Wish List
                       (was: 1.2)

> PASSWORD hashing to be considered during declarative security management
> ------------------------------------------------------------------------
>
>                 Key: GERONIMO-1565
>                 URL: http://issues.apache.org/jira/browse/GERONIMO-1565
>             Project: Geronimo
>          Issue Type: Wish
>      Security Level: public(Regular issues) 
>          Components: security
>    Affects Versions: 1.0
>         Environment: All supported platforms
>            Reporter: Phani Balaji Madgula
>             Fix For: Wish List
>
>
> If a J2EE application is configured for declarative security management, and uses a security realm deployed on an Apache Directory Server user registry for role mappings, the container fails to authenticate users if the passwords are hashed in the LDAP registry using any standard hashing technique (MD5, SHA, etc.).
> The container authenticates successfully if the passwords are stored in plain text.
> The following information might help in resolving the issue.
> I developed a small application that uses pure programmatic security login, using the Netscape Java LDAP SDK.
> When I store the password in MD5/SHA, I applied the corresponding hashing to the password sent by the user and compared it with the password retrieved from the LDAP server. To know how the password is stored in LDAP, we can check for the prefix "{md5}" for MD5, and "{sha}" for SHA.
> The following is the code snippet:
>
>      String uname    = req.getParameter("userName");
>      String password = req.getParameter("password");
>
>      boolean loginSucceed = false;
>      String hashMethod = "PLAIN";
>      String hashedPassword = password;
>      // Retrieve the stored password for the user from LDAP
>      String ldapPassword = getLdapPassword(uname);
>      // Detect how the stored password is hashed from its scheme prefix
>      if (ldapPassword.startsWith("{md5}")) {
>          hashMethod = "MD5";
>      } else if (ldapPassword.startsWith("{sha}")) {
>          hashMethod = "SHA";
>      }
>      // Apply the same hashing to the password supplied by the user
>      if (hashMethod.equals("SHA")) {
>          hashedPassword = getSHAHashedPassword(password);
>      } else if (hashMethod.equals("MD5")) {
>          hashedPassword = getMD5HashedPassword(password);
>      }
>      System.out.println("AuthenticateServlet:service:hashedPassword:" + hashedPassword);
>      System.out.println("AuthenticateServlet:service:ldapPassword:" + ldapPassword);
>      // Compare the re-hashed user password with the stored value
>      if (hashedPassword.equals(ldapPassword)) loginSucceed = true;
> .
>  
> So, with programmatic login, we can solve the problem.
> I guess hashing is not part of the specification when using container-managed security authentication.
> With declarative/container security management, I guess, the current application login implementation must consider hashing of passwords also.
> Thanks
> phani

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
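The check the reporter describes (detect the hash scheme from the userPassword prefix, hash the supplied password the same way, compare), as an added example in Python that is not part of the issue or of Geronimo's code. It follows the RFC 2307 userPassword convention, which the snippet above does not show: after the {scheme} prefix, directory servers store the base64 encoding of the raw digest, with the salt appended for the salted schemes {SSHA}/{SMD5}, so the candidate password has to be encoded the same way before comparison. The scheme name is matched case-insensitively (the issue text uses "{md5}" and "{sha}"), unknown schemes fail closed, the comparison is constant-time, and nothing is logged. Unsalted MD5 and SHA-1 are weak for password storage, so the encoding helper defaults to salted SHA. The directory entries and the "secret" test vectors are constructed for the example; `verify_password`, `encode_userpassword`, `parse_userpassword` and `login_succeeds` are names chosen here, not Geronimo or LDAP SDK APIs.

```python
import base64
import hashlib
import hmac
import os

# RFC 2307 userPassword schemes handled here: scheme -> (hashlib name, salted?)
_SCHEMES = {
    "SHA": ("sha1", False),
    "SSHA": ("sha1", True),
    "MD5": ("md5", False),
    "SMD5": ("md5", True),
}


def parse_userpassword(stored):
    """Split an LDAP userPassword value into (SCHEME, payload).

    A value without a {scheme} prefix is treated as plaintext ("PLAIN")."""
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}")
        return stored[1:end].upper(), stored[end + 1:]
    return "PLAIN", stored


def verify_password(candidate, stored):
    """Return True if `candidate` matches the stored userPassword value."""
    scheme, payload = parse_userpassword(stored)
    if scheme == "PLAIN":
        return hmac.compare_digest(candidate.encode("utf-8"), payload.encode("utf-8"))
    if scheme not in _SCHEMES:
        return False  # unknown scheme (e.g. {CRYPT}): fail closed
    algo, salted = _SCHEMES[scheme]
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return False
    digest_len = hashlib.new(algo).digest_size
    if len(raw) < digest_len:
        return False
    digest, salt = raw[:digest_len], raw[digest_len:]
    if not salted and salt:
        return False  # trailing bytes on an unsalted scheme: malformed value
    computed = hashlib.new(algo, candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(computed, digest)


def encode_userpassword(password, scheme="SSHA", salt=None):
    """Produce an RFC 2307 style userPassword value: {SCHEME}base64(digest || salt)."""
    scheme = scheme.upper()
    algo, salted = _SCHEMES[scheme]
    if salted:
        salt = os.urandom(8) if salt is None else salt
    else:
        salt = b""
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


# Constructed stand-in for the LDAP lookup (getLdapPassword in the issue's snippet).
SAMPLE_DIRECTORY = {
    "alice": "{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=",   # SHA-1 of "secret"
    "bob": "{md5}Xr4ilOzQ4PCOq3aQ0qbuaQ==",        # MD5 of "secret", lowercase prefix
    "carol": "secret",                              # plaintext
    "dave": encode_userpassword("secret", "SSHA"),  # salted SHA-1
}


def login_succeeds(uname, password, directory=SAMPLE_DIRECTORY):
    """Mirror of the servlet's loginSucceed decision, without printing secrets."""
    stored = directory.get(uname)
    if stored is None:
        return False
    return verify_password(password, stored)


if __name__ == "__main__":
    for user in SAMPLE_DIRECTORY:
        print(user, login_succeeds(user, "secret"), login_succeeds(user, "wrong"))
```

A real realm should also reject values whose scheme it does not recognise rather than falling back to a plaintext compare, which is what the fail-closed branch above does.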