geronimo-dev mailing list archives

From "Aaron Mulder" <ammul...@alumni.princeton.edu>
Subject Re: Obscuring passwords in new ways
Date Sat, 15 Sep 2007 12:09:11 GMT
Sounds nice!

Aaron

On 9/14/07, David Jencks <david_jencks@yahoo.com> wrote:
> Periodically users show up who want their passwords obscured in new
> ways that allow their systems to break by removing the key used to
> obscure them :-)  (how's that for a biased view of the situation :-)
>
> They don't like SimpleEncryption because the key is hardcoded and
> thus the same for all geronimo instances.
>
> See GERONIMO-2925
>
> I've implemented something for this request that allows you to
> register "encryptors" with the EncryptionManager.  By default you get
> the current SimpleEncryption which uses AES with a hardcoded key.
>
> There's also a ConfiguredEncryption gbean that will generate and save
> a key if not present or use a saved one.
>
> You can register any number of Encryption instances with
> EncryptionManager but only the first one you register will be used for
> encryption.  Others might be used for decryption.
>
> If you try to encrypt a string that is already encrypted under a
> different registered Encryption instance it will decrypt using the
> old Encryption and re-encrypt using the registered Encryption.  For
> instance the properties file login module used to use {Standard} as
> the prefix instead of {Simple} so I registered the SimpleEncryption
> instance under both prefixes: the property files are re-encrypted
> with the {Simple} prefix.
>
> If you want to use the ConfiguredEncryption you can add this to
> config.xml under rmi-naming module:
>
> <gbean name="org.apache.geronimo.configs/rmi-naming/2.1-SNAPSHOT/car?name=ConfiguredEncryption,j2eeType=GBean"
>        gbeanInfo="org.apache.geronimo.system.util.ConfiguredEncryption">
>     <attribute name="path">var/security/ConfiguredSecretKey.ser</attribute>
>     <reference name="ServerInfo"><pattern><name>ServerInfo</name></pattern></reference>
> </gbean>
>
> I haven't tried this with app clients yet but I assume that adding
> this gbean to client would work.
>
> I'd appreciate review on this both for the idea of pluggable
> Encryption and even more for my use of crypto which I am definitely
> not an expert in.
>
> thanks
> david jencks
>
>
>
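The registration, first-wins encryption and prefix-based re-encryption behaviour David describes, as an added Java example that is not part of this thread or of Geronimo's own code: the Encryption interface and the EncryptionManager, SimpleEncryption and ConfiguredEncryption classes here are hypothetical stand-ins, the hardcoded key bytes are a constructed placeholder, and AES-CBC with a random IV prepended and Base64 encoding is an assumed wire format rather than Geronimo's.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.*;
import java.util.*;
import javax.crypto.*;
import javax.crypto.spec.*;

// Hypothetical stand-in for the pluggable "Encryption" contract described in the mail.
interface Encryption {
    String encrypt(String plaintext);
    String decrypt(String ciphertext);
}

// Assumed format: AES/CBC with a fresh random IV prepended to the ciphertext, Base64-encoded.
class AesEncryption implements Encryption {
    private static final SecureRandom RNG = new SecureRandom();
    private final SecretKey key;
    AesEncryption(SecretKey key) { this.key = key; }

    public String encrypt(String plaintext) {
        try {
            byte[] iv = new byte[16];
            RNG.nextBytes(iv);
            Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
            c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
            byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
            byte[] out = new byte[iv.length + ct.length];
            System.arraycopy(iv, 0, out, 0, iv.length);
            System.arraycopy(ct, 0, out, iv.length, ct.length);
            return Base64.getEncoder().encodeToString(out);
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }

    public String decrypt(String ciphertext) {
        try {
            byte[] in = Base64.getDecoder().decode(ciphertext);
            Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
            c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(in, 0, 16));
            return new String(c.doFinal(in, 16, in.length - 16), StandardCharsets.UTF_8);
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }
}

// The weakness the users complained about: one key baked into every installation,
// so values are obscured rather than protected. The key bytes are a constructed placeholder.
class SimpleEncryption extends AesEncryption {
    private static final byte[] HARDCODED = "0123456789abcdef".getBytes(StandardCharsets.UTF_8);
    SimpleEncryption() { super(new SecretKeySpec(HARDCODED, "AES")); }
}

// Per-installation key: generated and saved on first use, loaded on later starts
// (the mail's var/security/ConfiguredSecretKey.ser; removing the file makes old values undecryptable).
class ConfiguredEncryption extends AesEncryption {
    ConfiguredEncryption(Path path) throws IOException { super(loadOrCreate(path)); }

    private static SecretKey loadOrCreate(Path path) throws IOException {
        if (Files.exists(path)) return new SecretKeySpec(Files.readAllBytes(path), "AES");
        try {
            KeyGenerator kg = KeyGenerator.getInstance("AES");
            kg.init(128);
            SecretKey k = kg.generateKey();
            Files.createDirectories(path.toAbsolutePath().getParent());
            Files.write(path, k.getEncoded());
            return k;
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }
}

// Registry keyed by prefix; insertion order matters because the first registration encrypts.
class EncryptionManager {
    private final Map<String, Encryption> byPrefix = new LinkedHashMap<>();

    void register(String prefix, Encryption e) { byPrefix.put(prefix, e); }

    // Plain input is encrypted under the first registered encryptor. Input already carrying
    // another registered prefix is decrypted with that encryptor and re-encrypted under the first.
    String encrypt(String value) {
        Map.Entry<String, Encryption> primary = byPrefix.entrySet().iterator().next();
        String plain = value;
        for (Map.Entry<String, Encryption> e : byPrefix.entrySet()) {
            if (value.startsWith(e.getKey())) {
                if (e.getKey().equals(primary.getKey())) return value; // already current
                plain = e.getValue().decrypt(value.substring(e.getKey().length()));
                break;
            }
        }
        return primary.getKey() + primary.getValue().encrypt(plain);
    }

    // Any registered prefix can still be decrypted; unprefixed values are returned unchanged.
    String decrypt(String value) {
        for (Map.Entry<String, Encryption> e : byPrefix.entrySet())
            if (value.startsWith(e.getKey())) return e.getValue().decrypt(value.substring(e.getKey().length()));
        return value;
    }

    public static void main(String[] args) throws IOException {
        Path keyFile = Files.createTempDirectory("enc-demo").resolve("ConfiguredSecretKey.ser");
        EncryptionManager mgr = new EncryptionManager();
        mgr.register("{Configured}", new ConfiguredEncryption(keyFile)); // first: used for encryption
        Encryption simple = new SimpleEncryption();
        mgr.register("{Simple}", simple);    // same instance under both legacy prefixes,
        mgr.register("{Standard}", simple);  // as the mail describes for the properties login module
        String legacy = "{Standard}" + simple.encrypt("s3cret");
        String migrated = mgr.encrypt(legacy); // now carries the {Configured} prefix
        System.out.println(migrated.startsWith("{Configured}") + " " + mgr.decrypt(migrated));
    }
}
```

Running `main` migrates a value stored under the legacy `{Standard}` prefix to the per-installation key and prints `true s3cret`. The design point the mail raises is visible in the two subclasses: SimpleEncryption decrypts on any installation because its key is in the code, while ConfiguredEncryption only decrypts where the saved key file is present, which is exactly why a deleted key breaks the system.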
