geronimo-dev mailing list archives

From "David Jencks (JIRA)" <>
Subject [jira] Updated: (GERONIMO-1565) Ldap Login Module should handle password hashing
Date Fri, 26 Oct 2007 16:00:58 GMT


David Jencks updated GERONIMO-1565:

    Summary: Ldap Login Module should handle password hashing  (was: PASSWORD hashing to be
considered during declarative security management)

I don't see a way to generically deal with password hashing since only the login module sees
the user's input and the backing store.  However we could certainly have the LDAP login module
deal with hashing and encrypting passwords like the properties file login module does.

> Ldap Login Module should handle password hashing
> ------------------------------------------------
>                 Key: GERONIMO-1565
>                 URL:
>             Project: Geronimo
>          Issue Type: Wish
>      Security Level: public(Regular issues) 
>          Components: security
>    Affects Versions: 1.0
>         Environment: All supported platforms
>            Reporter: Phani Balaji Madgula
>             Fix For: Wish List
> If a J2EE application is configured for declarative security management, and uses a security
> realm deployed on Apache Directory Server user registry for role mappings, the container fails
> to authenticate users if the passwords are hashed in the LDAP registry using any standard hashing
> technique (MD5, SHA, etc.).
> Container authenticates successfully, if the passwords are stored plain.
> The following information might help out in resolving the issue.
> I developed a small application that uses pure programmatic security login, using Netscape
> When I store the password in MD5/SHA, I applied the corresponding hashing on the password sent by
> the user and compared it with the password retrieved from the LDAP server. To know how the password
> is stored in LDAP, we can check for the prefix "{md5}" for MD5, and "{sha}" for SHA.
> The following is the code snippet:
>     String uname = req.getParameter("userName");
>     String password = req.getParameter("password");
>     boolean loginSucceed = false;
>     String hashMethod = "PLAIN";
>     String hashedPassword = password;
>     String ldapPassword = getLdapPassword(uname); // Retrieve password from LDAP for the
>     if (ldapPassword.startsWith("{md5}")) {
>         hashMethod = "MD5";
>     } else if (ldapPassword.startsWith("{sha}")) {
>         hashMethod = "SHA";
>     }
>     if (hashMethod.equals("SHA")) {
>         hashedPassword = getSHAHashedPassword(password);
>     } else if (hashMethod.equals("MD5")) {
>         hashedPassword = getMD5HashedPassword(password);
>     }
>     System.out.println("AuthenticateServlet:service:hashedPassword:" + hashedPassword);
>     System.out.println("AuthenticateServlet:service:ldapPassword:" + ldapPassword);
>     if (hashedPassword.equals(ldapPassword)) loginSucceed = true;
> So, with programmatic login, we can solve the problem. 
> I guess hashing is not part of specification while using container managed security authentication.

> With declarative/container security management, I guess, the current application login implementation
> must consider hashing of passwords also.
> Thanks
> phani 
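
The prefix-detection-and-compare logic sketched in the issue, written out as an added example in Python (this is not code from the page, from Phani's servlet, or from Geronimo's LDAP login module). It splits an RFC 2307 style `{scheme}` tag from the stored value case-insensitively (the issue uses `{md5}`, directories commonly emit `{MD5}`), handles the MD5 and SHA cases the issue names plus salted `{SSHA}`, which the issue does not cover and which cannot be verified by hashing the candidate on its own, fails closed on unknown schemes or undecodable payloads, and compares digests in constant time. `SAMPLE_DIRECTORY`, the two user entries in it, and the function names are constructed for this example; the `alice` value is base64 of sha1("password").

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample "directory" standing in for the LDAP userPassword lookup
# (getLdapPassword in the issue). Values follow the RFC 2307 "{scheme}base64"
# layout; a bare value is a plaintext password. Both entries are constructed.
SAMPLE_DIRECTORY: Dict[str, str] = {
    "alice": "{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=",  # base64(sha1("password"))
    "bob": "plaintext-secret",                      # stored plain, no tag
}

SUPPORTED_SCHEMES = {"PLAIN", "MD5", "SHA", "SSHA"}
SHA1_LEN = 20  # bytes; everything after the digest in an {SSHA} payload is salt


def split_scheme(stored: str) -> Tuple[str, str]:
    """Split a userPassword value into (scheme, payload).

    Tags are compared case-insensitively because directories differ on
    casing ({md5} in the issue, {MD5} in RFC 2307); no tag means PLAIN.
    """
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}")
        return stored[1:end].upper(), stored[end + 1:]
    return "PLAIN", stored


def hash_password(password: str, scheme: str, salt: Optional[bytes] = None) -> str:
    """Build a userPassword value in the given scheme (test fixtures, and a
    record of the exact byte layout that verify_password checks)."""
    scheme = scheme.upper()
    pw = password.encode("utf-8")
    if scheme == "PLAIN":
        return password
    if scheme == "MD5":
        return "{MD5}" + base64.b64encode(hashlib.md5(pw).digest()).decode()
    if scheme == "SHA":
        return "{SHA}" + base64.b64encode(hashlib.sha1(pw).digest()).decode()
    if scheme == "SSHA":
        # Salted SHA-1: payload = sha1(password + salt) + salt
        salt = os.urandom(8) if salt is None else salt
        digest = hashlib.sha1(pw + salt).digest()
        return "{SSHA}" + base64.b64encode(digest + salt).decode()
    raise ValueError("unsupported scheme: " + scheme)


def verify_password(stored: str, candidate: str) -> bool:
    """Check a user-supplied password against a stored userPassword value.

    Unknown schemes and undecodable payloads are rejected (fail closed);
    digests are compared with hmac.compare_digest rather than ==.
    """
    scheme, payload = split_scheme(stored)
    if scheme not in SUPPORTED_SCHEMES:
        return False
    cand = candidate.encode("utf-8")
    if scheme == "PLAIN":
        return hmac.compare_digest(payload.encode("utf-8"), cand)
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if scheme == "SSHA":
        # The salt lives in the stored value, so the candidate must be hashed
        # with that salt; hashing the candidate on its own can never match.
        digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
        return hmac.compare_digest(hashlib.sha1(cand + salt).digest(), digest)
    algo = hashlib.md5 if scheme == "MD5" else hashlib.sha1
    return hmac.compare_digest(algo(cand).digest(), raw)


def authenticate(username: str, password: str,
                 directory: Dict[str, str] = SAMPLE_DIRECTORY) -> bool:
    """The login-module decision: look the user up, then verify. Neither the
    candidate nor the stored value is logged, unlike the servlet snippet."""
    stored = directory.get(username)
    if stored is None:
        return False
    return verify_password(stored, password)


if __name__ == "__main__":
    for user, pw in [("alice", "password"), ("alice", "Password"), ("bob", "plaintext-secret")]:
        print(user, "->", "ok" if authenticate(user, pw) else "denied")
```

Two points differ from the servlet snippet on purpose: the comparison is done on decoded digest bytes with `hmac.compare_digest` instead of `String.equals` on the encoded text, and nothing prints the candidate or the stored hash, which the snippet's `System.out.println` calls would leave in server logs.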

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
