Message-ID: <6245630.1151614710619.JavaMail.jira@brutus>
Date: Thu, 29 Jun 2006 20:58:30 +0000 (GMT+00:00)
From: "Ate Douma (JIRA)"
To: jetspeed-dev@jakarta.apache.org
Subject: [jira] Resolved: (JS2-550) A new Two-way password encoding service allowing decoding of encoded passwords
In-Reply-To: <13355417.1151614229854.JavaMail.jira@brutus>

     [ http://issues.apache.org/jira/browse/JS2-550?page=all ]

Ate Douma resolved JS2-550:
---------------------------

    Resolution: Fixed

Feature committed

> A new Two-way password encoding service allowing decoding of encoded passwords
> ------------------------------------------------------------------------------
>
>          Key: JS2-550
>          URL: http://issues.apache.org/jira/browse/JS2-550
>      Project: Jetspeed 2
>         Type: New Feature
>   Components: Security
>     Versions: 2.1, 2.1-dev
>     Reporter: Ate Douma
>     Assignee: Ate Douma
>      Fix For: 2.1, 2.1-dev
>
> For password encoding Jetspeed currently only provides the MessageDigestCredentialPasswordEncoder in the security component.
> While highly secure, this encoding solution cannot be used when you would like to be able to recover lost passwords, like providing the clear text value back to the user to a known/trusted email address. Or for a trusted administrator to be able to do the same manually.
> Therefore, I'll provide a new two-way encoding solution based on PKCS #5 PBE (Password Based Encryption), which uses a cipher generated from a secure password to encode user passwords. For this solution I'll provide a service which both implements the security component SPI CredentialPasswordEncoder as well as a decode method to retrieve the clear text value of an encoded password.
> Thus, I'll add a new PasswordEncodingService interface to the jetspeed-api and a PBEPasswordService implementation in the security component.
> The PBEPasswordService both extends a POJO PBEPasswordTool class, which also can be used standalone through a main method, as well as the CredentialPasswordEncoder.
> This way, this new service can both be made available as a portlet service through the Jetspeed Spring configuration for usage from specialized Portlet Applications, as well be used as a replacement for the default MessageDigestCredentialPasswordEncoder.
> Example Jetspeed Spring configuration how to make use of the new service could be as follows.
> In security-spi-atn.xml:
>
> ********
>
> In jetspeed-services.xml:
>
> ...
>
> ...
>
> Using the PBEPasswordTool standalone is possible as follows.
> Running the following command
>   java -cp jetspeed-api-2.1-dev.jar:jetspeed-security-2.1-dev.jar:commons-codec-1.3.jar org.apache.jetspeed.security.util.PBEPasswordTool
> gives the following output:
>   Encode/Decode a user password using Password Based Encryption
>   Usage: PBEPasswordTool
>     encode|decode    : specify if to encode or decode the provided password
>     encoding-password: the password to be used for encoding and decoding
>     username         : the name of the user to which the provided password belongs
>     password         : the cleartext password to encode, or the encoded password to decode
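The two-way encoding described in the issue, as an added Java example that is not Jetspeed's PBEPasswordTool or PBEPasswordService code: an AES key is derived from the encoding password with PKCS #5 PBKDF2 and the user password is encrypted with AES-GCM. The class name, algorithm choices, iteration count, output layout and the use of the username as authenticated data are assumptions of this example.

```java
import static java.nio.charset.StandardCharsets.UTF_8;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical class for illustration; not Jetspeed's PBEPasswordTool.
public class PbeTwoWayExample {
    private static final int ITERATIONS = 210_000; // assumed PBKDF2 work factor
    private static final SecureRandom RNG = new SecureRandom();
    // head = salt[16] || iv[12]; PBKDF2 turns encoding password + salt into an AES-256 key.
    private static Cipher cipher(int mode, char[] encPw, byte[] head, String user) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(encPw, Arrays.copyOf(head, 16), ITERATIONS, 256);
        byte[] key = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, head, 16, 12));
        c.updateAAD(user.getBytes(UTF_8)); // assumption: bind the value to its owner
        return c;
    }
    // Returns Base64(salt[16] || iv[12] || ciphertext || tag[16]); fresh salt and IV per call.
    public static String encode(char[] encPw, String user, String clearText) throws Exception {
        byte[] head = new byte[28];
        RNG.nextBytes(head);
        byte[] ct = cipher(Cipher.ENCRYPT_MODE, encPw, head, user).doFinal(clearText.getBytes(UTF_8));
        byte[] out = Arrays.copyOf(head, 28 + ct.length);
        System.arraycopy(ct, 0, out, 28, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }
    // Throws AEADBadTagException on a wrong encoding password, wrong username or altered value.
    public static String decode(char[] encPw, String user, String encoded) throws Exception {
        byte[] raw = Base64.getDecoder().decode(encoded);
        if (raw.length < 44) throw new IllegalArgumentException("encoded value too short");
        byte[] clear = cipher(Cipher.DECRYPT_MODE, encPw, raw, user).doFinal(raw, 28, raw.length - 28);
        return new String(clear, UTF_8);
    }
    public static void main(String[] args) throws Exception {
        char[] encPw = "constructed-encoding-password".toCharArray(); // constructed sample values
        String enc = encode(encPw, "alice", "sample-password");
        System.out.println(enc + " -> " + decode(encPw, "alice", enc));
        try {
            decode(encPw, "bob", enc); // same value stored under another user
        } catch (javax.crypto.AEADBadTagException e) {
            System.out.println("decode under a different username rejected");
        }
    }
}
```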