Hi,

The CAS documentation <https://wiki.jasig.org/display/CASUM/JDBC> indicates 
that you can use any of the MACs listed on the JDK Javadoc 
<http://download.oracle.com/javase/1.5.0/docs/guide/security/jce/JCERefGuide.html#AppA> 
for the password encoder's encodingAlgorithm attribute; this list includes 
"HmacSHA512", which is what I want to use.  (I confess I don't know the 
difference, if any, between SHA512 and HmacSHA512 in the context of hashing 
passwords.)

I have used the following in my deployerConfigContext.xml file:

<bean id="passwordEncoder" 
class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder" 
c:encodingAlgorithm="SHA1" p:characterEncoding="UTF-8" />

and it worked.  However, neither of the following two variants works:

<bean id="passwordEncoder" 
class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder" 
c:encodingAlgorithm="HmacSHA512" p:characterEncoding="UTF-8" />

and

<bean id="passwordEncoder" 
class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder" 
c:encodingAlgorithm="SHA512" p:characterEncoding="UTF-8" />

Each of these results in something in the log such as:

2014-07-10 15:13:01,251 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: java.security.NoSuchAlgorithmException: SHA512 MessageDigest not available
ACTION: TICKET_GRANTING_TICKET_NOT_CREATED
APPLICATION: CAS
WHEN: Thu Jul 10 15:13:01 BST 2014
CLIENT IP ADDRESS: 10.255.240.6
SERVER IP ADDRESS: cas.zion.bt.co.uk
=============================================================

This suggests that I have to provide an implementation of SHA512.  However, I 
have no idea where to get one or how to make it available once I do!  (I assume 
I would get a JAR file and put it in WEB-INF/lib - but I don't know how I would 
specify the implementing class name in deployerConfigContext.xml.)

Also, even if I do find an implementation, what I really need is one that lets 
me specify a salt for each password.

And I need to get the salt from the database containing the hashed passwords.

Is this an unrealistic or naively optimistic notion?  Should I really be 
thinking about implementing a bean or other Java class and (somehow) using that 
instead of CAS's built-in JDBC options?  If I should, what's the 
preferred/easiest approach?

Any advice would be much appreciated!

Many thanks.
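
Added example (not part of the original message and not CAS code): the log line above shows a MessageDigest lookup by the name "SHA512". The JCA standard name for that digest is "SHA-512", and "HmacSHA512" is a Mac, which is keyed and is obtained through javax.crypto.Mac rather than MessageDigest. The class below probes which names the running JRE resolves and computes both a salted digest and an HMAC. The class name, the salt-then-password ordering, and the sample salt, key and password are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class DigestNameProbe {  // hypothetical class name

    // True if an installed provider registers a MessageDigest under this name.
    static boolean digestAvailable(String name) {
        try {
            MessageDigest.getInstance(name);
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;  // same exception type as in the audit record
        }
    }

    // Unkeyed digest over salt || password (ordering is an assumption).
    static String saltedDigest(String algorithm, byte[] salt, String password)
            throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(algorithm);
        md.update(salt);
        md.update(password.getBytes(StandardCharsets.UTF_8));
        return hex(md.digest());
    }

    // HmacSHA512 is a MAC: it needs a secret key before it can produce output.
    static String hmac(byte[] key, String password) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA512");
        mac.init(new SecretKeySpec(key, "HmacSHA512"));
        return hex(mac.doFinal(password.getBytes(StandardCharsets.UTF_8)));
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Result per name depends on the providers installed in this JRE.
        for (String n : new String[] {"SHA1", "SHA-1", "SHA512", "SHA-512", "HmacSHA512"})
            System.out.println(n + " as MessageDigest: " + digestAvailable(n));
        byte[] salt = new byte[16];  // constructed sample; would be read per user from the DB
        new SecureRandom().nextBytes(salt);
        byte[] key = "constructed-sample-key".getBytes(StandardCharsets.UTF_8);
        System.out.println("SHA-512(salt||pw)  = " + saltedDigest("SHA-512", salt, "constructed-sample-pw"));
        System.out.println("HmacSHA512(key,pw) = " + hmac(key, "constructed-sample-pw"));
    }
}
```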