[ http://issues.apache.org/jira/browse/GERONIMO-1565?page=all ]
Aaron Mulder updated GERONIMO-1565:
-----------------------------------

       Fix Version/s: 1.2
   Affects Version/s:     (was: 1.1)
                          (was: 1.2)

> PASSWORD hashing to be considered during declarative security management
> ------------------------------------------------------------------------
>
>                 Key: GERONIMO-1565
>                 URL: http://issues.apache.org/jira/browse/GERONIMO-1565
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues)
>          Components: security
>    Affects Versions: 1.0
>         Environment: All supported platforms
>            Reporter: Phani Balaji Madgula
>             Fix For: 1.2
>
>
> If a J2EE application is configured for declarative security management, and
> uses a security realm deployed on an Apache Directory Server user registry for
> role mappings, the container fails to authenticate users if the passwords are
> hashed in the LDAP registry using any standard hashing technique (MD5, SHA, etc.).
> The container authenticates successfully if the passwords are stored plain.
> The following information might help in resolving the issue.
> I developed a small application that uses pure programmatic security login,
> using the Netscape Java LDAP SDK.
> When I store the password in MD5/SHA, I applied the corresponding hashing to the password
> sent by the user and compared it with the password retrieved from the LDAP server.
> To know how the password is stored in LDAP, we can check for the prefix "{md5}"
> for MD5, and "{sha}" for SHA.
>
> The following is the code snippet
>
>     String uname = req.getParameter("userName");
>     String password = req.getParameter("password");
>
>     boolean loginSucceed = false;
>     String hashMethod = "PLAIN";
>     String hashedPassword = password;
>     String ldapPassword = getLdapPassword(uname); // Retrieve password from LDAP for the user
>     if (ldapPassword.startsWith("{md5}")) {
>         hashMethod = "MD5";
>     } else if (ldapPassword.startsWith("{sha}")) {
>         hashMethod = "SHA";
>     }
>     if (hashMethod.equals("SHA")) {
>         hashedPassword = getSHAHashedPassword(password);
>     } else if (hashMethod.equals("MD5")) {
>         hashedPassword = getMD5HashedPassword(password);
>     }
>
>     System.out.println("AuthenticateServlet:service:hashedPassword:" + hashedPassword);
>     System.out.println("AuthenticateServlet:service:ldapPassword:" + ldapPassword);
>     if (hashedPassword.equals(ldapPassword)) loginSucceed = true;
>     .
>
> So, with programmatic login, we can solve the problem.
> I guess hashing is not part of the specification while using container-managed
> security authentication.
> With declarative/container security management, I guess, the current application
> login implementation must consider hashing of passwords also.
> Thanks
> phani

--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
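A complete form of the check the reporter describes, as an added example (not Geronimo's or Apache Directory Server's own code): it assumes the RFC 2307 userPassword layout ({SCHEME} prefix followed by the base64 digest, with the salt appended for the {SSHA}/{SMD5} variants, which go beyond the two schemes in the report) and UTF-8 password bytes. It matches the prefix case-insensitively ("{sha}" in the report, "{SHA}" as the directory writes it), fails closed on unknown or malformed values, and compares digests with MessageDigest.isEqual rather than String.equals.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Base64;

/** Checks a submitted password against an LDAP userPassword value of the form
 *  "{SCHEME}base64(digest[ + salt])" (RFC 2307 style). Added example; not
 *  Geronimo or Apache DS code. Assumes passwords were hashed as UTF-8 bytes. */
public final class LdapPasswordVerifier {
    public static boolean verify(String candidate, String stored) {
        if (candidate == null || stored == null) return false;
        int close = stored.indexOf('}');
        if (!stored.startsWith("{") || close < 0) {
            // No scheme prefix: the directory holds the clear-text password.
            return MessageDigest.isEqual(utf8(candidate), utf8(stored));
        }
        // The directory writes "{SHA}"; the report shows "{sha}". Compare case-insensitively.
        String scheme = stored.substring(1, close).toUpperCase();
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(stored.substring(close + 1));
        } catch (IllegalArgumentException e) {
            return false; // malformed entry never authenticates
        }
        String algorithm; int digestLen;
        switch (scheme) {
            case "SHA": case "SSHA": algorithm = "SHA-1"; digestLen = 20; break;
            case "MD5": case "SMD5": algorithm = "MD5";   digestLen = 16; break;
            default: return false; // unknown scheme: fail closed
        }
        boolean salted = scheme.equals("SSHA") || scheme.equals("SMD5");
        if (salted ? decoded.length <= digestLen : decoded.length != digestLen) return false;
        // Salted schemes store digest || salt and hash password || salt.
        byte[] storedDigest = Arrays.copyOfRange(decoded, 0, digestLen);
        byte[] salt = Arrays.copyOfRange(decoded, digestLen, decoded.length);
        try {
            MessageDigest md = MessageDigest.getInstance(algorithm);
            md.update(utf8(candidate));
            md.update(salt); // empty for unsalted {SHA}/{MD5}
            // isEqual is a time-independent comparison, unlike String.equals.
            return MessageDigest.isEqual(md.digest(), storedDigest);
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    private static byte[] utf8(String s) { return s.getBytes(StandardCharsets.UTF_8); }
}
```

In the reporter's servlet, `LdapPasswordVerifier.verify(password, ldapPassword)` would replace the `hashedPassword.equals(ldapPassword)` comparison and the prefix/hashMethod branching above it.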