If we have to, we have to--but how will people be able to upgrade from
5.0.x to 5.1 without everyone's password being lost and hence locked out
(i.e., if blogs.oracle.com tried this all users would be locked out,
right?) Perhaps we can support both algorithms in 5.1
(http://stackoverflow.com/a/17450276).
But if we have to break it, let's use moving forward the best algorithm,
from the above link the BCCrypt() one apparently (unless you know
otherwise). Also, we don't have to use Spring here if plain Java offers
corresponding libraries (less likely to deprecate).
Also, Greg, please answer this question I put in the comments (if you
know it), in case you missed it:
https://issues.apache.org/jira/browse/ROL-1795, we have the closing of a
JIRA issue (always a good thing :) on the line...
Glen
On 01/27/2014 05:23 AM, Greg Huber wrote:
Gentlemen,
The class
org.springframework.security.authentication.encoding.PasswordEncoder SHA
and MD5 in RollerContext has been depreciated, it can be replaced by
StandardPasswordEncoder(), BCryptPasswordEncoder() and NoOpPasswordEncoder.
The down side is the encryption is based on the username and password
(rather than just the password), so all passwords will need to be reset.
Any objections on doing this upgrade?
Cheers Greg.
