Hi all,
I am currently reviewing [1] as part of SYNCOPE-276 and I've just
realized that, since SYNCOPE-51 removed support for MD5 (as password
cipher algorithm), we might have a considerable upgrade problem.
What about an existing 1.0.X installation with MD5 passwords? When
upgrading to 1.1.0, no user will be able to authenticate any more,
because the values of the 'password' column in the 'SyncopeUser' table
cannot be verified with any of the available cipher algorithms.
What can we suggest as best practice in this case?
IMO we can provide a class extending SyncopeAuthenticationProvider [2],
able to check authentication for MD5 users and leaving the rest to
SyncopeAuthenticationProvider. This new authenticator can then be
configured in securityContext.xml [3], allowing people to keep this as a
temporary workaround until all users have changed their password with
the newly configured cipher algorithm.
WDYT? Can you think of a better alternative?
Regards.
[1] https://cwiki.apache.org/confluence/display/SYNCOPE/Upgrade+instructions
[2] https://svn.apache.org/repos/asf/syncope/trunk/core/src/main/java/org/apache/syncope/core/security/SyncopeAuthenticationProvider.java
[3] https://svn.apache.org/repos/asf/syncope/trunk/core/src/main/resources/securityContext.xml
--
Francesco Chicchiriccò
ASF Member, Apache Syncope PMC chair, Apache Cocoon PMC Member
http://people.apache.org/~ilgrosso/
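As an added illustration of the fallback authenticator proposed in the message above (example code written here, not Syncope's own): a Spring Security AuthenticationProvider that verifies users whose stored password is still an MD5 digest and delegates everyone else to the configured SyncopeAuthenticationProvider. The LegacyPasswordStore lookup and the 32-hex-character MD5 storage format are assumptions, not taken from the Syncope code base.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
// Hypothetical lookup of the stored SyncopeUser.password value for a username (null if unknown).
interface LegacyPasswordStore {
    String storedPassword(String username);
}
// Temporary provider for 1.0.x -> 1.1.0 upgrades: verifies users whose stored password is
// still an MD5 digest and hands everyone else to the regular SyncopeAuthenticationProvider.
public class LegacyMd5AuthenticationProvider implements AuthenticationProvider {
    private final AuthenticationProvider delegate; // the SyncopeAuthenticationProvider bean
    private final LegacyPasswordStore store;
    public LegacyMd5AuthenticationProvider(AuthenticationProvider delegate, LegacyPasswordStore store) {
        this.delegate = delegate;
        this.store = store;
    }
    static String md5Hex(String clear) {
        try {
            byte[] digest = MessageDigest.getInstance("MD5").digest(clear.getBytes(StandardCharsets.UTF_8));
            return String.format("%032x", new BigInteger(1, digest));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
    @Override
    public Authentication authenticate(Authentication auth) throws AuthenticationException {
        String stored = store.storedPassword(auth.getName());
        // Assumption: 1.0.x stored MD5 passwords as 32 hex characters; anything else is not legacy.
        if (stored == null || !stored.matches("(?i)[0-9a-f]{32}")) {
            return delegate.authenticate(auth); // users already on a supported cipher algorithm
        }
        byte[] expected = stored.toLowerCase().getBytes(StandardCharsets.US_ASCII);
        byte[] actual = md5Hex(String.valueOf(auth.getCredentials())).getBytes(StandardCharsets.US_ASCII);
        if (!MessageDigest.isEqual(expected, actual)) { // constant-time comparison
            throw new BadCredentialsException("Invalid credentials");
        }
        return new UsernamePasswordAuthenticationToken(auth.getPrincipal(), null, auth.getAuthorities());
    }
    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```

Once no 'password' value in 'SyncopeUser' is an MD5 digest any more, the legacy branch never fires and the bean can be removed from securityContext.xml.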