On 27 Mar 2013, at 17:23, Francesco Chicchiriccò wrote:
> Hi all,
> I am currently reviewing [1] as part of SYNCOPE-276 and I've just realized
> that, since SYNCOPE-51 removed support for MD5 (as password cipher
> algorithm), we might have a considerable upgrade problem.
>
> What about an existing 1.0.X installation with MD5 passwords? When upgrading
> to 1.1.0, any user won't be able to authenticate any more because the values
> of 'password' column in 'SyncopeUser' table cannot be verified with any of
> the available cipher algorithms.
>
> What can we suggest as best practice in this case?
>
> IMO we can provide a class extending SyncopeAuthenticationProvider [2], able
> to check authentication for MD5 users and leaving to
> SyncopeAuthenticationProvider for the rest. This new authenticator can be
> then configured in securityContext.xml [3] allowing people to keep this as
> temporary workaround, until all users have changed their password with the
> new configured cipher algorithm.
>
> WDYT? Can you think of a better alternative?

I cannot see a better alternative. +1 for yours.

Regards,
F.

>
> Regards.
>
> [1] https://cwiki.apache.org/confluence/display/SYNCOPE/Upgrade+instructions
> [2]
> https://svn.apache.org/repos/asf/syncope/trunk/core/src/main/java/org/apache/syncope/core/security/SyncopeAuthenticationProvider.java
> [3]
> https://svn.apache.org/repos/asf/syncope/trunk/core/src/main/resources/securityContext.xml
>
> --
> Francesco Chicchiriccò
>
> ASF Member, Apache Syncope PMC chair, Apache Cocoon PMC Member
> http://people.apache.org/~ilgrosso/
>
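
The fallback check proposed in this thread, sketched as an added example that is not code from either participant or from Syncope: MD5 records are verified by a legacy path and everything else is delegated to the stock check. The class, enum and method names are hypothetical, and it assumes each stored record names its cipher algorithm and that legacy values are hex-encoded MD5 digests.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.function.BiPredicate;

// Added illustration, not Syncope code: every name below is hypothetical.
public class LegacyMd5FallbackVerifier {
    public enum Outcome { REJECTED, ACCEPTED, ACCEPTED_LEGACY_MD5 }

    // Stand-in for the stock check covering the still-supported algorithms.
    private final BiPredicate<String, String> stockCheck;

    public LegacyMd5FallbackVerifier(BiPredicate<String, String> stockCheck) {
        this.stockCheck = stockCheck;
    }

    // Assumption: each stored record says which algorithm produced its hash.
    public Outcome verify(String algorithm, String storedHash, String clearPassword) {
        if (!"MD5".equalsIgnoreCase(algorithm)) {
            return stockCheck.test(storedHash, clearPassword) ? Outcome.ACCEPTED : Outcome.REJECTED;
        }
        byte[] expected = fromHex(storedHash);
        // MessageDigest.isEqual compares in constant time.
        boolean ok = expected != null && MessageDigest.isEqual(expected, md5(clearPassword));
        // The distinct outcome lets the caller flag the account for a password change.
        return ok ? Outcome.ACCEPTED_LEGACY_MD5 : Outcome.REJECTED;
    }

    private static byte[] md5(String clear) {
        try {
            return MessageDigest.getInstance("MD5").digest(clear.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 unavailable in this JRE", e);
        }
    }

    // Assumption: legacy values are hex-encoded digests; malformed input yields null.
    private static byte[] fromHex(String hex) {
        if (hex == null || hex.length() != 32) return null;
        byte[] out = new byte[16];
        for (int i = 0; i < 16; i++) {
            int hi = Character.digit(hex.charAt(2 * i), 16);
            int lo = Character.digit(hex.charAt(2 * i + 1), 16);
            if (hi < 0 || lo < 0) return null;
            out[i] = (byte) ((hi << 4) | lo);
        }
        return out;
    }

    public static void main(String[] args) {
        LegacyMd5FallbackVerifier v = new LegacyMd5FallbackVerifier((stored, clear) -> false);
        String legacy = "5F4DCC3B5AA765D61D8327DEB882CF99"; // constructed sample: MD5("password")
        System.out.println(v.verify("MD5", legacy, "password"));
        System.out.println(v.verify("MD5", legacy, "wrong"));
    }
}
```

Counting ACCEPTED_LEGACY_MD5 outcomes over time shows how many accounts still depend on the temporary workaround before it can be removed.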