+1 for extending SyncopeAuthenticationProvider.

> -----Original Message-----
> From: Francesco Chicchiriccò [mailto:ilgro...@apache.org]
> Sent: Freitag, 29. März 2013 08:48
> To: dev@syncope.apache.org
> Subject: Re: [DISCUSS] Migrating users from 1.0.X to 1.1.0
> 
> On 28/03/2013 18:58, Guido Irrelevant wrote:
> >> Hi all,
> >> I am currently reviewing [1] as part of SYNCOPE-276 and I've just realized
> >> that, since SYNCOPE-51 removed support for MD5 (as password cipher
> >> algorithm), we might have a considerable upgrade problem.
> >> What about an existing 1.0.X installation with MD5 passwords? When
> >> upgrading to 1.1.0, any user won't be able to authenticate any more because
> >> the values of the 'password' column in the 'SyncopeUser' table cannot be verified
> >> with any of the available cipher algorithms.
> >> What can we suggest as best practice in this case?
> >>
> >> IMO we can provide a class extending SyncopeAuthenticationProvider [2],
> >> able to check authentication for MD5 users and leaving the rest to
> >> SyncopeAuthenticationProvider. This new authenticator can then be
> >> configured in securityContext.xml [3], allowing people to keep this as a
> >> temporary workaround until all users have changed their password with the
> >> newly configured cipher algorithm.
> >>
> >> WDYT? Can you think of a better alternative?
> > If I understand it correctly, the disadvantage of this approach would
> > be that the hash of a user stays vulnerable until she changes her password.
> 
> This is rather the rationale behind SYNCOPE-51.
> The problem I am discussing here is how to deal with existing Syncope 1.0.X
> installations willing to migrate to upcoming 1.1.0, when MD5 was chosen for
> user passwords.
> 
> > IMO a more secure but also more complicated approach for migration
> > would be to rehash the MD5 password hashes in a secure way. It seems
> > that Drupal followed such an approach:
> > http://drupal.org/node/1349758
> >
> > If one wants to have hashes based on standard algorithms, one could
> > in addition change such a rehashed hash to a standard (e.g. bcrypt)
> > hash once the user logs in and Syncope sees the password in clear (possibly
> > this could also be done by SyncopeAuthenticationProvider).
> >
> > http://blog.jgc.org/2012/06/one-way-to-fix-your-rubbish-password.html
> > describes such an approach.
> > There also was an interesting discussion on migration of MD5 passwords on
> > stackoverflow:
> > http://stackoverflow.com/questions/10771198/migrate-old-md5-passwords-to-bcrypt-passwords
> 
> This possibility is very interesting indeed, but I see it as complementary to
> the solution I've proposed above: once we provide a special
> authenticator for dealing with old MD5 passwords, one could decide to
> extend it in his own project in order to deal with more sophisticated
> approaches (like the rehashing you proposed).
> 
> We might add this possibility (including URL references) to the migration wiki
> page [1] that I am going to complete soon as per SYNCOPE-276.
> 
> Thanks for contributing.
> Regards.
> 
> [1] https://cwiki.apache.org/confluence/display/SYNCOPE/Upgrade+instructions
> 
> --
> Francesco Chicchiriccò
> 
> ASF Member, Apache Syncope PMC chair, Apache Cocoon PMC Member
> http://people.apache.org/~ilgrosso/
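The migration path discussed in the quoted mail (rehash the stored MD5 digests offline so no weak hash remains in the table, then replace the wrapped record with a plain strong hash the first time the user logs in and the clear password is available), as an added Python example that is not Syncope code. PBKDF2-HMAC-SHA256 from the standard library stands in for the bcrypt named in the thread; the record format, function names and sample password are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample: what a 1.0.X-style row looks like, an unsalted MD5 hex digest.
LEGACY_MD5 = hashlib.md5(b"correct horse").hexdigest()

# Work factor for the stand-in KDF (bcrypt in the thread; PBKDF2 here, stdlib only).
PBKDF2_ITERATIONS = 200_000


def strong_hash(material: bytes, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", material, salt, PBKDF2_ITERATIONS).hex()


def wrap_legacy_md5(md5_hex: str) -> str:
    """Offline migration step: the MD5 digest itself becomes the KDF input,
    so the weak hash can be removed from storage without knowing any password."""
    salt = secrets.token_bytes(16)
    return "md5-pbkdf2$" + salt.hex() + "$" + strong_hash(md5_hex.encode(), salt)


def hash_new(password: str) -> str:
    """Record format for passwords hashed directly with the strong algorithm."""
    salt = secrets.token_bytes(16)
    return "pbkdf2$" + salt.hex() + "$" + strong_hash(password.encode(), salt)


def verify(stored: str, password: str) -> bool:
    scheme, salt_hex, digest = stored.split("$")
    salt = bytes.fromhex(salt_hex)
    if scheme == "md5-pbkdf2":
        # Reproduce the legacy digest, then the wrapper, exactly as at migration time.
        material = hashlib.md5(password.encode()).hexdigest().encode()
    elif scheme == "pbkdf2":
        material = password.encode()
    else:
        return False  # unknown scheme: never fall back to accepting the password
    return hmac.compare_digest(strong_hash(material, salt), digest)


def authenticate(stored: str, password: str):
    """Verify the password; on success against a wrapped-MD5 record, return the
    upgraded record the caller should persist (this is the login-time rehash)."""
    if not verify(stored, password):
        return False, stored
    if stored.startswith("md5-pbkdf2$"):
        return True, hash_new(password)
    return True, stored
```

Persisting the second return value on every successful login is what retires the MD5-derived records without forcing a password change.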
