Author: ate
Date: Thu Sep 22 14:39:44 2005
New Revision: 291019
URL: http://svn.apache.org/viewcvs?rev=291019&view=rev
Log:
Implementation of http://issues.apache.org/jira/browse/JS2-372:
Simplify default Jetspeed password credential security configuration
With this simplification, the old complex password credential interceptors are
no longer in use.
Furthermore, the new atomic interceptors as provided with JS2-359 fully replace
their functionality.
Therefore, these old interceptors are now removed because keeping these two
separate sets of interceptors in sync is not very useful.
Note: the new interceptors already contain several (minor) fixes.
Removed:
portals/jetspeed-2/trunk/components/security/src/java/org/apache/jetspeed/security/spi/impl/DefaultInternalPasswordCredentialInterceptor.java
portals/jetspeed-2/trunk/components/security/src/java/org/apache/jetspeed/security/spi/impl/InternalPasswordCredentialHistoryHandlingInterceptor.java
portals/jetspeed-2/trunk/components/security/src/java/org/apache/jetspeed/security/spi/impl/InternalPasswordCredentialStateHandlingInterceptor.java
Modified:
portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/pipelines.xml
portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/security-spi-atn.xml
Modified: portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/pipelines.xml
URL:
http://svn.apache.org/viewcvs/portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/pipelines.xml?rev=291019&r1=291018&r2=291019&view=diff
==============================================================================
--- portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/pipelines.xml
(original)
+++ portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/pipelines.xml Thu Sep
22 14:39:44 2005
@@ -54,31 +54,12 @@
<bean id="passwordCredentialValve"
class="org.apache.jetspeed.security.impl.PasswordCredentialValveImpl"
init-method="initialize"
- >
- <constructor-arg>
- <!-- expirationWarningDays -->
- <list>
- <value>2</value>
- <value>3</value>
- <value>7</value>
- </list>
- </constructor-arg>
- </bean>
+ />
<bean id="loginValidationValve"
class="org.apache.jetspeed.security.impl.LoginValidationValveImpl"
init-method="initialize"
- >
- <!-- maxNumberOfAuthenticationFailures
- This value should be in sync with the value for
- org.apache.jetspeed.security.spi.InternalPasswordCredentialInterceptor
- (if used) to make sense.
- Any value < 2 will suppress the
LoginConststants.ERROR_FINAL_LOGIN_ATTEMPT
- error code when one one last attempt is possible before the credential
- will be disabled on failure.
- -->
- <constructor-arg index="0"><value>3</value></constructor-arg>
- </bean>
+ />
<bean id="profilerValve"
class="org.apache.jetspeed.profiler.impl.ProfilerValveImpl"
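Review bot: Both `passwordCredentialValve` and `loginValidationValve` are now declared without constructor arguments, and nothing left in the file says how to turn the expiration warning or the final-login-attempt warning back on. The removed comment explained that `maxNumberOfAuthenticationFailures` on the valve has to match the limit used by the credential interceptor; a deployment that re-adds a failure limit on the interceptor side will presumably not get that warning unless it also restores the argument here. I would keep a short comment on each bean, e.g. `<!-- optional constructor-arg: maxNumberOfAuthenticationFailures; keep in sync with the credential interceptor limit -->`. What the valves do when built without arguments is not visible in this hunk, so the comment should state that default as well.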
Modified:
portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/security-spi-atn.xml
URL:
http://svn.apache.org/viewcvs/portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/security-spi-atn.xml?rev=291019&r1=291018&r2=291019&view=diff
==============================================================================
--- portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/security-spi-atn.xml
(original)
+++ portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/security-spi-atn.xml
Thu Sep 22 14:39:44 2005
@@ -18,9 +18,12 @@
<beans>
<!-- ************** Security SPI Handlers ************** -->
+
+ <!-- require a non-empty password -->
<bean id="org.apache.jetspeed.security.spi.CredentialPasswordValidator"
class="org.apache.jetspeed.security.spi.impl.DefaultCredentialPasswordValidator"/>
+ <!-- MessageDigest encode passwords using SHA-1 -->
<bean id="org.apache.jetspeed.security.spi.CredentialPasswordEncoder"
class="org.apache.jetspeed.security.spi.impl.MessageDigestCredentialPasswordEncoder">
<constructor-arg index="0"><value>SHA-1</value></constructor-arg>
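Review bot: The comment added above the `CredentialPasswordEncoder` bean documents SHA-1 as the default password encoding without saying that it is a weak choice for stored credentials. A single fast digest makes offline guessing against a leaked credential table cheap. If the encoder applies no per-user salt (not visible here; the only argument shown is the algorithm name), identical passwords would also produce identical stored values. I would extend the comment to `<!-- MessageDigest encode passwords using SHA-1; default only, configure a stronger CredentialPasswordEncoder for production -->`. The bean definition continues past the end of this hunk.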
@@ -32,14 +35,18 @@
<constructor-arg index="1"><ref
bean="org.apache.jetspeed.security.spi.CredentialPasswordEncoder"/></constructor-arg>
</bean>
- <bean
id="org.apache.jetspeed.security.spi.InternalPasswordCredentialInterceptor"
-
class="org.apache.jetspeed.security.spi.impl.InternalPasswordCredentialHistoryHandlingInterceptor">
- <!-- maxNumberOfAuthenticationFailures -->
- <constructor-arg index="0"><value>3</value></constructor-arg>
- <!-- maxLifeSpanInDays -->
- <constructor-arg index="1"><value>60</value></constructor-arg>
- <!-- historySize -->
- <constructor-arg index="2"><value>3</value></constructor-arg>
+ <!-- allow multiple InternalPasswordCredentialInterceptors to be used for
DefaultCredentialHandler -->
+ <bean
id="org.apache.jetspeed.security.spi.InternalPasswordCredentialInterceptor"
+
class="org.apache.jetspeed.security.spi.impl.InternalPasswordCredentialInterceptorsProxy">
+ <constructor-arg index="0">
+ <list>
+ <!-- enforce an invalid preset password value in the persisent
store is required to be changed -->
+ <bean
class="org.apache.jetspeed.security.spi.impl.ValidatePasswordOnLoadInterceptor"/>
+
+ <!-- ensure preset cleartext passwords in the persistent store
will be encoded on first use -->
+ <bean
class="org.apache.jetspeed.security.spi.impl.EncodePasswordOnFirstLoadInterceptor"/>
+ </list>
+ </constructor-arg>
</bean>
<!-- Security SPI: CredentialHandler -->
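Review bot: The default interceptor list now holds only `ValidatePasswordOnLoadInterceptor` and `EncodePasswordOnFirstLoadInterceptor`, so the failed-login limit (3), the 60-day maximum lifespan and the password history of 3 that the removed bean configured are gone from the default configuration. Without a failure limit, nothing visible in this file slows repeated password guessing against an account, unless lockout is handled elsewhere. If dropping these from the default is intended, say so in the comment above the proxy bean, e.g. `<!-- default: no failure limit, expiration or history; add the matching interceptors to this list to enforce them -->`. A commented-out example entry for each policy would make the hardened setup easy to restore.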