The password is sent in clear text from the browser to the Turbine app (so 
if you want to make sure you are secure there, I think you would need SSL 
enabled).

Once you set the user's password with the TurbineSecurity service, that is 
when it is encrypted. If you just use user.setPassword(), it will not 
encrypt the password value.

You must use Turbine's security service or some other tool to make the encryption 
happen.

The login action should then re-encrypt the plain text password when a 
user logs in and compare that to the encrypted value stored in the database.

So again, you are passing the password across in clear text, so you would 
need SSL to protect you at login time as well.



On Tue, 29 Jun 2004 [EMAIL PROTECTED] wrote:

> Hi,
> 
>   If we set up the password security to true in the TR.properties file, when is the 
> password encrypted? Is it encrypted from the UI when the user submits it from the 
> login window? Or is it encrypted in the backend before verifying the password value 
> in the turbine_user table?
> 
> ---Thanks
> 
> 

-- 
Jeffery Painter
President
Kiasoft, Inc.       
    3205 Randall Parkway, Suite 119
    Wilmington, NC 28403

- --
[EMAIL PROTECTED]                     http://kiasoft.com
PGP FP: 9CE8 83A2 33FA 32B1 0AB1  4E62 E4CB E4DA 5913 EFBC
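
The flow described in the reply above, as an added example that is not part of the original message and is not Turbine's code: a value written through a plain setter is stored as given, while the service path hashes it, and login re-derives from the submitted plain text and compares. `UserRecord` and `SecurityService` are hypothetical stand-ins, the password is a constructed sample, and the salted PBKDF2 from the JDK is an assumption swapped in for whatever algorithm Turbine is configured to use.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordFlowDemo {
    // Hypothetical stand-in for a user row; not Turbine's User class.
    static class UserRecord {
        String password;
        void setPassword(String value) { password = value; } // stores as given
    }
    // Hypothetical stand-in for the security service: the only place that hashes.
    static class SecurityService {
        private final SecureRandom rng = new SecureRandom();
        void changePassword(UserRecord user, String plain) throws Exception {
            byte[] salt = new byte[16];
            rng.nextBytes(salt);
            Base64.Encoder enc = Base64.getEncoder();
            user.setPassword(enc.encodeToString(salt) + "$" + enc.encodeToString(derive(plain, salt)));
        }
        // Login path: re-derive from the submitted plain text, compare to the stored value.
        boolean authenticate(UserRecord user, String submitted) throws Exception {
            String[] parts = user.password == null ? new String[0] : user.password.split("\\$");
            if (parts.length != 2) return false; // stored value never went through the service
            try {
                byte[] salt = Base64.getDecoder().decode(parts[0]);
                byte[] expected = Base64.getDecoder().decode(parts[1]);
                return MessageDigest.isEqual(expected, derive(submitted, salt)); // constant-time
            } catch (IllegalArgumentException notOurFormat) {
                return false;
            }
        }
        private static byte[] derive(String plain, byte[] salt) throws Exception {
            PBEKeySpec spec = new PBEKeySpec(plain.toCharArray(), salt, 100_000, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        }
    }
    public static void main(String[] args) throws Exception {
        SecurityService service = new SecurityService();
        UserRecord viaSetter = new UserRecord(), viaService = new UserRecord();
        viaSetter.setPassword("constructed-sample-pw");   // bypasses hashing
        service.changePassword(viaService, "constructed-sample-pw");
        System.out.println("setter stored:  " + viaSetter.password);
        System.out.println("service stored: " + viaService.password);
        System.out.println("setter login:   " + service.authenticate(viaSetter, "constructed-sample-pw"));
        System.out.println("service login:  " + service.authenticate(viaService, "constructed-sample-pw"));
        System.out.println("wrong password: " + service.authenticate(viaService, "not-it"));
    }
}
```

Both paths still receive the plain text from the browser, so the transport protection mentioned in the reply is needed regardless of how the value is stored.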
