  1. Jetspeed 2 (Retired)
  2. JS2-550

A new Two-way password encoding service allowing decoding of encoded passwords

Details

    • New Feature
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 2.1-dev, 2.1
    • 2.1-dev, 2.1
    • Security
    • None

    Description

      For password encoding Jetspeed currently only provides the MessageDigestCredentialPasswordEncoder in the security component.
      While highly secure, this encoding solution cannot be used when you would like to be able to recover lost passwords, like providing the clear text value back to the user to a known/trusted email address, or for a trusted administrator to be able to do the same manually.

      Therefore, I'll provide a new two-way encoding solution based on PKCS #5 PBE (Password Based Encryption), which uses a cipher generated from a secure password to encode user passwords. For this solution I'll provide a service which both implements the security component SPI CredentialPasswordEncoder as well as a decode method to retrieve the clear text value of an encoded password.

      Thus, I'll add a new PasswordEncodingService interface to the jetspeed-api and a PBEPasswordService implementation in the security component.
      The PBEPasswordService both extends a POJO PBEPasswordTool class, which also can be used standalone through a main method, as well as the CredentialPasswordEncoder.

      This way, this new service can both be made available as a portlet service through the Jetspeed Spring configuration for usage from specialized Portlet Applications, as well as be used as a replacement for the default MessageDigestCredentialPasswordEncoder.

      An example Jetspeed Spring configuration showing how to make use of the new service could be as follows.

      In security-spi-atn.xml:

      <!-- A Two-way encoding password service which also implements CredentialPasswordEncoder
           this Service can be used instead of for example the default provided MessageDigestCredentialPasswordEncoder -->
      <bean id="org.apache.jetspeed.security.PasswordEncodingService" name="org.apache.jetspeed.security.spi.CredentialPasswordEncoder" class="org.apache.jetspeed.security.spi.impl.PBEPasswordService">
        <constructor-arg index="0">
          <!-- secret PBE key password -->
          <value>********</value>
        </constructor-arg>
      </bean>

      In jetspeed-services.xml:

      <bean id="PortalServices" class="org.apache.jetspeed.services.JetspeedPortletServices">
        <constructor-arg>
          <map>
            <entry key="PortletRegistryComponent">
              <ref bean="org.apache.jetspeed.components.portletregistry.PortletRegistry" />
            </entry>
            ...
            <entry key="PasswordEncodingService">
              <ref bean="org.apache.jetspeed.security.PasswordEncodingService" />
            </entry>
            ...
          </map>
        </constructor-arg>
      </bean>

      Using the PBEPasswordTool standalone is possible as follows.
      Running the following command

      java -cp jetspeed-api-2.1-dev.jar:jetspeed-security-2.1-dev.jar:commons-codec-1.3.jar org.apache.jetspeed.security.util.PBEPasswordTool

      gives the following output:

      Encode/Decode a user password using Password Based Encryption
      Usage: PBEPasswordTool <encode|decode> <encoding-password> <username> <password>
      encode|decode : specify if to encode or decode the provided password
      encoding-password: the password to be used for encoding and decoding
      username : the name of the user to which the provided password belongs
      password : the cleartext password to encode, or the encoded password to decode
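
      The encode/decode contract described in this issue (encoding password, username, password), shown as an added example that is not part of the issue and is not Jetspeed's PBEPasswordTool code. It assumes PBKDF2WithHmacSHA256 for the PKCS #5 key derivation, AES-GCM as the cipher, a random salt per stored value, and the username bound as associated data; the class name, output layout and iteration count are hypothetical choices.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

// Added illustration; names are hypothetical and this is not Jetspeed's PBEPasswordTool.
public class PbeTwoWayExample {
    private static final int SALT_LEN = 16, IV_LEN = 12, ITERATIONS = 600_000; // assumed parameters
    // PKCS #5 PBKDF2: derive an AES-256 key from the encoding password and a per-value salt.
    private static SecretKeySpec deriveKey(char[] encodingPassword, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(encodingPassword, salt, ITERATIONS, 256);
        byte[] key = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        spec.clearPassword();
        return new SecretKeySpec(key, "AES");
    }

    // Stored form (assumed layout): base64(salt || iv || ciphertext+tag), username bound as AAD.
    public static String encode(char[] encodingPassword, String userName, String clearText) throws Exception {
        byte[] salt = new byte[SALT_LEN], iv = new byte[IV_LEN];
        SecureRandom rnd = new SecureRandom();
        rnd.nextBytes(salt);
        rnd.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(encodingPassword, salt), new GCMParameterSpec(128, iv));
        c.updateAAD(userName.getBytes(StandardCharsets.UTF_8));
        byte[] ct = c.doFinal(clearText.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(ByteBuffer.allocate(SALT_LEN + IV_LEN + ct.length).put(salt).put(iv).put(ct).array());
    }

    // Throws AEADBadTagException if the key, the username or the stored value does not match.
    public static String decode(char[] encodingPassword, String userName, String encoded) throws Exception {
        byte[] in = Base64.getDecoder().decode(encoded);
        byte[] salt = Arrays.copyOfRange(in, 0, SALT_LEN);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(encodingPassword, salt), new GCMParameterSpec(128, in, SALT_LEN, IV_LEN));
        c.updateAAD(userName.getBytes(StandardCharsets.UTF_8));
        return new String(c.doFinal(in, SALT_LEN + IV_LEN, in.length - SALT_LEN - IV_LEN), StandardCharsets.UTF_8);
    }
    public static void main(String[] args) throws Exception {
        char[] key = "constructed-encoding-password".toCharArray(); // constructed sample values
        System.out.println(decode(key, "alice", encode(key, "alice", "s3cret"))); // round trip
    }
}
```

      Because decoding needs only the encoding password, whoever can read the Spring configuration that holds it can recover every stored password, so that file needs the same protection as the credential store itself.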

          People

            ate Ate Douma
            ate Ate Douma