Posted to jetspeed-user@portals.apache.org by Paul ANDERSON <pa...@wataniya-algerie.com> on 2007/11/21 10:22:03 UTC

Jetspeed legacy SSO portlets and credential store

Jetspeed 2.1.2 still uses a simple scramble algorithm for stored SSO
passwords - not too secure if the password store gets captured from the
DB.

It seems that Roger Ruttimann implemented it like that temporarily until
there was an API and UI for handling encryption/re-encryption of the SSO
credentials (as with MS Sharepoint).

But no improvement ever happened (maybe because the issue was closed).

Anyone know if a secure encrypted credential store is planned, so that
SSO is safer to use in real deployments?


Also, when using the SSO IFrame portlet, changing the password with Edit
after you Save your username for a remote system works fine.

But if you make a mistake and save the wrong username, you can't then
change the username (updateCredentialsForSite). Only the admin can do
this, by deleting the J2 user entry from the remote site with the SSO
management portlet.

Am I doing something wrong here or is it a bug?



Re: Jetspeed legacy SSO portlets and credential store

Posted by Dennis Dam <d....@hippo.nl>.


Paul ANDERSON wrote:
> Jetspeed 2.1.2 still uses a simple scramble algorithm for stored SSO
> passwords - not too secure if the password store gets captured from the
> DB.
>
> It seems that Roger Ruttimann implemented it like that temporarily until
> there was an API and UI for handling encryption/re-encryption of the SSO
> credentials (as with MS Sharepoint).
>
> But no improvement ever happened (maybe because the issue was closed).
>
> Anyone know if a secure encrypted credential store is planned, so that
> SSO is safer to use in real deployments?
>

Perhaps we could re-use the default password encoder for jetspeed user 
passwords. See my previous reply to Saurabh on jetspeed password encryption.


>
> Also, when using the SSO IFrame portlet, changing the password with Edit
> after you Save your username for a remote system works fine.
>
> But if you make a mistake and save the wrong username, you can't then
> change the username (updateCredentialsForSite). Only the admin can do
> this, by deleting the J2 user entry from the remote site with the SSO
> management portlet.
>
> Am I doing something wrong here or is it a bug?
>
updateCredentialsForSite only stores the credentials for a remote user, 
yes! It looks to me like the update part for the username is simply missing.
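As an added illustration of the encrypted credential store the thread asks about (this is example code, not Jetspeed's own implementation, and the class, method and table names are hypothetical): a remote-site password has to be recovered in clear so the portlet can replay it to the remote system, so the one-way encoder used for portal user passwords does not apply directly; the stored value instead needs reversible encryption under a key that is kept outside the credential table. The example uses AES-GCM from the JDK, binds the user/site pair into the record as associated data, and shows that a dumped row is unreadable without the store key.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Hypothetical reversible SSO credential store (not Jetspeed code).
 * The remote-site password must come back in clear for replay, so it is
 * AES-GCM encrypted under a key held outside the credential table rather
 * than hashed or scrambled.
 */
public final class EncryptedSsoCredentialStore {

    private static final int GCM_TAG_BITS = 128;
    private static final int GCM_IV_BYTES = 12;
    private static final SecureRandom RANDOM = new SecureRandom();

    private final SecretKey storeKey;                          // keystore / env / KMS, never in the DB
    private final Map<String, String> table = new HashMap<>(); // stands in for the SSO credential table

    public EncryptedSsoCredentialStore(byte[] rawKey) {
        this.storeKey = new SecretKeySpec(rawKey, "AES");
    }

    /** Encrypt and persist the password for (user, site); the pair is bound as AAD. */
    public void store(String user, String site, char[] password) throws GeneralSecurityException {
        byte[] iv = new byte[GCM_IV_BYTES];
        RANDOM.nextBytes(iv); // fresh nonce per record; never reuse an IV under the same key
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, storeKey, new GCMParameterSpec(GCM_TAG_BITS, iv));
        cipher.updateAAD(aad(user, site));
        byte[] plain = new String(password).getBytes(StandardCharsets.UTF_8);
        byte[] ct = cipher.doFinal(plain);
        Arrays.fill(plain, (byte) 0);
        // Stored form: base64(iv) ':' base64(ciphertext || tag)
        table.put(key(user, site), Base64.getEncoder().encodeToString(iv) + ":"
                + Base64.getEncoder().encodeToString(ct));
    }

    /** Recover the clear password for replay; fails if the row was altered, moved, or decrypted with another key. */
    public char[] load(String user, String site) throws GeneralSecurityException {
        String record = table.get(key(user, site));
        if (record == null) return null;
        String[] parts = record.split(":", 2);
        byte[] iv = Base64.getDecoder().decode(parts[0]);
        byte[] ct = Base64.getDecoder().decode(parts[1]);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, storeKey, new GCMParameterSpec(GCM_TAG_BITS, iv));
        cipher.updateAAD(aad(user, site));
        byte[] plain = cipher.doFinal(ct); // AEADBadTagException on tampering or wrong key
        char[] out = new String(plain, StandardCharsets.UTF_8).toCharArray();
        Arrays.fill(plain, (byte) 0);
        return out;
    }

    /** What someone who dumps the table sees: IV and ciphertext only. */
    public String rawRecord(String user, String site) { return table.get(key(user, site)); }

    private static String key(String user, String site) { return user + "@" + site; }
    private static byte[] aad(String user, String site) { return key(user, site).getBytes(StandardCharsets.UTF_8); }

    public static void main(String[] args) throws Exception {
        // Constructed demo key; a deployment would load it from a keystore or KMS, not from the DB.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        byte[] rawKey = kg.generateKey().getEncoded();

        String site = "https://remote.example/"; // constructed sample site
        EncryptedSsoCredentialStore store = new EncryptedSsoCredentialStore(rawKey);
        store.store("j2user", site, "s3cret".toCharArray());
        System.out.println("DB row:      " + store.rawRecord("j2user", site));
        System.out.println("portal side: " + new String(store.load("j2user", site)));

        // The same dumped row under a different key: the DB copy alone yields nothing.
        EncryptedSsoCredentialStore other = new EncryptedSsoCredentialStore(new byte[32]);
        other.table.put(key("j2user", site), store.rawRecord("j2user", site));
        try {
            other.load("j2user", site);
        } catch (GeneralSecurityException e) {
            System.out.println("dumped row without the store key: " + e.getClass().getSimpleName());
        }
    }
}
```

Design note: because the key sits outside the database, the threat the original post names (the password store being captured from the DB) no longer exposes the remote passwords on its own; re-encrypting the credentials under a new key is then a matter of load/store under the old and new key, which is the API and UI the post says was never added.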


