Posted to user@syncope.apache.org by Suresh Ajja <su...@gmail.com> on 2014/09/12 11:35:50 UTC

Encrypted Password required in clear text in mail.

Hi,
The cipher encryption kept is SHA1 in Syncope. On user creation, I
need to send mail to the user with username and password. But the password
should be cleartext.
How do I convert the below encrypted password to a clear text password?

Mail received:
Hi $user.getAttributeMap().get("firstname").getValues().get(0)
$user.getAttributeMap().get("surname").getValues().get(0), welcome to
Syncope!

Your username is suresh.
Your password is 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8.
Your email address is suresh.ajja@gmail.com. Your email address inside a
link <http://localhost/?email=suresh.ajja%40gmail.com>.


Thanks

Suresh

Re: Encrypted Password required in clear text in mail.

Posted by Suresh Ajja <su...@gmail.com>.
Thanks for the response.
Do you mean the self-service forgot-password reset is being planned for 1.2.0 with
challenge questions?
That would be great.

I see 'Password Reset' can be done by the user after logging in to Syncope
in 1.1.8.

Regards,
Suresh

On Mon, Sep 15, 2014 at 1:34 PM, Francesco Chicchiriccò <ilgrosso@apache.org> wrote:

>  On 15/09/2014 07:48, Suresh Ajja wrote:
>
> Hi,
> Yes we were able to send out e-mails, thanks for the quick response.
> Though initially we tried to modify the existing NotificationJob.java
> (1.1.8 Release file) and build, but did not work. It worked with java file
> that you had provided in the link and adding the Property for
> smpt.auth.mail and build.
>
>
> Ok nice to know that the bug was that one and that the fix worked: I have
> opened
>
> https://issues.apache.org/jira/browse/SYNCOPE-547
>
>  Regarding the password being sent in cleartext, consider below scenario:
> User has locked his password by attempting n attempts in the end
> application. The locked account attribute is syncope to temporarily suspend
> his account.
> User cannot reset his own password through syncope (account suspended).
>
>
> It's just the default workflow definition that does not allow
> modifications of suspended users; you can (actually, you should), however,
> change it in the way that most suits your own requirements.
>
>  He sends a mail to admin requesting to reset his password.
> Admin logs in to the application and resets users password. On resetting
> his password, mail is sent to user with his new password. User logs in to
> the system and changes his password manually. (since the first time sign-in
> functionality is scheduled to release later).
> Since the password is sent into the users inbox directly, cleartext
> password sending out does not breach security. (Passwords though should be
> stored and propagated to end application in encrypted form only).
>
>  Can the User Forgot Password(self) functionality be taken on priority (I
> see in the syncope roadmap, its too late in priority list), so that user
> need not request admin to reset his password. The user will be able to
> reset his own password from syncope (without logging in, similar to
> Self-User Registration) answering few challenge questions. This will solve
> the above problem.
>
>
> Recently the roadmap was updated and "SYNCOPE-135 Password reset" was
> moved to Syncope 1.2.0.
> The first milestone release for 1.2.0 was published last week: I guess
> that in a couple of weeks we should be ready for the definitive 1.2.0.
>
> Regards.
>
>
>  On Fri, Sep 12, 2014 at 7:26 PM, Francesco Chicchiriccò <
> ilgrosso@apache.org> wrote:
>
>>  Hi,
>> it seems you've finally been able to sent e-mails out [1]: I am curious,
>> did the fix work?
>>
>> About your specific question, sending the cleartext password out is not
>> definitely a good security practice; for this reason the password value
>> provided for creation is removed before being made available to the
>> template engine.
>> You should better empower some kind of double opt-in.
>>
>> Naturally you can always tweak things - by overriding some components -
>> to do it anyway but this is complex, not documented and nevertheless
>> discouraged.
>>
>> Regards.
>>
>>
>> On 12/09/2014 11:35, Suresh Ajja wrote:
>>
>>  hi, The cipher encryption kept is SHA1 in the syncope. on user
>> creation, I need to send mail to the user with username and password. But
>> the password should be cleartext.
>>  How do I convert the below encrypted password to a clear text password.
>>
>>  Mail received:
>> Hi $user.getAttributeMap().get("firstname").getValues().get(0)
>> $user.getAttributeMap().get("surname").getValues().get(0), welcome to
>> Syncope!
>>
>> Your username is suresh.
>> Your password is 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8.
>> Your email address is suresh.ajja@gmail.com. Your email address inside a
>> link <http://localhost/?email=suresh.ajja%40gmail.com>.
>>
>>
>>  Thanks
>>
>> Suresh
>>
>>  [1] http://markmail.org/message/t3yfs2eyj67yrnft
>>
>   --
> Francesco Chicchiriccò
>
> Tirasa - Open Source Excellence
> http://www.tirasa.net/
>
> Involved at The Apache Software Foundation:
> member, Syncope PMC chair, Cocoon PMC, Olingo PMC
> http://people.apache.org/~ilgrosso/
>
>

Re: Encrypted Password required in clear text in mail.

Posted by Francesco Chicchiriccò <il...@apache.org>.
On 15/09/2014 07:48, Suresh Ajja wrote:
> Hi,
> Yes we were able to send out e-mails, thanks for the quick response. 
> Though initially we tried to modify the existing NotificationJob.java 
> (1.1.8 Release file) and build, but did not work. It worked with java 
> file that you had provided in the link and adding the Property for 
> smpt.auth.mail and build.

Ok nice to know that the bug was that one and that the fix worked: I 
have opened

https://issues.apache.org/jira/browse/SYNCOPE-547

> Regarding the password being sent in cleartext, consider below scenario:
> User has locked his password by attempting n attempts in the end 
> application. The locked account attribute is syncope to temporarily 
> suspend his account.
> User cannot reset his own password through syncope (account suspended).

It's just the default workflow definition that does not allow 
modifications of suspended users; you can (actually, you should), 
however, change it in the way that most suits your own requirements.

> He sends a mail to admin requesting to reset his password.
> Admin logs in to the application and resets users password. On 
> resetting his password, mail is sent to user with his new password. 
> User logs in to the system and changes his password manually. (since 
> the first time sign-in functionality is scheduled to release later).
> Since the password is sent into the users inbox directly, cleartext 
> password sending out does not breach security. (Passwords though 
> should be stored and propagated to end application in encrypted form 
> only).
>
> Can the User Forgot Password(self) functionality be taken on priority 
> (I see in the syncope roadmap, its too late in priority list), so that 
> user need not request admin to reset his password. The user will be 
> able to reset his own password from syncope (without logging in, 
> similar to Self-User Registration) answering few challenge questions. 
> This will solve the above problem.

Recently the roadmap was updated and "SYNCOPE-135 Password reset" was 
moved to Syncope 1.2.0.
The first milestone release for 1.2.0 was published last week: I guess 
that in a couple of weeks we should be ready for the definitive 1.2.0.

Regards.

> On Fri, Sep 12, 2014 at 7:26 PM, Francesco Chicchiriccò 
> <ilgrosso@apache.org <ma...@apache.org>> wrote:
>
>     Hi,
>     it seems you've finally been able to sent e-mails out [1]: I am
>     curious, did the fix work?
>
>     About your specific question, sending the cleartext password out
>     is not definitely a good security practice; for this reason the
>     password value provided for creation is removed before being made
>     available to the template engine.
>     You should better empower some kind of double opt-in.
>
>     Naturally you can always tweak things - by overriding some
>     components - to do it anyway but this is complex, not documented
>     and nevertheless discouraged.
>
>     Regards.
>
>
>     On 12/09/2014 11:35, Suresh Ajja wrote:
>>
>>
>>           hi,
>>
>>
>>           The cipher encryption kept is SHA1 in the syncope. on user
>>           creation, I need to send mail to the user with username and
>>           password. But the password should be cleartext.
>>
>>     How do I convert the below encrypted password to a clear text
>>     password.
>>
>>     Mail received:
>>
>>
>>           Hi
>>           $user.getAttributeMap().get("firstname").getValues().get(0)
>>           $user.getAttributeMap().get("surname").getValues().get(0),
>>           welcome to Syncope!
>>
>>     Your username is suresh.
>>     Your password is 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8.
>>     Your email address is suresh.ajja@gmail.com
>>     <ma...@gmail.com>. Your email address inside a link
>>     <http://localhost/?email=suresh.ajja%40gmail.com>.
>>
>>
>>     Thanks
>>
>>     Suresh
>>
>     [1] http://markmail.org/message/t3yfs2eyj67yrnft
>
-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PMC
http://people.apache.org/~ilgrosso/


Re: Encrypted Password required in clear text in mail.

Posted by Suresh Ajja <su...@gmail.com>.
Hi,
Yes, we were able to send out e-mails, thanks for the quick response.
Initially we tried to modify the existing NotificationJob.java (1.1.8
release file) and build it, but that did not work. It worked with the Java file
you had provided in the link, adding the property for smpt.auth.mail and
building.

Regarding the password being sent in cleartext, consider the scenario below:
The user has locked his password after n failed attempts in the end
application. The locked-account attribute in Syncope is used to temporarily suspend
his account.
The user cannot reset his own password through Syncope (account suspended). He
sends a mail to the admin requesting to reset his password.
The admin logs in to the application and resets the user's password. On resetting
his password, a mail is sent to the user with his new password. The user logs in to
the system and changes his password manually (since the first-time sign-in
functionality is scheduled for release later).
Since the password is sent directly to the user's inbox, sending the cleartext
password out does not breach security. (Passwords, though, should be
stored and propagated to the end application in encrypted form only.)

Can the User Forgot Password (self-service) functionality be taken on priority (I
see in the Syncope roadmap it is too late in the priority list), so that the user
need not request the admin to reset his password? The user would be able to
reset his own password from Syncope (without logging in, similar to
Self-User Registration) by answering a few challenge questions. This would solve
the above problem.

Regards,
Suresh

On Fri, Sep 12, 2014 at 7:26 PM, Francesco Chicchiriccò <ilgrosso@apache.org> wrote:

>  Hi,
> it seems you've finally been able to sent e-mails out [1]: I am curious,
> did the fix work?
>
> About your specific question, sending the cleartext password out is not
> definitely a good security practice; for this reason the password value
> provided for creation is removed before being made available to the
> template engine.
> You should better empower some kind of double opt-in.
>
> Naturally you can always tweak things - by overriding some components - to
> do it anyway but this is complex, not documented and nevertheless
> discouraged.
>
> Regards.
>
>
> On 12/09/2014 11:35, Suresh Ajja wrote:
>
>  hi, The cipher encryption kept is SHA1 in the syncope. on user creation,
> I need to send mail to the user with username and password. But the
> password should be cleartext.
>  How do I convert the below encrypted password to a clear text password.
>
>  Mail received:
> Hi $user.getAttributeMap().get("firstname").getValues().get(0)
> $user.getAttributeMap().get("surname").getValues().get(0), welcome to
> Syncope!
>
> Your username is suresh.
> Your password is 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8.
> Your email address is suresh.ajja@gmail.com. Your email address inside a
> link <http://localhost/?email=suresh.ajja%40gmail.com>.
>
>
>  Thanks
>
> Suresh
>
> [1] http://markmail.org/message/t3yfs2eyj67yrnft
>
> --
> Francesco Chicchiriccò
>
> Tirasa - Open Source Excellence
> http://www.tirasa.net/
>
> Involved at The Apache Software Foundation:
> member, Syncope PMC chair, Cocoon PMC, Olingo PMC
> http://people.apache.org/~ilgrosso/
>
>

Re: Encrypted Password required in clear text in mail.

Posted by Francesco Chicchiriccò <il...@apache.org>.
Hi,
it seems you've finally been able to send e-mails out [1]: I am curious, 
did the fix work?

About your specific question, sending the cleartext password out is 
definitely not a good security practice; for this reason the password value 
provided for creation is removed before being made available to the 
template engine.
You would be better off with some kind of double opt-in.

Naturally you can always tweak things - by overriding some components - 
to do it anyway, but this is complex, not documented and nevertheless 
discouraged.

Regards.

On 12/09/2014 11:35, Suresh Ajja wrote:
>
>
>       hi,
>
>
>       The cipher encryption kept is SHA1 in the syncope. on user
>       creation, I need to send mail to the user with username and
>       password. But the password should be cleartext.
>
> How do I convert the below encrypted password to a clear text password.
>
> Mail received:
>
>
>       Hi $user.getAttributeMap().get("firstname").getValues().get(0)
>       $user.getAttributeMap().get("surname").getValues().get(0),
>       welcome to Syncope!
>
> Your username is suresh.
> Your password is 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8.
> Your email address is suresh.ajja@gmail.com 
> <ma...@gmail.com>. Your email address inside a link 
> <http://localhost/?email=suresh.ajja%40gmail.com>.
>
>
> Thanks
>
> Suresh
>
[1] http://markmail.org/message/t3yfs2eyj67yrnft

-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PMC
http://people.apache.org/~ilgrosso/