Posted to dev@geronimo.apache.org by "Aaron Mulder (JIRA)" <de...@geronimo.apache.org> on 2004/11/01 17:33:32 UTC

[jira] Created: (GERONIMO-411) Add Hash Password Rewrite to File Realm

Add Hash Password Rewrite to File Realm
---------------------------------------

         Key: GERONIMO-411
         URL: http://nagoya.apache.org/jira/browse/GERONIMO-411
     Project: Apache Geronimo
        Type: Improvement
  Components: security  
    Versions: 1.0-M2    
    Reporter: Aaron Mulder
    Priority: Minor


It would be nice if the properties file realm could rewrite your properties file with hashed passwords when it reads it.  We would need to be able to recognize hashed vs. unhashed entries and perhaps even different algorithms.  Perhaps it could go like this:

user1=plaintext
user2=MD5{...}
user3=SHA1{...}

Anyway, the idea is that this could be a reasonably secure alternative, but you still wouldn't need to manually hash things to add or update entries -- just put a plain text entry in and the next time the server reads the file it would hash it for you.

I guess we'd need to synchronize on the hash operation to avoid threading problems if multiple apps or whatever use the same properties file, but it shouldn't be bad if we only rewrite the file if we find any plain text entries.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://nagoya.apache.org/jira/secure/Administrators.jspa
-
If you want more information on JIRA, or have a bug to report see:
   http://www.atlassian.com/software/jira
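
The rewrite-on-read scheme proposed in the issue description above, as an added example that is not part of the original thread and is not Geronimo's code or the attached patch. The class and method names, the hex encoding inside the braces, UTF-8 password bytes and the simplified `user=value` line parsing are all assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.*;
import java.util.regex.*;

/** Hypothetical helper (not Geronimo code): hashes plain-text entries of a users file in place. */
public class HashingUsersFile {
    // Entry format from the issue: NAME{...}. Hex inside the braces is an assumption.
    // Caveat: a plain-text password that itself looks like MD5{0a1b} is taken for a hash.
    private static final Pattern HASHED = Pattern.compile("(MD5|SHA1)\\{([0-9a-fA-F]+)\\}");
    // Prefix used in the file -> JCA algorithm name. Both are unsalted, fast digests.
    private static final Map<String, String> JCA = Map.of("MD5", "MD5", "SHA1", "SHA-1");
    private static final Object FILE_LOCK = new Object();

    static String hash(String prefix, String password) {
        String jcaName = JCA.get(prefix);
        if (jcaName == null) throw new IllegalArgumentException("unsupported digest: " + prefix);
        try {
            byte[] digest = MessageDigest.getInstance(jcaName)
                    .digest(password.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(prefix).append('{');
            for (byte b : digest) sb.append(String.format("%02x", b));
            return sb.append('}').toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Returns the rewritten lines, or null when no plain-text entry was found. */
    static List<String> hashPlainEntries(List<String> lines, String prefix) {
        List<String> out = new ArrayList<>(lines.size());
        boolean changed = false;
        for (String line : lines) {
            String t = line.trim();
            int eq = line.indexOf('=');
            // Comments, blank lines and anything without '=' pass through untouched.
            if (t.isEmpty() || t.startsWith("#") || t.startsWith("!") || eq < 0) {
                out.add(line);
                continue;
            }
            String user = line.substring(0, eq).trim();
            String value = line.substring(eq + 1).trim(); // simplification: whitespace trimmed
            if (HASHED.matcher(value).matches()) {
                out.add(line);                            // already hashed, any algorithm
            } else {
                out.add(user + "=" + hash(prefix, value));
                changed = true;
            }
        }
        return changed ? out : null;
    }

    /** Rewrites the file only if it holds a plain-text entry; returns true when it did. */
    static boolean rewriteIfNeeded(Path file, String prefix) throws IOException {
        synchronized (FILE_LOCK) { // serialises threads in this JVM only, not other processes
            List<String> updated =
                    hashPlainEntries(Files.readAllLines(file, StandardCharsets.UTF_8), prefix);
            if (updated == null) return false;
            // Write a sibling temp file and rename it, so a reader never sees a half-written file.
            Path tmp = Files.createTempFile(file.toAbsolutePath().getParent(), "users", ".tmp");
            Files.write(tmp, updated, StandardCharsets.UTF_8);
            Files.move(tmp, file, StandardCopyOption.REPLACE_EXISTING,
                    StandardCopyOption.ATOMIC_MOVE);
            return true;
        }
    }

    /** Compares a stored entry (plain or hashed) with the password typed at login. */
    static boolean matches(String stored, String candidate) {
        if (stored == null || candidate == null) return false;
        String left = stored, right = candidate;
        Matcher m = HASHED.matcher(stored);
        if (m.matches()) {
            left = m.group(1) + "{" + m.group(2).toLowerCase(Locale.ROOT) + "}";
            right = hash(m.group(1), candidate);
        }
        // Constant-time comparison of the two byte strings.
        return MessageDigest.isEqual(left.getBytes(StandardCharsets.UTF_8),
                right.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input in the format sketched in the issue.
        Path file = Files.createTempFile("users", ".properties");
        Files.write(file, List.of("# constructed sample", "user1=plaintext",
                "user2=" + hash("MD5", "secret")), StandardCharsets.UTF_8);
        System.out.println("rewritten on first read:  " + rewriteIfNeeded(file, "SHA1"));
        System.out.println("rewritten on second read: " + rewriteIfNeeded(file, "SHA1"));
        List<String> lines = Files.readAllLines(file, StandardCharsets.UTF_8);
        lines.forEach(System.out::println);
        String stored = lines.get(1).substring("user1=".length());
        System.out.println("login with original password matches: " + matches(stored, "plaintext"));
        Files.delete(file);
    }
}
```

The in-JVM lock covers the threading concern raised in the description; a second server process sharing the same file would need a file-system level lock instead.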


[jira] Commented: (GERONIMO-411) Add Hash Password Rewrite to File Realm

Posted by "Aaron Mulder (JIRA)" <de...@geronimo.apache.org>.
     [ http://nagoya.apache.org/jira/browse/GERONIMO-411?page=comments#action_54887 ]
     
Aaron Mulder commented on GERONIMO-411:
---------------------------------------

And of course we'd need a new property on the realm to enable this, perhaps a "hashAlgorithm" property and if you don't set it then you get the default plain text behavior.

> Add Hash Password Rewrite to File Realm
> ---------------------------------------
>
>          Key: GERONIMO-411
>          URL: http://nagoya.apache.org/jira/browse/GERONIMO-411
>      Project: Apache Geronimo
>         Type: Improvement
>   Components: security
>     Versions: 1.0-M2
>     Reporter: Aaron Mulder
>     Priority: Minor

>
> It would be nice if the properties file realm could rewrite your properties file with hashed passwords when it reads it.  We would need to be able to recognize hashed vs. unhashed entries and perhaps even different algorithms.  Perhaps it could go like this:
> user1=plaintext
> user2=MD5{...}
> user3=SHA1{...}
> Anyway, the idea is that this could be a reasonably secure alternative, but you still wouldn't need to manually hash things to add or update entries -- just put a plain text entry in and the next time the server reads the file it would hash it for you.
> I guess we'd need to synchronize on the hash operation to avoid threading problems if multiple apps or whatever use the same properties file, but it shouldn't be bad if we only rewrite the file if we find any plain text entries.



[jira] Updated: (GERONIMO-411) Add Hash Password Rewrite to File Realm

Posted by "Prasad Kashyap (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/GERONIMO-411?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Prasad Kashyap updated GERONIMO-411:
------------------------------------

    Fix Version/s:     (was: 2.0-M7)
                   2.0.x

This issue has been around for too long.

> Add Hash Password Rewrite to File Realm
> ---------------------------------------
>
>                 Key: GERONIMO-411
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-411
>             Project: Geronimo
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 1.0-M2, 1.2
>            Reporter: Aaron Mulder
>            Assignee: Donald Woods
>            Priority: Minor
>             Fix For: 2.0.x
>
>         Attachments: properties-realm.patch
>
>
> It would be nice if the properties file realm could rewrite your properties file with hashed passwords when it reads it.  We would need to be able to recognize hashed vs. unhashed entries and perhaps even different algorithms.  Perhaps it could go like this:
> user1=plaintext
> user2=MD5{...}
> user3=SHA1{...}
> Anyway, the idea is that this could be a reasonably secure alternative, but you still wouldn't need to manually hash things to add or update entries -- just put a plain text entry in and the next time the server reads the file it would hash it for you.
> I guess we'd need to synchronize on the hash operation to avoid threading problems if multiple apps or whatever use the same properties file, but it shouldn't be bad if we only rewrite the file if we find any plain text entries.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Updated: (GERONIMO-411) Add Hash Password Rewrite to File Realm

Posted by "Aman Nanner (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/GERONIMO-411?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Aman Nanner updated GERONIMO-411:
---------------------------------

    Affects Version/s: 1.2

Hopefully this is something that can go into 1.2, or a 1.2 maintenance release.

> Add Hash Password Rewrite to File Realm
> ---------------------------------------
>
>                 Key: GERONIMO-411
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-411
>             Project: Geronimo
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 1.0-M2, 1.2
>            Reporter: Aaron Mulder
>            Priority: Minor
>             Fix For: Wish List
>
>         Attachments: properties-realm.patch
>
>
> It would be nice if the properties file realm could rewrite your properties file with hashed passwords when it reads it.  We would need to be able to recognize hashed vs. unhashed entries and perhaps even different algorithms.  Perhaps it could go like this:
> user1=plaintext
> user2=MD5{...}
> user3=SHA1{...}
> Anyway, the idea is that this could be a reasonably secure alternative, but you still wouldn't need to manually hash things to add or update entries -- just put a plain text entry in and the next time the server reads the file it would hash it for you.
> I guess we'd need to synchronize on the hash operation to avoid threading problems if multiple apps or whatever use the same properties file, but it shouldn't be bad if we only rewrite the file if we find any plain text entries.



[jira] Updated: (GERONIMO-411) Add Hash Password Rewrite to File Realm

Posted by "Dain Sundstrom (JIRA)" <de...@geronimo.apache.org>.
     [ http://issues.apache.org/jira/browse/GERONIMO-411?page=all ]

Dain Sundstrom updated GERONIMO-411:
------------------------------------

    Fix Version: 1.1
                     (was: 1.0)

> Add Hash Password Rewrite to File Realm
> ---------------------------------------
>
>          Key: GERONIMO-411
>          URL: http://issues.apache.org/jira/browse/GERONIMO-411
>      Project: Geronimo
>         Type: Improvement
>   Components: security
>     Versions: 1.0-M2
>     Reporter: Aaron Mulder
>     Priority: Minor
>      Fix For: 1.1

>
> It would be nice if the properties file realm could rewrite your properties file with hashed passwords when it reads it.  We would need to be able to recognize hashed vs. unhashed entries and perhaps even different algorithms.  Perhaps it could go like this:
> user1=plaintext
> user2=MD5{...}
> user3=SHA1{...}
> Anyway, the idea is that this could be a reasonably secure alternative, but you still wouldn't need to manually hash things to add or update entries -- just put a plain text entry in and the next time the server reads the file it would hash it for you.
> I guess we'd need to synchronize on the hash operation to avoid threading problems if multiple apps or whatever use the same properties file, but it shouldn't be bad if we only rewrite the file if we find any plain text entries.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira


[jira] Assigned: (GERONIMO-411) Add Hash Password Rewrite to File Realm

Posted by "Donald Woods (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/GERONIMO-411?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Donald Woods reassigned GERONIMO-411:
-------------------------------------

    Assignee: Donald Woods

> Add Hash Password Rewrite to File Realm
> ---------------------------------------
>
>                 Key: GERONIMO-411
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-411
>             Project: Geronimo
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 1.0-M2, 1.2
>            Reporter: Aaron Mulder
>         Assigned To: Donald Woods
>            Priority: Minor
>             Fix For: Wish List
>
>         Attachments: properties-realm.patch
>
>
> It would be nice if the properties file realm could rewrite your properties file with hashed passwords when it reads it.  We would need to be able to recognize hashed vs. unhashed entries and perhaps even different algorithms.  Perhaps it could go like this:
> user1=plaintext
> user2=MD5{...}
> user3=SHA1{...}
> Anyway, the idea is that this could be a reasonably secure alternative, but you still wouldn't need to manually hash things to add or update entries -- just put a plain text entry in and the next time the server reads the file it would hash it for you.
> I guess we'd need to synchronize on the hash operation to avoid threading problems if multiple apps or whatever use the same properties file, but it shouldn't be bad if we only rewrite the file if we find any plain text entries.



[jira] Commented: (GERONIMO-411) Add Hash Password Rewrite to File Realm

Posted by "David Jencks (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/GERONIMO-411?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12537999 ] 

David Jencks commented on GERONIMO-411:
---------------------------------------

With GERONIMO-2925 the passwords are all encrypted with a pluggable encryption method.  I'm not sure that further work on this toy security realm is warranted.  Won't anyone with actual users be using ldap or a database for the backing store?

> Add Hash Password Rewrite to File Realm
> ---------------------------------------
>
>                 Key: GERONIMO-411
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-411
>             Project: Geronimo
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 1.0-M2, 1.2
>            Reporter: Aaron Mulder
>            Assignee: Donald Woods
>            Priority: Minor
>             Fix For: 2.0.x, 2.1
>
>         Attachments: properties-realm.patch
>
>
> It would be nice if the properties file realm could rewrite your properties file with hashed passwords when it reads it.  We would need to be able to recognize hashed vs. unhashed entries and perhaps even different algorithms.  Perhaps it could go like this:
> user1=plaintext
> user2=MD5{...}
> user3=SHA1{...}
> Anyway, the idea is that this could be a reasonably secure alternative, but you still wouldn't need to manually hash things to add or update entries -- just put a plain text entry in and the next time the server reads the file it would hash it for you.
> I guess we'd need to synchronize on the hash operation to avoid threading problems if multiple apps or whatever use the same properties file, but it shouldn't be bad if we only rewrite the file if we find any plain text entries.



Re: [jira] Commented: (GERONIMO-411) Add Hash Password Rewrite to File Realm

Posted by Aaron Mulder <am...@alumni.princeton.edu>.
On Mon, 1 Nov 2004, Dain Sundstrom wrote:
> I think we should have a gpasswd tool that can set a password, add  
> accounts, remove them etc,  and it would work with all the realms we  
> provide.  Basically PAM for G.

	Currently, the file realm is read/write, but the SQL and Kerberos 
realms are read-only.  Frankly, I'm not even sure if there's a standard 
way to add users to Kerberos or if that's an "implementation detail" (but 
I know little about Kerberos).

	If we were going to support read/write access to our SQL realm, it
would increase the configuration burden significantly; instead of 2
queries (load user, load groups) you'd need at least 8
(insert/update/delete for users and groups).  Do you think it's worth it?  
I'm skeptical.

Aaron

Re: [jira] Commented: (GERONIMO-411) Add Hash Password Rewrite to File Realm

Posted by Dain Sundstrom <ds...@gluecode.com>.
I think we should have a gpasswd tool that can set a password, add  
accounts, remove them etc,  and it would work with all the realms we  
provide.  Basically PAM for G.

-dain

--
Dain Sundstrom
Chief Architect
Gluecode Software
310.536.8355, ext. 26

On Nov 1, 2004, at 10:41 AM, Aaron Mulder (JIRA) wrote:

>      [  
> http://nagoya.apache.org/jira/browse/GERONIMO-411? 
> page=comments#action_54897 ]
>
> Aaron Mulder commented on GERONIMO-411:
> ---------------------------------------
>
> I don't like requiring entries to be hashed to begin with, because  
> then you need a tool to edit the file.  In my experience, it's nicer  
> to put plain text in the file and let the server replace that with the  
> hashed version.
>
> But... if we were not going to rewrite, but we still want hashes, then  
> I think we need to provide a tool to add or update entries in the  
> file, so you still get everything you need in the Geronimo download.   
> Some products just have you use htpasswd, but I don't like that  
> approach much (and I thought that used crypt instead of MD5 anyway,  
> though I don't really know).
>
> What is it about rewriting that bothers you?
>
>
>> Add Hash Password Rewrite to File Realm
>> ---------------------------------------
>>
>>          Key: GERONIMO-411
>>          URL: http://nagoya.apache.org/jira/browse/GERONIMO-411
>>      Project: Apache Geronimo
>>         Type: Improvement
>>   Components: security
>>     Versions: 1.0-M2
>>     Reporter: Aaron Mulder
>>     Priority: Minor
>
>>
>> It would be nice if the properties file realm could rewrite your  
>> properties file with hashed passwords when it reads it.  We would  
>> need to be able to recognize hashed vs. unhashed entries and perhaps  
>> even different algorithms.  Perhaps it could go like this:
>> user1=plaintext
>> user2=MD5{...}
>> user3=SHA1{...}
>> Anyway, the idea is that this could be a reasonably secure  
>> alternative, but you still wouldn't need to manually hash things to  
>> add or update entries -- just put a plain text entry in and the next  
>> time the server reads the file it would hash it for you.
>> I guess we'd need to synchronize on the hash operation to avoid  
>> threading problems if multiple apps or whatever use the same  
>> properties file, but it shouldn't be bad if we only rewrite the file  
>> if we find any plain text entries.
>


[jira] Commented: (GERONIMO-411) Add Hash Password Rewrite to File Realm

Posted by "Aaron Mulder (JIRA)" <de...@geronimo.apache.org>.
     [ http://nagoya.apache.org/jira/browse/GERONIMO-411?page=comments#action_54897 ]
     
Aaron Mulder commented on GERONIMO-411:
---------------------------------------

I don't like requiring entries to be hashed to begin with, because then you need a tool to edit the file.  In my experience, it's nicer to put plain text in the file and let the server replace that with the hashed version.

But... if we were not going to rewrite, but we still want hashes, then I think we need to provide a tool to add or update entries in the file, so you still get everything you need in the Geronimo download.  Some products just have you use htpasswd, but I don't like that approach much (and I thought that used crypt instead of MD5 anyway, though I don't really know).

What is it about rewriting that bothers you?


> Add Hash Password Rewrite to File Realm
> ---------------------------------------
>
>          Key: GERONIMO-411
>          URL: http://nagoya.apache.org/jira/browse/GERONIMO-411
>      Project: Apache Geronimo
>         Type: Improvement
>   Components: security
>     Versions: 1.0-M2
>     Reporter: Aaron Mulder
>     Priority: Minor

>
> It would be nice if the properties file realm could rewrite your properties file with hashed passwords when it reads it.  We would need to be able to recognize hashed vs. unhashed entries and perhaps even different algorithms.  Perhaps it could go like this:
> user1=plaintext
> user2=MD5{...}
> user3=SHA1{...}
> Anyway, the idea is that this could be a reasonably secure alternative, but you still wouldn't need to manually hash things to add or update entries -- just put a plain text entry in and the next time the server reads the file it would hash it for you.
> I guess we'd need to synchronize on the hash operation to avoid threading problems if multiple apps or whatever use the same properties file, but it shouldn't be bad if we only rewrite the file if we find any plain text entries.



[jira] Closed: (GERONIMO-411) Add Hash Password Rewrite to File Realm

Posted by "Donald Woods (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/GERONIMO-411?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Donald Woods closed GERONIMO-411.
---------------------------------

       Resolution: Fixed
    Fix Version/s:     (was: 2.0.x)
                   2.0.2

Resolved by GERONIMO-2925

> Add Hash Password Rewrite to File Realm
> ---------------------------------------
>
>                 Key: GERONIMO-411
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-411
>             Project: Geronimo
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 1.0-M2, 1.2
>            Reporter: Aaron Mulder
>            Assignee: Donald Woods
>            Priority: Minor
>             Fix For: 2.1, 2.0.2
>
>         Attachments: properties-realm.patch
>
>
> It would be nice if the properties file realm could rewrite your properties file with hashed passwords when it reads it.  We would need to be able to recognize hashed vs. unhashed entries and perhaps even different algorithms.  Perhaps it could go like this:
> user1=plaintext
> user2=MD5{...}
> user3=SHA1{...}
> Anyway, the idea is that this could be a reasonably secure alternative, but you still wouldn't need to manually hash things to add or update entries -- just put a plain text entry in and the next time the server reads the file it would hash it for you.
> I guess we'd need to synchronize on the hash operation to avoid threading problems if multiple apps or whatever use the same properties file, but it shouldn't be bad if we only rewrite the file if we find any plain text entries.



[jira] Updated: (GERONIMO-411) Add Hash Password Rewrite to File Realm

Posted by "Aaron Mulder (JIRA)" <de...@geronimo.apache.org>.
     [ http://issues.apache.org/jira/browse/GERONIMO-411?page=all ]

Aaron Mulder updated GERONIMO-411:
----------------------------------

    Fix Version: 1.1
                     (was: 1.2)
      Assign To: Aaron Mulder

Someone on the user list said PW hashing was an absolute requirement for their project.  Review for 1.1 if time permits.

> Add Hash Password Rewrite to File Realm
> ---------------------------------------
>
>          Key: GERONIMO-411
>          URL: http://issues.apache.org/jira/browse/GERONIMO-411
>      Project: Geronimo
>         Type: Improvement

>   Components: security
>     Versions: 1.0-M2
>     Reporter: Aaron Mulder
>     Assignee: Aaron Mulder
>     Priority: Minor
>      Fix For: 1.1

>
> It would be nice if the properties file realm could rewrite your properties file with hashed passwords when it reads it.  We would need to be able to recognize hashed vs. unhashed entries and perhaps even different algorithms.  Perhaps it could go like this:
> user1=plaintext
> user2=MD5{...}
> user3=SHA1{...}
> Anyway, the idea is that this could be a reasonably secure alternative, but you still wouldn't need to manually hash things to add or update entries -- just put a plain text entry in and the next time the server reads the file it would hash it for you.
> I guess we'd need to synchronize on the hash operation to avoid threading problems if multiple apps or whatever use the same properties file, but it shouldn't be bad if we only rewrite the file if we find any plain text entries.



[jira] Commented: (GERONIMO-411) Add Hash Password Rewrite to File Realm

Posted by "Vamsavardhana Reddy (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/GERONIMO-411?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12519865 ] 

Vamsavardhana Reddy commented on GERONIMO-411:
----------------------------------------------

GERONIMO-1880 is not exactly the same as this one.  It does not do any rewriting of passwords with hash.  It only allows already hashed passwords to be used with PropertiesFile and SQL LoginModules.  Maybe we should reopen this JIRA!!

> Add Hash Password Rewrite to File Realm
> ---------------------------------------
>
>                 Key: GERONIMO-411
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-411
>             Project: Geronimo
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 1.0-M2, 1.2
>            Reporter: Aaron Mulder
>            Assignee: Donald Woods
>            Priority: Minor
>         Attachments: properties-realm.patch
>
>
> It would be nice if the properties file realm could rewrite your properties file with hashed passwords when it reads it.  We would need to be able to recognize hashed vs. unhashed entries and perhaps even different algorithms.  Perhaps it could go like this:
> user1=plaintext
> user2=MD5{...}
> user3=SHA1{...}
> Anyway, the idea is that this could be a reasonably secure alternative, but you still wouldn't need to manually hash things to add or update entries -- just put a plain text entry in and the next time the server reads the file it would hash it for you.
> I guess we'd need to synchronize on the hash operation to avoid threading problems if multiple apps or whatever use the same properties file, but it shouldn't be bad if we only rewrite the file if we find any plain text entries.



[jira] Commented: (GERONIMO-411) Add Hash Password Rewrite to File Realm

Posted by "Alan Cabrera (JIRA)" <de...@geronimo.apache.org>.
     [ http://nagoya.apache.org/jira/browse/GERONIMO-411?page=comments#action_54896 ]
     
Alan Cabrera commented on GERONIMO-411:
---------------------------------------

I'm not fond of the idea of rewriting the files w/ hashed passwords.  

What do you think about the idea of having the passwords already hashed and that the login module would do a hash on the password that was entered and compare it against what was in the file?

The hash that is used can be configurable.

> Add Hash Password Rewrite to File Realm
> ---------------------------------------
>
>          Key: GERONIMO-411
>          URL: http://nagoya.apache.org/jira/browse/GERONIMO-411
>      Project: Apache Geronimo
>         Type: Improvement
>   Components: security
>     Versions: 1.0-M2
>     Reporter: Aaron Mulder
>     Priority: Minor

>
> It would be nice if the properties file realm could rewrite your properties file with hashed passwords when it reads it.  We would need to be able to recognize hashed vs. unhashed entries and perhaps even different algorithms.  Perhaps it could go like this:
> user1=plaintext
> user2=MD5{...}
> user3=SHA1{...}
> Anyway, the idea is that this could be a reasonably secure alternative, but you still wouldn't need to manually hash things to add or update entries -- just put a plain text entry in and the next time the server reads the file it would hash it for you.
> I guess we'd need to synchronize on the hash operation to avoid threading problems if multiple apps or whatever use the same properties file, but it shouldn't be bad if we only rewrite the file if we find any plain text entries.



[jira] Updated: (GERONIMO-411) Add Hash Password Rewrite to File Realm

Posted by "Aaron Mulder (JIRA)" <de...@geronimo.apache.org>.
     [ http://issues.apache.org/jira/browse/GERONIMO-411?page=all ]

Aaron Mulder updated GERONIMO-411:
----------------------------------

    Assign To:     (was: Aaron Mulder)

> Add Hash Password Rewrite to File Realm
> ---------------------------------------
>
>          Key: GERONIMO-411
>          URL: http://issues.apache.org/jira/browse/GERONIMO-411
>      Project: Geronimo
>         Type: Improvement

>   Components: security
>     Versions: 1.0-M2
>     Reporter: Aaron Mulder
>     Priority: Minor
>      Fix For: 1.2

>
> It would be nice if the properties file realm could rewrite your properties file with hashed passwords when it reads it.  We would need to be able to recognize hashed vs. unhashed entries and perhaps even different algorithms.  Perhaps it could go like this:
> user1=plaintext
> user2=MD5{...}
> user3=SHA1{...}
> Anyway, the idea is that this could be a reasonably secure alternative, but you still wouldn't need to manually hash things to add or update entries -- just put a plain text entry in and the next time the server reads the file it would hash it for you.
> I guess we'd need to synchronize on the hash operation to avoid threading problems if multiple apps or whatever use the same properties file, but it shouldn't be bad if we only rewrite the file if we find any plain text entries.



[jira] Updated: (GERONIMO-411) Add Hash Password Rewrite to File Realm

Posted by "Aman Nanner (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/GERONIMO-411?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Aman Nanner updated GERONIMO-411:
---------------------------------

    Attachment: properties-realm.patch

This is a patch that will rewrite the user properties file with hashed passwords, according to the digest algorithm supplied to the properties login module.  If no digest is specified, then the passwords will not be hashed.

> Add Hash Password Rewrite to File Realm
> ---------------------------------------
>
>                 Key: GERONIMO-411
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-411
>             Project: Geronimo
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 1.0-M2
>            Reporter: Aaron Mulder
>            Priority: Minor
>             Fix For: Wish List
>
>         Attachments: properties-realm.patch
>
>
> It would be nice if the properties file realm could rewrite your properties file with hashed passwords when it reads it.  We would need to be able to recognize hashed vs. unhashed entries and perhaps even different algorithms.  Perhaps it could go like this:
> user1=plaintext
> user2=MD5{...}
> user3=SHA1{...}
> Anyway, the idea is that this could be a reasonably secure alternative, but you still wouldn't need to manually hash things to add or update entries -- just put a plain text entry in and the next time the server reads the file it would hash it for you.
> I guess we'd need to synchronize on the hash operation to avoid threading problems if multiple apps or whatever use the same properties file, but it shouldn't be bad if we only rewrite the file if we find any plain text entries.



[jira] Commented: (GERONIMO-411) Add Hash Password Rewrite to File Realm

Posted by "Aaron Mulder (JIRA)" <de...@geronimo.apache.org>.
    [ http://issues.apache.org/jira/browse/GERONIMO-411?page=comments#action_12320293 ] 

Aaron Mulder commented on GERONIMO-411:
---------------------------------------

Jeff says: "Is this something we should do in the plans as well (i.e. SSL certs, etc)?"

I guess ultimately we'll want some sort of utility class that can have a method like

public boolean isMatchingPassword(String one, String two)

Then it can handle comparing passwords regardless of whether they're null, plain text, hashed, etc.  And we can invoke that anywhere we need to compare passwords.

That said, we can't hash the passwords for SSL certs since AFAIK we have to reproduce the passwords in order to pass them to the keystore API to access the keystore and private key.  Likewise the DB password for a connection pool, etc.  We could encrypt the passwords, but I don't know what encryption key we could use that wouldn't be subject to change and also wouldn't be transparent to anyone with the source code -- in other words, it would only defeat the most casual attackers, and it's probably overengineering for that compared to, say, ROT-13.  :)

> Add Hash Password Rewrite to File Realm
> ---------------------------------------
>
>          Key: GERONIMO-411
>          URL: http://issues.apache.org/jira/browse/GERONIMO-411
>      Project: Geronimo
>         Type: Improvement
>   Components: security
>     Versions: 1.0-M2
>     Reporter: Aaron Mulder
>     Priority: Minor
>      Fix For: 1.0
>
> It would be nice if the properties file realm could rewrite your properties file with hashed passwords when it reads it.  We would need to be able to recognize hashed vs. unhashed entries and perhaps even different algorithms.  Perhaps it could go like this:
> user1=plaintext
> user2=MD5{...}
> user3=SHA1{...}
> Anyway, the idea is that this could be a reasonably secure alternative, but you still wouldn't need to manually hash things to add or update entries -- just put a plain text entry in and the next time the server reads the file it would hash it for you.
> I guess we'd need to synchronize on the hash operation to avoid threading problems if multiple apps or whatever use the same properties file, but it shouldn't be bad if we only rewrite the file if we find any plain text entries.

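An added illustration, not part of the thread or of Geronimo's code: one way the utility method mentioned in the comment above could recognise the proposed `ALG{hex}` entries, compare passwords, and hash plain-text entries only when it finds any. The class name `PasswordEntries`, the method `hashPlainEntries`, the hex encoding of the digest and the fail-closed handling of null are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical helper for the "user=ALG{hex}" entry format proposed in the issue. */
public class PasswordEntries {
    // Prefix written in the file -> JCA algorithm name.
    private static final Map<String, String> ALGORITHMS = Map.of("MD5", "MD5", "SHA1", "SHA-1");
    // A hashed entry is ALG{hex digits}; everything else is treated as plain text.
    // Caveat of the format: a plain-text password that itself looks like
    // "MD5{ab12}" cannot be told apart from a hashed entry.
    private static final Pattern HASHED = Pattern.compile("(MD5|SHA1)\\{([0-9a-fA-F]+)\\}");

    /** Returns prefix{lowercase hex digest}; prefix must be a key of ALGORITHMS. */
    static String hash(String prefix, String password) {
        try {
            MessageDigest md = MessageDigest.getInstance(ALGORITHMS.get(prefix));
            byte[] digest = md.digest(password.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder();
            for (byte b : digest) hex.append(String.format("%02x", b));
            return prefix + "{" + hex + "}";
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Compares a stored entry (null, plain text or ALG{hex}) with a supplied password. */
    public static boolean isMatchingPassword(String stored, String supplied) {
        if (stored == null || supplied == null) return false; // assumption: fail closed
        Matcher m = HASHED.matcher(stored);
        String expected = stored, actual = supplied;
        if (m.matches()) {
            // Hash the supplied password with the algorithm named by the entry.
            expected = m.group(1) + "{" + m.group(2).toLowerCase() + "}";
            actual = hash(m.group(1), supplied);
        }
        // MessageDigest.isEqual does not stop at the first differing byte.
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     actual.getBytes(StandardCharsets.UTF_8));
    }

    /** Hashes plain-text entries in place; true means the file needs to be rewritten. */
    public static synchronized boolean hashPlainEntries(Map<String, String> users, String prefix) {
        boolean changed = false;
        for (Map.Entry<String, String> e : users.entrySet()) {
            String value = e.getValue();
            if (value != null && !HASHED.matcher(value).matches()) {
                e.setValue(hash(prefix, value));
                changed = true;
            }
        }
        return changed;
    }

    public static void main(String[] args) {
        Map<String, String> users = new LinkedHashMap<>(); // constructed sample entries
        users.put("user1", "plaintext");
        users.put("user2", hash("MD5", "secret2"));
        System.out.println("rewrite needed: " + hashPlainEntries(users, "SHA1"));
        System.out.println("second pass:    " + hashPlainEntries(users, "SHA1"));
        users.forEach((user, value) -> System.out.println(user + "=" + value));
        System.out.println(isMatchingPassword(users.get("user1"), "plaintext"));
        System.out.println(isMatchingPassword(users.get("user2"), "wrong"));
    }
}
```

The second pass reports no change, which is the condition under which the file would be left untouched. Unsalted MD5 and SHA-1 are used here only because they are the formats the issue names.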


[jira] Reopened: (GERONIMO-411) Add Hash Password Rewrite to File Realm

Posted by "Donald Woods (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/GERONIMO-411?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Donald Woods reopened GERONIMO-411:
-----------------------------------


> Add Hash Password Rewrite to File Realm
> ---------------------------------------
>
>                 Key: GERONIMO-411
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-411
>             Project: Geronimo
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 1.0-M2, 1.2
>            Reporter: Aaron Mulder
>            Assignee: Donald Woods
>            Priority: Minor
>             Fix For: 2.0.x, 2.1
>
>         Attachments: properties-realm.patch
>
>
> It would be nice if the properties file realm could rewrite your properties file with hashed passwords when it reads it.  We would need to be able to recognize hashed vs. unhashed entries and perhaps even different algorithms.  Perhaps it could go like this:
> user1=plaintext
> user2=MD5{...}
> user3=SHA1{...}
> Anyway, the idea is that this could be a reasonably secure alternative, but you still wouldn't need to manually hash things to add or update entries -- just put a plain text entry in and the next time the server reads the file it would hash it for you.
> I guess we'd need to synchronize on the hash operation to avoid threading problems if multiple apps or whatever use the same properties file, but it shouldn't be bad if we only rewrite the file if we find any plain text entries.



[jira] Commented: (GERONIMO-411) Add Hash Password Rewrite to File Realm

Posted by "Vamsavardhana Reddy (JIRA)" <ji...@apache.org>.
    [ http://issues.apache.org/jira/browse/GERONIMO-411?page=comments#action_12455584 ] 
            
Vamsavardhana Reddy commented on GERONIMO-411:
----------------------------------------------

Now that PropertiesFileLoginModule and SQLLoginModule support a "digest" option (See GERONIMO-1880), is this Hash Password Rewrite feature required?



> Add Hash Password Rewrite to File Realm
> ---------------------------------------
>
>                 Key: GERONIMO-411
>                 URL: http://issues.apache.org/jira/browse/GERONIMO-411
>             Project: Geronimo
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 1.0-M2
>            Reporter: Aaron Mulder
>            Priority: Minor
>             Fix For: Wish List
>
>
> It would be nice if the properties file realm could rewrite your properties file with hashed passwords when it reads it.  We would need to be able to recognize hashed vs. unhashed entries and perhaps even different algorithms.  Perhaps it could go like this:
> user1=plaintext
> user2=MD5{...}
> user3=SHA1{...}
> Anyway, the idea is that this could be a reasonably secure alternative, but you still wouldn't need to manually hash things to add or update entries -- just put a plain text entry in and the next time the server reads the file it would hash it for you.
> I guess we'd need to synchronize on the hash operation to avoid threading problems if multiple apps or whatever use the same properties file, but it shouldn't be bad if we only rewrite the file if we find any plain text entries.


        

[jira] Closed: (GERONIMO-411) Add Hash Password Rewrite to File Realm

Posted by "Donald Woods (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/GERONIMO-411?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Donald Woods closed GERONIMO-411.
---------------------------------

       Resolution: Duplicate
    Fix Version/s:     (was: 2.0.x)

Already solved by GERONIMO-1880

> Add Hash Password Rewrite to File Realm
> ---------------------------------------
>
>                 Key: GERONIMO-411
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-411
>             Project: Geronimo
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 1.0-M2, 1.2
>            Reporter: Aaron Mulder
>            Assignee: Donald Woods
>            Priority: Minor
>         Attachments: properties-realm.patch
>
>
> It would be nice if the properties file realm could rewrite your properties file with hashed passwords when it reads it.  We would need to be able to recognize hashed vs. unhashed entries and perhaps even different algorithms.  Perhaps it could go like this:
> user1=plaintext
> user2=MD5{...}
> user3=SHA1{...}
> Anyway, the idea is that this could be a reasonably secure alternative, but you still wouldn't need to manually hash things to add or update entries -- just put a plain text entry in and the next time the server reads the file it would hash it for you.
> I guess we'd need to synchronize on the hash operation to avoid threading problems if multiple apps or whatever use the same properties file, but it shouldn't be bad if we only rewrite the file if we find any plain text entries.



[jira] Updated: (GERONIMO-411) Add Hash Password Rewrite to File Realm

Posted by "Matt Hogstrom (JIRA)" <de...@geronimo.apache.org>.
     [ http://issues.apache.org/jira/browse/GERONIMO-411?page=all ]

Matt Hogstrom updated GERONIMO-411:
-----------------------------------

    Fix Version: 1.2
                     (was: 1.1)

> Add Hash Password Rewrite to File Realm
> ---------------------------------------
>
>          Key: GERONIMO-411
>          URL: http://issues.apache.org/jira/browse/GERONIMO-411
>      Project: Geronimo
>         Type: Improvement
>   Components: security
>     Versions: 1.0-M2
>     Reporter: Aaron Mulder
>     Assignee: Aaron Mulder
>     Priority: Minor
>      Fix For: 1.2
>
> It would be nice if the properties file realm could rewrite your properties file with hashed passwords when it reads it.  We would need to be able to recognize hashed vs. unhashed entries and perhaps even different algorithms.  Perhaps it could go like this:
> user1=plaintext
> user2=MD5{...}
> user3=SHA1{...}
> Anyway, the idea is that this could be a reasonably secure alternative, but you still wouldn't need to manually hash things to add or update entries -- just put a plain text entry in and the next time the server reads the file it would hash it for you.
> I guess we'd need to synchronize on the hash operation to avoid threading problems if multiple apps or whatever use the same properties file, but it shouldn't be bad if we only rewrite the file if we find any plain text entries.



[jira] Updated: (GERONIMO-411) Add Hash Password Rewrite to File Realm

Posted by "Donald Woods (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/GERONIMO-411?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Donald Woods updated GERONIMO-411:
----------------------------------

    Fix Version/s: 2.1
                   2.0.x

> Add Hash Password Rewrite to File Realm
> ---------------------------------------
>
>                 Key: GERONIMO-411
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-411
>             Project: Geronimo
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 1.0-M2, 1.2
>            Reporter: Aaron Mulder
>            Assignee: Donald Woods
>            Priority: Minor
>             Fix For: 2.0.x, 2.1
>
>         Attachments: properties-realm.patch
>
>
> It would be nice if the properties file realm could rewrite your properties file with hashed passwords when it reads it.  We would need to be able to recognize hashed vs. unhashed entries and perhaps even different algorithms.  Perhaps it could go like this:
> user1=plaintext
> user2=MD5{...}
> user3=SHA1{...}
> Anyway, the idea is that this could be a reasonably secure alternative, but you still wouldn't need to manually hash things to add or update entries -- just put a plain text entry in and the next time the server reads the file it would hash it for you.
> I guess we'd need to synchronize on the hash operation to avoid threading problems if multiple apps or whatever use the same properties file, but it shouldn't be bad if we only rewrite the file if we find any plain text entries.



Re: [jira] Updated: (GERONIMO-411) Add Hash Password Rewrite to File Realm

Posted by Jeff Genender <jg...@savoirtech.com>.
Is this something we should do in the plans as well (i.e. SSL certs, etc)?

Aaron Mulder (JIRA) wrote:
>      [ http://issues.apache.org/jira/browse/GERONIMO-411?page=all ]
> 
> Aaron Mulder updated GERONIMO-411:
> ----------------------------------
> 
>     Fix Version: 1.0
>     Description: 
> It would be nice if the properties file realm could rewrite your properties file with hashed passwords when it reads it.  We would need to be able to recognize hashed vs. unhashed entries and perhaps even different algorithms.  Perhaps it could go like this:
> 
> user1=plaintext
> user2=MD5{...}
> user3=SHA1{...}
> 
> Anyway, the idea is that this could be a reasonably secure alternative, but you still wouldn't need to manually hash things to add or update entries -- just put a plain text entry in and the next time the server reads the file it would hash it for you.
> 
> I guess we'd need to synchronize on the hash operation to avoid threading problems if multiple apps or whatever use the same properties file, but it shouldn't be bad if we only rewrite the file if we find any plain text entries.
> 
>   was:
> It would be nice if the properties file realm could rewrite your properties file with hashed passwords when it reads it.  We would need to be able to recognize hashed vs. unhashed entries and perhaps even different algorithms.  Perhaps it could go like this:
> 
> user1=plaintext
> user2=MD5{...}
> user3=SHA1{...}
> 
> Anyway, the idea is that this could be a reasonably secure alternative, but you still wouldn't need to manually hash things to add or update entries -- just put a plain text entry in and the next time the server reads the file it would hash it for you.
> 
> I guess we'd need to synchronize on the hash operation to avoid threading problems if multiple apps or whatever use the same properties file, but it shouldn't be bad if we only rewrite the file if we find any plain text entries.
> 
>     Environment: 
> 
> 
>>Add Hash Password Rewrite to File Realm
>>---------------------------------------
>>
>>         Key: GERONIMO-411
>>         URL: http://issues.apache.org/jira/browse/GERONIMO-411
>>     Project: Geronimo
>>        Type: Improvement
>>  Components: security
>>    Versions: 1.0-M2
>>    Reporter: Aaron Mulder
>>    Priority: Minor
>>     Fix For: 1.0
> 
> 
>>It would be nice if the properties file realm could rewrite your properties file with hashed passwords when it reads it.  We would need to be able to recognize hashed vs. unhashed entries and perhaps even different algorithms.  Perhaps it could go like this:
>>user1=plaintext
>>user2=MD5{...}
>>user3=SHA1{...}
>>Anyway, the idea is that this could be a reasonably secure alternative, but you still wouldn't need to manually hash things to add or update entries -- just put a plain text entry in and the next time the server reads the file it would hash it for you.
>>I guess we'd need to synchronize on the hash operation to avoid threading problems if multiple apps or whatever use the same properties file, but it shouldn't be bad if we only rewrite the file if we find any plain text entries.
> 
> 

[jira] Updated: (GERONIMO-411) Add Hash Password Rewrite to File Realm

Posted by "Aaron Mulder (JIRA)" <de...@geronimo.apache.org>.
     [ http://issues.apache.org/jira/browse/GERONIMO-411?page=all ]

Aaron Mulder updated GERONIMO-411:
----------------------------------

    Fix Version: 1.0
    Description: 
It would be nice if the properties file realm could rewrite your properties file with hashed passwords when it reads it.  We would need to be able to recognize hashed vs. unhashed entries and perhaps even different algorithms.  Perhaps it could go like this:

user1=plaintext
user2=MD5{...}
user3=SHA1{...}

Anyway, the idea is that this could be a reasonably secure alternative, but you still wouldn't need to manually hash things to add or update entries -- just put a plain text entry in and the next time the server reads the file it would hash it for you.

I guess we'd need to synchronize on the hash operation to avoid threading problems if multiple apps or whatever use the same properties file, but it shouldn't be bad if we only rewrite the file if we find any plain text entries.

  was:
It would be nice if the properties file realm could rewrite your properties file with hashed passwords when it reads it.  We would need to be able to recognize hashed vs. unhashed entries and perhaps even different algorithms.  Perhaps it could go like this:

user1=plaintext
user2=MD5{...}
user3=SHA1{...}

Anyway, the idea is that this could be a reasonably secure alternative, but you still wouldn't need to manually hash things to add or update entries -- just put a plain text entry in and the next time the server reads the file it would hash it for you.

I guess we'd need to synchronize on the hash operation to avoid threading problems if multiple apps or whatever use the same properties file, but it shouldn't be bad if we only rewrite the file if we find any plain text entries.

    Environment: 

> Add Hash Password Rewrite to File Realm
> ---------------------------------------
>
>          Key: GERONIMO-411
>          URL: http://issues.apache.org/jira/browse/GERONIMO-411
>      Project: Geronimo
>         Type: Improvement
>   Components: security
>     Versions: 1.0-M2
>     Reporter: Aaron Mulder
>     Priority: Minor
>      Fix For: 1.0
>
> It would be nice if the properties file realm could rewrite your properties file with hashed passwords when it reads it.  We would need to be able to recognize hashed vs. unhashed entries and perhaps even different algorithms.  Perhaps it could go like this:
> user1=plaintext
> user2=MD5{...}
> user3=SHA1{...}
> Anyway, the idea is that this could be a reasonably secure alternative, but you still wouldn't need to manually hash things to add or update entries -- just put a plain text entry in and the next time the server reads the file it would hash it for you.
> I guess we'd need to synchronize on the hash operation to avoid threading problems if multiple apps or whatever use the same properties file, but it shouldn't be bad if we only rewrite the file if we find any plain text entries.



[jira] Commented: (GERONIMO-411) Add Hash Password Rewrite to File Realm

Posted by "Vamsavardhana Reddy (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/GERONIMO-411?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12489602 ] 

Vamsavardhana Reddy commented on GERONIMO-411:
----------------------------------------------

There is already a digest attribute being used to address GERONIMO-1880.  The purpose of this attribute is not to rewrite any passwords but to allow the use of digested passwords in place of clear text passwords.   Won't properties-realm.patch break GERONIMO-1880?

> Add Hash Password Rewrite to File Realm
> ---------------------------------------
>
>                 Key: GERONIMO-411
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-411
>             Project: Geronimo
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 1.0-M2, 1.2
>            Reporter: Aaron Mulder
>         Assigned To: Donald Woods
>            Priority: Minor
>             Fix For: Wish List
>
>         Attachments: properties-realm.patch
>
>
> It would be nice if the properties file realm could rewrite your properties file with hashed passwords when it reads it.  We would need to be able to recognize hashed vs. unhashed entries and perhaps even different algorithms.  Perhaps it could go like this:
> user1=plaintext
> user2=MD5{...}
> user3=SHA1{...}
> Anyway, the idea is that this could be a reasonably secure alternative, but you still wouldn't need to manually hash things to add or update entries -- just put a plain text entry in and the next time the server reads the file it would hash it for you.
> I guess we'd need to synchronize on the hash operation to avoid threading problems if multiple apps or whatever use the same properties file, but it shouldn't be bad if we only rewrite the file if we find any plain text entries.



[jira] Commented: (GERONIMO-411) Add Hash Password Rewrite to File Realm

Posted by "Vamsavardhana Reddy (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/GERONIMO-411?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12538004 ] 

Vamsavardhana Reddy commented on GERONIMO-411:
----------------------------------------------

I agree with David.  If the cause for concern is unprotected properties files, the users should either protect the properties files or use the digest option (see GERONIMO-1880).

> Add Hash Password Rewrite to File Realm
> ---------------------------------------
>
>                 Key: GERONIMO-411
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-411
>             Project: Geronimo
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 1.0-M2, 1.2
>            Reporter: Aaron Mulder
>            Assignee: Donald Woods
>            Priority: Minor
>             Fix For: 2.0.x, 2.1
>
>         Attachments: properties-realm.patch
>
>
> It would be nice if the properties file realm could rewrite your properties file with hashed passwords when it reads it.  We would need to be able to recognize hashed vs. unhashed entries and perhaps even different algorithms.  Perhaps it could go like this:
> user1=plaintext
> user2=MD5{...}
> user3=SHA1{...}
> Anyway, the idea is that this could be a reasonably secure alternative, but you still wouldn't need to manually hash things to add or update entries -- just put a plain text entry in and the next time the server reads the file it would hash it for you.
> I guess we'd need to synchronize on the hash operation to avoid threading problems if multiple apps or whatever use the same properties file, but it shouldn't be bad if we only rewrite the file if we find any plain text entries.



[jira] Updated: (GERONIMO-411) Add Hash Password Rewrite to File Realm

Posted by "Matt Hogstrom (JIRA)" <ji...@apache.org>.
     [ http://issues.apache.org/jira/browse/GERONIMO-411?page=all ]

Matt Hogstrom updated GERONIMO-411:
-----------------------------------

    Fix Version/s: Wish List
                       (was: 1.2)

> Add Hash Password Rewrite to File Realm
> ---------------------------------------
>
>                 Key: GERONIMO-411
>                 URL: http://issues.apache.org/jira/browse/GERONIMO-411
>             Project: Geronimo
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 1.0-M2
>            Reporter: Aaron Mulder
>            Priority: Minor
>             Fix For: Wish List
>
>
> It would be nice if the properties file realm could rewrite your properties file with hashed passwords when it reads it.  We would need to be able to recognize hashed vs. unhashed entries and perhaps even different algorithms.  Perhaps it could go like this:
> user1=plaintext
> user2=MD5{...}
> user3=SHA1{...}
> Anyway, the idea is that this could be a reasonably secure alternative, but you still wouldn't need to manually hash things to add or update entries -- just put a plain text entry in and the next time the server reads the file it would hash it for you.
> I guess we'd need to synchronize on the hash operation to avoid threading problems if multiple apps or whatever use the same properties file, but it shouldn't be bad if we only rewrite the file if we find any plain text entries.
