You are viewing a plain text version of this content. The canonical link for it is here.
Posted to jetspeed-user@portals.apache.org by Ying Wen Z Zhang <zy...@cn.ibm.com> on 2013/07/09 15:47:29 UTC
About Changing Password Encryption Algorithm for Jetspeed Portal
Dear,
I met problem when I try to change Password Encryption Algorithm of
Jetspeed Portal, the version of the Jetspeed I am using is Jetspeed 2.2.2
Can you tell me the exact procedure of how to override the password
encoding algorithm?
These are the procedures I have tried, but Jetspeed doesn't change its
behavior.
1. modify security-spi.xml(webapps\jetspeed\WEB-INF\assembly)
change the constructor value from SHA-1 to MD5
<bean id="org.apache.jetspeed.security.CredentialPasswordEncoder"
class="org.apache.jetspeed.security.spi.impl.MessageDigestCredentialPasswordEncoder">
<meta key="j2:cat" value="default or security" />
<constructor-arg index="0">
<value>MD5</value>
</constructor-arg>
</bean>
2.modify security-spi-atn.xml(webapps\jetspeed\WEB-INF\assembly), change
the constructor value from SHA-1 to MD5
<bean id="org.apache.jetspeed.security.spi.CredentialPasswordEncoder"
class="org.apache.jetspeed.security.spi.impl.MessageDigestCredentialPasswordEncoder">
<meta key="j2:cat" value="default or security" />
<constructor-arg index="0">
<value>MD5</value>
</constructor-arg>
</bean>
3. restart jetspeed server, create a new user as admin, login as a new
user, load a portlet application that use jetspeed user manager service to
retreive the encrypted password, it seems that the newly created user's
password is still encrypted by SHA-1
4. What I really want is to override the credential password encoder
implementation to use our own encryption algorithm.
Then I try to write a new password encoding class that implements
CredentialPasswordEncoder,
(See attached file: SHA256PasswordEncoder.java)(I package the program to
jar file under webapps\jetspeed\WEB-INF\lib )
and I change the name of the class from
org.apache.jetspeed.security.spi.impl.MessageDigestCredentialPasswordEncoder
to my encoding class, restart the server, the encryption algorithm also
didn't change.
5.I also tried to create a xml file in the override folder to override the
bean
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="
http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-2.5.xsd">
<bean id="org.apache.jetspeed.security.spi.CredentialPasswordEncoder"
class="com.ibm.gbsc.arema.security.SHA256PasswordEncoder">
</bean>
</beans>
it also failed in changing the encoding behavior.
Can you give me some suggestions? I will be greatly appreciated of your
help, since this solution is very crucial to our project.
Best regards,
Ying Wen Zhang
GBSC
Software Engineer
GBS Solutions and Assets
isg
Office Phone: +86 10-8245-1193
Mobile: 15210895280
Email: zyingwen@cn.ibm.com
gbscbrandcolor
Visit:
GBS
Solution
Maps
Re: About Changing Password Encryption Algorithm for Jetspeed Portal
Posted by David Taylor <da...@gmail.com>.
Can you try overriding two beans with your class (*SHA256PasswordEncoder)
as follows. You can do this in a 'override' new xml file placed in
overrides directory, you don't actually have to edit security-spi.xml and
security-spi-atn.xml*....
1. security-spi.xml
<bean id="org.apache.jetspeed.security.CredentialPasswordEncoder"
class="com.ibm.gbsc.arema.security.">
<meta key="j2:cat" value="default or security.SHA256PasswordEncoder" />
</bean>
2. security-spi-atn.xml
<!-- MessageDigest encode passwords using SHA-1 -->
<bean id="org.apache.jetspeed.security.spi.CredentialPasswordEncoder"
class="com.ibm.gbsc.arema.security.SHA256PasswordEncoder">
<meta key="j2:cat" value="default or security" />
</bean>
And then restart and see if that works.
On Tue, Jul 9, 2013 at 6:47 AM, Ying Wen Z Zhang <zy...@cn.ibm.com>wrote:
> Dear,
>
> I met problem when I try to change Password Encryption Algorithm of
> Jetspeed Portal, the version of the Jetspeed I am using is Jetspeed 2.2.2
>
> Can you tell me the exact procedure of how to override the password
> encoding algorithm?
>
> These are the procedures I have tried, but Jetspeed doesn't change its
> behavior.
>
> 1. modify security-spi.xml(webapps\jetspeed\WEB-INF\assembly)
> change the constructor value from SHA-1 to MD5
>
> <bean id="org.apache.jetspeed.security.CredentialPasswordEncoder"
>
> class="org.apache.jetspeed.security.spi.impl.MessageDigestCredentialPasswordEncoder">
> <meta key="j2:cat" value="default or security" />
> <constructor-arg index="0">
> <value>MD5</value>
> </constructor-arg>
> </bean>
> 2.modify security-spi-atn.xml(webapps\jetspeed\WEB-INF\assembly), change
> the constructor value from SHA-1 to MD5
> <bean id="org.apache.jetspeed.security.spi.CredentialPasswordEncoder"
>
> class="org.apache.jetspeed.security.spi.impl.MessageDigestCredentialPasswordEncoder">
> <meta key="j2:cat" value="default or security" />
> <constructor-arg index="0">
> <value>MD5</value>
> </constructor-arg>
> </bean>
>
> 3. restart jetspeed server, create a new user as admin, login as a new
> user, load a portlet application that use jetspeed user manager service to
> retreive the encrypted password, it seems that the newly created user's
> password is still encrypted by SHA-1
>
> 4. What I really want is to override the credential password encoder
> implementation to use our own encryption algorithm.
>
> Then I try to write a new password encoding class that implements
> CredentialPasswordEncoder,
> *(See attached file: SHA256PasswordEncoder.java)*(I package the program
> to jar file under webapps\jetspeed\WEB-INF\lib )
> and I change the name of the class from
> org.apache.jetspeed.security.spi.impl.MessageDigestCredentialPasswordEncoder
> to my encoding class, restart the server, the encryption algorithm also
> didn't change.
>
> 5.I also tried to create a xml file in the override folder to override the
> bean
>
> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="
> http://www.w3.org/2001/XMLSchema-instance"
> xsi:schemaLocation="http://www.springframework.org/schema/beans
> http://www.springframework.org/schema/beans/spring-beans-2.5.xsd">
> <bean id="org.apache.jetspeed.security.spi.CredentialPasswordEncoder"
> class="com.ibm.gbsc.arema.security.SHA256PasswordEncoder">
>
> </bean>
> </beans>
>
> it also failed in changing the encoding behavior.
>
> Can you give me some suggestions? I will be greatly appreciated of your
> help, since this solution is very crucial to our project.
>
>
> Best regards,
>
> *Ying Wen Zhang*
> GBSC
> Software Engineer*GBS Solutions and Assets*<http://w3.ibm.com/ibm/resource/gbs_solutions.html>
> [image: isg]<https://w3-03.sso.ibm.com/services/practitionerportal/assethub/production/sacindex.jsp?&source=signature>
> Office Phone: +86 10-8245-1193
> Mobile: 15210895280
> Email: zyingwen@cn.ibm.com[image: gbscbrandcolor]
> Visit: GBS Solution Maps<http://w3.ibm.com/ibm/resource/gbs_industry_solution_maps.html>
>
>
>
>
>
>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: jetspeed-user-unsubscribe@portals.apache.org
> For additional commands, e-mail: jetspeed-user-help@portals.apache.org
>
--
David