You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@karaf.apache.org by "Christoph (Updated) (JIRA)" <ji...@apache.org> on 2011/11/29 10:29:40 UTC
[jira] [Updated] (KARAF-1037) karaf console command "jaas:adduser"
with encrypted password
[ https://issues.apache.org/jira/browse/KARAF-1037?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Christoph updated KARAF-1037:
-----------------------------
Priority: Major (was: Minor)
> karaf console command "jaas:adduser" with encrypted password
> ------------------------------------------------------------
>
> Key: KARAF-1037
> URL: https://issues.apache.org/jira/browse/KARAF-1037
> Project: Karaf
> Issue Type: Bug
> Components: karaf-core
> Affects Versions: 2.2.4
> Environment: CentOS-5.7-x86_64, Mac OS X 10.7.2, Java 1.6.0_29
> Reporter: Christoph
> Labels: security
> Original Estimate: 24h
> Remaining Estimate: 24h
>
> The karaf console shows a strange behavior when working with JAAS authentication modules and password encryption
> Line of actions that lead to the issue:
> (1) First of all, we've created a blueprint service containing the JAAS configuration
> {noformat}
> <blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0" xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0"
> xmlns:cm="http://aries.apache.org/blueprint/xmlns/blueprint-cm/v1.1.0" xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0">
> <type-converters>
> <bean class="org.apache.karaf.jaas.modules.properties.PropertiesConverter" />
> </type-converters>
> <!-- Allow usage of System properties, especially the karaf.base property -->
> <ext:property-placeholder placeholder-prefix="$[" placeholder-suffix="]" />
> <jaas:config name="myRealm">
> <jaas:module className="org.apache.karaf.jaas.modules.properties.PropertiesLoginModule"
> flags="required">
> users = $[karaf.base]/etc/myUser.properties
> encryption.enabled = true
> encryption.prefix = {CRYPT}
> encryption.suffix = {CRYPT}
> encryption.algorithm = MD5
> encryption.encoding = hexadecimal
> </jaas:module>
> </jaas:config>
> </blueprint>
> {noformat}
> (2) After installing the realm as a feature in our service gateway, we configure two users with roles via the karaf command line interface
> {noformat}
> karaf@tesb> jaas:manage myRealm
> karaf@tesb> jaas:useradd usr.app cert1
> karaf@tesb> jaas:roleadd usr.app admin
> karaf@tesb> jaas:roleadd usr.app dev
> karaf@tesb> jaas:update
> {noformat}
> and can find something like the following entry in our myUser.properties file
> {noformat}
> usr.app = 510fd1dc93d0c601ad208ad700afc403,admin,dev
> {noformat}
> (3) When we execute a service call that triggers our authentication chain, the myUser.properties file changes to something like:
> {noformat}
> usr.app = {CRYPT}b3bef7f3d410589d471f93f6d55db6d4{CRYPT},admin,dev
> {noformat}
> This behaviour lead's us to the assumption, that the configuration via the karaf command line interface using JAAS commands does not create the encryption tag's but an initial hash set. When the application is using than the hash the first time, it does think that the password is not hashed yet, and creates a second hash with the pre- and suffix but makes the initial password useless.
> Workaround for that issue is to avoid pre- and suffix for custom JAAS authentication modules
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira