Posted to dev@syncope.apache.org by "Hudson (JIRA)" <ji...@apache.org> on 2012/09/03 12:36:10 UTC

[jira] [Commented] (SYNCOPE-100) Add more password encryption options

    [ https://issues.apache.org/jira/browse/SYNCOPE-100?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13447201#comment-13447201 ] 

Hudson commented on SYNCOPE-100:
--------------------------------

Integrated in Syncope-linux #264 (See [https://builds.apache.org/job/Syncope-linux/264/])
    Fixes issue SYNCOPE-51 and SYNCOPE-100 special thanks to Bob and Massimiliano (Revision 1380190)

     Result = SUCCESS
fmartelli : 
Files : 
* /incubator/syncope/trunk/archetype/src/main/resources/archetype-resources/core/src/main/resources
* /incubator/syncope/trunk/archetype/src/main/resources/archetype-resources/core/src/main/resources/security.properties
* /incubator/syncope/trunk/archetype/src/main/resources/archetype-resources/core/src/test/resources/security.properties
* /incubator/syncope/trunk/client/src/main/java/org/apache/syncope/types/CipherAlgorithm.java
* /incubator/syncope/trunk/core/pom.xml
* /incubator/syncope/trunk/core/src/main/java/org/apache/syncope/core/persistence/beans/user/SyncopeUser.java
* /incubator/syncope/trunk/core/src/main/java/org/apache/syncope/core/rest/data/UserDataBinder.java
* /incubator/syncope/trunk/core/src/main/java/org/apache/syncope/core/security/EncodePasswordCLI.java
* /incubator/syncope/trunk/core/src/main/java/org/apache/syncope/core/security/PasswordEncoder.java
* /incubator/syncope/trunk/core/src/main/java/org/apache/syncope/core/security/SyncopeAuthenticationProvider.java
* /incubator/syncope/trunk/core/src/main/java/org/apache/syncope/core/workflow/NoOpUserWorkflowAdapter.java
* /incubator/syncope/trunk/core/src/main/resources/content.xml
* /incubator/syncope/trunk/core/src/main/resources/security.properties
* /incubator/syncope/trunk/core/src/main/resources/securityContext.xml
* /incubator/syncope/trunk/core/src/test/java/org/apache/syncope/core/rest/UserTestITCase.java
* /incubator/syncope/trunk/core/src/test/java/org/apache/syncope/core/security
* /incubator/syncope/trunk/core/src/test/java/org/apache/syncope/core/security/PasswordEncoderTest.java
* /incubator/syncope/trunk/core/src/test/resources/content.xml
* /incubator/syncope/trunk/core/src/test/resources/security.properties
* /incubator/syncope/trunk/pom.xml

                
> Add more password encryption options
> ------------------------------------
>
>                 Key: SYNCOPE-100
>                 URL: https://issues.apache.org/jira/browse/SYNCOPE-100
>             Project: Syncope
>          Issue Type: Improvement
>            Reporter: Francesco Chicchiriccò
>            Assignee: fabio martelli
>              Labels: security
>             Fix For: 1.1.0-incubating
>
>         Attachments: passwordhash.patch
>
>
> It would be best to add other password mechanisms that include salting and stretching of passwords (see links).
> This would mean that an extra attribute has to be added to the user (salt) which can be used for that purpose.
> You would be able to keep the old ones for backward compatibility and include new ones which are a lot safer. Apparently PBKDF2 is considered a secure mechanism.
> Some reading material:
> https://www.owasp.org/index.php/Hashing_Java
> http://jerryorr.blogspot.be/2012/05/secure-password-storage-lots-of-donts.html
> http://throwingfire.com/storing-passwords-securely/
> Jasypt (http://www.jasypt.org/) provides all the things mentioned in the articles, such as hashing,
> salting and iteration out of the box, and is also AL 2.0 licensed.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira