[Opensource] Ref.: Re: [Opensource] password decryption

Raul DAVIDOVICH R.DAVIDOVICH at caconcology.com
Fri Oct 18 02:47:44 PDT 2002


Another option could be to use kerberos style authentication..


---------------------------------------------------
Raul Davidovich
Responsable Informatique
Cvitkovic & Associés Consultants

(33) 1 45 15 40 68
(33) 1 45 15 40 41 Fax
-------------------------------------------------------
http://www.caconcology.com


Steve Posick <steve.posick at advansol.com>
Sent by: opensource-admin at jcorporate.com
17/10/2002 17:10
Please reply to: opensource

To: opensource at jcorporate.com
cc:
Subject: Re: [Opensource] password decryption




It's a bad smell that the password is stored at all!  There really should
only be a hash of the password stored in the authentication database.  And
that should be a secure hash, such as a SHA-1 with some salt value.
Storing the password in plain text in the session can allow for a rogue
programmer to harvest passwords.

For your single sign-on solution, have you looked into the method by which
IE and IIS use SMB authentication to allow Windows users to use their
domain accounts to access web resources?  You could probably use the
source from Samba to help you write a similar authentication scheme.  If
I'm not mistaken, when the user hits a protected web resource you would
send an SMB challenge back to the host machine.  The Windows box will then
reply to the challenge with the logged-in user's credentials.  You could
pass this information to the operating system (if you're running on
Windows) to verify the credentials, or you could authenticate to the
domain server.

Just my .02

At 09:37 AM 10/17/2002 -0400, you wrote:
      Hi again,

      I have seen that LoginController does already save the original
      password in session.
      So, for a Single Sign-On situation, I just have to find the way to
      access it.
      Does anyone feel any bad smell here?

      Lirian


      Lirian Ostrovica wrote:

      > Mike,
      >
      > The problem I think is that cookie's encrypted password is only
      > available when the client chooses to have the password remembered.
      > What I'm trying to do, is a kind of a Single Sign-On, that should
      > always work.
      >
      > If there is no other way of getting the password back, I would try
      > modifying/adding some code.
      > For example I might try storing the password in the session.
      > Do you have any better idea ?
      >
      > Lirian
      >
      > Michael Rimov wrote:
      >
      > > At 11:29 AM 10/15/2002 -0400, you wrote:
      > > >Hi,
      > > >I wanted to have back the original user's password, from the
      > > >encrypted one ( that I get when I call:  currentUser.getPassword() )
      > > >Can someone save me some time, by sending the few (I guess)
      > > >lines of code needed for that.
      > > >With a quick effort I wrote the following but it did not work.
      > >
      > > Actually, the password is hashed, not encrypted; therefore, you
      > > cannot actually "Get" the password from the database.  The only time
      > > the password is encrypted is through the User's password cookie.  So
      > > you could call getSession().getClientAttribute("password"); and that
      > > might help.
      > >
      > > If you're confused about the difference, take a search with Google
      > > on "Cryptographic Hashing".
      > >
      > > HTH!
      > >                                          -Mike
      > >
      > > _______________________________________________
      > > Opensource mailing list
      > > Opensource at jcorporate.com
      > > http://mail.jcorporate.com/mailman/listinfo/opensource
      > > Archives: http://mail.jcorporate.com/pipermail/opensource/



Steven J. Posick, CISSP
CEO - Systems Architect
AdvanSol LLC.
EMail: steve.posick at advansol.com
Phone: (203) 924-6629
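Two points in the quoted exchange, Mike's note that a hash cannot be turned back into the password and Steve's advice to store only a salted hash and not to keep the password in the session for single sign-on, can be shown concretely. The Python below is an added example written for this archive page; it is not code from the Expresso project, from jcorporate, or from anyone on the thread. It uses PBKDF2-SHA256 rather than the single salted SHA-1 round Steve mentions (an assumed strengthening of the same idea), and the usernames, the shared signing key and the 300-second assertion lifetime are constructed values.

```python
import base64
import binascii
import hashlib
import hmac
import json
import os
import time
from typing import Optional

# ---------------------------------------------------------------------------
# 1. What the authentication database should hold: a salt and a digest.
#    A digest is one-way, so there is no "decrypt" step; a login attempt is
#    checked by recomputing the digest with the stored salt.
# ---------------------------------------------------------------------------

ITERATIONS = 100_000  # PBKDF2 work factor (assumed strengthening of one salted hash round)


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Build the stored record for a user. Only the salt and digest are kept."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "digest": digest.hex()}


def verify(record: dict, candidate: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(digest.hex(), record["digest"])


# ---------------------------------------------------------------------------
# 2. Single sign-on without keeping the password in the session: once the
#    first application has verified the login, it issues a short-lived
#    assertion signed with a key shared by the cooperating applications
#    (a Kerberos-style ticket in spirit). The second application checks the
#    signature and the expiry; it never sees the password.
# ---------------------------------------------------------------------------

SSO_KEY = b"constructed-demo-key-replace-in-real-deployments"  # assumption: shared out of band


def issue_assertion(username: str, now: int, ttl: int = 300, key: bytes = SSO_KEY) -> str:
    """Return base64(payload).base64(HMAC-SHA256 tag), valid for ttl seconds."""
    payload = json.dumps({"sub": username, "exp": now + ttl}, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode("ascii") + "."
            + base64.urlsafe_b64encode(tag).decode("ascii"))


def accept_assertion(token: str, now: int, key: bytes = SSO_KEY) -> Optional[str]:
    """Return the asserted username if the tag and expiry check out, else None."""
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, binascii.Error):
        return None  # malformed token
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # forged, truncated or altered
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return None  # expired
    return claims["sub"]


if __name__ == "__main__":
    record = make_record("correct horse")  # created once, at registration
    print("login ok:", verify(record, "correct horse"))
    print("wrong pw:", verify(record, "Correct horse"))
    token = issue_assertion("lirian", now=int(time.time()))
    print("second app sees:", accept_assertion(token, now=int(time.time())))
```

Nothing in the stored record or in the assertion contains the password, so neither a database dump nor a session or cookie leak hands out credentials; a stolen assertion is limited by its expiry and by the signing key, which is the property the "password in the session" approach cannot offer.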