[52N Security] wss cleartext password in users.xml

[52N Security] wss cleartext password in users.xml

Sandor Csaba
Hi again,

Apparently users.xml stores passwords as cleartext. In my setup I need
to check users against a database table with md5 sums in it as
passwords (actually a drupal user database in mysql).

Can I store passwords in users.xml as md5 sum?

Or is there a way to connect wss directly to some authentication service?

Can you point me to information regarding this topic?

Thanks,
Csaba

--
Sándor Csaba
Service Manager
ViaMap Kft.
Registered office/postal address: 1132 Budapest, Váci út 60-62.

Office: Hungária Malom Udvar
1093 Budapest, Soroksári út 48-54.
Building 11, 4th floor, 404.

Tel: +3630/9605853
Fax: +3617002542
_______________________________________________
Security mailing list
[hidden email]
http://list.52north.org/mailman/listinfo/security
http://security.forum.52north.org

Re: [52N Security] wss cleartext password in users.xml

Jan Drewnak
Csaba,

Unfortunately we do not provide an out-of-the-box solution.

MD5 checksums in users.xml
--------------------------
Not supported yet, but something we really should consider for the near future.

Connect to some kind of authentication service
----------------------------------------------
You generally have two options to connect to user stores or authentication services:
1. Provide a custom implementation of the AuthenticationService interface [1] and configure the WSS to use it.
2. Use 52n's default implementation of that interface, which allows you to plug in JAAS [2] compliant, so-called LoginModules. You will most likely need to implement your own LoginModule.


In both cases you need to take care that the user's authentication data (user name and role) is encoded as expected by the WSS's permission model. You can find a LoginModule in the 52n code which connects to a database here [3]. Please note that this module is not recommended for production environments.



Best regards,

  Jan Drewnak


[1] http://52north.org/communities/security/generated-sites/api/2.1/apidocs/index.html
[2] http://download.oracle.com/javase/6/docs/technotes/guides/security/
[3] http://52north.org/communities/security/generated-sites/api/2.1/xref/org/n52/security/authentication/loginmodule/DataBaseLoginModule.html

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Sandor Csaba
Sent: Thursday, 13 January 2011 14:10
To: [hidden email]
Subject: [52N Security] wss cleartext password in users.xml

Hi again,

Apparently users.xml stores passwords as cleartext. In my setup I need to check users against a database table with md5 sums in it as passwords (actually a drupal user database in mysql).

Can I store passwords in users.xml as md5 sum?

Or is there a way to connect wss directly to some authentication service?

Can you point me to information regarding this topic?

Thanks,
Csaba
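
As an added illustration of option 2 in the reply above (not part of the thread and not 52°North code), here is a minimal JAAS LoginModule for Java 17+ that checks a typed password against stored unsalted MD5 hex digests, as the question describes its user table. The class name, the `Named` principal type and the in-memory `USERS` map are assumptions; the principal encoding the WSS permission model expects is not given in the thread.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class Md5TableLoginModule implements LoginModule {
    // Hypothetical principal type: the encoding the WSS permission model expects is not shown in the thread.
    record Named(String kind, String getName) implements Principal {}
    // Constructed stand-in for the user table (name -> {MD5 hex, role}); a real module would query the database.
    static final Map<String, String[]> USERS =
        Map.of("alice", new String[] {"5f4dcc3b5aa765d61d8327deb882cf99", "editor"}); // MD5 of "password"
    private Subject subject;
    private CallbackHandler handler;
    private List<Principal> granted = List.of();

    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> options) {
        subject = s; handler = h;
    }
    public boolean login() throws LoginException {
        NameCallback name = new NameCallback("user: ");
        PasswordCallback pass = new PasswordCallback("password: ", false);
        boolean ok = false;
        String[] row = null;
        try {
            handler.handle(new Callback[] {name, pass});   // the container supplies the credentials
            row = name.getName() == null ? null : USERS.get(name.getName());
            char[] typed = pass.getPassword();              // a copy; the callback's own buffer is wiped next
            pass.clearPassword();
            ok = row != null && typed != null && matches(typed, row[0]);
        } catch (Exception e) {
            throw new LoginException("cannot check credentials: " + e.getMessage());
        }
        if (!ok) throw new FailedLoginException("invalid user name or password"); // same text for both causes
        granted = List.of(new Named("user", name.getName()), new Named("role", row[1]));
        return true;
    }
    static boolean matches(char[] typed, String storedHex) throws GeneralSecurityException {
        byte[] digest = MessageDigest.getInstance("MD5").digest(new String(typed).getBytes(StandardCharsets.UTF_8));
        return MessageDigest.isEqual(digest, HexFormat.of().parseHex(storedHex)); // constant-time compare
    }
    public boolean commit() {
        if (!granted.isEmpty()) subject.getPrincipals().addAll(granted);
        return !granted.isEmpty(); // false tells JAAS to ignore this module
    }
    public boolean abort() { granted = List.of(); return true; }
    public boolean logout() { subject.getPrincipals().removeAll(granted); return abort(); }
}
```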
