[kune-commits] [Kune - Feature #131] Secure register/sign in and autologin

Redmine Comunes noreply at ourproject.org
Mon Sep 3 16:11:25 CEST 2012


Issue #131 has been updated by Vicente J. Ruiz Jurado.

Resolution set to fixed

This was fixed several months ago.

----------------------------------------
Feature #131: Secure register/sign in and autologin
http://redmine.ourproject.org/issues/131#change-390

* Author: Vicente J. Ruiz Jurado
* Status: New
* Priority: High
* Assignee: Vicente J. Ruiz Jurado
* Category: Common
* Target version: 
* Resolution: fixed
----------------------------------------
The goal:
- Register accounts
- Sign in with user/pass
- and auto login with a cookie for some days
in both Kune+Wave+XMPP

Also, we have to permit XMPP auth for non-Kune/Emite XMPP clients.

The current status:
- Kune/WIAB registers users with a SHA-512 + salt digest.
- Auth sends plaintext user + pass (see [[WaveClientSimpleAuthenticator]]), i.e. we should use HTTPS.
- Autologin is done via a hash in a cookie.

A proposed non-secure solution (server-specific) is to implement a custom:
http://www.igniterealtime.org/builds/openfire/docs/latest/documentation/javadoc/org/jivesoftware/openfire/auth/AuthProvider.html
http://community.igniterealtime.org/thread/35365
and for autologin, try to auth to xmpp with user+cookie-hash as a second option using:
http://www.igniterealtime.org/builds/openfire/docs/latest/documentation/javadoc/org/jivesoftware/openfire/auth/HybridAuthProvider.html

This permits normal xmpp use (with external and emite client) and autologin for xmpp also in kune.

Problem: we need to store plain passwords (even with a SASL client, I think). See:
http://svn.igniterealtime.org/svn/repos/openfire/trunk/src/java/org/jivesoftware/openfire/auth/DefaultAuthProvider.java
http://svn.igniterealtime.org/svn/repos/openfire/trunk/src/java/org/jivesoftware/util/Blowfish.java
http://java-monitor.com/forum/showthread.php?t=453
This is not secure: "But hey, management wants encrypted passwords in the database, management gets encrypted passwords in the database. :-)"

TODO: study a way to make a secure plain+digest [[AuthProvider]] compatible with our SHA-512 stored passwords...

Work in progress
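As an added illustration of the two pieces the ticket describes (salted SHA-512 credential storage, and an autologin cookie that can be checked as a second authentication path without keeping plaintext passwords), here is a self-contained Python sketch. It is not Kune, Wave or Openfire code; the token lifetime, the `salthex$digesthex` storage layout and the `username:tokenhex` cookie layout are assumptions chosen for the example, and `authenticate_any` only mirrors the "password first, cookie hash second" lookup the ticket sketches for a HybridAuthProvider rather than implementing that Openfire interface.

```python
import hashlib
import hmac
import os
import secrets
import time

SALT_BYTES = 16
AUTOLOGIN_DAYS = 7          # assumed lifetime; the ticket only says "some days"
DAY = 24 * 60 * 60


def hash_password(password, salt=None):
    """Salted SHA-512, stored as 'salthex$digesthex' (the digest scheme the ticket says Kune/WIAB uses)."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.sha512(salt + password.encode("utf-8")).hexdigest()
    return f"{salt.hex()}${digest}"


def verify_password(stored, password):
    """Recompute the digest with the stored salt; never needs the plaintext password on disk."""
    salt_hex, digest = stored.split("$", 1)
    candidate = hashlib.sha512(bytes.fromhex(salt_hex) + password.encode("utf-8")).hexdigest()
    # constant-time compare so a wrong guess does not leak how many leading characters matched
    return hmac.compare_digest(candidate, digest)


class AuthStore:
    """In-memory stand-in for the user table shared by Kune, Wave and an XMPP auth provider (constructed for the example)."""

    def __init__(self):
        self.users = {}      # username -> salted SHA-512 digest
        self.tokens = {}     # username -> (sha256 of autologin token, expiry epoch seconds)

    def register(self, username, password):
        if username in self.users:
            raise ValueError("user exists")
        self.users[username] = hash_password(password)

    def login(self, username, password):
        stored = self.users.get(username)
        return stored is not None and verify_password(stored, password)

    def issue_autologin(self, username, now=None):
        """Return the cookie value. Only a hash of the random token is kept server-side,
        so a database leak does not hand out usable cookies, and no password is stored in clear."""
        now = time.time() if now is None else now
        token = secrets.token_bytes(32)
        self.tokens[username] = (hashlib.sha256(token).hexdigest(), now + AUTOLOGIN_DAYS * DAY)
        return f"{username}:{token.hex()}"

    def check_autologin(self, cookie, now=None):
        """Return the username if the cookie is well-formed, unexpired and matches; otherwise None."""
        now = time.time() if now is None else now
        try:
            username, token_hex = cookie.split(":", 1)
            token = bytes.fromhex(token_hex)
        except ValueError:
            return None
        entry = self.tokens.get(username)
        if entry is None:
            return None
        digest, expiry = entry
        if now >= expiry:
            self.tokens.pop(username, None)      # expired: drop it so it cannot be replayed later
            return None
        if not hmac.compare_digest(hashlib.sha256(token).hexdigest(), digest):
            return None
        return username

    def revoke_autologin(self, username):
        self.tokens.pop(username, None)

    def authenticate_any(self, username, secret, now=None):
        """Password first, autologin token second: the two-step lookup the ticket proposes
        for XMPP, without the provider ever needing a reversible password."""
        if self.login(username, secret):
            return True
        return self.check_autologin(f"{username}:{secret}", now) == username
```

The point of hashing the autologin token before storing it is that the XMPP side (or any second consumer of the same table) can validate a cookie with a one-way comparison, which is what makes it possible to avoid the Blowfish-style reversible storage the linked Openfire provider relies on. Plain salted SHA-512 is kept here because that is what the ticket says is deployed; a slower password KDF would be the usual hardening step but is outside this sketch.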


