[kune-commits] [Kune - Feature #131] Secure register/sign in and autologin
Redmine Comunes
noreply at ourproject.org
Mon Sep 3 16:11:25 CEST 2012
Issue #131 has been updated by Vicente J. Ruiz Jurado.
Resolution set to fixed
This was fixed several months ago.
----------------------------------------
Feature #131: Secure register/sign in and autologin
http://redmine.ourproject.org/issues/131#change-390
* Author: Vicente J. Ruiz Jurado
* Status: New
* Priority: High
* Assignee: Vicente J. Ruiz Jurado
* Category: Common
* Target version:
* Resolution: fixed
----------------------------------------
The goal:
- Register accounts
- Sign in with user/pass
- and auto login with a cookie for some days
in both Kune+Wave+XMPP
Also we have to permit xmpp auth to non kune/emite xmpp clients.
The current status:
Kune/WIAB register users with digest SHA-512 + salt
auth plaintext user + pass (see [[WaveClientSimpleAuthenticator]]). Aka: We should use https
Autologin is done via a hash in a cookie.
A proposed non secure solution (server specific) is to implement a custom:
http://www.igniterealtime.org/builds/openfire/docs/latest/documentation/javadoc/org/jivesoftware/openfire/auth/AuthProvider.html
http://community.igniterealtime.org/thread/35365
and for autologin, try to auth to xmpp with user+cookie-hash as a second option using:
http://www.igniterealtime.org/builds/openfire/docs/latest/documentation/javadoc/org/jivesoftware/openfire/auth/HybridAuthProvider.html
This permits normal xmpp use (with external and emite client) and autologin for xmpp also in kune.
Problem: we need to store plain passwords (even with a SASL client I think). See:
http://svn.igniterealtime.org/svn/repos/openfire/trunk/src/java/org/jivesoftware/openfire/auth/DefaultAuthProvider.java
http://svn.igniterealtime.org/svn/repos/openfire/trunk/src/java/org/jivesoftware/util/Blowfish.java
http://java-monitor.com/forum/showthread.php?t=453
This is not secure: "But hey, management wants encrypted passwords in the database, management gets encrypted passwords in the database. :-)"
TODO: study a way to make a compatible secure plain+digest [[AuthProvider]] compatible with our SHA-512 stored pass...
Work in progress
--
You have received this notification because you have either subscribed to it, or are involved in it.
To change your notification preferences, please click here: http://redmine.ourproject.org/my/account
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.ourproject.org/pipermail/kune-commits/attachments/20120903/012d0ac0/attachment.htm
More information about the kune-commits
mailing list