<html>
<head>
<style>
body {
font-family: Verdana, sans-serif;
font-size: 0.8em;
color:#484848;
}
h1, h2, h3 { font-family: "Trebuchet MS", Verdana, sans-serif; margin: 0px; }
h1 { font-size: 1.2em; }
h2, h3 { font-size: 1.1em; }
a, a:link, a:visited { color: #2A5685;}
a:hover, a:active { color: #c61a1a; }
a.wiki-anchor { display: none; }
hr {
width: 100%;
height: 1px;
background: #ccc;
border: 0;
}
.footer {
font-size: 0.8em;
font-style: italic;
}
</style>
</head>
<body>
<span class="header"></span>
Issue #131 has been updated by Vicente J. Ruiz Jurado.
<ul>
<li><strong>Resolution</strong> set to <i>fixed</i></li>
</ul>
<p>This was fixed several months ago.</p>
<hr />
<h1><a href="http://redmine.ourproject.org/issues/131#change-390">Feature #131: Secure register/sign in and autologin</a></h1>
<ul>
<li>Author: Vicente J. Ruiz Jurado</li>
<li>Status: New</li>
<li>Priority: High</li>
<li>Assignee: Vicente J. Ruiz Jurado</li>
<li>Category: Common</li>
<li>Target version: </li>
<li>Resolution: fixed</li>
</ul>
<p>The goal:<br />- Register accounts<br />- Sign in with user/pass<br />- and auto login with a cookie for some days<br />in both Kune+Wave+XMPP</p>
<p>Also we have to permit xmpp auth to non kune/emite xmpp clients.</p>
<p>The current status:<br />Kune/WIAB register users with digest SHA-512 + salt<br /> auth plaintext user + pass (see <a href="http://redmine.ourproject.org/projects/kune/wiki/WaveClientSimpleAuthenticator" class="wiki-page new">WaveClientSimpleAuthenticator</a>). Aka: We should use https<br />Autologin is done via a hash in a cookie.</p>
<p>A proposed non secure solution (server specific) is to implement a custom:<br /><a class="external" href="http://www.igniterealtime.org/builds/openfire/docs/latest/documentation/javadoc/org/jivesoftware/openfire/auth/AuthProvider.html">http://www.igniterealtime.org/builds/openfire/docs/latest/documentation/javadoc/org/jivesoftware/openfire/auth/AuthProvider.html</a><br /><a class="external" href="http://community.igniterealtime.org/thread/35365">http://community.igniterealtime.org/thread/35365</a><br />and for autologin, try to auth to xmpp with user+cookie-hash as a second option using:<br /><a class="external" href="http://www.igniterealtime.org/builds/openfire/docs/latest/documentation/javadoc/org/jivesoftware/openfire/auth/HybridAuthProvider.html">http://www.igniterealtime.org/builds/openfire/docs/latest/documentation/javadoc/org/jivesoftware/openfire/auth/HybridAuthProvider.html</a></p>
<p>This permits normal xmpp use (with external and emite client) and autologin for xmpp also in kune.</p>
<p>Problem: we need to store plain passwords (even with a SASL client I think). See:<br /><a class="external" href="http://svn.igniterealtime.org/svn/repos/openfire/trunk/src/java/org/jivesoftware/openfire/auth/DefaultAuthProvider.java">http://svn.igniterealtime.org/svn/repos/openfire/trunk/src/java/org/jivesoftware/openfire/auth/DefaultAuthProvider.java</a><br /><a class="external" href="http://svn.igniterealtime.org/svn/repos/openfire/trunk/src/java/org/jivesoftware/util/Blowfish.java">http://svn.igniterealtime.org/svn/repos/openfire/trunk/src/java/org/jivesoftware/util/Blowfish.java</a><br /><a class="external" href="http://java-monitor.com/forum/showthread.php?t=453">http://java-monitor.com/forum/showthread.php?t=453</a><br />This is not secure: "But hey, management wants encrypted passwords in the database, management gets encrypted passwords in the database. :-)"</p>
<p>TODO: study a way to make a compatible secure plain+digest <a href="http://redmine.ourproject.org/projects/kune/wiki/AuthProvider" class="wiki-page new">AuthProvider</a> compatible with our SHA-512 stored pass...</p>
<p>Work in progress</p>
<hr />
<span class="footer"><p>You have received this notification because you have either subscribed to it, or are involved in it.<br />To change your notification preferences, please click here: <a class="external" href="http://redmine.ourproject.org/my/account">http://redmine.ourproject.org/my/account</a></p></span>
</body>
</html>