[kune-devel] [kune issues] #131: Secure register/sign in and autologin
kune issues
noreply at ourproject.org
Wed Sep 28 19:36:45 CEST 2011
#131: Secure register/sign in and autologin
Reporter: vjrj
Owner: vjrj
Type: enhancement
Status: new
Priority: major
Milestone:
Component: Common
Version:
Resolution:
Keywords:
Blocked By:
Blocking:
The goal:
- Register accounts
- Sign in with user/pass
- and auto login with a cookie for some days
in Kune, Wave and XMPP.
Also we have to permit XMPP auth for non-Kune/Emite XMPP clients.
The current status:
Kune/WIAB register users with a digest: SHA-512 + salt.
Auth is plaintext user + pass (see WaveClientSimpleAuthenticator), i.e. we should use HTTPS.
Autologin is done via a hash in a cookie.
A proposed non-secure solution (server specific) is to implement a custom:
http://www.igniterealtime.org/builds/openfire/docs/latest/documentation/javadoc/org/jivesoftware/openfire/auth/AuthProvider.html
http://community.igniterealtime.org/thread/35365
and for autologin, try to auth to XMPP with user + cookie-hash as a second
option using:
http://www.igniterealtime.org/builds/openfire/docs/latest/documentation/javadoc/org/jivesoftware/openfire/auth/HybridAuthProvider.html
This permits normal XMPP use (with external and Emite clients) and
autologin for XMPP also in Kune.
Problem: we need to store plain passwords (even with a SASL client I
think). See:
http://svn.igniterealtime.org/svn/repos/openfire/trunk/src/java/org/jivesoftware/openfire/auth/DefaultAuthProvider.java
http://svn.igniterealtime.org/svn/repos/openfire/trunk/src/java/org/jivesoftware/util/Blowfish.java
http://java-monitor.com/forum/showthread.php?t=453
This is not secure: "But hey, management wants encrypted passwords in the
database, management gets encrypted passwords in the database. :-)"
TODO: study a way to make a secure plain+digest AuthProvider
compatible with our SHA-512 stored passwords...
Work in progress
--
Ticket URL: <http://kune.ourproject.org/issues/ticket/131>
kune issues <http://kune.ourproject.org/issues/>
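An added illustration of the two-path scheme the ticket sketches (not code from Kune or Openfire, and not the Openfire AuthProvider interface itself): plain-password verification against a salted SHA-512 store, plus an HMAC-signed, expiring autologin cookie as the second option. The in-memory store, the `|` field separator and the cookie layout are assumptions; the challenge/digest path the ticket worries about is left out because verifying it needs the plaintext password on the server, which a salt + SHA-512 store cannot provide.

```python
import hashlib
import hmac
import os
import time

# Constructed in-memory store: username -> (salt, SHA-512(salt || password)),
# mirroring the "digest SHA-512 + salt" storage the ticket describes.
_USERS = {}
_COOKIE_KEY = os.urandom(32)  # assumed server secret; a deployment loads it from config

def register(user, password):
    """Store only a random salt and SHA-512(salt || password); the plaintext is never kept."""
    if "|" in user:
        raise ValueError("'|' is reserved as the cookie field separator")
    salt = os.urandom(16)
    _USERS[user] = (salt, hashlib.sha512(salt + password.encode()).digest())

def authenticate_plain(user, password):
    """'Plain' path: the client sends the password itself (hence TLS); re-hash and compare."""
    rec = _USERS.get(user)
    if rec is None:
        return False
    salt, stored = rec
    return hmac.compare_digest(hashlib.sha512(salt + password.encode()).digest(), stored)

def issue_autologin_cookie(user, ttl_days=7, now=None):
    """Autologin cookie: user, expiry and an HMAC over both; it carries no password material."""
    exp = int((time.time() if now is None else now) + ttl_days * 86400)
    tag = hmac.new(_COOKIE_KEY, f"{user}|{exp}".encode(), hashlib.sha256).hexdigest()
    return f"{user}|{exp}|{tag}"

def authenticate_cookie(cookie, now=None):
    """Verify HMAC and expiry; return the username on success, None otherwise."""
    try:
        user, exp_s, tag = cookie.split("|")
        exp = int(exp_s)
    except ValueError:
        return None
    expected = hmac.new(_COOKIE_KEY, f"{user}|{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    if (time.time() if now is None else now) >= exp or user not in _USERS:
        return None
    return user

def hybrid_authenticate(user, password=None, cookie=None, now=None):
    """HybridAuthProvider-style chain: password first, then the cookie as the second option."""
    if password is not None and authenticate_plain(user, password):
        return True
    return cookie is not None and authenticate_cookie(cookie, now) == user
```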