https://connect.hyland.com/t5/alfresco-archive/storing-user-passwords-securely-a-e-planned/m-p/139093#M97482 <HTML><HEAD></HEAD><BODY><SPAN>As mentioned above, hashing + salt is also not "safe enough" for the requirement <img id="smileywink" class="emoticon emoticon-smileywink" src="https://connect.hyland.com/i/smilies/16x16_smiley-wink.png" alt="Smiley Wink" title="Smiley Wink" /></SPAN></BODY></HTML> Thu, 21 Mar 2013 11:36:13 GMT frederikherema1 2013-03-21T11:36:13Z https://connect.hyland.com/t5/alfresco-archive/storing-user-passwords-securely-a-e-planned/m-p/139090#M97479 Hi Activiti Core Team,now i'm found, that the user passwords are stored as plain text. The Storage in this way is not a good solution (as well as store a "one-way hash" , "salt" the password before hashing, PER_USER_SALT + password - thay are bad solutions)Are you planning the securely storing of th Wed, 20 Mar 2013 13:22:13 GMT https://connect.hyland.com/t5/alfresco-archive/storing-user-passwords-securely-a-e-planned/m-p/139090#M97479 udoderk 2013-03-20T13:22:13Z https://connect.hyland.com/t5/alfresco-archive/storing-user-passwords-securely-a-e-planned/m-p/139091#M97480 <HTML><HEAD></HEAD><BODY><SPAN>The explorer-app is intended as a "demo app",&nbsp; a good place to start. This is the reason why we're not putting in effort for password-encryption because this depends on the required implementation.</SPAN><BR /><BR /><SPAN>I'm not sure how that mechanism works you're suggesting, but if you get a piece of text in the end, that you can store as a password using the API. This would only require changing parts of the Activiti-explorer (user-creation and authentication) which is less drastically than altering user-management. If it's a more complex approach, you'll have to override the identity-stuff, indeed.</SPAN></BODY></HTML> Thu, 21 Mar 2013 07:51:22 GMT https://connect.hyland.com/t5/alfresco-archive/storing-user-passwords-securely-a-e-planned/m-p/139091#M97480 frederikherema1 2013-03-21T07:51:22Z https://connect.hyland.com/t5/alfresco-archive/storing-user-passwords-securely-a-e-planned/m-p/139092#M97481 <HTML><HEAD></HEAD><BODY><SPAN>I have to disagree with Frederik here (that can happen <span class="lia-unicode-emoji" title=":winking_face:">😉</span> ). I do believe we should add encrypted password storage + salt hashing to the engine. It requires some changes probably in the command that is used to create a new user (when the password is passed in the User pojo object). So in theory, it would be easy to fix. However, if we want to add a salt, we need a new DB column too, and then some mapping changes.</SPAN><BR /><BR /><SPAN>I actually have it noted down on my todo list for the very near future.</SPAN></BODY></HTML> Thu, 21 Mar 2013 11:32:18 GMT https://connect.hyland.com/t5/alfresco-archive/storing-user-passwords-securely-a-e-planned/m-p/139092#M97481 jbarrez 2013-03-21T11:32:18Z https://connect.hyland.com/t5/alfresco-archive/storing-user-passwords-securely-a-e-planned/m-p/139093#M97482 <HTML><HEAD></HEAD><BODY><SPAN>As mentioned above, hashing + salt is also not "safe enough" for the requirement <img id="smileywink" class="emoticon emoticon-smileywink" src="https://connect.hyland.com/i/smilies/16x16_smiley-wink.png" alt="Smiley Wink" title="Smiley Wink" /></SPAN></BODY></HTML> Thu, 21 Mar 2013 11:36:13 GMT https://connect.hyland.com/t5/alfresco-archive/storing-user-passwords-securely-a-e-planned/m-p/139093#M97482 frederikherema1 2013-03-21T11:36:13Z https://connect.hyland.com/t5/alfresco-archive/storing-user-passwords-securely-a-e-planned/m-p/139094#M97483 <HTML><HEAD></HEAD><BODY><SPAN>God point, missed that. </SPAN><BR /><BR /><SPAN>But still we should make it better than it now is <span class="lia-unicode-emoji" title=":winking_face:">😉</span></SPAN></BODY></HTML> Thu, 21 Mar 2013 11:42:12 GMT https://connect.hyland.com/t5/alfresco-archive/storing-user-passwords-securely-a-e-planned/m-p/139094#M97483 jbarrez 2013-03-21T11:42:12Z https://connect.hyland.com/t5/alfresco-archive/storing-user-passwords-securely-a-e-planned/m-p/139095#M97484 <HTML><HEAD></HEAD><BODY><BLOCKQUOTE class="jive-quote">…<BR />I'm not sure how that mechanism works you're suggesting, but if you get a piece of text in the end, that you can store as a password using the API. This would only require changing parts of the Activiti-explorer (user-creation and authentication) which is less drastically than altering user-management. If it's a more complex approach, you'll have to override the identity-stuff, indeed.</BLOCKQUOTE><BR /><SPAN>Hi frederikheremans, and thank you for that tips <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://connect.hyland.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /> </SPAN><BR /><BR /><BLOCKQUOTE class="jive-quote">The explorer-app is intended as a "demo app",&nbsp; a good place to start. This is the reason why we're not putting in effort for password-encryption because this depends on the required implementation…….</BLOCKQUOTE><BR /><SPAN>i know, that Activiti Stack has two </SPAN><EM>identity</EM><SPAN> packages:</SPAN><BR /><SPAN>1. ActivitiExplorer-package, containing interfaces:</SPAN><BR /><BR /><EM><A href="https://github.com/Activiti/Activiti/blob/master/modules/activiti-explorer/src/main/java/org/activiti/explorer/identity/LoggedInUser.java" rel="nofollow noopener noreferrer">org.activiti.explorer.identity.LoggedInUser</A><BR /><BR /><A href="http://code.google.com/p/activitiinaction/source/browse/trunk/book-explorer-form/src/main/java/org/activiti/explorer/ui/login/LoginHandler.java" rel="nofollow noopener noreferrer">org.activiti.explorer.ui.login.LoginHandler</A></EM><BR /><BR /><SPAN>And ..</SPAN><STRONG>0.</STRONG><SPAN> <img id="smileywink" class="emoticon emoticon-smileywink" src="https://connect.hyland.com/i/smilies/16x16_smiley-wink.png" alt="Smiley Wink" title="Smiley Wink" />&nbsp; -</SPAN><BR /><SPAN>Activiti </SPAN><STRONG>Engine </STRONG><SPAN>public </SPAN><EM>stable </EM><SPAN>packages and not stable </SPAN><EM>techical public</EM><SPAN> packages.</SPAN><BR /><SPAN>I write </SPAN><STRONG>Engine </STRONG><SPAN> because thay logically (imho) and "physically" (as JAR file activiti-engine) are part of activiti engine.</SPAN><BR /><BR /><SPAN>The examples of such javas are:</SPAN><BR /><UL><A href="http://www.activiti.org/javadocs/org/activiti/engine/IdentityService.html" rel="nofollow noopener noreferrer">org.activiti.engine.IdentityService</A><BR /><BR /><A href="https://github.com/Activiti/Activiti/blob/master/modules/activiti-engine/src/main/java/org/activiti/engine/identity/Group.java" rel="nofollow noopener noreferrer">org.activiti.engine.identity.Group</A><BR /><BR /><A href="https://github.com/Activiti/Activiti/blob/master/modules/activiti-engine/src/main/java/org/activiti/engine/identity/User.java" rel="nofollow noopener noreferrer">org.activiti.engine.identity.User</A><BR /><BR /><A href="https://github.com/Activiti/Activiti/blob/master/modules/activiti-engine/src/main/java/org/activiti/engine/impl/identity/Authentication.java" rel="nofollow noopener noreferrer">org.activiti.engine.impl.identity.Authentication</A><BR /><BR /><A href="https://github.com/Activiti/Activiti/blob/master/modules/activiti-engine/src/main/java/org/activiti/engine/impl/persistence/entity/UserEntity.java" rel="nofollow noopener noreferrer">org.activiti.engine.impl.persistence.entity.UserEntity</A> <BR /><BR /><A href="https://github.com/Activiti/Activiti/blob/master/modules/activiti-engine/src/main/java/org/activiti/engine/impl/persistence/entity/UserEntityManager.java" rel="nofollow noopener noreferrer">activiti.engine.impl.persistence.entity.UserEntityManager</A><BR /><BR /><A href="https://github.com/Activiti/Activiti/blob/master/modules/activiti-engine/src/main/java/org/activiti/engine/impl/persistence/entity/MembershipEntity.java" rel="nofollow noopener noreferrer">org.activiti.engine.impl.persistence.entity.MembershipEntity</A><BR /><BR /><A href="https://github.com/Activiti/Activiti/blob/master/modules/activiti-engine/src/main/java/org/activiti/engine/impl/persistence/entity/GroupEntity.java" rel="nofollow noopener noreferrer">org.activiti.engine.impl.persistence.entity.GroupEntity</A><BR /><BR /><A href="https://github.com/Activiti/Activiti/blob/master/modules/activiti-engine/src/main/java/org/activiti/engine/impl/persistence/entity/GroupEntityManager.java" rel="nofollow noopener noreferrer">org.activiti.engine.impl.persistence.entity.GroupEntityManager</A></UL><SPAN>Therefore the identity functionality is a one of core functionalities of activiti (also included to engine). A part of identity functionality is an authentication functionality.&nbsp; The password-encryption functionality is a part of an authentication functionality. Thus, the password-encryption functionality should be a part of activiti-engine. (In form of a few interfaces (imho) ). The default realisation could be implemented in "not stable" public packages of activiti engine. Or it could be implemented into "activiti-explorer" java classes.</SPAN><BR /><BR /><SPAN>P.S Now i found such Shiro plugin in groovy</SPAN><BR /><BR /><A href="https://github.com/nickmancol/grails-activiti-shiro-security-plugin/blob/master/ActivitiShiroGrailsPlugin.groovy" rel="nofollow noopener noreferrer">https://github.com/nickmancol/grails-activiti-shiro-security-plugin/blob/master/ActivitiShiroGrailsPlugin.groovy</A><BR /><SPAN>with </SPAN><A href="https://bitbucket.org/nickmancol/grails-activiti-shiro-security-plugin/wiki/Home" rel="nofollow noopener noreferrer">description</A><SPAN> ..in Spain language(?)</SPAN></BODY></HTML> Thu, 21 Mar 2013 20:48:44 GMT https://connect.hyland.com/t5/alfresco-archive/storing-user-passwords-securely-a-e-planned/m-p/139095#M97484 udoderk 2013-03-21T20:48:44Z