Storing User Passwords Securely (A.E) planned?

udoderk
Champ in-the-making
Hi Activiti Core Team,

I have now found that the user passwords are stored as plain text. Storage in this way is not a good solution (and storing a "one-way hash", "salting" the password before hashing, or PER_USER_SALT + password are bad solutions as well).
Are you planning to store the user passwords securely using jBCrypt, scrypt, Shiro or other security solutions?

If we want to implement a more secure solution, like using jBCrypt for Activiti Explorer, what steps are needed?
I know step number zero already 😉: put a library like jBCrypt on the Java classpath.
I suppose that I need to implement my own identity service (following descriptions (1, 2)).


Thanks

frederikherema1
Star Contributor
The explorer app is intended as a "demo app", a good place to start. This is the reason why we're not putting effort into password encryption: it depends on the required implementation.

I'm not sure how the mechanism you're suggesting works, but if you get a piece of text in the end, you can store that as the password using the API. This would only require changing parts of Activiti Explorer (user creation and authentication), which is less drastic than altering user management. If it's a more complex approach, you'll have to override the identity code, indeed.

jbarrez
Star Contributor
I have to disagree with Frederik here (that can happen 😉). I do believe we should add encrypted password storage + salted hashing to the engine. It probably requires some changes in the command that is used to create a new user (when the password is passed in the User POJO). So in theory it would be easy to fix. However, if we want to add a salt, we need a new DB column too, and then some mapping changes.

I actually have it noted down on my todo list for the very near future.
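The discussion above (Frederik's "get a piece of text in the end and store it as the password" approach, and Jos's point about a salt column) maps onto a small bcrypt wrapper. The following is an added example written for this thread, not code from Activiti or jBCrypt; it assumes only that jBCrypt (`org.mindrot.jbcrypt.BCrypt`) is on the classpath. The class names and the sample password are invented for illustration. Because a bcrypt hash string already carries the algorithm version, the cost and the random salt, the stored string can go into the existing password column and no separate salt column is required.

```java
import org.mindrot.jbcrypt.BCrypt;

/**
 * Added example (not Activiti project code): hash passwords with bcrypt so that
 * only the hash string is stored, and verify a login attempt against it.
 * Depends only on jBCrypt.
 */
public class BcryptPasswordExample {

    // Work factor: bcrypt runs 2^LOG_ROUNDS key-setup iterations.
    // 12 is a reasonable default today; raise it as hardware gets faster.
    private static final int LOG_ROUNDS = 12;

    /**
     * Produce the string to store as the user's password.
     * gensalt() draws a fresh 128-bit salt from SecureRandom for each call,
     * and the result ("$2a$12$<22-char salt><31-char hash>") embeds the salt.
     */
    public static String hashForStorage(String plaintext) {
        // bcrypt only looks at the first 72 bytes of the password; reject
        // anything longer instead of silently truncating it.
        if (plaintext == null || plaintext.getBytes(java.nio.charset.StandardCharsets.UTF_8).length > 72) {
            throw new IllegalArgumentException("password must be 1..72 bytes");
        }
        return BCrypt.hashpw(plaintext, BCrypt.gensalt(LOG_ROUNDS));
    }

    /**
     * Check a login attempt. checkpw re-hashes the candidate with the salt and
     * cost taken from the stored string and compares in constant time.
     * A stored value that is not a bcrypt string (e.g. a legacy plaintext
     * password) never verifies, so it cannot be used as a password itself.
     */
    public static boolean verify(String candidate, String stored) {
        if (candidate == null || stored == null || !stored.startsWith("$2")) {
            return false;
        }
        try {
            return BCrypt.checkpw(candidate, stored);
        } catch (IllegalArgumentException malformedHash) {
            return false;
        }
    }

    /** True if the stored hash was made with a lower cost than current policy. */
    public static boolean needsRehash(String stored) {
        // Fields: "", "2a", "12", "<salt+hash>"
        String[] parts = stored.split("\\$");
        if (parts.length < 4) {
            return true;
        }
        try {
            return Integer.parseInt(parts[2]) < LOG_ROUNDS;
        } catch (NumberFormatException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        // Constructed sample data: a user-creation step followed by two logins.
        String stored = hashForStorage("kermit-demo-password");
        System.out.println("stored value: " + stored);
        System.out.println("correct password accepted: " + verify("kermit-demo-password", stored));
        System.out.println("wrong password rejected:   " + !verify("Kermit-demo-password", stored));

        // A row still holding plaintext (the situation described in the thread)
        // fails verification rather than being accepted as a valid hash.
        System.out.println("plaintext row rejected:    " + !verify("kermit-demo-password", "kermit-demo-password"));

        // Upgrade-on-login: an old hash made with a weaker cost is re-hashed
        // once the user has proven the password.
        String legacy = BCrypt.hashpw("kermit-demo-password", BCrypt.gensalt(4));
        if (verify("kermit-demo-password", legacy) && needsRehash(legacy)) {
            String upgraded = hashForStorage("kermit-demo-password");
            System.out.println("legacy hash upgraded:      " + !needsRehash(upgraded));
        }
    }
}
```

In Frederik's approach the output of `hashForStorage` is what the explorer's user-creation code would pass to the existing password setter, and the login handler would load the stored string and call `verify` instead of comparing plaintext; nothing in the engine's schema has to change for that. The `needsRehash` check is what lets the work factor be raised later without a migration.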

frederikherema1
Star Contributor
As mentioned above, hashing + salt is also not "safe enough" for the requirement 😉

jbarrez
Star Contributor
Good point, missed that.

But we should still make it better than it is now 😉

udoderk
Champ in-the-making

"I'm not sure how the mechanism you're suggesting works, but if you get a piece of text in the end, you can store that as the password using the API. This would only require changing parts of Activiti Explorer (user creation and authentication), which is less drastic than altering user management. If it's a more complex approach, you'll have to override the identity code, indeed."

Hi frederikheremans, and thank you for the tips 🙂

"The explorer app is intended as a "demo app", a good place to start. This is the reason why we're not putting effort into password encryption: it depends on the required implementation……."

I know that the Activiti stack has two identity packages:
1. The Activiti Explorer package, containing the interfaces:

org.activiti.explorer.identity.LoggedInUser

org.activiti.explorer.ui.login.LoginHandler


And ..0. 😉
The Activiti Engine public stable packages and the not-stable technical public packages.
I write "Engine" because they are logically (imho) and "physically" (as the JAR file activiti-engine) part of the Activiti engine.

Examples of such Java classes are:
Therefore the identity functionality is one of the core functionalities of Activiti (also included in the engine). Part of the identity functionality is the authentication functionality. The password-encryption functionality is part of the authentication functionality. Thus, the password-encryption functionality should be part of activiti-engine (in the form of a few interfaces, imho). The default realisation could be implemented in the "not stable" public packages of the Activiti engine, or it could be implemented in the activiti-explorer Java classes.

P.S. I have now found such a Shiro plugin in Groovy:

https://github.com/nickmancol/grails-activiti-shiro-security-plugin/blob/master/ActivitiShiroGrailsP...
with a description in Spanish(?)