Discussion Forums

Override the hashing mechanism

Ugo Ducharme, modified 10 years ago.

Override the hashing mechanism

New Member Posts: 13 Join Date: 30/07/13 Recent Posts
We are in the process of implementing our first installation of Liferay and our security team would like that if two users have the same password, they would have two different hashes.

To do this, I would like to concatenate the screen name to the password before it is being hashed. To do this, I first thought of overriding the Authenticator but that won't do the trick as I need to override everywhere the password gets saved to database.

What should I override to change how the hash is done? Can I invent a new hash algorithm that would do sha but with the screen name concatenated?
David H Nebinger, modified 10 years ago.

RE: Override the hashing mechanism

Liferay Legend Posts: 14919 Join Date: 2/09/06 Recent Posts
I think it's going to require a two-pronged attack...

First there's saving/updating the user record for password sets, resets, etc. You'd have to inject yourself here to artificially add the screen name when computing the hash.

The bigger problem, of course, is authentication. Normally you'd be ensuring that the given info is valid and let the user in. We use email address for our login (not screen name). So for us, in order to authenticate I'd have to pull back the user record in order to get their screen name, concat it to the entered password, and finally use that in computing the hash and comparing what's in the database...

All of these things are doable. I guess I would say that if your security guys are that paranoid, you may want to offload authentication to some other component, i.e. ldap or cas or openid or ...
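
The two prongs described in the reply above (hashing on every password save, then fetching the record at login to recover the screen name), as an added example that is not part of the original thread and is not Liferay code. The class, the method names and the in-memory `USERS` map are hypothetical stand-ins, and plain SHA-256 is used only to mirror the scheme proposed in the question.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public class ScreenNameSaltedHash {
    // Hypothetical stand-in for the user table: email -> {screenName, storedHash}.
    static final Map<String, String[]> USERS = new HashMap<>();

    // Hash screenName + password. The NUL separator keeps ("ab","c") and ("a","bc") distinct.
    static String hash(String screenName, String password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(screenName.getBytes(StandardCharsets.UTF_8));
            md.update((byte) 0);
            md.update(password.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(md.digest());
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is mandatory on every Java platform
        }
    }

    // Prong 1: every password set or reset has to go through the same function.
    static void setPassword(String email, String screenName, String password) {
        USERS.put(email, new String[] {screenName, hash(screenName, password)});
    }

    // Prong 2: login is by email, so the record is fetched first to learn the screen name.
    static boolean authenticate(String email, String password) {
        String[] user = USERS.get(email);
        if (user == null) return false;
        byte[] expected = user[1].getBytes(StandardCharsets.UTF_8);
        byte[] actual = hash(user[0], password).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, actual); // constant-time comparison
    }

    public static void main(String[] args) {
        setPassword("a@example.com", "alice", "S3cret!"); // constructed sample users
        setPassword("b@example.com", "bob", "S3cret!");
        boolean sameHash = USERS.get("a@example.com")[1].equals(USERS.get("b@example.com")[1]);
        System.out.println("same password, same hash: " + sameHash);
        System.out.println("login before rename: " + authenticate("a@example.com", "S3cret!"));
        USERS.get("a@example.com")[0] = "alice2"; // screen name changed, hash not recomputed
        System.out.println("login after rename: " + authenticate("a@example.com", "S3cret!"));
    }
}
```

The last call shows the cost of tying the hash to the screen name: a rename invalidates the stored hash, and it cannot be recomputed without the plaintext password. A random per-user salt stored next to the hash gives the same "different hashes for equal passwords" property without that dependency.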
Ugo Ducharme, modified 10 years ago.

RE: Override the hashing mechanism

New Member Posts: 13 Join Date: 30/07/13 Recent Posts
Can you tell me how to inject myself where the hash is computed? I can't seem to find a central point where this is done.