Message Boards

Decrypting portal user password

Updated 14 years ago by Vytautas R.

Decrypting portal user password

New Member Posts: 12 Join Date: 09/12/08 Recent Posts
Hi,

I'm developing login logic through Facebook Connect and need some hint.
After I get the Facebook user ID, which is mapped to a portal user ID, I want to log the user in to their account. I retrieve the particular User object; its password is encrypted in the DB. I want to use
LoginUtil.login(request, response, login, password, rememberMe, authType);
so, I need password unencrypted.
Encryptor.decrypt() method gives exception:
javax.crypto.IllegalBlockSizeException: Input length must be multiple of 8 when decrypting with padded cipher

What should I do about that?
Maybe there is some other way to login user to liferay?

BTW I'm doing all this stuff in LoginAction (EXT env).

Any thoughts greatly appreciated. Thanks!
Updated 14 years ago by Vytautas R.

RE: Decrypting portal user password

New Member Posts: 12 Join Date: 09/12/08 Recent Posts
Forgot to mention - I'm using Liferay Portal v5.2.2
Updated 14 years ago by Vytautas R.

RE: Decrypting portal user password

New Member Posts: 12 Join Date: 09/12/08 Recent Posts
I don't believe there is no one who knows the answer to that simple question! Help, anybody.
Updated 14 years ago by Shagul Khaja.

RE: Decrypting portal user password

Liferay Master Posts: 758 Join Date: 07/09/27 Recent Posts
Hi,

I don't see a decrypt method in PwdEncryptor.java. You may have to collect a clear text password from the facebook application.


Best Regards,
Shagul
Updated 3 months ago by Vilmos Papp.

RE: Decrypting portal user password

Regular Member Posts: 131 Join Date: 09/05/04 Recent Posts
IMHO you can't decrypt it. First, it wouldn't be very safe if the passwords could be decrypted; second, if you check the file in portal-impl/src/com/liferay/security/pwd/PWDEncryptor.java you see that the encoding mechanism creates hash codes from the plaintext password, so there is no way of decoding it. But maybe I am wrong. If security is not important you could instruct Liferay somehow to use unencrypted passwords, but I wouldn't suggest it!!!

Maybe you could extend LoginUtil to log the user in with the encrypted password instead of a plaintext password. Or you could have a look at how the SSO solutions are developed for Liferay, e.g. the OpenSSO, CAS or SiteMinder autologin.
Updated 14 years ago by Rishi Dev Gupta.

RE: Decrypting portal user password

Expert Posts: 255 Join Date: 08/11/23 Recent Posts
Have you got the solution for this, as I am also stuck at the same point?
Updated 14 years ago by Vytautas R.

RE: Decrypting portal user password

New Member Posts: 12 Join Date: 09/12/08 Recent Posts
Rishi Dev Gupta:
Have you got the solution for this, as I am also stuck at the same point?


Hi, Rishi.

No, I don't have the solution for decrypting the Liferay password. As I understood, it is not impossible to decrypt it at all, because of the algorithm used for encryption.
But what is the purpose of Encryptor.decrypt() method then? I'm confused.
Please let me know, if you work out something. Thanks!
Updated 14 years ago by Fuad Efendi.

RE: Decrypting portal user password

Regular Member Posts: 180 Join Date: 07/04/05 Recent Posts
Ok, is it possible to decrypt!? Yes!

Try this:

UserLocalServiceUtil.decryptUserId(companyId, userId, password);


I found this by analyzing autologin hooks,
 auto.login.hooks= ... com.liferay.portal.security.auth.RememberMeAutoLogin

- check this class (and others too)


I don't have time to test, check this:

if (company.isAutoLogin()) {
	kvp = UserLocalServiceUtil.decryptUserId(
		company.getCompanyId(), autoUserId, autoPassword);

	credentials = new String[3];

	credentials[0] = kvp.getKey();
	credentials[1] = kvp.getValue();
	credentials[2] = Boolean.FALSE.toString();
}

For instance, OpenSSO Auto Login uses this:

credentials[0] = String.valueOf(user.getUserId());
credentials[1] = user.getPassword();
credentials[2] = Boolean.TRUE.toString();

Notice, Boolean.TRUE vs. Boolean.FALSE, and no decrypting code for OpenSSO. You don't have to decrypt (look at OpenSSOAutoLogin).
Updated 13 years ago by Ali Shahrami.

RE: Decrypting portal user password

Junior Member Posts: 52 Join Date: 09/08/01 Recent Posts
Fuad Efendi:
Ok, is it possible to decrypt!? Yes!
No

It is not possible. Not this way, as far as I know.


Fuad Efendi:

if (company.isAutoLogin()) {
	kvp = UserLocalServiceUtil.decryptUserId(
		company.getCompanyId(), autoUserId, autoPassword);

	credentials = new String[3];

	credentials[0] = kvp.getKey();
	credentials[1] = kvp.getValue();
	credentials[2] = Boolean.FALSE.toString();
}

But there is really no need to decrypt password.

Take a look at LoginUtil and you will see that encrypted password is being added to session and cookie.

Fuad you gave me a very good hint and I'm thankful for that. This is how I did it:

String userIdString = String.valueOf(userId);

session.setAttribute("j_username", userIdString);
session.setAttribute("j_password", user.getPassword()); // encrypted password
session.setAttribute("j_remoteuser", userIdString);
session.setAttribute("USER_PASSWORD", user.getPassword()); // encrypted password

// you also need to create the following cookies
Cookie companyIdCookie = new Cookie(
	"COMPANY_ID", String.valueOf(company.getCompanyId()));

Cookie idCookie = new Cookie("ID",
	UserLocalServiceUtil.encryptUserId(userIdString));

Cookie passwordCookie = new Cookie("PASSWORD", user.getPassword());

Cookie loginCookie = new Cookie("LOGIN", user.getEmailAddress()); // if you login with email address

Cookie screenNameCookie = new Cookie("SCREEN_NAME",
	Encryptor.encrypt(company.getKeyObj(), user.getScreenName()));

This is not all you have to do, for more info refer to com.liferay.portlet.login.util.LoginUtil

I should say that I got this to work from a plugin rather than the ext env., and I DID NOT add ext-impl.jar to the plugin's classpath, which is a very bad practice to begin with.
Updated 14 years ago by Fuad Efendi.

RE: Decrypting portal user password

Regular Member Posts: 180 Join Date: 07/04/05 Recent Posts
Authentication Made Easy!

Use this:

String jPassword = user.getPassword(); // it is encrypted!
String jUsername = String.valueOf(user.getUserId());
session.setAttribute("j_username", jUsername);
session.setAttribute("j_password", jPassword);
response.sendRedirect("somewhere...");

And, check the code of com.liferay.portal.servlet.filters.autologin.AutoLoginFilter.

P.S.
Using this can really break Liferay... because we need to use hooks instead!

Implement class similar to OpenSSOAutoLogin, register it in portal-ext.properties.

public String[] login(
	HttpServletRequest request, HttpServletResponse response)

- this method should return (in your case):
  User ID (long)
  Password (encrypted)
  Boolean.TRUE ("true" means password is encrypted)
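An added example (not from this thread and not Liferay's own code) of the hook approach described in the post above: an AutoLogin implementation that maps an already-verified external identity to a portal user and hands back the stored password hash with the "true" flag, so no password is ever decrypted. It assumes the Liferay 5.2 AutoLogin interface and two hypothetical helpers, FacebookSessionVerifier.verifiedFacebookId() and FacebookUserMapping.lookupPortalUserId(), standing in for your own Facebook session check and ID mapping.

```java
package com.example.auth;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.liferay.portal.model.User;
import com.liferay.portal.security.auth.AutoLogin;
import com.liferay.portal.security.auth.AutoLoginException;
import com.liferay.portal.service.UserLocalServiceUtil;
import com.liferay.portal.util.PortalUtil;

// Register in portal-ext.properties by appending the class name to auto.login.hooks.
public class FacebookAutoLogin implements AutoLogin {

	public String[] login(
			HttpServletRequest request, HttpServletResponse response)
		throws AutoLoginException {

		try {
			// 1. Verify the external identity first; never trust a raw ID from the request.
			//    FacebookSessionVerifier is a hypothetical stand-in for your own check.
			String facebookId = FacebookSessionVerifier.verifiedFacebookId(request);

			if (facebookId == null) {
				return null; // not our request: let the next hook or the login form handle it
			}

			// 2. Map the verified external ID to a portal user of this company.
			//    FacebookUserMapping is a hypothetical stand-in for your own mapping table.
			long companyId = PortalUtil.getCompanyId(request);
			long userId = FacebookUserMapping.lookupPortalUserId(companyId, facebookId);

			User user = UserLocalServiceUtil.getUserById(userId);

			if (!user.isActive()) {
				return null; // deactivated accounts must not be auto-logged in
			}

			// 3. Return the stored (hashed) password and say so with "true";
			//    AutoLoginFilter then builds the session the same way OpenSSOAutoLogin does.
			String[] credentials = new String[3];

			credentials[0] = String.valueOf(user.getUserId());
			credentials[1] = user.getPassword();      // hash from the DB, used as-is
			credentials[2] = Boolean.TRUE.toString(); // "true" = password already encrypted

			return credentials;
		}
		catch (Exception e) {
			throw new AutoLoginException(e);
		}
	}

}
```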
Updated 14 years ago by Balazs Zsoldos.

RE: Decrypting portal user password

Junior Member Posts: 41 Join Date: 06/04/12 Recent Posts
Hi,

if it is ok for you to get the password for the currently logged-on user, there is a possibility I described on the website of my company.

You can get the user and password this way everywhere you can see Liferay's cookies (basically everywhere within the same domain).

Regards,
Balazs
Updated 13 years ago by Michael Poznecki.

RE: Decrypting portal user password

Expert Posts: 301 Join Date: 08/12/10 Recent Posts
If Liferay was using something other than one-way hash to encrypt the password, we would all have to throw it away! Passwords should NEVER have the ability to be decrypted. Even asking to do this should get you banned. We don't want hackers around here.
Updated 13 years ago by Brian Ko.

RE: Decrypting portal user password

Junior Member Posts: 70 Join Date: 10/02/11 Recent Posts
Michael,

Here is my use case. Please let me know if you have any suggestion.

I need to use AD and NTLM for authentication, which means I would not even see the password entered by the client. However, one of our portal apps is Lotus Notes, which uses an LTPA token for authentication. To access Lotus Notes from the portal without logging in again, I need to put the password in the browser session. Since the password is not known to the server, my plan is to get it from the database. (Of course, AD should be configured to sync the password with the portal user database.)

All this idea is not going to work if I cannot decrypt the password. Do you have any suggestion?

Brian Ko
Updated 13 years ago by Rishi Dev Gupta.

RE: Decrypting portal user password

Expert Posts: 255 Join Date: 08/11/23 Recent Posts
Brian

I haven't tried this, but you would have to implement your own encryption and decryption logic using any of the standard encryption algorithms available. You can plug this into the portal source to make it work... for this you will need to bring a couple of source files into ext to override them at deployment time...
Updated 13 years ago by James McGovern.

RE: Decrypting portal user password

Junior Member Posts: 68 Join Date: 10/06/13 Recent Posts
You should not go down the path of even thinking about the password. Instead consider a federated approach and understand whether approaches that use SAML will work for you.
Updated 13 years ago by Brian Ko.

RE: Decrypting portal user password

Junior Member Posts: 70 Join Date: 10/02/11 Recent Posts
James,

I think you are right. However, I have to use NTLM. There is no easy way to solve this issue.

Brian
Updated 13 years ago by James McGovern.

RE: Decrypting portal user password

Junior Member Posts: 68 Join Date: 10/06/13 Recent Posts
Liferay can support login via NTLM; however, there are several things you need to noodle, including but not limited to the fact that when your network administrator goes to Windows 2003 Native Mode, NTLM will automatically be turned off and you would be left without a solution.

In terms of the upgrade path, I have already submitted one request to support Information Cards which is Microsoft's long term direction. You may want to consider voting for this as a backup approach.
Updated 13 years ago by Brian Ko.

RE: Decrypting portal user password

Junior Member Posts: 70 Join Date: 10/02/11 Recent Posts
James,

I am planning to use NTLM, but I found our admin team has a plan to upgrade to Windows Server 2003. Do you know any website or reference I can read to understand the technology? Thank you in advance.

Brian
Updated 13 years ago by Hugh Martin.

RE: Decrypting portal user password

Junior Member Posts: 75 Join Date: 10/06/15 Recent Posts
Brian,

Did you ever resolve your SSO issue with Notes? We have the same issue and are assuming we'll have to implement LTPA within the app server, such as by deploying Liferay on WebSphere Application Server.

Hugh
Updated 3 months ago by Vilmos Papp.

RE: Decrypting portal user password

Regular Member Posts: 131 Join Date: 09/05/04 Recent Posts
There is a much easier way to solve this problem than decrypting passwords:

You should create a Hook plugin for LoginPreAction (or something similar) and store the password sent to the server in your session if you need it.
Updated 13 years ago by Olaf Kock.

RE: Decrypting portal user password

Liferay Legend Posts: 6403 Join Date: 08/09/23 Recent Posts
György Vilmos Papp:
There is a much easier way to solve this problem than decrypting passwords:

You should create a Hook plugin for LoginPreAction (or something similar) and store the password sent to the server in your session if you need it.


That is, if there is no SSO solution in place where you authenticate to the SSO server instead of Liferay - this way even the LoginPreAction never sees the unencrypted password. Fiddling with plain text passwords is really evil.

The "correct" way (especially in terms of SSO) to incorporate a user would be to obtain some ticket from the SSO server or redirect the browser to get it. Of course there is also the other evil way: Using some administrative access for other systems to make changes on behalf of the user.
Updated 3 months ago by Vilmos Papp.

RE: Decrypting portal user password

Regular Member Posts: 131 Join Date: 09/05/04 Recent Posts
You are right, Olaf, but sometimes, e.g. when you want to use Liferay's e-mail portlet, which stores the e-mail password in Base64-encoded form on the file system (which is another no-no, I guess), you need some workaround. I did it that way as we have no SSO server currently. And the e-mail portlet needs the unencrypted password to authenticate the user to the mail server.
Updated 13 years ago by Olaf Kock.

RE: Decrypting portal user password

Liferay Legend Posts: 6403 Join Date: 08/09/23 Recent Posts
Yes, correct, it might happen that there is a scenario where it makes sense to have the passwords. However, I'd argue that "knowingly providing passwords" so that a server can do something for me differs fundamentally from the server being able to decrypt passwords used for login to it. If passwords are stored on the server for such a purpose they must be stored with a reversible cipher, but in 98% of cases that I've seen they differ from the passwords used for login - if only because they can be changed independently from each other.

Please don't take my rants as offensive - it's just that I have the habit of strongly opposing the notion of being able to decrypt users' passwords for the sake of using them elsewhere. I understand that there might indeed be use cases. But in a public forum like this, 95% of readers would get the impression that it's possible and worth the hassle to decrypt some passwords. Therefore I take strong opposition, knowing that the situation currently asked about might actually be one of the exceptional use cases.

That said, good to know that your problem is solved. To the others: Note that this stunt has been performed by professionals, the roads have been closed during taping of the show, and you shouldn't try this at home ;-)
Updated 3 months ago by Vilmos Papp.

RE: Decrypting portal user password

Regular Member Posts: 131 Join Date: 09/05/04 Recent Posts
Well, thanks Olaf :-) I didn't think it was an offensive response to me. And actually this could be used only for limited scenarios by professionals.
Updated 13 years ago by Mahmudur Rahman Manna.

RE: Decrypting portal user password

New Member Posts: 7 Join Date: 10/07/09 Recent Posts
Ok, I got a scenario here, I am working with liferay 5.2.3, CAS 3.4 and OpenLDAP 2.4.

Liferay needs to import users from LDAP at startup, or during login if the user does not exist in the Liferay database. The funny thing I found is:
ldap.security.credentials=secret
How can I put the LDAP root user credentials in such a plain way in this property file? Isn't it breaking the security of the whole enterprise?

OK, I have decided not to use the import this way. Instead, whenever a single user tries to log in and does not exist in Liferay, only his data will be imported from LDAP using the credentials he entered in the CAS login UI. But where is the password? Is there any way to do it that way?

Please advise me.


-Manna