Difference between revisions of "Jetty/Howto/Secure Passwords"
Redirect notice (Jetty Redirect template): the current documentation for this topic is at http://www.eclipse.org/jetty/documentation/current/configuring-security-secure-passwords.html
Latest revision as of 14:35, 23 April 2013



Introduction


There are many places in Jetty where you need to use and store a password, for example the SSL connector keystore password and user passwords in realms. You can store passwords as clear text, obfuscated, checksummed or encrypted, in order of increasing security.

The choice of method to secure a password depends on where you are using the password. In some cases such as keystore passwords and digest authentication, the system must retrieve the original password, which requires the obfuscation method. The drawback of the obfuscation algorithm is that it protects passwords from casual viewing only.

When the stored password is compared to one a user enters, the handling code can apply the same algorithm that secures the stored password to the user input and compare results, making password authentication more secure.


Steps

Jetty provides a password utility that you can use to generate all varieties of passwords.

Run it without arguments to see usage instructions:

Version 8.1 and above -- although this works on 7.6.7 as well

> java -cp lib/jetty-util-xxx.jar org.eclipse.jetty.util.security.Password
Usage - java org.eclipse.jetty.util.security.Password [<user>] <password>


Below version 8.1

> java -cp lib/jetty-http-xxx.jar:lib/jetty-util-xxx.jar org.eclipse.jetty.http.security.Password
Usage - java org.eclipse.jetty.http.security.Password [<user>] <password>

where -xxx signifies the version of Jetty that you have installed.

For example, to generate a secured version of the password blah for the user me, enter:

> java -cp lib/jetty-http-xxx.jar:lib/jetty-util-xxx.jar org.mortbay.jetty.security.Password me blah
blah
OBF:20771x1b206z
MD5:639bae9ac6b3e1a84cebb7b403297b79
CRYPT:me/ks90E221EY

Now you can cut and paste whichever secure version you choose into your configuration file or java code.

For example, the last line below shows you how you would cut and paste the encrypted password generated above into the properties file for a HashUserRealm:

admin: CRYPT:ad1ks..kc.1Ug,server-administrator,content-administrator,admin
other: OBF:1xmk1w261u9r1w1c1xmq
guest: guest,read-only
me: CRYPT:me/ks90E221EY
Tip: Don't forget to also copy the OBF:, MD5: or CRYPT: prefix on the generated password. Jetty cannot use it if you don't.
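The following Python program is an added example, not code from the Jetty project, illustrating the two situations the introduction describes: the reversible OBF: form, where the original password must be recovered before comparison, and the one-way MD5: form, where the same digest is applied to the user's input and the results are compared. It re-implements the obfuscation scheme of Jetty's Password class (byte pairs mirrored from both ends of the password, encoded in base 36) and checks the result against the "other" entry of the realm file shown above; CRYPT: entries are recognised but left unhandled, since they need Unix crypt(3). The realm lines, the md5_credential helper and the "reporter" user are constructed for the example.

```python
"""Added example (not Jetty's own code): check a supplied password against the
credential forms a Jetty realm file can hold.

Assumptions: OBF: follows org.eclipse.jetty.util.security.Password (byte pairs
b[i], b[n-1-i] encoded base-36); MD5: is the hex MD5 of the password bytes;
CRYPT: (Unix crypt(3)) is deliberately not handled here.
"""
import hashlib
import hmac

OBF, MD5, CRYPT = "OBF:", "MD5:", "CRYPT:"
_DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"


def _to_base36(n: int) -> str:
    out = []
    while n:
        n, r = divmod(n, 36)
        out.append(_DIGITS[r])
    return "".join(reversed(out)) or "0"


def obfuscate(password: str) -> str:
    """Reversible scrambling: chunk i encodes b[i] together with the byte
    mirrored from the other end, b[n-1-i]. No key is involved."""
    b = password.encode("utf-8")
    n = len(b)
    chunks = [OBF]
    for i in range(n):
        b1, b2 = b[i], b[n - 1 - i]
        if b1 >= 0x80 or b2 >= 0x80:
            # non-ASCII pair: 'U' + 4 base-36 digits of the raw 16-bit pair
            chunks.append("U" + _to_base36(b1 * 256 + b2).rjust(4, "0"))
        else:
            i1 = 127 + b1 + b2
            i2 = 127 + b1 - b2
            chunks.append(_to_base36(i1 * 256 + i2).rjust(4, "0"))
    return "".join(chunks)


def deobfuscate(stored: str) -> str:
    """Recover the clear text; this is why OBF: only stops casual viewing."""
    s = stored[len(OBF):] if stored.startswith(OBF) else stored
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "U":
            out.append(int(s[i + 1:i + 5], 36) >> 8)
            i += 5
        else:
            i1, i2 = divmod(int(s[i:i + 4], 36), 256)
            out.append((i1 + i2 - 254) // 2)  # i1 + i2 == 254 + 2*b1
            i += 4
    return out.decode("utf-8")


def md5_credential(password: str) -> str:
    """One-way form: the hex MD5 of the password bytes, with Jetty's prefix."""
    return MD5 + hashlib.md5(password.encode("utf-8")).hexdigest()


def check_credential(stored: str, supplied: str) -> bool:
    """Compare a supplied password with a stored credential of any supported
    form; compare_digest keeps the comparison time independent of the match."""
    if stored.startswith(OBF):
        # reversible form: recover the original, then compare clear text
        return hmac.compare_digest(deobfuscate(stored).encode(), supplied.encode())
    if stored.startswith(MD5):
        # one-way form: digest the input the same way and compare results
        expected = stored[len(MD5):].lower().encode()
        actual = hashlib.md5(supplied.encode("utf-8")).hexdigest().encode()
        return hmac.compare_digest(expected, actual)
    if stored.startswith(CRYPT):
        raise NotImplementedError("CRYPT: needs crypt(3); not covered here")
    return hmac.compare_digest(stored.encode(), supplied.encode())  # clear text


def parse_realm_line(line: str):
    """Split 'user: credential[,role,...]' from a HashUserRealm properties file."""
    user, _, rest = line.partition(":")
    fields = [f.strip() for f in rest.split(",")]
    return user.strip(), fields[0], fields[1:]


def authenticate(realm_lines, user: str, password: str) -> bool:
    """Look the user up and check the password; unknown users always fail."""
    for line in realm_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, credential, _roles = parse_realm_line(line)
        if name == user:
            return check_credential(credential, password)
    return False


# Constructed realm file: the OBF: line is the page's 'other' entry, the
# MD5: line and the 'reporter' user are made up for this example.
REALM = [
    "other: OBF:1xmk1w261u9r1w1c1xmq",
    "guest: guest,read-only",
    "reporter: " + md5_credential("reports-only") + ",content-administrator",
]

if __name__ == "__main__":
    print(obfuscate("other"))  # OBF:1xmk1w261u9r1w1c1xmq
    print(deobfuscate("OBF:1xmk1w261u9r1w1c1xmq"))  # other
    print(authenticate(REALM, "other", "other"), authenticate(REALM, "other", "no"))
```

Running the module shows that the OBF: value stored for "other" in the realm file above decodes straight back to the word "other", which is the practical meaning of "protects passwords from casual viewing only"; the MD5: branch, by contrast, never recovers the password and only compares digests.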