Notice: this Wiki will be going read only early in 2024 and edits will no longer be possible. Please see: https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/wikis/Wiki-shutdown-plan for the plan.
Difference between revisions of "Jetty/Howto/Secure Passwords"
| Line 2: | Line 2: | ||
| introduction = | | introduction = | ||
| − | There are many places where you need to use and store a password, for example | + | There are many places in Jetty where you need to use and store a password, for example the SSL connectors' keystore password, user passwords in realms, and so forth. Passwords can be stored in '''clear text''', '''obfuscated''', '''checksummed''' or '''encrypted''' in order of increasing security. |
| + | |||
| + | The choice of method that is used to secure a password depends on where it will be used. In some cases such as keystore passwords, digest authentication, and others the original password has to be retrieved, so obfuscation method has to be used for this purpose. The drawback of obfuscation is that the passwords are protected from casual viewing only. | ||
| + | |||
| + | In other instances where the stored password needs to be compared to the user entered one only, the handling code can apply the same algorithm that was used to secure the stored password to the user input and compare results, making the password authentication more secure. | ||
| + | |||
| − | |||
| steps = | | steps = | ||
Jetty provides a [http://dev.eclipse.org/viewcvs/index.cgi/jetty/trunk/jetty-http/src/main/java/org/eclipse/jetty/http/security/Password.java?root=RT_Jetty&view=log password utility] that can be used to generate all varieties of passwords. | Jetty provides a [http://dev.eclipse.org/viewcvs/index.cgi/jetty/trunk/jetty-http/src/main/java/org/eclipse/jetty/http/security/Password.java?root=RT_Jetty&view=log password utility] that can be used to generate all varieties of passwords. | ||
Revision as of 18:30, 23 December 2009
Introduction
There are many places in Jetty where you need to use and store a password, for example the SSL connectors' keystore password, user passwords in realms, and so forth. Passwords can be stored in clear text, obfuscated, checksummed or encrypted in order of increasing security.
The choice of method that is used to secure a password depends on where it will be used. In some cases such as keystore passwords, digest authentication, and others the original password has to be retrieved, so obfuscation method has to be used for this purpose. The drawback of obfuscation is that the passwords are protected from casual viewing only.
In other instances where the stored password needs to be compared to the user entered one only, the handling code can apply the same algorithm that was used to secure the stored password to the user input and compare results, making the password authentication more secure.
Steps
Jetty provides a password utility that can be used to generate all varieties of passwords.
Run it without arguments to see usage instructions:
> java -cp lib/jetty-http-xxx.jar:lib/jetty-util-xxx.jar org.eclipse.jetty.http.security.Password Usage - java org.eclipse.jetty.http.security.Password [<user>] <password>
where -xxx signifies the version of Jetty that you have installed.
For example, to generate a secured version of the password "blah" for the user "me", do:
> java -cp lib/jetty-http-xxx.jar:lib/jetty-util-xxx.jar org.mortbay.jetty.security.Password me blah blah OBF:20771x1b206z MD5:639bae9ac6b3e1a84cebb7b403297b79 CRYPT:me/ks90E221EY
Now you can cut and paste whichever secure version you choose into your configuration file or java code.
For example, the last line below shows you how you would cut and paste the encrypted password generated above into the properties file for a HashUserRealm:
admin: CRYPT:ad1ks..kc.1Ug,server-administrator,content-administrator,admin other: OBF:1xmk1w261u9r1w1c1xmq guest: guest,read-only me: CRYPT:me/ks90E221EY
