Storing passwords using sha1 instead of plain text

[ibrahimhamza]

Dear All

Can I change the jasperserver to save passwords

in sha1 to be more secure

thanks

[anandharaj]

JasperServer already have this feature and this is enabled by default in JS-3.5 If you using version prior to this, please refer to my blog www.raj2u.net on how to enable this feature.

[ibrahimhamza]

I have jasper server 3.1

I search your site with sha and sha1 and no results

I add the nest section to applicationContext-security.xml

    <bean id="passwordEncoder" class="org.acegisecurity.providers.encoding.ShaPasswordEncoder">
        <property name="encodeHashAsBase64"><value>false</value></property>       
    </bean>

and commented

the old

<bean id="passwordEncoder" class="com.jaspersoft.jasperserver.api.metadata.common.service.impl.PasswordCipherer">

and then i make user

and hashed its password "1"

which is 356a192b7913b04c54574d18c28d46e6395428ab

[ibrahimhamza]

Now it works

and here is the steps to make the passswords hashed with sha1

Modify the apache-tomcatwebappsjasperserverWEB-INFapplicationContext-security.xml

1- comment  or remove the bean which starts with <bean id="passwordEncoder"

to be

    <!--
    <bean id="passwordEncoder" class="com.jaspersoft.jasperserver.api.metadata.common.service.impl.PasswordCipherer">
        <property name="allowEncoding"><value>false</value></property>
        <property name="keyInPlainText"><value>false</value></property>
        <property name="secretKey"><value>0xC8 0x43 0x29 0x49 0xAE 0x25 0x2F 0xA1 0xC1 0xF2 0xC8 0xD9 0x31 0x01 0x2C  0x52 0x54 0x0B 0x5E 0xEA 0x9E 0x37 0xA8 0x61</value></property>
        <property name="secretKeyAlgorithm"><value>DESede</value></property>
        <property name="cipherTransformation"><value>DESede/CBC/PKCS5Padding</value></property>
    </bean>

-->

2- but this instead

    <bean id="passwordEncoder" class="org.acegisecurity.providers.encoding.ShaPasswordEncoder">
        <property name="encodeHashAsBase64"><value>false</value></property>       
    </bean>

3- make sure that

        <property name="passwordEncoder"><ref local="passwordEncoder"/></property>
is not commented remove th comment by delete   <!--  and  -->

4- connect using sql to update jasperadmin user password

UPDATE JIUSER
SET    PASSWORD                   = '4899a849f6a3cee79e2ad5b7dd93d0a7f276d493'
       WHERE  USERNAME = 'jasperadmin';

now login with jasperadmin and password jasperadmin

 

Post Edited by ibrahim hamza at 04/09/09 07:36

Post Edited by ibrahim hamza at 04/12/09 07:35

[huwtrimet.org]

Does this SHA encryption work with CE version JS 3.5 at all?

 

I have followed the instructions to the teeth, but apparently, all passwords are stored in the database as clear text now.  Did I need to include some acegi libary?

 

Thanks in advance.

[huwtrimet.org]

I think this may be a bug.

I can set the SHA encrypted password like the jasperadmin in the database, and I can login just fine.

But, when I use the user manager interface to change the password to ''mypassword", then the clear text is stored in the database, then I can not login use the password because the login page uses the password Encoder.

 

[huwtrimet.org]

I found the issue was reported in the tracker as number 0004375, status open.

 

With SHA encryption, we can not use this tool to connect to PCI(Payment Card Industry, aka, credit card type) database for reporting needs.

 

 

[huwtrimet.org]

Hi Sherman, will this bug be fixed in version 3.7  Tracker 0004375 ?  Thanks in advance