24 Aug
2010
24 Aug
'10
10:18 p.m.
On 08/10/2010 08:45 PM, Caleb James DeLisle wrote:
Because protectPassword generates a base-64 encoded
java serialized form, the size is quite a bit larger than
the 255 character limit of StringProperty and thus PasswordProperty.
What is the real reason for using base-64 encoding? Why not using a
larger base? You convert the serialized bytes anyway.
The use of java serialization is central to the upgradability of the password
verification function because
any new class which implements PasswordVerificationFunction automatically works.
This doesn't explain why you need to store the serialized instance of a
PasswordVerificationFunction implementation as a base-64 string.
Thanks,
Marius
Given this, I want to migrate the database to move password hashes into the
xwikilargestrings table and change
PasswordProperty to extend LargeStringProperty. During this migration, any passwords
still stored in plaintext
will be ported to the scrypt function, passwords stored as a hash will have an
exclamation mark pretended to the
text (this is invalid base64) and be inserted into the table as is.
PasswordClass will keep the sha-512 hash function for legacy passwords but will port
passwords to the new format
as users log in.
These changes will allow us to close
http://jira.xwiki.org/jira/browse/XWIKI-70
and
http://jira.xwiki.org/jira/browse/XWIKI-582
WDYT?
Caleb
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs