On 01/19/2012 04:28 AM, Paul Libbrecht wrote:
> Hello developers,
> for quite a long time I have seen that XWiki has the practice of a cookie that contains the username
> (and password) encrypted.
> The way the username is encrypted seems to be a "simple" cipher that would be fairly
> easy to share, provided the key is shared of course.
> I am considering using this for the purpose of recognizing the authenticity of a request
> to another web application.
> I am thinking a simple servlet filter would be able to do most of the authentication
> services, provided the user is logged into xwiki (and the cookie path makes /blabla
> also receive the cookie).
> But there are two questions:
> - is this encryption recognizable as signed? (i.e. can someone without the key generate
> an encrypted username?)

The same key is used both for encryption and decryption, but there's no
signature on it, so probably any random string can be encrypted and
decrypted, so you'll need a way to check the plaintext value as well,
not just the encrypted one.

The algorithm used by default is DES/ECB with PKCS5Padding, but this can
be changed in the configuration.

> - is this practice expected to last?

No idea.

> If yes to both, it would be interesting to share a
> servlet filter (or even Apache module) that would do this recognition and indicate the
> recognized user principals. Maybe that was done already?

Well, the authentication is based on
http://securityfilter.sourceforge.net/ which does provide a servlet
filter, which we're not using in XWiki and instead have our own
authentication process.

> thanks in advance
--
Sergiu Dumitriu
http://purl.org/net/sergiu/
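The answer above says the cookie is DES/ECB with PKCS5Padding and carries no signature, so a filter in another web application cannot treat "it decrypted" as proof that the value was issued by XWiki. The following is an added illustration, not XWiki's code and not XWiki's actual cookie layout: the key, the usernames, the user directory and the token format are all constructed for the example. It shows (a) that with ECB and padding alone a user who can pick their own username can cut a block out of their own genuine token and obtain a token that decrypts cleanly to a different name, without ever knowing the key, and (b) what the filter needs instead: an HMAC over the ciphertext (encrypt-then-MAC), checked in constant time before decryption, plus the plaintext check the reply recommends.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Base64;
import java.util.Set;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added demonstration (not XWiki code): why DES/ECB/PKCS5Padding without a
 * signature cannot prove a cookie is genuine, and how an encrypt-then-MAC
 * token fixes that. Keys, usernames and the token layout are constructed here.
 */
public class CookieTokenDemo {

    private static final String TRANSFORM = "DES/ECB/PKCS5Padding";
    private static final int BLOCK = 8; // DES block size in bytes

    // Hypothetical keys for the demo; a real deployment generates them randomly.
    private static final SecretKeySpec DES_KEY =
        new SecretKeySpec("8bytekey".getBytes(StandardCharsets.US_ASCII), "DES");
    private static final SecretKeySpec MAC_KEY = new SecretKeySpec(
        "separate-hmac-key-for-token-authenticity".getBytes(StandardCharsets.UTF_8), "HmacSHA256");

    // Constructed user directory; a real filter would ask XWiki instead.
    private static final Set<String> KNOWN_USERS = Set.of("Admin", "attackerAdmin", "paul");

    static byte[] encrypt(String username) throws Exception {
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.ENCRYPT_MODE, DES_KEY);
        return c.doFinal(username.getBytes(StandardCharsets.UTF_8));
    }

    static byte[] decrypt(byte[] ciphertext) throws Exception {
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.DECRYPT_MODE, DES_KEY);
        return c.doFinal(ciphertext);
    }

    /** Naive filter: a successful decryption is taken as proof the cookie is genuine. */
    static String recognizeNaive(byte[] token) {
        try {
            return new String(decrypt(token), StandardCharsets.UTF_8);
        } catch (Exception e) {
            return null; // bad length or padding: treat as anonymous
        }
    }

    static byte[] hmac(byte[] data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(MAC_KEY);
        return mac.doFinal(data);
    }

    /** Signed token layout (hypothetical): ciphertext || HMAC-SHA256(ciphertext). */
    static byte[] issueSignedToken(String username) throws Exception {
        byte[] ct = encrypt(username);
        byte[] tag = hmac(ct);
        byte[] out = Arrays.copyOf(ct, ct.length + tag.length);
        System.arraycopy(tag, 0, out, ct.length, tag.length);
        return out;
    }

    /** Hardened filter: verify the tag in constant time, then decrypt, then validate the plaintext. */
    static String recognizeSigned(byte[] token) {
        try {
            int tagLen = 32; // HMAC-SHA256 output size
            if (token.length <= tagLen) return null;
            byte[] ct = Arrays.copyOfRange(token, 0, token.length - tagLen);
            byte[] tag = Arrays.copyOfRange(token, token.length - tagLen, token.length);
            if (!MessageDigest.isEqual(hmac(ct), tag)) return null; // forged or tampered
            String user = new String(decrypt(ct), StandardCharsets.UTF_8);
            return KNOWN_USERS.contains(user) ? user : null; // check the plaintext, not just that it decrypted
        } catch (Exception e) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // The attacker registers a name whose second DES block is "Admin" plus PKCS5 padding:
        // "attackerAdmin" is 13 bytes -> blocks "attacker" | "Admin\3\3\3".
        byte[] own = encrypt("attackerAdmin");
        byte[] forged = Arrays.copyOfRange(own, BLOCK, 2 * BLOCK); // keep only the second block

        System.out.println("naive filter sees:  " + recognizeNaive(forged)); // Admin

        byte[] signedOwn = issueSignedToken("attackerAdmin");
        // Same trick against the signed token: drop the first block, keep the old tag.
        byte[] signedForged = Arrays.copyOfRange(signedOwn, BLOCK, signedOwn.length);
        System.out.println("signed filter sees: " + recognizeSigned(signedOwn));    // attackerAdmin
        System.out.println("signed filter sees: " + recognizeSigned(signedForged)); // null
        System.out.println("cookie value: "
            + Base64.getUrlEncoder().withoutPadding().encodeToString(signedOwn));
    }
}
```

Two design points worth keeping in mind when building the shared filter Paul describes: the MAC key must be separate from the DES key and must be shared with every application that verifies tokens, and the comparison uses MessageDigest.isEqual rather than Arrays.equals so that tag verification does not leak via timing. Since the reply notes the algorithm is configurable, the cleanest fix in a real deployment is to configure a mode that authenticates on its own (for example AES/GCM) rather than to keep DES/ECB and bolt a MAC onto it.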