9 Replies Latest reply on Nov 27, 2008 8:45 AM by Nikolay Elenkov

    Salt for UserPassword in Seam 2.1

    Nikolay Elenkov Master

      I've been looking into Seam 2.1 security, and here's a feature I think would be useful.


      If we want to change the password hashing algorithm, we have to override PasswordHash (btw, SHA-1 should probably be the default); that's easy enough. But if we want to use a salt value different from the username (the default), we need to override JpaIdentityStore, and it seems one should not generally need to do this. The default implementation just uses the username string, but in most cases we'd probably like to use a dedicated random value and save it in the UserPrincipal entity. In addition, one would generally loop a number of times when generating the hash (as per PKCS#5), which makes generating hashes harder, so the inputs for generating the password hash become: password, salt and iteration count. It would be nice if one could have all of these in one place, the UserPrincipal entity.


      To support this we need one new annotation and a few params to @UserPassword. Something like:


      @UserPasswordSalt
      String getSalt()
      
      @UserPassword(hash="sha1", saltLength=64, iterationCount=1000)
      String getPasswordHash()
      



      Salt length is in bits and is randomly generated by createUser; the iteration count would be passed to PasswordHash.generateSaltedHash.
      This more general implementation should cover the most common cases, I think, and one would rarely need to override PasswordHash or JpaIdentityStore.



      How does this sound?
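As an added illustration of the scheme proposed above (not code from the post, from Seam, or from Nikolay Elenkov), here is the complete flow in Python rather than Java: a per-user random salt of saltLength bits, an iteration count, and a hash, all stored together on the user record, plus the verification step. The UserPrincipal class, create_user and authenticate are hypothetical names chosen for the example. Two key derivations are shown: the plain "hash the salted password, then re-hash the digest N times" loop the post describes, and PBKDF2 (PKCS#5 proper, which is HMAC-based) via hashlib, which is what a practitioner should actually use.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class UserPrincipal:
    """Hypothetical user entity holding everything needed to verify a password."""
    username: str
    salt: bytes            # random, generated at user creation (not the username)
    iteration_count: int   # stored so it can be raised later without breaking old users
    password_hash: bytes


def generate_salt(salt_length_bits: int = 64) -> bytes:
    """Random salt of the requested length in bits, from the OS CSPRNG."""
    if salt_length_bits <= 0 or salt_length_bits % 8:
        raise ValueError("salt length must be a positive multiple of 8 bits")
    return os.urandom(salt_length_bits // 8)


def iterated_salted_hash(password: str, salt: bytes, iteration_count: int,
                         algorithm: str = "sha1") -> bytes:
    """The simple scheme from the post: hash(salt || password), then re-hash the
    digest iteration_count - 1 more times. Shown for comparison only."""
    if iteration_count < 1:
        raise ValueError("iteration count must be >= 1")
    digest = hashlib.new(algorithm, salt + password.encode("utf-8")).digest()
    for _ in range(iteration_count - 1):
        digest = hashlib.new(algorithm, digest).digest()
    return digest


def pbkdf2_hash(password: str, salt: bytes, iteration_count: int,
                algorithm: str = "sha1") -> bytes:
    """PKCS#5 PBKDF2 with HMAC-<algorithm>; this is the standard construction."""
    if iteration_count < 1:
        raise ValueError("iteration count must be >= 1")
    return hashlib.pbkdf2_hmac(algorithm, password.encode("utf-8"), salt, iteration_count)


def create_user(username: str, password: str, salt_length_bits: int = 64,
                iteration_count: int = 1000, kdf=pbkdf2_hash) -> UserPrincipal:
    """Equivalent of the post's createUser: fresh random salt, fixed iteration count."""
    salt = generate_salt(salt_length_bits)
    return UserPrincipal(username, salt, iteration_count,
                         kdf(password, salt, iteration_count))


def authenticate(user: UserPrincipal, password: str, kdf=pbkdf2_hash) -> bool:
    """Recompute with the user's own salt and iteration count; compare in constant time."""
    candidate = kdf(password, user.salt, user.iteration_count)
    return hmac.compare_digest(candidate, user.password_hash)


if __name__ == "__main__":
    alice = create_user("alice", "correct horse")
    bob = create_user("bob", "correct horse")
    # Same password, different salts, so the stored hashes differ.
    print("hashes differ:", alice.password_hash != bob.password_hash)
    print("alice ok:", authenticate(alice, "correct horse"))
    print("alice wrong:", authenticate(alice, "battery staple"))
```

Because the salt and iteration count travel with the record, the iteration count can be raised for new users (or on a user's next successful login) without invalidating existing hashes, which is the main practical benefit of keeping all three inputs in one place as the post suggests.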