Merged
@@ -18,7 +18,7 @@

There are many cases where you might need to provide credentials such as usernames and passwords to authenticate your access to certain services, for example KeyStore and TrustStore passwords, JDBC credentials, Basic or Digest authentication credentials, etc.

Passwords are typically stored in clear-text in configuration files, because a program such as Jetty reading the configuration file must be able to retrieve the original password to authenticate with the service.
Passwords are typically stored in clear-text in configuration files; a program such as Jetty reading the configuration file must be able to retrieve the original password to pass it to the service (for example a KeyStore or a JDBC driver).

You can protect clear-text stored passwords from _casual view_ by obfuscating them using class link:{javadoc-url}/org/eclipse/jetty/util/security/Password.html[`org.eclipse.jetty.util.security.Password`]:

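Review bot: the rewritten sentence on the second changed line swaps the original "because" for a semicolon, so the clear-text storage and the need to recover the password now read as two unrelated statements; suggest "Passwords are typically stored in clear-text in configuration files, because a program such as Jetty reading the configuration file must be able to retrieve the original password to pass it to the service (for example a KeyStore or a JDBC driver)." Since the same file goes on to introduce one-way `MessageDigest` checksums for passwords that Jetty verifies rather than forwards, it would also help to scope this sentence to outgoing passwords, which is the only case where the original value has to be recoverable.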
@@ -29,11 +29,16 @@ Username: <1>
Password: secret <2>
OBF:1yta1t331v8w1v9q1t331ytc <3>
MD5:5eBe2294EcD0E0F08eAb7690D2A6Ee69 <4>
...
MD:SHA-1:E5E9Fa1bA31eCd1aE84f75CaAa474f3a663f05F4
Contributor
OBF can be reversed to a password.
MD5, SHA-1, SHA-256 are one direction; they cannot be reversed into a password.

Is that nuance worth mentioning?

Contributor
This nuance is important for reversible passwords.

A stored password for a database connection needs to be reversible, so that the code can actually submit that password to the database server.

A stored password for verifying a submitted password (like a user login) can be an MD-based one-way password.

Contributor
It's almost like describing a stored password as verifying an incoming password (all storage types supported) or obtaining an outgoing password (only reversible supported).

Contributor Author
@joakime we have always had MD5, so this PR just adds a pluggable format for MD-based checksums.

I have added an example of a one-way password to the docs.

Where do you think we need to add more in the documentation?

Contributor
Yeah, this doesn't need a code change; it feels more documentation-specific.
I'll re-review the docs shortly.

...
MD:SHA3-256:F5A5207a8729B1F709Cb710311751eB2Fc8aCaD5A1Fb8aC991B736E69b6529A3
...
----
<1> Hit kbd:[Enter] to specify a blank user.
<2> Enter the password you want to obfuscate.
<3> The obfuscated password.
<4> The MD5 checksum of the password.
<4> MD5 and other `MessageDigest` checksums of the password, using different algorithms.

The `Password` tool produced an obfuscated string for the password `secret`, namely `OBF:1yta1t331v8w1v9q1t331ytc` (the prefix `OBF:` must be retained).
The obfuscated string can be de-obfuscated to obtain the original password.
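Review bot: callout `<4>` in its new form ("MD5 and other `MessageDigest` checksums of the password, using different algorithms") does not explain the two prefix formats the new output lines show, the legacy `MD5:` form and the `MD:<algorithm>:` form used for `SHA-1` and `SHA3-256`, nor what the `...` lines stand for; suggest stating that `MD:` is followed by the `MessageDigest` algorithm name and, if that is what the ellipses mean, that the tool prints one line per available algorithm. The closing paragraph still only says that the `OBF:` prefix must be retained and that the obfuscated string can be de-obfuscated; a parallel sentence about the checksum lines here would address the reversible-versus-one-way distinction raised in the comments above instead of leaving it entirely to the later section.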
@@ -78,3 +83,18 @@ Here is an example, setting an obfuscated password for a JDBC `DataSource`:
</New>
----
<1> Note the usage of `Password.deobfuscate(\...)` to avoid storing the clear-text password in the XML file.

On the other hand, `MessageDigest` checksums of passwords are useful when Jetty receives a password and needs to verify it without storing the original password (for example, with Basic authentication).

Differently from obfuscated passwords, password checksums are not reversible, and cannot be used when Jetty needs to pass the original password to other services.

You can store the Basic authentication credentials in checksum form on the server, and verify the password received from the client by comparing the stored checksum with the checksum of the received password computed on-the-fly.
If the checksum is identical, then the password was correct.

[NOTE]
====
`MessageDigest` algorithms vary in strength, that is the probability that two different inputs produce the same checksum.

The `MD5` and `SHA-1` algorithms are not recommended, as they are weak and insecure.
Use at least `SHA-256`, typically available in all modern JVMs.
====
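Review bot: the NOTE block defines algorithm strength as "the probability that two different inputs produce the same checksum", which is collision resistance; for a stored password checksum the property that matters is that someone who obtains the checksum cannot recover or cheaply guess the password (preimage resistance and cost per guess), and a plain unsalted `SHA-256` of a short password offers little of the latter even though it is collision-resistant. Suggest rewording the NOTE around preimage resistance and guessing cost, and adding to the verification paragraph ("comparing the stored checksum with the checksum of the received password") that the stored value is protected only as well as the algorithm and the password's guessability allow. Minor: "Differently from obfuscated passwords" reads more naturally as "Unlike obfuscated passwords".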