GSIP 63 - Encrypt Plaintext Passwords
Overview
Support digest and encrypted passwords for users and datastore credentials.
This proposal has been superseded by GSIP 71 - New Security Subsystem.
Proposed By
[Ian Schneider]
Assigned to Release
TBD. 2.1.x or later.
State
Choose one of: Under Discussion, In Progress, Completed, Rejected, Deferred
Motivation
User and datastore passwords are currently stored in plaintext. This is an obvious security hazard.
Proposal
There are two basic components of this proposal:
- Support digest (one-way hash) storage of user passwords. Digested passwords cannot be recovered, only verified, which is a stronger position than storing anything recoverable.
- Support encrypted passwords for datastore credentials. These must remain decryptable, because the plaintext has to be handed to the backend (database, WFS, etc.) at connection time. A master password is used to derive the key that encrypts them.
Additional features include:
- Opt-in only. To enable the system, a configuration property must be set.
- Configurable digest and encryption algorithms and JCE security provider.
- Default provider and SPI for custom provider.
- JMX bean supports changing master password.
- User docs!
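As an added illustration of the two storage modes listed above (this is example code, not GeoServer or Jasypt code, and not part of the original proposal): user passwords get a salted, stretched digest that can only be verified; datastore credentials get reversible encryption under a master password; and changing the master password, as the proposed JMX bean would, means re-encrypting only the datastore entries, since user digests do not depend on it. The `digest:`/`crypt:` prefixes, the PBKDF2 iteration count and the HMAC-SHA256 counter-mode cipher with an HMAC tag are assumptions standing in for whatever JCE PBE algorithm the configured provider would supply. Entries without a prefix are treated as legacy plaintext, which is how the opt-in (disabled) mode keeps working against the same verification code.

```python
# Example code, not GeoServer/Jasypt code. Pure standard library so it runs offline.
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumption: key-stretching iteration count


# --- 1. user passwords: salted digest, verifiable but not recoverable -------
def digest_password(password: str, salt: bytes = b"") -> str:
    """Return 'digest:<salt>:<pbkdf2>' for storage; salt is random unless given."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return "digest:" + salt.hex() + ":" + dk.hex()


def check_password(password: str, stored: str) -> bool:
    """Verify against a digest entry, or a legacy plaintext entry when the
    feature is disabled (opt-in mode); both use constant-time comparison."""
    if not stored.startswith("digest:"):
        return hmac.compare_digest(password.encode(), stored.encode())
    _, salt_hex, dk_hex = stored.split(":")
    expected = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(expected, bytes.fromhex(dk_hex))


# --- 2. datastore credentials: reversible encryption under a master password -
def _derive_keys(master: str, salt: bytes):
    """Derive separate encryption and MAC keys from the master password."""
    km = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, PBKDF2_ROUNDS, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode (stand-in for a JCE PBE cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_credential(plaintext: str, master: str) -> str:
    """Encrypt-then-MAC; returns 'crypt:<salt>:<nonce>:<ct>:<tag>'."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(master, salt)
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return "crypt:" + ":".join(x.hex() for x in (salt, nonce, ct, tag))


def decrypt_credential(stored: str, master: str) -> str:
    """Recover the plaintext; raises ValueError on a wrong master password
    or a tampered entry, so a bad key never yields garbage to the backend."""
    label, salt, nonce, ct, tag = stored.split(":")
    if label != "crypt":
        raise ValueError("not an encrypted credential")
    salt, nonce, ct, tag = (bytes.fromhex(x) for x in (salt, nonce, ct, tag))
    enc_key, mac_key = _derive_keys(master, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()


def rotate_master_password(entries: dict, old_master: str, new_master: str) -> dict:
    """What a 'change master password' operation has to do: decrypt every
    datastore credential with the old master and re-encrypt with the new one.
    User digests are untouched because they never involved the master password."""
    return {
        name: encrypt_credential(decrypt_credential(value, old_master), new_master)
        for name, value in entries.items()
    }


if __name__ == "__main__":
    # constructed sample data
    users = {"admin": digest_password("geoserver")}
    stores = {"postgis": encrypt_credential("pg-secret", "master-1")}
    print(check_password("geoserver", users["admin"]))          # True
    print(decrypt_credential(stores["postgis"], "master-1"))     # pg-secret
    stores = rotate_master_password(stores, "master-1", "master-2")
    print(decrypt_credential(stores["postgis"], "master-2"))     # pg-secret
```

Two properties worth noting: the digest path has no decrypt counterpart at all, so a stolen users file yields nothing recoverable; and the encrypted path authenticates the ciphertext before decrypting, so a wrong master password is reported as an error rather than silently producing a garbled password that gets sent to the backend.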
Other Notes:
- Currently using the Jasypt library. This provides a convenient JCE wrapper and integrates with Spring Security.
- Patch currently has tests that all pass. Additional manual tests run to ensure behavior.
- Should pave the way for integration with GSIP 53 - http://geoserver.org/display/GEOS/GSIP+53+Geoserver+security+improvement
Question:
Given default behavior is disabled (unit tests all work with enabled), the unit tests that touch the security layer should all be run in both modes - disabled and enabled. Support for this is in the current patch, but I don't like the way it is implemented. Any other good approaches to achieving this?
Feedback
This section should contain feedback provided by PSC members who may have a problem with the proposal.
Backwards Compatibility
No backwards compatibility issues as the functionality is disabled by default. Once enabled, the digestion of user passwords is not reversible. Encrypted datastore passwords are recoverable, but no support is provided to assist the end user in recovery (by design).
Voting
Andrea Aime: +1
Alessio Fabiani:
Ben Caradoc-Davies: +1
Gabriel Roldán:
Justin Deoliveira: +1
Jody Garnett: +1
Mark Leslie: +1
Simone Giannecchini:
Links
http://jira.codehaus.org/browse/GEOS-4702
http://osgeo-org.1803224.n2.nabble.com/plaintext-password-storage-td6665497.html