Eclipse
/
jetty.project
mirror of https://github.com/jetty/jetty.project.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Issue #2039 - Updated documentation examples.

This commit is contained in:
WalkerWatch 2017-12-13 11:37:00 -05:00
parent 8665348258
commit ce819b5430
1 changed files with 29 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
jetty-documentation/src/main/asciidoc/configuring/security/secure-passwords.adoc
View File

@ -26,11 +26,6 @@ The drawback of the obfuscation algorithm is that it protects passwords *from ca
When the stored password is compared to one a user enters, the handling code can apply the same algorithm that secures the stored password to the user input and compare results, making password authentication more secure. When the stored password is compared to one a user enters, the handling code can apply the same algorithm that secures the stored password to the user input and compare results, making password authentication more secure.
____
[NOTE]
When using the `DIGEST` method in tandem with an MD5 hash, you must hash the entire `user:realm:password` string or you will encounter issues with authenticating.
____
The class `org.eclipse.jetty.util.security.Password` can be used to generate all varieties of passwords. The class `org.eclipse.jetty.util.security.Password` can be used to generate all varieties of passwords.
Run it without arguments to see usage instructions: Run it without arguments to see usage instructions:
@ -43,15 +38,16 @@ Usage - java org.eclipse.jetty.util.security.Password [<user>] <password>
If the password is ?, the user will be prompted for the password If the password is ?, the user will be prompted for the password
.... ....
For example, to generate a secured version of the password "blah" for the user "me": For example, to generate a secured version of the password `password` for the user `username`:
[source, screen, subs="{sub-order}"] [source, screen, subs="{sub-order}"]
.... ....
$ java -cp lib/jetty-util-{VERSION}.jar org.eclipse.jetty.util.security.Password me blah $ java -cp ../lib/jetty-util-{VERSION}.jar org.eclipse.jetty.util.security.Password username password
blah 2017-12-13 11:19:27.928:INFO::main: Logging initialized @95ms to org.eclipse.jetty.util.log.StdErrLog
OBF:20771x1b206z password
MD5:639bae9ac6b3e1a84cebb7b403297b79 OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v
CRYPT:me/ks90E221EY MD5:5f4dcc3b5aa765d61d8327deb882cf99
CRYPT:usjRS48E8ZADM
.... ....
If using a external tool to create/verify the MD5 hash (such as `md5sum` or `md5`), be sure to verify a carriage return (CR) or new line is not added. If using a external tool to create/verify the MD5 hash (such as `md5sum` or `md5`), be sure to verify a carriage return (CR) or new line is not added.
@ -60,12 +56,30 @@ For example:
[source, screen, subs="{sub-order}"] [source, screen, subs="{sub-order}"]
.... ....
//With a CR included //With a CR included
$ echo Jetty | md5sum $ echo password | md5sum
bca10872e52ccc5c4a22bf23ef4d5843 *- 286755fad04869ca523320acce0dc6a4 *-
//Using the `-n` option to exclude a new line from being added. //Using the `-n` option to exclude a new line from being added.
$ echo -n Jetty | md5sum $ echo -n password | md5sum
95dd2e7e150f2e8a04c35a78cb15b3e5 *- 5f4dcc3b5aa765d61d8327deb882cf99 *-
....
____
[IMPORTANT]
When using the `DIGEST` method in tandem with an MD5 hash, you must hash the entire `user:realm:password` string or you will encounter issues with authenticating.
____
[source, screen, subs="{sub-order}"]
....
$ java -cp ../lib/jetty-util-9.4.7.v20170914.jar org.eclipse.jetty.util.security.Password username username:realm:password
2017-12-13 11:34:33.263:INFO::main: Logging initialized @97ms to org.eclipse.jetty.util.log.StdErrLog
username:realm:password
OBF:1w281yf41v1x1z7e1xmi1v1p1tvv1v901c3j1x8k1ugo1ri71uh21x8a1c3j1v9m1tv71v2p1xms1z7o1v2h1yf21w1a
MD5:66999343281b2624585fd58cc9d36dfc
CRYPT:usulxZfApLefk
$ echo -n username:realm:password | md5sum
66999343281b2624585fd58cc9d36dfc *-
.... ....
You can now cut and paste whichever secure version you choose into your configuration file or Java code. You can now cut and paste whichever secure version you choose into your configuration file or Java code.