Forum Post: Re: OERealm REST Authentication

Thread starter: Michael Jacobs (Guest)
Hello Paul,

You ask a good question - but because it's security the response is not always simple. I'll point out that the clear-text password value is only one of your problems, as clear-text user-ids, privileges, and account attributes carry their own security liability problems. It's easiest to always pass everything using a secure socket connection, via local sockets or using SSL-encrypted connections. You could employ wire encryption and encrypt all of the field values individually, but generally it is a lot of work to actually make it secure and there are easier ways.

Regarding ENCODE(): using the ABL ENCODE() function for OpenEdge accounts, or GNU standard password encoding for UNIX accounts, is an example of where a clear-text password is needed so that the OERealm class can use the same encoding algorithm in order to match the stored encoded value. Calling something like an LDAP/AD service or the ABL SET-DB-CLIENT() API would be an example where the user account system's API requires a clear-text password value. In either case, the process starts with the OERealm class knowing the clear-text value. The simple path, for many reasons, is to pass a clear-text value and let the OERealm know what to do with it.

OK?

Mike J.

From: Paul Koufalis <bounce-pkoufalis@community.progress.com>
Reply-To: TU.OE.Development@community.progress.com
Date: Thursday, August 7, 2014 at 11:49 PM
To: TU.OE.Development@community.progress.com
Subject: RE: [Technical Users - OE Development] OERealm REST Authentication

Reply by Paul Koufalis

After a lot of reading and trial-and-error, I'm 99% there. I added my own cp in WEB-INF/classes and got all the way to ValidatePassword(). With realmPwdAlg=0 the password is passed in plain text and the validation fails, since it checks "_User._Password = password" and _Password is ENCODE'd.

If I pass the actual content of _Password it works great. Of course I could change HybridRealm.cls to authenticate against ENCODE(password), but somehow that doesn't seem like the right solution. What am I missing?
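The following is an added example and is not code from this thread, from Paul's realm class, or from the HybridRealm.cls that ships with OpenEdge. It shows the approach both posters describe: with realmPwdAlg=0 the realm receives the clear-text password, so ValidatePassword() applies the same one-way ENCODE() the database applied when _User._Password was stored and compares the two encoded values, rather than comparing the stored value against the clear text. Assumptions not taken from the thread: the IHybridRealm method shapes ValidateUser(userName) RETURNS INTEGER and ValidatePassword(userId, password) RETURNS LOGICAL, that _User._User-Number is the integer key handed back as the user id, and a hypothetical class name HybridRealmExample; the remaining realm methods (attribute accessors, the digest overload used for realmPwdAlg=1) are omitted.

```abl
/* Added example, not the thread's code and not the shipped HybridRealm.cls.
   Assumed method shapes follow IHybridRealm; _User._User-Number is assumed
   to be the integer key returned by ValidateUser(). */
CLASS HybridRealmExample:

    /* Map the login name to the integer id the REST adapter later hands to
       ValidatePassword(). -1 signals "no such user". */
    METHOD PUBLIC INTEGER ValidateUser(INPUT userName AS CHARACTER):
        IF userName = ? OR userName = "" THEN RETURN -1.
        FIND FIRST _User WHERE _User._Userid = userName NO-LOCK NO-ERROR.
        IF NOT AVAILABLE _User THEN RETURN -1.
        RETURN _User._User-Number.   /* assumed integer key field of _User */
    END METHOD.

    /* realmPwdAlg=0: 'password' arrives in clear text. Encode it with the
       same algorithm the database used and compare encoded to encoded.
       ENCODE() is one-way, so the stored value cannot be turned back into
       clear text; the only workable comparison is encoded vs. encoded. */
    METHOD PUBLIC LOGICAL ValidatePassword(INPUT userId   AS INTEGER,
                                           INPUT password AS CHARACTER):
        DEFINE VARIABLE cEncoded AS CHARACTER NO-UNDO.

        /* Reject unknown or blank input before comparing: in ABL the
           expression ? = ? is TRUE, so an unset stored password would
           otherwise match an unset input. */
        IF userId < 0 OR password = ? OR password = "" THEN RETURN FALSE.

        FIND FIRST _User WHERE _User._User-Number = userId NO-LOCK NO-ERROR.
        IF NOT AVAILABLE _User
           OR _User._Password = ? OR _User._Password = "" THEN RETURN FALSE.

        ASSIGN cEncoded = ENCODE(password).

        /* A plain '=' between CHARACTER values is case-insensitive in ABL;
           the encoded string is mixed-case, so force a case-sensitive test. */
        RETURN COMPARE(cEncoded, "EQ", _User._Password, "CASE-SENSITIVE").
    END METHOD.

END CLASS.
```

This only addresses the comparison inside the realm. The clear-text password still travels from the client to the REST adapter and on to the realm class, which is why the SSL point in the reply above stands regardless of how ValidatePassword() is written.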
