[#IZPACK-65] Password Encryption - jira.codehaus.org

IzPack

Password Encryption

Created: 15/Apr/08 02:56 PM Updated: 23/Apr/08 02:02 PM Resolved: 21/Apr/08 07:36 PM

Return to search

Component/s:

Utilities

Affects Version/s:

3.11.0

Fix Version/s:

4.0.0

Time Tracking:

Not Specified

Description

« Hide

Would like to add a validator to perform password encryption to the user input panel password field. This will require a change in the PasswordGroup which should not affect any existing installs.

I recently had to provide setting an encrypted password within a properties file and added a way to do it into the password field. Rather than use a processor like I would probably do if I were to do it "the right way", I added the functionality into a new validator. I did this for 3 reasons, I already had the multiple validator support implemented, validators have parameters already implemented, and if the encryption doesn't work I get feedback and can stop the install. The encryption is done with the standard javax.crypto libraries and the algorithm is controlled by a parameter.

The one thing that needed to change about the implementation is the PasswordGroup getPassword() method logic. I made an instance variable called modifiedPassword to store the encrypted value, and that value is returned if found instead of running a processor. If that value is null then the processor will get called (if one was specified), then as a last resort the value typed in the first password field is returned (the last two were the original behavior).

Here's an example validator definition:

So my question here is, are there any objections to having this committed? My thoughts are that there should be no effects to existing code and unless you specifically use the modifiedPassword field there will be no difference in the way processors work.

Description

Would like to add a validator to perform password encryption to the user input panel password field. This will require a change in the PasswordGroup which should not affect any existing installs. I recently had to provide setting an encrypted password within a properties file and added a way to do it into the password field. Rather than use a processor like I would probably do if I were to do it "the right way", I added the functionality into a new validator. I did this for 3 reasons, I already had the multiple validator support implemented, validators have parameters already implemented, and if the encryption doesn't work I get feedback and can stop the install. The encryption is done with the standard javax.crypto libraries and the algorithm is controlled by a parameter. The one thing that needed to change about the implementation is the PasswordGroup getPassword() method logic. I made an instance variable called modifiedPassword to store the encrypted value, and that value is returned if found instead of running a processor. If that value is null then the processor will get called (if one was specified), then as a last resort the value typed in the first password field is returned (the last two were the original behavior). Here's an example validator definition: <field type="password" align="left" variable="the.password"> <spec> <pwd txt="The Password:" size="25" /> <pwd txt="Retype Password:" size="25" /> </spec> <validator class="com.izforge.izpack.util.PasswordEqualityValidator" txt="Both passwords must match." id="key for the error text"/> <validator class="com.izforge.izpack.util.PasswordEncryptionValidator" txt="Could not encrypt password." id="key for the error text"> <param name="encryptionKey" value="blahblahblah"/> <param name="algorithm" value="Blowfish"/> </validator> </field> So my question here is, are there any objections to having this committed? My thoughts are that there should be no effects to existing code and unless you specifically use the modifiedPassword field there will be no difference in the way processors work.

Show »

Sort Order: