Change query and encode database authentication hashing algorithm.


Stef Schenkelaars

Sep 20, 2017, 6:47:49 AM
to CAS Community
Hi Cas Community,

I am trying to set up a CAS server with the query and encode database authentication handler. In the current application, the encrypted password is calculated with 20 runs of SHA-512 with an APPENDED salt. However, since this encoding is delegated to Apache Shiro's DefaultHashService, it is not possible to change this hashing behavior.

This exact problem was already expected, as stated in the header of the QueryAndEncodeDatabaseAuthenticationHandler class. It states:

If the hashing behavior and/or configuration of private and public salts does not meet your needs, an extension can be developed to specify alternative methods of encoding and digestion of the encoded password.

So this is exactly what I want to achieve; however, from what I can understand of the source code, it is not possible to dynamically set the extension. It is hardcoded here.

What I understand from the rest of the source code is that you need to create a bean to resolve the requested hash service into an actual class. But before I dive into Java programming, I wanted to hear your opinions; maybe I am missing something completely here.

Thanks!

Misagh Moayyed

Sep 20, 2017, 8:47:55 AM
to cas-...@apereo.org
> Hi Cas Community,
>
> I am trying to set up a CAS server with the query and encode database authentication handler. In the current application, the encrypted password is calculated with 20 runs of SHA-512 with an APPENDED salt. However, since this encoding is delegated to Apache Shiro's DefaultHashService, it is not possible to change this hashing behavior.

What does the hash service currently not do that you want it to do? It has support for number of iterations, salt and algorithms. Is it just the "appended salt" behavior that you can't have?

Stef Schenkelaars

Sep 20, 2017, 12:48:50 PM
to CAS Community, mmoa...@unicon.net
Yes, for now it is only the appended part which is blocking. But I could also imagine other algorithms that are not supported now; think about pepper, or adding the salt every iteration. In my opinion it would be great to add the possibility to choose your hash class, just like you select your password encoder, for example. But if I am really the only one with this problem, then this might be overkill.

And in addition, I wondered why this relatively simple hashing is delegated to Apache Shiro while you can write it yourself with only the java.security.MessageDigest dependency in almost the same number of lines. The 'default' MessageDigest also supports all the algorithms. IMO this would simplify the code quite a lot. (This is how I fixed it for myself now.)

On Wednesday, 20 September 2017 14:47:55 UTC+2, Misagh Moayyed wrote:
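
A minimal MessageDigest-only implementation of the scheme Stef describes (SHA-512 run 20 times with the salt appended), as an added example that is not code from this thread, from CAS or from Apache Shiro. It assumes the salt is appended only on the first run and the remaining runs re-digest the previous output, and that Shiro's SimpleHash places the salt before the password (my understanding, included only to show that the two orders produce different stored values). The class name, method names and the sample salt and password are all hypothetical or constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/**
 * Added example, not CAS or Apache Shiro code. Implements the legacy scheme the
 * thread describes: SHA-512 over password||salt (salt APPENDED), re-digested so
 * that the digest runs `iterations` times in total. Names are hypothetical.
 */
public final class AppendedSaltHasher {

    private final String algorithm;  // any name MessageDigest knows, e.g. "SHA-512"
    private final int iterations;    // total digest runs; the thread's case is 20

    public AppendedSaltHasher(String algorithm, int iterations) {
        if (iterations < 1) {
            throw new IllegalArgumentException("iterations must be >= 1");
        }
        this.algorithm = algorithm;
        this.iterations = iterations;
    }

    /** Salt appended to the password; the remaining runs re-digest the previous output. */
    public byte[] hash(char[] password, byte[] salt) {
        return iterate(digest(toBytes(password), salt));
    }

    /**
     * Salt placed BEFORE the password. Assumed to be the order Shiro's SimpleHash
     * uses; shown only to make clear that the two orders give different digests.
     */
    public byte[] hashSaltFirst(char[] password, byte[] salt) {
        return iterate(digest(salt, toBytes(password)));
    }

    /** Verifies a candidate against the stored hex digest without an early-exit comparison. */
    public boolean matches(char[] password, byte[] salt, String storedHex) {
        byte[] expected = fromHex(storedHex);
        byte[] actual = hash(password, salt);
        return MessageDigest.isEqual(expected, actual); // constant-time compare
    }

    private byte[] digest(byte[] first, byte[] second) {
        MessageDigest md = newDigest();
        md.update(first);
        md.update(second);
        return md.digest();
    }

    private byte[] iterate(byte[] out) {
        MessageDigest md = newDigest();
        for (int i = 1; i < iterations; i++) {  // run 1 already happened in digest()
            out = md.digest(out);                // digest() resets the instance afterwards
        }
        return out;
    }

    private MessageDigest newDigest() {
        try {
            return MessageDigest.getInstance(algorithm);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("Unsupported digest: " + algorithm, e);
        }
    }

    private static byte[] toBytes(char[] password) {
        return new String(password).getBytes(StandardCharsets.UTF_8);
    }

    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    static byte[] fromHex(String hex) {
        if (hex.length() % 2 != 0) {
            throw new IllegalArgumentException("odd-length hex string");
        }
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    public static void main(String[] args) {
        AppendedSaltHasher hasher = new AppendedSaltHasher("SHA-512", 20);
        // Constructed sample values, not a real salt or credential.
        byte[] salt = "constructed-sample-salt".getBytes(StandardCharsets.UTF_8);
        char[] password = "correct horse battery".toCharArray();

        String stored = toHex(hasher.hash(password, salt)); // what the legacy DB column would hold
        System.out.println("appended-salt digest : " + stored);
        System.out.println("salt-first digest    : " + toHex(hasher.hashSaltFirst(password, salt)));
        System.out.println("correct password     : " + hasher.matches(password, salt, stored));
        System.out.println("wrong password       : " + hasher.matches("wrong".toCharArray(), salt, stored));
    }
}
```

Two points a practitioner would watch when wiring something like this into a handler: compare digests with MessageDigest.isEqual rather than Arrays.equals or String.equals, so the comparison does not leak how many leading bytes matched; and treat a fixed 20 rounds of a fast hash as a compatibility requirement for existing rows, with new credentials migrated to a slow, memory-hard password hash once they can be re-encoded.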

Misagh Moayyed

Sep 20, 2017, 2:00:03 PM
to cas-...@apereo.org
> And in addition, I wondered why this relatively simple hashing is delegated to Apache Shiro while you can write it yourself with only the java.security.MessageDigest dependency in almost the same number of lines. The 'default' MessageDigest also supports all the algorithms. IMO this would simplify the code quite a lot. (This is how I fixed it for myself now.)

I think this would be a very welcomed change, if you want to contribute the same fix.

--
--Misagh