1.4. Remember me password encryption

Remember me feature

"Remember me" (or "Remember My Login") is a feature of GateIn Portal that automatically authenticates returning users without prompting for a username and password; it is implemented with a token mechanism. When a user logs in with the 'Remember My Login' option, a token entity holding the user's credentials is generated and stored on the server side, and the token ID is sent back to the client in the "rememberme" cookie.

Symmetric encryption of passwords

The user password is encrypted and stored along with the token.

The password encryption is built on JCA (Java Cryptography Architecture) and uses the AES algorithm by default. If you do not provide your own configuration, a keystore is generated with default attributes (file name, key password, key size, and so on), so the feature works out of the box without any configuration. However, GateIn allows you to configure and use your own keystore to conform to your security policy.

Default password encryption

In the case of the GateIn package, the following two properties are written in the configuration.properties file:

gatein.codec.builderclass=org.exoplatform.web.security.codec.JCASymmetricCodecBuilder
gatein.codec.config=${gatein.conf.dir}/codec/jca-symmetric-codec.properties

The jca-symmetric-codec.properties file is then placed under the gatein/conf/codec folder. It contains the following attributes, which are used to generate the keystore file:

# Detailed information on JCA standard names could be found at
#
# http://docs.oracle.com/javase/6/docs/technotes/guides/security/StandardNames.html#KeyStore
#
# The file key.txt is generated via keytool util in JDK
#
# keytool -genseckey -alias "gtnKey" -keypass "gtnKeyPass" -keyalg "AES" -keysize 128 -keystore "key.txt" -storepass "gtnStorePass" -storetype "JCEKS"
#
#
gatein.codec.jca.symmetric.alias=gtnKey
gatein.codec.jca.symmetric.keypass=gtnKeyPass
gatein.codec.jca.symmetric.keyalg=AES
gatein.codec.jca.symmetric.keystore=key.txt
gatein.codec.jca.symmetric.storepass=gtnStorePass
gatein.codec.jca.symmetric.storetype=JCEKS

With the above attributes, the key.txt file is generated under gatein/conf/codec.

In the case of eXo Platform, the configuration.properties and jca-symmetric-codec.properties files are not packaged. So do not copy the properties from configuration.properties unless you also write your own jca-symmetric-codec.properties. As of eXo Platform 4.1.0, if you want to write your own jca-symmetric-codec.properties, you need to set the properties in exo.properties, not in configuration.properties. See Configuration overview for the exo.properties file.

gatein.codec.builderclass=org.exoplatform.web.security.codec.JCASymmetricCodecBuilder
gatein.codec.config=${exo.conf.dir}/codec/jca-symmetric-codec.properties

The keystore file is generated automatically with exactly the same attributes as in GateIn, but under a different file name: codeckey.txt (under gatein/conf/codec in Tomcat, or standalone/configuration/gatein/codec in JBoss).

How to customize

As you can see, the customization involves properties in exo.properties, jca-symmetric-codec.properties and a keystore. The goal of customization is to use your own keystore instead of the default one.

  1. Generate your own keystore file using keytool:

    keytool -genseckey -alias "customAlias" -keypass "customKeyPass" -keyalg "customAlgo" -keystore "customStore" -storepass "customStorePass" -storetype "customStoreType"

    The file name is given by the keystore parameter ("customStore" in the example). The valid values for the algorithm and the other parameters can be found here.

    Then, place the generated file under gatein/conf/codec (in Tomcat) or standalone/configuration/gatein/codec (in JBoss).

  2. Update the jca-symmetric-codec.properties file with the parameters used in your keytool command:

    gatein.codec.jca.symmetric.alias=customAlias
    gatein.codec.jca.symmetric.keypass=customKeyPass
    gatein.codec.jca.symmetric.keyalg=customAlgo
    gatein.codec.jca.symmetric.keystore=customStore
    gatein.codec.jca.symmetric.storepass=customStorePass
    gatein.codec.jca.symmetric.storetype=customStoreType

Again, in the case of the eXo Platform package, you need to create the jca-symmetric-codec.properties file yourself. You also need to put the two gatein.codec.* properties in exo.properties.
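The following is an added example, not code from GateIn or eXo Platform, showing how the attributes in jca-symmetric-codec.properties (either the default ones above or your customized values) map onto JCA calls: the store type and store password open the keystore, the alias and key password retrieve the secret key, and that key then encrypts and decrypts a password. It assumes the keystore was generated with the keytool command shown earlier and sits next to the properties file; the AES-GCM mode and the hypothetical class and method names are this demo's own choices, since the page does not state which cipher mode the codec uses.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Properties;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Demo (hypothetical class): read jca-symmetric-codec.properties, load the JCEKS key, encrypt/decrypt a password. */
public class JcaSymmetricDemo {
    private static final String P = "gatein.codec.jca.symmetric.";

    /** Opens the keystore named in the properties file (path resolved relative to that file) and returns the key. */
    static SecretKey loadKey(File propsFile) throws Exception {
        Properties props = new Properties();
        try (InputStream in = new FileInputStream(propsFile)) { props.load(in); }
        File storeFile = new File(propsFile.getAbsoluteFile().getParentFile(), props.getProperty(P + "keystore"));
        KeyStore ks = KeyStore.getInstance(props.getProperty(P + "storetype")); // "JCEKS" in the default config
        try (InputStream in = new FileInputStream(storeFile)) {
            ks.load(in, props.getProperty(P + "storepass").toCharArray());       // store password checks integrity
        }
        // The key password is separate from the store password; both are read in clear from the properties file.
        return (SecretKey) ks.getKey(props.getProperty(P + "alias"), props.getProperty(P + "keypass").toCharArray());
    }
    // AES-GCM with a fresh random 12-byte IV per call is this demo's assumption, not necessarily the codec's mode.
    static String encrypt(SecretKey key, String password) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array());
    }
    static String decrypt(SecretKey key, String encoded) throws Exception {
        byte[] all = Base64.getDecoder().decode(encoded);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, all, 0, 12)); // IV is the first 12 bytes
        return new String(c.doFinal(all, 12, all.length - 12), StandardCharsets.UTF_8);
    }
    public static void main(String[] args) throws Exception {
        SecretKey key = loadKey(new File(args.length > 0 ? args[0] : "jca-symmetric-codec.properties"));
        String token = encrypt(key, "s3cret-password");   // constructed sample password, not a real credential
        System.out.println("stored: " + token);
        System.out.println("recovered: " + decrypt(key, token));
    }
}
```

Because the store and key passwords sit in clear text in jca-symmetric-codec.properties, the properties file and the keystore should have the same restrictive file permissions; anyone able to read both can recover every password stored with remember-me tokens.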
