The automatic login feature of GateIn Portal uses a token mechanism to authenticate returning users without asking them to log in explicitly.
At the moment the token storage contains a security hole: user passwords are persisted in plain form. The high risk of such an unsecured implementation pushed us to find an encryption mechanism which:
* is based on a secure algorithm;
* works with secret factors created and maintained by customers;
* generates encrypted data that is not too long.
We decided to build a symmetric encryption on top of JCA (the Java Cryptography Architecture library), whose default algorithm is AES.
The default configuration entry of the JCA-based encryption is declared in the configuration.properties file:
gatein.codec.builderclass=org.exoplatform.web.security.codec.JCASymmetricCodecBuilder
gatein.codec.config=${gatein.conf.dir}/codec/jca-symmetric-codec.properties
Detailed parameters for encryptions whose builder is org.exoplatform.web.security.codec.JCASymmetricCodecBuilder are read from the file jca-symmetric-codec.properties:
# Detailed information on JCA standard names can be found at
#
# http://docs.oracle.com/javase/6/docs/technotes/guides/security/StandardNames.html#KeyStore
#
# The file key.txt is generated via the keytool utility in the JDK:
#
# keytool -genseckey -alias "gtnKey" -keypass "gtnKeyPass" -keyalg "AES" -keysize 128 -keystore "key.txt" -storepass "gtnStorePass" -storetype "JCEKS"
#
gatein.codec.jca.symmetric.alias=gtnKey
gatein.codec.jca.symmetric.keypass=gtnKeyPass
gatein.codec.jca.symmetric.keyalg=AES
gatein.codec.jca.symmetric.keystore=key.txt
gatein.codec.jca.symmetric.storepass=gtnStorePass
gatein.codec.jca.symmetric.storetype=JCEKS
A crucial point of our encryption is that the secret factors (algorithm, key storage, key size, ...) are created and maintained on the customer side, so they remain private to the customer.
Below are the steps to customize those secret factors in products using JCASymmetricCodecBuilder.
Generate secret key via keytool
$JAVA_HOME/bin/keytool -genseckey -alias "customAlias" -keypass "customKeyPass" -keyalg "customAlgo" -keystore "customStore" -storepass "customStorePass" -storetype "customStoreType"
The above keytool command generates a secret key stored in a file named customStore. Copy the file to the directory gatein/conf/codec.
Notes:
* The list of standard algorithm names can be found in the JCA standard names document (http://docs.oracle.com/javase/6/docs/technotes/guides/security/StandardNames.html).
* Extra parameters for keytool might be required for special algorithms.
* In JCA, only the JCEKS store type supports symmetric keys.
Update jca-symmetric-codec.properties
The remaining work is to update the file jca-symmetric-codec.properties with the parameters used in the previous step:
gatein.codec.jca.symmetric.alias=customAlias
gatein.codec.jca.symmetric.keypass=customKeyPass
gatein.codec.jca.symmetric.keyalg=customAlgo
gatein.codec.jca.symmetric.keystore=customStore
gatein.codec.jca.symmetric.storepass=customStorePass
gatein.codec.jca.symmetric.storetype=customStoreType
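As an added example (not part of the original page and not GateIn's own JCASymmetricCodec code), the following stand-alone Java program does in code what the two steps above do: it creates the same kind of JCEKS secret-key store that the keytool command produces, then opens the store by the alias, key password and store password named in jca-symmetric-codec.properties and round-trips a constructed sample value through AES. The class and method names (JcaSymmetricDemo, generateKeystore, loadKey) are assumptions made for this example.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

// Stand-alone demo, not GateIn's JCASymmetricCodec: builds a JCEKS keystore like the
// keytool step, loads the key by alias as the codec does, and runs an AES round trip.
public class JcaSymmetricDemo {
    // Values mirror the default jca-symmetric-codec.properties entries.
    static final String ALIAS = "gtnKey", KEY_PASS = "gtnKeyPass", STORE_PASS = "gtnStorePass";
    static final String KEY_ALG = "AES", STORE_TYPE = "JCEKS", STORE_FILE = "key.txt";

    // Equivalent of: keytool -genseckey -keyalg AES -keysize 128 -storetype JCEKS
    static void generateKeystore() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance(KEY_ALG);
        kg.init(128);
        KeyStore ks = KeyStore.getInstance(STORE_TYPE); // JKS cannot hold a SecretKeyEntry
        ks.load(null, null);                            // start from an empty store
        ks.setEntry(ALIAS, new KeyStore.SecretKeyEntry(kg.generateKey()),
                new KeyStore.PasswordProtection(KEY_PASS.toCharArray()));
        try (FileOutputStream out = new FileOutputStream(STORE_FILE)) {
            ks.store(out, STORE_PASS.toCharArray());
        }
    }

    // What the codec does at startup: open the store and fetch the key by alias.
    static SecretKey loadKey() throws Exception {
        KeyStore ks = KeyStore.getInstance(STORE_TYPE);
        try (FileInputStream in = new FileInputStream(STORE_FILE)) {
            ks.load(in, STORE_PASS.toCharArray());
        }
        return (SecretKey) ks.getKey(ALIAS, KEY_PASS.toCharArray());
    }

    public static void main(String[] args) throws Exception {
        generateKeystore();
        SecretKey key = loadKey();
        String token = "constructed-sample-password";           // constructed input
        Cipher c = Cipher.getInstance(KEY_ALG);                   // provider default mode/padding
        c.init(Cipher.ENCRYPT_MODE, key);
        String stored = Base64.getEncoder().encodeToString(c.doFinal(token.getBytes(StandardCharsets.UTF_8)));
        c.init(Cipher.DECRYPT_MODE, key);
        String back = new String(c.doFinal(Base64.getDecoder().decode(stored)), StandardCharsets.UTF_8);
        System.out.println(stored + " -> " + back + (token.equals(back) ? " (round trip OK)" : " (MISMATCH)"));
    }
}
```

Running it with a JKS store type instead of JCEKS fails at setEntry, which is the practical reason behind the note that only JCEKS supports symmetric keys.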