Using Jacksum to generate hashed and salted passwords

To provide greater security for user accounts stored in users.properties, you can use the Open Source Jacksum utility to generate hashed and salted passwords for the entries in the file. For more information on hash and salt, search for hash and salt cryptography references on the Web.

1. Download and install the Jacksum software by following the instructions in http://www.jonelo.de/java/jacksum/#Installation.

CD <installation-dir>\jacksum <version>

3. Execute the following command to get an encoded password for the required string. In this example, you are encoding the string newpassword{newuser}:

java -jar jacksum.jar -a sha -E base64 -q "txt:newpassword{newuser}"

In this example, you encoded the string newpassword{newuser}, and Jacksum returned the encoded password, Y9+iCjOORQoqoTWdRgjd/81Ms9w=

This example uses the sha algorithm to hash the newpassword string, and the newuser string in the curly braces as salt.

You can use any of the popular hashing techniques that Jacksum supports, such as CRC, SHA, Tiger, sum and Whirlpool. And, you can use any string as salt in the encoding process.

4. Open the oeablSecurity-XXXX.xml configuration file you specified in the Web application's web.xml file.

5. Uncomment the code snippet that implements password hashing in the Web application.

For example, assume that you are using the Basic security configuration file, oeablSecurity-basic-local.xml. Do the following:

a. Navigate to and uncomment the code snippet in bold in the oeablSecurity-basic-local.xml:

<authentication-manager id="RestApplicationtAuth"
    <authentication-provider>
      
        <user-service properties="/WEB-INF/users.properties" />
    </authentication-provider>
</authentication-manager>

<authentication-manager id="RestApplicationtAuth"
    <authentication-provider>
        <password-encoder hash="sha" base64="true">
        <salt-source user-property="username" />
        </password-encoder>
        <user-service properties="/WEB-INF/users.properties" />
    </authentication-provider>
</authentication-manager>

6. Add the new user account, newuser, and the encoded password (that you generated in 3) to the users.properties file by appending the following line of code in it:

newuser=Y9+iCjOORQoqoTWdRgjd/81Ms9w=,ROLE_PSCAdmin,enabled

In this example, you assigned the existing ROLE_PSCAdmin role to the newuser and enabled the user account newuser to work with the REST Management Agent.

Note: The users.properties file cannot store both plain text and encoded passwords. Therefore, before adding a new user with an encoded password, you must ensure that all the existing users and the users you add to the users.properties file have encoded passwords.