UNLV-ShaneD / unlvCS473kilo


Conflicting Roo versions #17

Open benallyc opened 12 years ago

benallyc commented 12 years ago

Hooray, more issues!

Matt took a look at the code I was working on yesterday, and diagnosed the major problem as being conflicts between the different versions of Roo. The more current versions of Roo were implemented with what's called @RooJpaActiveRecord, and the older Roo versions were implemented with @RooEntity (via the Spring Security plugin). I'll be working on making changes to this. Hopefully there's a convenient workaround.

UNLV-ShaneD commented 12 years ago

How is it coming? I'd like to integrate the user entity (which is responsible for holding items, transactions, and branches) with tagging tonight.

benallyc commented 12 years ago

It's looking grim right now. I tried looking over some discussion boards on Google and I'm not seeing a way around the situation with the differing Roo version entity and the RooJpaActiveRecord. Earlier I downloaded a different Roo shell than the one I was initially using, but that too didn't seem to work to our advantage.

UNLV-ShaneD commented 12 years ago

Well, if we're wasting lots of time on it with no results, let's just roll our own. No e-mail validation needed. Just have a few use cases:

- Unverified register
- Login
- Change password

Salt and hash passwords with SHA1. Very simple.

benallyc commented 12 years ago

You're right. I have never worked on anything in regard to user login authentication. Where would be a good starting point with salting and hashing passwords with SHA1?

UNLV-ShaneD commented 12 years ago

A salt is a random string appended to the password before generating a hash, e.g. SHA1. A salt is used to thwart the use of rainbow tables to crack a list of hashes.

Google query

Pseudo-code: salt = random(); calculateHash(sha1, salt + password);

The salt is calculated server-side and never leaves the server. Salts are useful in the event of a security breach - they reduce the usefulness of stolen data. They are generally only as secure as the pseudo-random number generator. Note that passwords are always stored salted and hashed - never in plain-text or unhashed.

A good starting point would be here.
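
The salt-then-hash scheme sketched in the pseudo-code above, written out as an added example (not code from the unlvCS473kilo repository or from either commenter). It follows the thread's own recipe, SHA-1 over salt + password with a salt drawn from the OS random source, and adds the two checks a practitioner wants: a per-user salt so equal passwords do not produce equal hashes, and a constant-time comparison on verification. The storage format `hex(salt):hex(hash)` is an assumption for illustration.

```python
import hashlib
import hmac
import os

# Constructed example of the thread's scheme:
#   salt = random(); hash = sha1(salt + password); store both.
SALT_BYTES = 16


def make_salt() -> bytes:
    """Fresh random salt from the OS CSPRNG; the salt is only as good as this source."""
    return os.urandom(SALT_BYTES)


def salted_sha1(salt: bytes, password: str) -> bytes:
    """SHA-1 over salt || password, exactly as in the thread's pseudo-code."""
    return hashlib.sha1(salt + password.encode("utf-8")).digest()


def store_password(password: str) -> str:
    """Return the record to persist as 'hex(salt):hex(hash)' (assumed format).

    The salt is not secret, but it is unique per user, so a rainbow table
    built for one salt is useless against every other record.
    """
    salt = make_salt()
    return salt.hex() + ":" + salted_sha1(salt, password).hex()


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, hash_hex = stored.split(":", 1)
    salt = bytes.fromhex(salt_hex)
    expected = bytes.fromhex(hash_hex)
    # hmac.compare_digest does not short-circuit on the first differing byte,
    # so response time does not leak how much of the hash matched.
    return hmac.compare_digest(expected, salted_sha1(salt, candidate))


if __name__ == "__main__":
    record = store_password("correct horse")
    print(record)
    print(verify_password(record, "correct horse"))   # True
    print(verify_password(record, "wrong horse"))     # False
```

Plain salted SHA-1 is fast to brute-force on modern hardware; the same storage and verification structure works unchanged with a slow, purpose-built password hash such as PBKDF2 (`hashlib.pbkdf2_hmac`) in place of `salted_sha1`.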

benallyc commented 12 years ago

Experiencing some Git problems, hence the latest commit to the repo displays [unknown]. However, Spring Security is implemented with SHA-256 (applicationContext-security.xml). Everything was still working before I committed. Still working on the login situation.

UNLV-ShaneD commented 12 years ago

I'm confused as to why you pushed to the main repository rather than to your own and submitting a pull request.