djoos / EscapeWSSEAuthenticationBundle

Symfony bundle to implement WSSE authentication
http://symfony.com/doc/current/cookbook/security/custom_authentication_provider.html

Using encoded passwords #20

Closed peschee closed 11 years ago

peschee commented 11 years ago

Hi There

I wonder if there's a possibility to properly use the WSSE bundle with sha1 encoded passwords (as opposed to plaintext) in symfony2. We're currently using the FOSUserBundle, and with this configuration

    encoders:
        FOS\UserBundle\Model\UserInterface: sha512

the WSSE authentication does not seem to work. However, using

    encoders:
        FOS\UserBundle\Model\UserInterface: plaintext

and sending a plaintext password when creating the token, works fine.

Any ideas?

djoos commented 11 years ago

Hi Peter,

thanks for getting in touch!

At the moment you need to use $user->getPassword() (=plain text) to create the PasswordDigest for WSSE authentication, which, especially when using https, is no issue.

Having said that, I'll try to make some time to have a look whether I could get a "encoder of choice" implemented. I actually think there was a similar question in the past - in particular FOSUserBundle-related...

Hope this helps!

Kind regards, David

peschee commented 11 years ago

Hi David

Thanks for getting back to me. Yes, the transport is not a problem when using SSL, however, the passwords are saved in plaintext in the database (format: [PLAINTEXT_PW]{SALT}) when using the plaintext encoder. This is a bigger issue to me.

Regards Peter

djoos commented 11 years ago

Hi Peter,

plain text passwords in the database are definitely no-go!

Is there any way, upon creation of the WSSE PasswordDigest, you could use FOSUserBundle's $user->getPlainPassword()? If I'm not mistaken, this would allow you to store the passwords securely in the db, but still give WSSE what it currently needs. I'm not a FOSUserBundle-user, but I think that should do the trick...

Re: encoder of choice I had a quick look at our bundle and I think I should be able to implement something like that, which would be a great addition to the bundle. I'll keep you updated!

Kind regards, David

djoos commented 11 years ago

Hi Peter,

could you give the "dev_encoder_of_choice"-branch a spin? (latest commit: 224e5fd8298b61f0bf84886170ec784eac4dafc9)

Set the sha512 encoder in your security.yml and make sure to use this encoder to generate the digest in the request. In the WSSE authentication bundle the user's encoder should now be picked up and used to check the digest - in this way you can decide which encoder to be used when generating and checking the digest for a particular user instance - rather than it being fixed to sha1 with 1 iteration encoded as base64 as before in the WSSE authentication bundle.

Thanks in advance for your feedback!

Kind regards, David
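The comment above describes the digest scheme this thread is about: the client builds a WSSE `UsernameToken` header whose `PasswordDigest` is the encoder applied to `Nonce + Created + secret`, and the server recomputes it with the encoder configured for that user instead of a fixed sha1/base64 step. The Python below is an added, stand-alone illustration of that exchange written for this page; it is not code from the EscapeWSSEAuthenticationBundle or from Symfony. The `ENCODERS` table, the `WsseVerifier` class, the user store, the secret and the timestamps are all constructed for the example, and the sha512 entry is a plain single-iteration hash rather than a model of Symfony's own `MessageDigestPasswordEncoder` settings. It also shows the two checks a verifier on the server side needs beyond the digest itself: a freshness window on `Created` and a replay cache for `Nonce`.

```python
import base64
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta, timezone


def make_encoder(algo: str, iterations: int = 1):
    """Return encode(message) -> base64 string for a hash name and iteration count."""
    def encode(message: bytes) -> str:
        out = message
        for _ in range(iterations):
            out = hashlib.new(algo, out).digest()
        return base64.b64encode(out).decode("ascii")
    return encode


# Constructed encoder table. "sha1" models the fixed "sha1, 1 iteration, base64"
# behaviour the thread mentions; "sha512" stands in for the per-user choice.
ENCODERS = {"sha1": make_encoder("sha1", 1), "sha512": make_encoder("sha512", 1)}


def password_digest(encoder: str, nonce: bytes, created: str, secret: str) -> str:
    # WSSE UsernameToken rule: PasswordDigest = encode(Nonce + Created + secret),
    # using the raw nonce bytes (the header carries them base64-encoded).
    return ENCODERS[encoder](nonce + created.encode() + secret.encode())


def build_wsse_header(username, secret, encoder, nonce=None, created=None) -> str:
    """Client side: produce the value of the X-WSSE request header."""
    nonce = nonce or os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    digest = password_digest(encoder, nonce, created, secret)
    return 'UsernameToken Username="%s", PasswordDigest="%s", Nonce="%s", Created="%s"' % (
        username, digest, base64.b64encode(nonce).decode("ascii"), created)


_FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_wsse_header(header: str) -> dict:
    if not header.startswith("UsernameToken "):
        raise ValueError("not a WSSE UsernameToken header")
    fields = dict(_FIELD_RE.findall(header))
    missing = {"Username", "PasswordDigest", "Nonce", "Created"} - fields.keys()
    if missing:
        raise ValueError("missing WSSE fields: %s" % sorted(missing))
    return fields


class WsseVerifier:
    """Server side: users maps username -> (secret, encoder name); now() is injectable for tests."""

    def __init__(self, users, lifetime_seconds=300, now=None):
        self.users = users
        self.lifetime = timedelta(seconds=lifetime_seconds)
        self.now = now or (lambda: datetime.now(timezone.utc))
        self.seen_nonces = {}  # base64 nonce -> time after which it may be forgotten

    def verify(self, header: str) -> bool:
        try:
            f = parse_wsse_header(header)
            created = datetime.strptime(f["Created"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            nonce = base64.b64decode(f["Nonce"], validate=True)
        except ValueError:
            return False
        user = self.users.get(f["Username"])
        if user is None:
            return False
        secret, encoder = user
        now = self.now()
        # Freshness: reject timestamps from the future (small clock skew allowed) or too old.
        if created > now + timedelta(seconds=30) or now - created > self.lifetime:
            return False
        # Replay protection: a nonce may be accepted once within the lifetime window.
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items() if t > now}
        if f["Nonce"] in self.seen_nonces:
            return False
        expected = password_digest(encoder, nonce, f["Created"], secret)
        if not hmac.compare_digest(expected, f["PasswordDigest"]):
            return False
        self.seen_nonces[f["Nonce"]] = now + self.lifetime
        return True


# Constructed fixed clock and user store so the demo is deterministic.
DEMO_NOW = datetime(2013, 10, 1, 12, 0, 0, tzinfo=timezone.utc)
DEMO_USERS = {"peter": ("example-secret", "sha512")}


def demo():
    """Return (valid, replayed, wrong_secret, expired) verification results."""
    v = WsseVerifier(DEMO_USERS, now=lambda: DEMO_NOW)
    good = build_wsse_header("peter", "example-secret", "sha512",
                             nonce=b"0123456789abcdef", created="2013-10-01T11:59:00Z")
    bad_secret = build_wsse_header("peter", "wrong-secret", "sha512",
                                   nonce=b"fedcba9876543210", created="2013-10-01T11:59:00Z")
    stale = build_wsse_header("peter", "example-secret", "sha512",
                              nonce=b"aaaaaaaaaaaaaaaa", created="2013-10-01T11:00:00Z")
    return (v.verify(good), v.verify(good), v.verify(bad_secret), v.verify(stale))


if __name__ == "__main__":
    print(demo())  # (True, False, False, False)
```

The secret the server feeds into `password_digest` is whatever both sides agreed to hash, so with the encoder-of-choice approach the stored value never has to be the plain-text password; the lookup of the encoder per user is the part the comment above describes, and the freshness and nonce checks are what keep a captured header from being reused.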

peschee commented 11 years ago

Hi David

Thank you for your quick response. I'll be away for the next two weeks, so I won't be able to give it a try before end of October. I'll let you know as soon as I have tested your branch. Many thanks in advance.

Regards Peter

djoos commented 11 years ago

Hi @peschee,

we've merged the dev_encoder_of_choice-branch into master (see #2c2ba7ecefd3b9a1aa7c6b42eedeac29c6837177). I'll close this issue for now, but don't hesitate to get in touch and pass on your feedback!

Kind regards, David