Usernames and passwords are stored in clear text. The Remember Me feature of eXo Platform uses a token mechanism to authenticate returning users without requiring them to log in explicitly. However, to re-authenticate these users, the token has to store their usernames and passwords, and it stores them in clear text in JCR. Anyone who can read the JCR workspace (a database administrator, a backup operator, an attacker with access to a dump) can therefore read the credentials of every user who ticked Remember Me.
Administrators have two options to avoid this risk:
The first way: Disable the Remember Me feature by removing the corresponding checkbox in $TOMCAT_HOME/webapps/portal.war/login/jsp/login.jsp and in $TOMCAT_HOME/webapps/portal.war/groovy/portal/webui/UILoginForm.gtmpl. With the checkbox gone, users cannot request a token, so no credentials are written to JCR at all.
The second way: Encode passwords before they are saved to JCR, via the following steps.
This option requires administrators to provide a custom subclass of org.exoplatform.web.security.security.AbstractCodec and to register that codec implementation with CookieTokenService. Note that the codec must be reversible (CookieTokenService calls decode() to recover the password when a token is presented), so a one-way hash cannot be used here; the practical choice is a proper cipher whose key is kept outside JCR and outside the deployed jar.
Create a Java class similar to the one below:
package org.example.codec;

import org.exoplatform.container.xml.InitParams;
import org.exoplatform.web.security.security.AbstractCodec;
import org.exoplatform.web.security.security.CookieTokenService;
import org.picocontainer.Startable;

public class ExampleCodec extends AbstractCodec implements Startable
{
   // Secret suffix read from the "encodingParam" init-param in configuration.xml.
   private String simpleParam;
   private CookieTokenService cookieTokenService;

   // The kernel injects the init-params and the CookieTokenService instance.
   public ExampleCodec(InitParams params, CookieTokenService cookieTokenService)
   {
      simpleParam = params.getValueParam("encodingParam").getValue();
      this.cookieTokenService = cookieTokenService;
   }

   // Called by the container at startup: registers this codec with the token service.
   public void start()
   {
      cookieTokenService.setupCodec(this);
   }

   public void stop()
   {
   }

   /**
    * Very simple encoding algorithm used only for demonstration purposes:
    * it merely appends the parameter to the password, which any reader of
    * the JCR can undo. You should use a stronger (real cipher) algorithm
    * in a production environment.
    */
   public String encode(String plainInput)
   {
      return plainInput + simpleParam;
   }

   public String decode(String encodedInput)
   {
      // Refuse malformed input instead of failing with StringIndexOutOfBoundsException.
      if (encodedInput == null || !encodedInput.endsWith(simpleParam))
      {
         throw new IllegalArgumentException("Input was not produced by this codec");
      }
      return encodedInput.substring(0, encodedInput.length() - simpleParam.length());
   }
}
Compile the class and package it into a .jar file. In this example, the .jar file is named codec-example.jar.
Create a conf/portal/configuration.xml file inside codec-example.jar, similar to the example below, so that the portal kernel can find and instantiate the new codec implementation.
<?xml version="1.0" encoding="ISO-8859-1"?>
<configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xsi:schemaLocation="http://www.exoplaform.org/xml/ns/kernel_1_2.xsd http://www.exoplaform.org/xml/ns/kernel_1_2.xsd"
               xmlns="http://www.exoplaform.org/xml/ns/kernel_1_2.xsd">
   <component>
      <key>org.example.codec.ExampleCodec</key>
      <type>org.example.codec.ExampleCodec</type>
      <init-params>
         <value-param>
            <name>encodingParam</name>
            <value>aaa</value>
         </value-param>
      </init-params>
   </component>
</configuration>
Deploy codec-example.jar into your $TOMCAT_HOME/lib/ directory.
Start (or restart) your platform. Passwords written to JCR from now on are stored in encoded form rather than in plain text. Keep in mind that the protection is only as strong as the codec and the secrecy of its parameter: with the demonstration codec above, anyone who can read the jar's configuration.xml can strip the suffix and recover every password.
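As an added example (not part of the eXo Platform documentation or code base), the following codec replaces the demonstration string-append with AES-256-GCM, which is the kind of "stronger algorithm" the comment in the sample class asks for. It assumes the same AbstractCodec, CookieTokenService and InitParams API that the page's ExampleCodec uses, a Java 8 or later JVM, and a hypothetical keyFile init-param naming a file that holds a base64-encoded 32-byte key; the parameter name and the file layout are this example's own choices, not an eXo convention.

```java
package org.example.codec;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;

import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

import org.exoplatform.container.xml.InitParams;
import org.exoplatform.web.security.security.AbstractCodec;
import org.exoplatform.web.security.security.CookieTokenService;
import org.picocontainer.Startable;

/**
 * Reversible AES-256-GCM codec for Remember Me tokens (added example).
 * The key lives in a file outside JCR and outside the deployed jar; the
 * "keyFile" init-param is an assumed name for this example, not an eXo one.
 * Each encode() draws a fresh 96-bit IV and stores it in front of the
 * ciphertext; decode() authenticates the token before returning anything.
 */
public class AesGcmCodec extends AbstractCodec implements Startable
{
   private static final int IV_BYTES = 12;   // 96-bit nonce, the GCM recommendation
   private static final int TAG_BITS = 128;  // full-length authentication tag
   private static final SecureRandom RNG = new SecureRandom();

   private final SecretKeySpec key;
   private final CookieTokenService cookieTokenService;

   public AesGcmCodec(InitParams params, CookieTokenService cookieTokenService)
   {
      String keyFile = params.getValueParam("keyFile").getValue();
      try
      {
         String b64 = new String(Files.readAllBytes(Paths.get(keyFile)), StandardCharsets.UTF_8).trim();
         byte[] raw = Base64.getDecoder().decode(b64);
         if (raw.length != 32)
         {
            throw new IllegalStateException("keyFile must contain a base64-encoded 32-byte key");
         }
         this.key = new SecretKeySpec(raw, "AES");
      }
      catch (IOException e)
      {
         throw new IllegalStateException("Cannot read Remember Me key file " + keyFile, e);
      }
      this.cookieTokenService = cookieTokenService;
   }

   public void start() { cookieTokenService.setupCodec(this); }

   public void stop() { }

   public String encode(String plainInput)
   {
      try
      {
         byte[] iv = new byte[IV_BYTES];
         RNG.nextBytes(iv);
         Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
         c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
         byte[] ct = c.doFinal(plainInput.getBytes(StandardCharsets.UTF_8));
         byte[] out = new byte[IV_BYTES + ct.length];          // iv || ciphertext+tag
         System.arraycopy(iv, 0, out, 0, IV_BYTES);
         System.arraycopy(ct, 0, out, IV_BYTES, ct.length);
         return Base64.getEncoder().encodeToString(out);
      }
      catch (GeneralSecurityException e)
      {
         throw new IllegalStateException("Remember Me encode failed", e);
      }
   }

   public String decode(String encodedInput)
   {
      byte[] in = Base64.getDecoder().decode(encodedInput);
      if (in.length < IV_BYTES + TAG_BITS / 8)
      {
         throw new IllegalArgumentException("Token too short to be a valid ciphertext");
      }
      try
      {
         Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
         c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, in, 0, IV_BYTES));
         byte[] pt = c.doFinal(in, IV_BYTES, in.length - IV_BYTES);
         return new String(pt, StandardCharsets.UTF_8);
      }
      catch (GeneralSecurityException e)
      {
         // Wrong key or a tampered token: refuse rather than hand back garbage.
         throw new IllegalArgumentException("Token failed authentication", e);
      }
   }
}
```

To deploy it, register org.example.codec.AesGcmCodec as the component key and type in conf/portal/configuration.xml, replacing the encodingParam value-param with a keyFile value-param that points at the key file (for instance one created with openssl rand -base64 32 and readable only by the account that runs Tomcat). Keep the key out of the jar's configuration.xml: the jar sits in $TOMCAT_HOME/lib and is readable by anyone with filesystem access. Rotating or losing the key invalidates outstanding Remember Me tokens, which only forces those users to log in again; on JDKs older than 8u161 a 256-bit key also needs the unlimited-strength JCE policy files installed.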