Hi,

DSpace Eperson password hash: https://github.com/DSpace/DSpace/blob/master/dspace-api/src/main/java/org/dspace/eperson/PasswordHash.java

Hashing the eperson password for storing purposes only allows one to secure DSpace against those who have access to the database (mainly, DSpace administrators).
However deploying DSpace without HTTPS will allow anyone on the local network to watch all passwords, as they travel as plaintext.

On 1 November 2012 08:24, Umair Kayani <ukayani@niftetrust.com> wrote:
Helix, Using SSL was our backup plan. DSpace keeps the hash of the password in database so I was wondering at what servlet this change occur. If request is going with clear password then it must be converting it to match with database password of the user for authentication. I need to know that code file or method for my understanding at least. Though I checked AuthenticationManager, AuthenticationMethod and eperson code files and found nothing there except a hashcode method in eperson code file. Can anyone confirm if this is the one which dspace uses to convert plain text password to hashcode and then match that hashcode with database hashcode.


Thanks & Regards
Umair Kayani

-----Original Message-----
From: ivan.masar@gmail.com [mailto:ivan.masar@gmail.com] On Behalf Of helix84
Sent: Wednesday, October 31, 2012 5:26 PM
To: Umair Kayani
Cc: dspace-tech@lists.sourceforge.net
Subject: [?? Probable Spam] Re: [Dspace-tech] Application Security details of dspace 1.8.2

On Wed, Oct 31, 2012 at 1:03 PM, Umair Kayani <ukayani@niftetrust.com> wrote:
> What I want is to make my login password encrypted without deploying
> SSL certificate (without going on to https). What I investigated so
> far is that my password travels in plain text on the network which is
> a security risk. But when I check my password in database it is the
> hash value so I want to know at what point my password calculates its
> hash or verify its hash. Please also let me know what code files are
> involved in all its process

That's correct, password is sent in plain text over HTTP, which is why it's recommended to use HTTPS at least for the login form.

I have to say that while it's possible to make a system which will encrypt the password being sent, that means reimplementing "something like TLS", which is bound to be a poor reimplementation and is one of the most common security mistakes in general. For that reason, I'm not going to give you tips how to do it.

I'm wondering what is the reason why you don't want to use HTTPS.
Perhaps you don't have a free IP address? The solution is to use SNI (Server Name Indication).


Regards,
~~helix84

Compulsory reading: DSpace Mailing List Etiquette https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette



------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_sfd2d_oct
_______________________________________________
DSpace-tech mailing list
DSpace-tech@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dspace-tech



--
Thanks, Joćo Melo (My Portfolio)
DSpace Department
LyncodeOfficial website
Follow us on Facebook