Re: [Jamwiki-devel] Question about code fragment
From: <jam...@li...> - 2013-03-10 19:14:34
I think the Encryption.bytes2String method can be killed - if I had to guess that's probably just very old code and no one noticed the possible cleanup.

One caveat if you're looking into the password salts is to ensure that any change will work for existing installations (or with an upgrade process). I haven't looked at that issue in a long time, but as I recall there was no easy way to upgrade existing installations to support password salts using Java 5, but the new encryption methods in Java 6 made it possible. With JAMWiki 2.0 dropping support for Java 5 it should now be feasible to support password salts and upgrades, although it has been so long since I looked at the issue that I don't remember what the specific issues requiring a new Java version were.

Let me know if you run into any problems as this was one of the items I had on the TODO list once Java 5 support was dropped.

Ryan

On 3/10/2013 11:56 AM, jam...@li... wrote:
> Hi,
>
> I stumbled about JAMWiki not using any salt for password hashing and
> wanted to start a request about it. Then I figured JIRA exists and
> found JAMWIKI-36 ... So now I'm trying to take care about it.
>
> While crawling through the code, to get an image about who's using
> what, when and why, I saw
>
> org.jamwiki.utils.Encryption.bytes2String(byte[])
>
> and am wondering, what's the concrete intention behind it? I see what
> it does and from its usage I see what it's currently expected to
> do. But to achieve the very same much simpler code would be
> sufficient. [1] So I fear there's something else "implied", which I
> don't see ...
>
> Anybody out there able to answer my question?
>
> Best regards, Peter
>
> [1]: 'new String(byteData, "US-ASCII")' or 'new String(byteData)'
> because simply casting byte to char is only valid for the very
> optimistic assumption every provided byte value represents a valid
> US-ASCII (or system default charset) character.
>
> The concrete question that came up to me is: what, if this method
> just returns a hex string representation of 'byte[]'? OTOH then
> Encryption.decrypt64(String) might break ...
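The three conversions mentioned in the thread (a per-byte cast, `new String(byteData, "US-ASCII")`, and a hex string), applied to raw digest bytes. This is an added example, not JAMWiki code and not written by either poster; `castEachByte`, `toHex`, `fromHex`, the constructed input and the choice of SHA-512 are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;

public class DigestEncodingDemo {
    // Assumed shape of a per-byte cast as described in the post (hypothetical helper).
    static String castEachByte(byte[] data) {
        StringBuilder sb = new StringBuilder(data.length);
        for (byte b : data) {
            sb.append((char) b); // sign-extends: (byte) 0x80 becomes U+FF80, not U+0080
        }
        return sb.toString();
    }

    // Lossless, charset-independent text form of arbitrary bytes.
    static String toHex(byte[] data) {
        StringBuilder sb = new StringBuilder(data.length * 2);
        for (byte b : data) {
            sb.append(String.format("%02x", b & 0xff));
        }
        return sb.toString();
    }

    static byte[] fromHex(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input; a digest normally contains many bytes >= 0x80.
        byte[] digest = MessageDigest.getInstance("SHA-512")
                .digest("constructed-sample-password".getBytes(StandardCharsets.UTF_8));

        String cast = castEachByte(digest);
        String ascii = new String(digest, StandardCharsets.US_ASCII); // non-ASCII -> U+FFFD
        String hex = toHex(digest);

        // Re-encode each string and compare with the original digest bytes.
        System.out.println("cast  survives US-ASCII re-encoding: "
                + Arrays.equals(digest, cast.getBytes(StandardCharsets.US_ASCII)));
        System.out.println("ascii survives US-ASCII re-encoding: "
                + Arrays.equals(digest, ascii.getBytes(StandardCharsets.US_ASCII)));
        System.out.println("hex   survives decoding:             "
                + Arrays.equals(digest, fromHex(hex)));
        System.out.println("bytes replaced by U+FFFD in ascii:   "
                + ascii.chars().filter(c -> c == 0xFFFD).count());
    }
}
```

The cast string can still be recovered by casting each char back to a byte, but it is not valid text in any charset once it holds bytes above 0x7F, so storing or comparing it through an encoder changes the value.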