From: Vladimir G. <vga...@ne...> - 2009-12-26 18:42:01
In search of the place where password hashing should be implemented,
I have been having difficulty identifying the TB2 code responsible for
comparing the user-supplied password to the one stored in the db. My best
guess at the moment is that authentication is handled by the
acegi-security package -- based on this in
treebase-web/.../treebase-security.xml:

<bean id="daoAuthenticationProvider"
      class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
    <property name="userDetailsService"><ref bean="userService"/></property>
    <!-- encrypt password instead of storing in clear text in DB -->
    <!-- property name="passwordEncoder" ref="passwordEncoder"/ -->
    <!-- the next 2 lines are for debugging purpose -->
    <!-- property name="userDetailsService" ref="jdbcDaoImpl"/ -->
    <!-- property name="userDetailsService" ref="myUserServices"/ -->
</bean>
<!-- bean id="passwordEncoder"
     class="org.acegisecurity.providers.encoding.ShaPasswordEncoder"/ -->

Am I right about acegi?

The declarations commented-out above suggest that it could be possible
to get password hashing from acegi for free. Does anyone know why
this is currently disabled?

My plan now would be to learn acegi (which, btw, is SpringSecurity
starting with Spring 2.0, which TB2 uses) and what it offers for
password hashing -- unless someone offers more focused guidance on
what I should do.

I'll follow the suggestions at http://acegisecurity.org/suggested.html
--Vladimir
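
Added example, not part of the original message and not TreeBASE or Acegi code: a JDK-only sketch of what changes once the commented-out passwordEncoder property is enabled, showing that rows still holding clear-text passwords stop matching until they are rewritten as hashes. It assumes the encoder's output is lowercase hex SHA-1 with any salt merged as "password{salt}"; the class name, the sample users and the choice of username as salt are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.LinkedHashMap;
import java.util.Map;

public class PasswordEncoderMigration {

    // Assumption: same output format as Acegi's ShaPasswordEncoder, i.e. lowercase
    // hex SHA-1 of the password, with a salt (if any) merged as "password{salt}".
    static String encode(String rawPass, String salt) {
        String merged = (salt == null || salt.isEmpty()) ? rawPass : rawPass + "{" + salt + "}";
        try {
            byte[] digest = MessageDigest.getInstance("SHA-1")
                    .digest(merged.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder();
            for (byte b : digest) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-1 not available", e);
        }
    }

    // With an encoder configured, the stored column is compared with the encoding
    // of the presented password, never with the presented password itself.
    static boolean isValid(String stored, String presented, String salt) {
        return MessageDigest.isEqual(stored.getBytes(StandardCharsets.UTF_8),
                encode(presented, salt).getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed sample rows: username -> password column, clear text as today.
        Map<String, String> users = new LinkedHashMap<>();
        users.put("alice", "correct horse");
        users.put("bob", "s3cret-pw");
        String alicePw = users.get("alice");

        // Encoder switched on, rows not migrated: the right password no longer matches.
        System.out.println("before migration: " + isValid(users.get("alice"), alicePw, "alice"));

        // One-time migration: overwrite each clear-text value with its salted hash
        // (username as salt is an assumption for this sketch).
        users.replaceAll((user, clear) -> encode(clear, user));

        System.out.println("after migration:  " + isValid(users.get("alice"), alicePw, "alice"));
        System.out.println("wrong password:   " + isValid(users.get("alice"), "guess", "alice"));
        System.out.println("stored for alice: " + users.get("alice"));
    }
}
```

A single SHA-1 round is cheap to brute-force offline, so the same migration step applies unchanged if a slower hashing scheme is chosen instead.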