Custom Password Encryption

How do I configure Penrose to recognize passwords encrypted with a custom algorithm? The answer depends on whether the password encryption is reversible.

Reversible Encryption

If the password encryption can be reversed, your custom algorithm can be used directly in the partition's mapping.xml file. This process is summarized at Authentication, in the "Using Different Encoding" section. The userPassword and encPassword mapping expressions call your encrypt and decrypt methods, which you need to package as a jar. Place this jar file in PENROSE_SERVER_HOME/lib/ext. If you use Studio, you will also need to place a copy of the jar file in PENROSE_STUDIO_HOME/plugins/org.safehaus.penrose_x.x.x/lib, and then add a reference to your jar in PENROSE_STUDIO_HOME/plugins/org.safehaus.penrose_x.x.x/META-INF/MANIFEST.MF.

Non-Reversible Hash

If your password encryption cannot be reversed, you will need to implement your password hash as a custom Penrose module. For an overview of creating a custom module, refer to Custom Modules.

To create the necessary module, Penrose server versions prior to 1.2 need a minor tweak that allows a module to modify data before it is acted on. An updated copy of the penrose-1.1.2 jar file is attached; if you would like more details on this change, or you would like to patch and rebuild Penrose yourself, please refer to http://jira.safehaus.org/browse/PENROSE-206. The patched Penrose server jar file will need to be placed in PENROSE_SERVER_HOME/lib. If you use Studio, you will also need to place a copy of the jar file in PENROSE_STUDIO_HOME/plugins/org.safehaus.penrose_x.x.x/lib.

Once the Penrose server is patched, you can create a module that hashes the clear-text password before it is used. As far as Penrose is concerned, a clear-text password is being used throughout the system. In fact, the new module always converts the real clear-text password into the hashed password. A template for this module is attached; it is named PasswordEncryption.java. Just add your own encryption algorithm, rebuild using 'ant rebuild' and deploy as described in the custom module overview.
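The following is an added sketch of the transformation such a module applies, not code from this page or from the attached PasswordEncryption.java template. It uses no Penrose API; the class and method names, the PBKDF2 parameters and the DN-derived salt are assumptions, chosen to show that the hash must be reproducible from what is available at bind time.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Locale;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added illustration with hypothetical names; not the attached template.
public class PasswordHashSketch {

    // Assumed parameters; they must match whatever wrote the stored values.
    static final int ITERATIONS = 100_000;
    static final int KEY_BITS = 256;

    // The transformation a module would apply to the incoming password.
    // It has to be deterministic from data available at bind time, so the
    // salt here is derived from the normalized bind DN (an assumption).
    static String hash(String bindDn, char[] clearText) throws Exception {
        byte[] salt = MessageDigest.getInstance("SHA-256").digest(
                bindDn.trim().toLowerCase(Locale.ROOT).getBytes(StandardCharsets.UTF_8));
        PBEKeySpec spec = new PBEKeySpec(clearText, salt, ITERATIONS, KEY_BITS);
        try {
            byte[] key = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
            return Base64.getEncoder().encodeToString(key);
        } finally {
            spec.clearPassword(); // wipe the copy held by the key spec
        }
    }

    // Stand-in for the server's comparison: it only ever sees the hashed
    // value and treats it as if it were the clear-text password.
    static boolean matches(String stored, String presented) {
        return MessageDigest.isEqual(stored.getBytes(StandardCharsets.UTF_8),
                presented.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        String dn = "uid=jdoe,ou=Users,dc=example,dc=com"; // constructed sample
        String stored = hash(dn, "correct horse".toCharArray()); // value held by the backend
        System.out.println("good password:   "
                + matches(stored, hash(dn, "correct horse".toCharArray())));
        System.out.println("bad password:    "
                + matches(stored, hash(dn, "wrong".toCharArray())));
        // A DN that differs only in case must still produce the same hash.
        System.out.println("case-variant DN: " + matches(stored,
                hash("UID=jdoe,ou=Users,DC=example,DC=com", "correct horse".toCharArray())));
    }
}
```

If the stored values use a random per-user salt instead, the module would have to read that salt from the backend before hashing, because the comparison downstream is a plain equality check.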

Code Example