camunda BPM / CAM-7300

Process Engine should use strongest hashing algorithm available in JDK for passwords

    Details

    • Type: Task
    • Status: Closed
    • Priority: L3 - Default
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 7.7.0, 7.7.0-alpha1
    • Component/s: engine
    • Labels:
      None

      Description

      AT:

      • Process engine uses strongest hashing algorithm available in JDK

      NOTE: think about backwards compatibility

        Issue Links

          Activity

          christopher.zell Christopher Zell added a comment - Std. Message Digest https://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#MessageDigest
          thorben.lindhauer Thorben Lindhauer added a comment -

          Review:

          • DatabasePrefixHandler
            • visibility modifier for field pattern
            • outer group in the pattern is apparently not required
          • DatabasePrefixHandlerTest
            • might be a candidate for parameterized JUnit tests (see https://github.com/junit-team/junit4/wiki/Parameterized-tests)
          • PasswordHashingTest
            • Performance can be improved by making the bootstrap rule a class rule and set the changed engine properties in an @After method
            • test readability becomes even better when classes like MyConstantSaltGenerator and MyCustomPasswordEncryptor take their properties as constructor parameters
            • #prefixThatCannotBeResolvedThrowsError: there should be only one line of code after setting an expected exception
          johannes.heinemann Johannes Heinemann added a comment -

          Remark to review hint: parameterized JUnit tests for the DatabasePrefixHandlerTest class make no sense here, as they clutter up the test result making it hard to find out which test actually failed.
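
          An added sketch, not the engine's own code, of how an algorithm prefix on the stored hash lets new passwords use a stronger digest while old records stay verifiable, and why an unresolvable prefix has to fail, as the ticket's backwards-compatibility note and the review of DatabasePrefixHandler suggest. The class name, the `{ALGORITHM}` layout, the choice of SHA-512 and SHA-1, and all sample values are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import java.util.regex.*;

// Hypothetical demo class; names and storage layout are assumptions, not the engine's API.
public class PrefixedPasswordHashDemo {
  // Assumed layout of a stored value: "{ALGORITHM}" + Base64(digest(password + salt)).
  private static final Pattern PREFIX = Pattern.compile("^\\{(.*?)\\}");
  // New hashes use the first entry; later entries stay verifiable for old records.
  private static final List<String> ALLOWED = Arrays.asList("SHA-512", "SHA-1");

  static String digest(String algorithm, String password, String salt) throws NoSuchAlgorithmException {
    byte[] raw = MessageDigest.getInstance(algorithm)
        .digest((password + salt).getBytes(StandardCharsets.UTF_8));
    return Base64.getEncoder().encodeToString(raw);
  }

  static String encrypt(String password, String salt) throws NoSuchAlgorithmException {
    return "{" + ALLOWED.get(0) + "}" + digest(ALLOWED.get(0), password, salt);
  }

  static boolean check(String candidate, String salt, String stored) throws NoSuchAlgorithmException {
    Matcher m = PREFIX.matcher(stored);
    // Reject values whose prefix is missing or names an algorithm that is not registered.
    if (!m.find() || !ALLOWED.contains(m.group(1))) {
      throw new IllegalArgumentException("Cannot resolve hash algorithm prefix");
    }
    String expected = stored.substring(m.end());
    String actual = digest(m.group(1), candidate, salt);
    // Constant-time comparison of the two encoded digests.
    return MessageDigest.isEqual(actual.getBytes(StandardCharsets.UTF_8),
        expected.getBytes(StandardCharsets.UTF_8));
  }

  public static void main(String[] args) throws Exception {
    byte[] saltBytes = new byte[16];
    new SecureRandom().nextBytes(saltBytes);
    String salt = Base64.getEncoder().encodeToString(saltBytes);
    String fresh = encrypt("s3cret", salt);                    // constructed sample
    String old = "{SHA-1}" + digest("SHA-1", "s3cret", salt);  // constructed old record
    System.out.println(fresh.startsWith("{SHA-512}") && check("s3cret", salt, fresh));
    System.out.println(check("s3cret", salt, old) && !check("wrong", salt, old));
    try { check("s3cret", salt, "{ROT13}abc"); }
    catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
  }
}
```

          Resolving the prefix against a fixed list, rather than passing it straight to `MessageDigest.getInstance`, keeps a tampered or corrupted database value from selecting an arbitrary digest.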


            People

            • Assignee: Thorben Lindhauer (thorben.lindhauer)
            • Reporter: Daniel Meyer (meyer)
            • Votes: 0
            • Watchers: 4
