Vytautas R
Decrypting portal user password
December 8, 2009 6:58 AM

Hi,

I'm developing login logic through Facebook Connect and need some hint.
After I get the Facebook user ID, which is mapped to a portal user ID, I want to log the user in to its account. I retrieve the particular User object; its password is encrypted in the DB. I want to use
LoginUtil.login(request, response, login, password, rememberMe, authType);
so, I need password unencrypted.
Encryptor.decrypt() method gives exception:
javax.crypto.IllegalBlockSizeException: Input length must be multiple of 8 when decrypting with padded cipher

What should I do about that?
Maybe there is some other way to log a user in to Liferay?

BTW, I'm doing all this stuff in LoginAction (EXT env).

Any thoughts greatly appreciated. Thanks!
Vytautas R
RE: Decrypting portal user password
December 9, 2009 5:03 AM

Forgot to mention - I'm using Liferay Portal v5.2.2
Vytautas R
RE: Decrypting portal user password
December 28, 2009 1:01 AM

I don't believe there is no one who knows the answer to that simple question! Help, anybody.
Shagul Khajamohideen
RE: Decrypting portal user password
December 28, 2009 1:50 PM

Hi,

I don't see a decrypt method in PwdEncryptor.java. You may have to collect a clear text password from the Facebook application.


Best Regards,
Shagul
György Vilmos Papp
RE: Decrypting portal user password
December 29, 2009 6:35 AM

IMHO you can't decrypt it. At first, it wouldn't be very safe if the passwords could be decrypted; at second, if you check the file portal-impl/src/com/liferay/security/pwd/PWDEncryptor.java you see that the encoding mechanism creates hash codes from the plaintext password, so there is no way to decode it. But maybe I am wrong. If security is not important you could instruct Liferay somehow to use unencrypted passwords, but I wouldn't suggest it!!!

Maybe you could extend LoginUtil to log in the user with the encrypted password, not with a plaintext password. Or you have to have a look at how the SSO solutions are developed for Liferay, e.g. OpenSSO, CAS or SiteMinder autologin.
Rishi Dev Gupta
RE: Decrypting portal user password
February 7, 2010 11:39 PM

Have you got the solution for this, as I am also stuck at the same point?
Vytautas R
RE: Decrypting portal user password
February 8, 2010 6:04 AM

Rishi Dev Gupta:
Have you got the solution for this, as I am also stuck at the same point?


Hi, Rishi.

No, I don't have the solution for decrypting the Liferay password. As I understood, it is not impossible to decrypt it at all, because of the algorithm used for encryption.
But what is the purpose of Encryptor.decrypt() method then? I'm confused.
Please let me know, if you work out something. Thanks!
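
An added example, not from any poster and not Liferay's own code, showing why a stored password hash cannot be handed to a cipher's decrypt call while a value the server itself encrypted can. The class name, SHA-1, DES and the sample values are assumptions chosen to reproduce the 8-byte block size named in the exception quoted in the first post.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

// Added illustration: SHA-1, DES and the sample values below are assumptions.
public class HashVersusCipher {

    // One-way: the form a hashed password column holds (SHA-1 assumed here).
    static String hash(String clearText) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-1")
                .digest(clearText.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(digest);
    }

    // Verification never decrypts: hash the candidate, compare in constant time.
    static boolean verify(String candidate, String storedHash) throws Exception {
        return MessageDigest.isEqual(
                Base64.getDecoder().decode(hash(candidate)),
                Base64.getDecoder().decode(storedHash));
    }

    // Reversible: only values this cipher produced can be fed back to decrypt().
    // DES is used solely to match the 8-byte block in the quoted exception.
    static String encrypt(SecretKey key, String clearText) throws Exception {
        Cipher c = Cipher.getInstance("DES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key);
        return Base64.getEncoder().encodeToString(
                c.doFinal(clearText.getBytes(StandardCharsets.UTF_8)));
    }

    static String decrypt(SecretKey key, String encoded) throws Exception {
        Cipher c = Cipher.getInstance("DES/ECB/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, key);
        return new String(c.doFinal(Base64.getDecoder().decode(encoded)),
                StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        SecretKey key = KeyGenerator.getInstance("DES").generateKey();
        String stored = hash("constructed-sample-password");
        System.out.println("verify: " + verify("constructed-sample-password", stored));
        System.out.println("round trip: " + decrypt(key, encrypt(key, "10137")));
        try {
            // A SHA-1 digest is 20 bytes, not a multiple of the 8-byte block.
            decrypt(key, stored);
        } catch (IllegalBlockSizeException e) {
            System.out.println("decrypting the hash fails: " + e.getMessage());
        }
    }
}
```
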
Fuad Efendi
RE: Decrypting portal user password
February 12, 2010 2:46 PM

Ok, is it possible to decrypt!? Yes!

Try this:

    UserLocalServiceUtil.decryptUserId(companyId, userId, password);

I found this by analyzing autologin hooks,

    auto.login.hooks= ... com.liferay.portal.security.auth.RememberMeAutoLogin

- check this class (and others too)

I don't have time to test, check this:

    if (company.isAutoLogin()) {
        kvp = UserLocalServiceUtil.decryptUserId(
            company.getCompanyId(), autoUserId, autoPassword);

        credentials = new String[3];

        credentials[0] = kvp.getKey();
        credentials[1] = kvp.getValue();
        credentials[2] = Boolean.FALSE.toString();
    }

For instance, OpenSSO Auto Login uses this:

    credentials[0] = String.valueOf(user.getUserId());
    credentials[1] = user.getPassword();
    credentials[2] = Boolean.TRUE.toString();

Notice, Boolean.TRUE vs. Boolean.FALSE, and no decrypting code for OpenSSO. You don't have to decrypt (look at OpenSSOAutoLogin).
Fuad Efendi
RE: Decrypting portal user password
February 12, 2010 3:33 PM

Authentication Made Easy!

Use this:

    jPassword = user.getPassword(); // it is encrypted!
    jUsername = user.getUserId();
    session.setAttribute("j_username", jUsername);
    session.setAttribute("j_password", jPassword);
    response.sendRedirect("somewhere...");

And, check code of com.liferay.portal.servlet.filters.autologin.AutoLoginFilter.

P.S.
Using this can really break Liferay... because we need to use hooks instead!

Implement class similar to OpenSSOAutoLogin, register it in portal-ext.properties.

    public String[] login(
            HttpServletRequest request, HttpServletResponse response)

- this method should return (in your case):
User ID (long)
Password (encrypted)
Boolean.TRUE ("true" means password is encrypted)
Balazs Zsoldos
RE: Decrypting portal user password
August 5, 2010 5:49 AM

Hi,

if it is ok for you to get the password for the currently logged on user, there is a possibility I described at the website of my company.

You can get the user and password in this way everywhere where you can see the cookies of liferay (basically everywhere within the same domain)

Regards,
Balazs
Michael Poznecki
RE: Decrypting portal user password
May 18, 2010 10:40 AM

If Liferay was using something other than one-way hash to encrypt the password, we would all have to throw it away! Passwords should NEVER have the ability to be decrypted. Even asking to do this should get you banned. We don't want hackers around here.
Brian Ko
RE: Decrypting portal user password
May 18, 2010 11:35 AM

Michael,

Here is my use case. Please let me know if you have any suggestion.

I need to use AD and NTLM for authentication, which means I would not even see the password entered by the client. However, one of our portal apps is Lotus Notes, which uses an LTPA token for authentication. To access Lotus Notes from the portal without logging in again, I need to put the password in the browser session. Since the password is not known to the server, my plan is to get it from the database. (Of course, the AD should be configured to sync the password with the portal user database.)

All this idea is not going to work if I cannot decrypt the password. Do you have any suggestion?

Brian Ko
Rishi Dev Gupta
RE: Decrypting portal user password
June 28, 2010 2:30 AM

Brian

I haven't tried this, but you have to implement your own encryption and decryption logic using any of the standard encryption algorithms available. You can plug this into the portal source to make it work... for this you will need to bring a couple of source files into ext to override them at the time of deployment...
James McGovern
RE: Decrypting portal user password
June 28, 2010 11:34 AM

You should not go down the path of even thinking about the password. Instead consider a federated approach and understand whether approaches that use SAML will work for you.
Brian Ko
RE: Decrypting portal user password
June 28, 2010 12:49 PM

James,

I think you are right. However, I have to use NTLM. There is no easy way to solve this issue.

Brian
James McGovern
RE: Decrypting portal user password
June 29, 2010 5:07 AM

Liferay can support login via NTLM, however there are several things you need to noodle including but not limited to the fact that your network administrator when you go Windows 2003 Native Mode, NTLM will automatically be turned off and you would be left without a solution.

In terms of the upgrade path, I have already submitted one request to support Information Cards which is Microsoft's long term direction. You may want to consider voting for this as a backup approach.
Brian Ko
RE: Decrypting portal user password
June 29, 2010 10:11 AM

James,

I am planning to use NTLM, but I found our admin team has a plan to upgrade to Windows Server 2003. Do you know any website or reference that I can read to understand the technology? Thank you in advance.

Brian
Ali Shahrami
RE: Decrypting portal user password
July 23, 2010 6:10 AM

Fuad Efendi:
Ok, is it possible to decrypt!? Yes!
No

It is not possible. Not this way, as far as I know.


Fuad Efendi:

    if (company.isAutoLogin()) {
        kvp = UserLocalServiceUtil.decryptUserId(
            company.getCompanyId(), autoUserId, autoPassword);

        credentials = new String[3];

        credentials[0] = kvp.getKey();
        credentials[1] = kvp.getValue();
        credentials[2] = Boolean.FALSE.toString();
    }



But there is really no need to decrypt password.

Take a look at LoginUtil and you will see that encrypted password is being added to session and cookie.

Fuad you gave me a very good hint and I'm thankful for that. This is how I did it:

    String userIdString = String.valueOf(userId);

    session.setAttribute("j_username", userIdString);
    session.setAttribute("j_password", user.getPassword()); // encrypted password
    session.setAttribute("j_remoteuser", userIdString);
    session.setAttribute("USER_PASSWORD", user.getPassword()); // encrypted password

    // you also need to create the following cookies
    Cookie companyIdCookie = new Cookie(
        "COMPANY_ID", String.valueOf(company.getCompanyId()));

    Cookie idCookie = new Cookie("ID",
        UserLocalServiceUtil.encryptUserId(userIdString));

    Cookie passwordCookie = new Cookie("PASSWORD", user.getPassword());

    Cookie loginCookie = new Cookie("LOGIN", user.getEmailAddress()); // if you login with email address

    Cookie screenNameCookie = new Cookie("SCREEN_NAME",
        Encryptor.encrypt(company.getKeyObj(), user.getScreenName()));

This is not all you have to do, for more info refer to com.liferay.portlet.login.util.LoginUtil

I should say that I got this to work from a plugin, rather than ext. env., and I DID NOT add ext-impl.jar in the plugin's classpath, which is a very bad practice to begin with.
György Vilmos Papp
RE: Decrypting portal user password
August 4, 2010 4:39 AM

There is a much easier way to solve this problem than decrypting passwords:

You should create a Hook plugin for LoginPreAction (or something similar) and store the password sent to the server in your session if you need it.
Olaf Kock
RE: Decrypting portal user password
August 9, 2010 12:17 AM
LIFERAY STAFF

György Vilmos Papp:
There is a much easier way to solve this problem than decrypting passwords:

You should create a Hook plugin for LoginPreAction (or something similar) and store the password sent to the server in your session if you need it.


That is, if there is no SSO solution in place where you authenticate to the SSO server instead of Liferay - this way even the LoginPreAction never sees the unencrypted password. Fiddling with plain text passwords is really evil.

The "correct" way (especially in terms of SSO) to incorporate a user would be to obtain some ticket from the SSO server or redirect the browser to get it. Of course there is also the other evil way: Using some administrative access for other systems to make changes on behalf of the user.
György Vilmos Papp
RE: Decrypting portal user password
August 10, 2010 1:46 AM

You are right, Olaf, but sometimes, e.g. when you want to use Liferay's e-mail portlet, which stores the e-mail password in a Base64 encoded format in the file system (what is another no-no, I guess), you need some workaround. I did it that way as we have no SSO server currently. And the e-mail portlet needs the unencrypted password to authenticate the user to the mail server.
Olaf Kock
RE: Decrypting portal user password
August 10, 2010 3:09 AM
LIFERAY STAFF

Yes, correct, it might happen that there is a scenario where it makes sense to have the passwords. However, I'd argue that "knowingly providing passwords" so that a server can do something for me differs fundamentally from the server being able to decrypt passwords used for login to it. If passwords are stored on the server for such a purpose they must be stored with a reversible cipher, but in 98% of cases that I've seen they differ from the passwords used for login - if only because they can be changed independently from each other.

Please don't take my rants as offensive - it's just that I have the habit of strongly opposing the notion of being able to decrypt users' passwords for the sake of using them elsewhere. I understand that there might indeed be use cases. But in a public forum like this, 95% of readers would have the impression that it's possible & worth the hassle to decrypt some passwords. Therefore I take strong opposition, knowing that the situation currently asked for might actually be one of the exceptional use cases.

That said, good to know that your problem is solved. To the others: Note that this stunt has been performed by professionals, the roads have been closed during taping of the show, and you shouldn't try this at home ;-)
György Vilmos Papp
RE: Decrypting portal user password
August 10, 2010 6:11 AM

Well, thanks Olaf :-) I didn't think it was an offensive response for me. And actually this could be used only for limited scenarios by professionals.
Mahmudur Rahman Manna
RE: Decrypting portal user password
August 16, 2010 12:12 PM

Ok, I got a scenario here: I am working with Liferay 5.2.3, CAS 3.4 and OpenLDAP 2.4.

Liferay needs to import users from LDAP at startup, or while logging in if the user does not exist in the Liferay database. The funny thing I got is:

    ldap.security.credentials=secret

How can I put LDAP root user credentials in such a plain way in this property file, is not it breaking security of the whole Enterprise?

Ok, I have decided not to use import in this way. But whenever a single user tries to log in, if he does not exist in Liferay, only his data will be imported from LDAP through the credentials that he has entered in the login UI of CAS. But where is the password? Is there any way to do it such way.

Please advise me.


-Manna
Hugh Martin
RE: Decrypting portal user password
October 9, 2010 12:20 PM

Brian,

Did you ever achieve your SSO issue with Notes? We have the same issue and are assuming we'll have to implement LTPA within the app server, such as by deploying Liferay on WebSphere Application Server.

Hugh