[opencms-dev] Securing OpenCms workplace login

Jeremy Cavagnolo jeremy at paradoxcomponents.com
Thu Feb 10 20:32:47 CET 2005


Thanks for the suggestion, Sebastian.   I will try this later today. 
Anyone out there have some comments/documentation about the
passwordhandler in opencms-system.xml?

-jeremy


On Thu, 2005-02-10 at 11:18, Sebastian Himberger wrote:
> Hi Jeremy
> 
> you're right, multiple hosts for one ip are not possible because the 
> handshake is happening before the virtual host ist resolved. although it 
>   is possible to build a https proxy with mod_proxy and mod_rewrite. I 
> don't know if this helps in your particular case but i've attached an 
> example how i achieved ssl for multiple virtual hosts.
> 
> # SSL Proxy
> <VirtualHost *:443>
>    DocumentRoot "/"
>    ServerName ssl.server.de
>    SSLCertificateFile conf/ssl/server.cert
>    SSLCertificateKeyFile conf/ssl/server.key
>    SSLEngine on
>    RewriteEngine on
>    RewriteCond (%{HTTP_HOST}) host\.de
>    RewriteRule ^(.*) http://www.host.de$1 [P]
>    RewriteCond (%{HTTP_HOST}) host2\.de
>    RewriteRule ^(.*) http://www.host2.de$1 [P]
> </VirtualHost>
> 
> I don't know if this works with cookies but perhaps it may help you a 
> little bit.
> 
> Good luck
> Sebastian
> 
> Jeremy Cavagnolo wrote:
> > Thanks for the suggestions.  It seems to me that I would have to modify
> > the OpenCms login module to add javascript MD5 encryption.   However,
> > upon more digging, I found the following in opencms-system.xml:
> > 
> > <passwordhandler    
> >         class="org.opencms.security.CmsDefaultPasswordHandler">
> >      <encoding>UTF-8</encoding>
> >      <digest-type>MD5</digest-type>
> >      <param name="compatibility.convert.digestencoding">false</param>
> > </passwordhandler>
> > 
> > Is there any documentation on the passwordhandler in
> > opencms-system.xml?  Does this default configuration use javascript to
> > encrypt the password BEFORE sending it?
> > 
> > Thanks,
> > 
> > jeremy
> > 
> > 
> > 
> > On Thu, 2005-02-10 at 09:42, Jorge González wrote:
> > 
> >>Sorry if this doesn't work for you but...
> >>
> >>Why don't you send the password hash instead clear.
> >>You can use a simple javascript md5 hash and send the hash, not the password
> >>thru the wires.
> >>
> >>If you need all the info secured, this will not work, of course...
> >>
> >>
> >>
> >>_______________________________________________
> >>This mail is send to you from the opencms-dev mailing list
> >>To change your list options, or to unsubscribe from the list, please visit
> >>http://mail.opencms.org/mailman/listinfo/opencms-dev
> > 
> > 
> > 
> > 
> > _______________________________________________
> > This mail is send to you from the opencms-dev mailing list
> > To change your list options, or to unsubscribe from the list, please visit
> > http://mail.opencms.org/mailman/listinfo/opencms-dev
> > 
> 
> 
> 
> _______________________________________________
> This mail is send to you from the opencms-dev mailing list
> To change your list options, or to unsubscribe from the list, please visit
> http://mail.opencms.org/mailman/listinfo/opencms-dev




More information about the opencms-dev mailing list