<div dir="ltr">Hi Michael,<div><br></div><div>I've implemented the following which works as expected:</div><div>- fast performance, equal to the yanel version before the introduction of BCrypt</div><div>- also does the autoupdate of passwords in old formats</div><div><br></div><div>Code Changes in org.wyona.security.impl.yarep.YarepUser.java:</div><div><br></div><div>Constructor public YarepUser(UserManager userManager, GroupManager groupManager, Node node):</div><div>I just removed this section:</div><div><div>if(hashingAlgorithm != null && !hashingAlgorithm.startsWith("bcrypt")) {</div><div> upgradeDoubleHash(this.hashedPassword, this.hashingAlgorithm);</div><div>}</div></div><div><br></div><div>and inserted it into a new overriding method:</div><div><br></div><div><div>@Override</div><div>public void save() throws AccessManagementException {</div><div> try {</div><div> // Check if we need to upgrade the password hash</div><div> if(hashingAlgorithm != null && !hashingAlgorithm.startsWith("bcrypt")) {</div><div> upgradeDoubleHash(this.hashedPassword, this.hashingAlgorithm);</div><div> }</div><div> } catch (Exception e) {</div><div> }</div><div> super.save();</div><div>}</div></div><div><br></div><div><br></div><div>The result is obvious, only if the user object gets saved and the password is not yet in the new format (bcrypt), the hashed passwords gets upgraded and then saved (calling save() of the YarepItem class).</div><div><br></div><div>This seems to me a very solid solution.</div><div><br></div><div>What do you think?</div><div><br></div><div>Do you need a git pull request for this?</div><div><br></div><div>This is NOT URGENT for me personally, as I have overwritten the class YarepUser in my realm, but I think it is an essential patch for yanel and users who are using yanel with a high user base.</div><div><br></div><div>Cheers, </div><div>Balz</div><div><br></div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Aug 12, 2016 at 2:45 PM, basZero <span dir="ltr"><<a href="mailto:baszero@gmail.com" target="_blank">baszero@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi Michael,<div><br></div><div>I found the root cause for the very poor performance!</div><div>As you know of course, the user's passwords are encrypted and generated with the newly introduced bcrypt algorithm.</div><div><br></div><div>When I did the upgrade to the latest Yanel version I was aware of this upgrade, however I somehow assumed that the password-update in the user XML would only be updated at LOGIN or when the user XML gets saved.</div><div><br></div><div>My assumption was wrong.</div><div><br></div><div>In the YarepUser.java class file I see in the constructor, that for each user object that gets created (even if it is created for read-only purposes), it is checked whether the password is stored in another format than bcrypt, and if so, the new password hash gets generated. And THIS consumes TIME!</div><div><br></div><div>Code Line:</div><div>upgradeDoubleHash(this.<wbr>hashedPassword, this.hashingAlgorithm);<br></div><div><br></div><div>I think it is a very bad approach to put that logic in the constructor, because reading an object means that you want to get an object as represented by a stored XML.</div><div><br></div><div>A better way would be to put the logic into the save-logic of a user, because then it makes sense to store the new hashed password.</div><div><br></div><div>What do you think?</div><div><br></div><div>I will now code a workaround and let you know where I put it. </div><div><br></div><div>Cheers, Balz</div><span class=""><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Aug 11, 2016 at 7:49 PM, Michael Wechner <span dir="ltr"><<a href="mailto:michael.wechner@wyona.com" target="_blank">michael.wechner@wyona.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Hi Balz<br>
<br>
I am currently on vacation (until August 17th), but what you
describe sounds really not good at all.<br>
<br>
I will have a look at it as soon as I will be back. Please keep us
posted in case you find something out in the meantime.<br>
<br>
Thanks<br>
<br>
Michael<br>
<br>
Am 11.08.16 um 09:59 schrieb basZero:<br>
</div><div><div>
<blockquote type="cite">
<div dir="ltr">
<div>Hi,</div>
<div><br>
</div>
<div>please read this with high priority as it could be very
critical to performance of Yanel with many users:</div>
<div><a href="https://github.com/wyona/security/issues/6" target="_blank">https://github.com/wyona/secur<wbr>ity/issues/6</a><br>
</div>
<div><br>
</div>
<div>Cheers, Bas</div>
</div>
<br>
<fieldset></fieldset>
<br>
</blockquote>
<br>
</div></div></div>
<br>--<br>
Yanel-development mailing list <a href="mailto:Yanel-development@wyona.com" target="_blank">Yanel-development@wyona.com</a><br>
<a href="http://mx2.wyona.com/cgi-bin/mailman/listinfo/yanel-development" rel="noreferrer" target="_blank">http://mx2.wyona.com/cgi-bin/m<wbr>ailman/listinfo/yanel-developm<wbr>ent</a><br></blockquote></div><br></div></span></div>
</blockquote></div><br></div>