<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">Hi Balz<br>
      <br>
      Thanks very much for your debugging and patch!<br>
      <br>
      I am back now from vacation and will have a look at your patch
      more closely very soon and will keep you posted when integrating
      it.<br>
      <br>
      All the best<br>
      <br>
      Michael<br>
      <br>
      On 12.08.16 at 15:16, basZero wrote:<br>
    </div>
    <blockquote
cite="mid:CAOXzDSGE2Jak4+Nw3PBaUM7shNa+75jPg7iAfpc-PNi6nJLO9A@mail.gmail.com"
      type="cite">
      <div dir="ltr">Hi Michael,
        <div><br>
        </div>
        <div>I've implemented the following which works as expected:</div>
        <div>- fast performance, equal to the yanel version before the
          introduction of BCrypt</div>
        <div>- also does the autoupdate of passwords in old formats</div>
        <div><br>
        </div>
        <div>Code Changes in
          org.wyona.security.impl.yarep.YarepUser.java:</div>
        <div><br>
        </div>
        <div>Constructor public YarepUser(UserManager userManager,
          GroupManager groupManager, Node node):</div>
        <div>I just removed this section:</div>
        <div>
          <div>if(hashingAlgorithm != null &&
            !hashingAlgorithm.startsWith("bcrypt")) {</div>
          <div>  upgradeDoubleHash(this.hashedPassword,
            this.hashingAlgorithm);</div>
          <div>}</div>
        </div>
        <div><br>
        </div>
        <div>and inserted it into a new overriding method:</div>
        <div><br>
        </div>
        <div>
          <div>@Override</div>
          <div>public void save() throws AccessManagementException {</div>
          <div>    try {</div>
          <div>        // Check if we need to upgrade the password hash</div>
          <div>        if(hashingAlgorithm != null &&
            !hashingAlgorithm.startsWith("bcrypt")) {</div>
          <div>            upgradeDoubleHash(this.hashedPassword,
            this.hashingAlgorithm);</div>
          <div>        }</div>
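          <div>&nbsp;&nbsp;&nbsp;&nbsp;} catch (Exception e) {</div>
          <div>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;// Upgrade failed: the exception is ignored and the user is saved with the existing hash</div>
          <div>&nbsp;&nbsp;&nbsp;&nbsp;}</div>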
          <div>    super.save();</div>
          <div>}</div>
        </div>
        <div><br>
        </div>
        <div><br>
        </div>
        <div>The result is obvious: only if the user object gets saved
          and the password is not yet in the new format (bcrypt), the
          hashed password gets upgraded and then saved (calling save()
          of the YarepItem class).</div>
        <div><br>
        </div>
        <div>This seems to me a very solid solution.</div>
        <div><br>
        </div>
        <div>What do you think?</div>
        <div><br>
        </div>
        <div>Do you need a git pull request for this?</div>
        <div><br>
        </div>
        <div>This is NOT URGENT for me personally, as I have overwritten
          the class YarepUser in my realm, but I think it is an
          essential patch for yanel and users who are using yanel with a
          high user base.</div>
        <div><br>
        </div>
        <div>Cheers, </div>
        <div>Balz</div>
        <div><br>
        </div>
        <div><br>
        </div>
        <div><br>
        </div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Fri, Aug 12, 2016 at 2:45 PM,
          basZero <span dir="ltr">&lt;<a moz-do-not-send="true"
              href="mailto:baszero@gmail.com" target="_blank">baszero@gmail.com</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div dir="ltr">Hi Michael,
              <div><br>
              </div>
              <div>I found the root cause for the very poor performance!</div>
              <div>As you know of course, the user's passwords are
                encrypted and generated with the newly introduced bcrypt
                algorithm.</div>
              <div><br>
              </div>
              <div>When I did the upgrade to the latest Yanel version I
                was aware of this upgrade, however I somehow assumed
                that the password-update in the user XML would only be
                updated at LOGIN or when the user XML gets saved.</div>
              <div><br>
              </div>
              <div>My assumption was wrong.</div>
              <div><br>
              </div>
              <div>In the YarepUser.java class file I see in the
                constructor, that for each user object that gets created
                (even if it is created for read-only purposes), it is
                checked whether the password is stored in another format
                than bcrypt, and if so, the new password hash gets
                generated. And THIS consumes TIME!</div>
              <div><br>
              </div>
              <div>Code Line:</div>
              <div>upgradeDoubleHash(this.hashedPassword,
                this.hashingAlgorithm);<br>
              </div>
              <div><br>
              </div>
              <div>I think it is a very bad approach to put that logic
                in the constructor, because reading an object means that
                you want to get an object as represented by a stored
                XML.</div>
              <div><br>
              </div>
              <div>A better way would be to put the logic into the
                save-logic of a user, because then it makes sense to
                store the new hashed password.</div>
              <div><br>
              </div>
              <div>What do you think?</div>
              <div><br>
              </div>
              <div>I will now code a workaround and let you know where I
                put it. </div>
              <div><br>
              </div>
              <div>Cheers, Balz</div>
              <span class="">
                <div class="gmail_extra"><br>
                  <div class="gmail_quote">On Thu, Aug 11, 2016 at 7:49
                    PM, Michael Wechner <span dir="ltr">&lt;<a
                        moz-do-not-send="true"
                        href="mailto:michael.wechner@wyona.com"
                        target="_blank">michael.wechner@wyona.com</a>&gt;</span>
                    wrote:<br>
                    <blockquote class="gmail_quote" style="margin:0px
                      0px 0px 0.8ex;border-left:1px solid
                      rgb(204,204,204);padding-left:1ex">
                      <div bgcolor="#FFFFFF" text="#000000">
                        <div>Hi Balz<br>
                          <br>
                          I am currently on vacation (until August
                          17th), but what you describe sounds really not
                          good at all.<br>
                          <br>
                          I will have a look at it as soon as I am
                          back. Please keep us posted in case you find
                          something out in the meantime.<br>
                          <br>
                          Thanks<br>
                          <br>
                          Michael<br>
                          <br>
                          On 11.08.16 at 09:59, basZero wrote:<br>
                        </div>
                        <div>
                          <div>
                            <blockquote type="cite">
                              <div dir="ltr">
                                <div>Hi,</div>
                                <div><br>
                                </div>
                                <div>please read this with high priority
                                  as it could be very critical to
                                  performance of Yanel with many users:</div>
                                <div><a moz-do-not-send="true"
                                    href="https://github.com/wyona/security/issues/6"
                                    target="_blank">https://github.com/wyona/security/issues/6</a><br>
                                </div>
                                <div><br>
                                </div>
                                <div>Cheers, Bas</div>
                              </div>
                              <br>
                              <br>
                            </blockquote>
                            <br>
                          </div>
                        </div>
                      </div>
                      <br>
                      --<br>
                      Yanel-development mailing list <a
                        moz-do-not-send="true"
                        href="mailto:Yanel-development@wyona.com"
                        target="_blank">Yanel-development@wyona.com</a><br>
                      <a moz-do-not-send="true"
                        href="http://mx2.wyona.com/cgi-bin/mailman/listinfo/yanel-development"
                        rel="noreferrer" target="_blank">http://mx2.wyona.com/cgi-bin/mailman/listinfo/yanel-development</a><br>
                    </blockquote>
                  </div>
                  <br>
                </div>
              </span></div>
          </blockquote>
        </div>
        <br>
      </div>
      <br>
      <br>
    </blockquote>
    <br>
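    <p>The pattern discussed in this thread, as an added example that is
      not part of the original mails and not Yanel's code: legacy hashes
      are upgraded only in save(), never while loading, and a login still
      verifies after the upgrade. It assumes the upgrade wraps the stored
      legacy hash in the new slow hash; PBKDF2 from the JDK stands in for
      bcrypt, and the User class, the "pbkdf2+" tag and the sample
      passwords are constructed for illustration.</p>
<pre>
```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added illustration, not Yanel code. PBKDF2 (in the JDK) stands in for bcrypt.
public class LazyHashUpgrade {
    static int slowHashCalls = 0; // counts the expensive operations
    static class User { // hypothetical stand-in for a stored user record
        String algorithm, hash;
        User(String a, String h) { algorithm = a; hash = h; } // loading does no hashing
        void save() throws Exception { // upgrade only when the record is written anyway
            if (algorithm != null && !algorithm.startsWith("pbkdf2")) {
                byte[] salt = new byte[16];
                new SecureRandom().nextBytes(salt);
                hash = Base64.getEncoder().encodeToString(salt) + ":" + slow(hash, salt);
                algorithm = "pbkdf2+" + algorithm;
            }
            // ... persist algorithm and hash here ...
        }
        boolean authenticate(String password) throws Exception {
            String legacy = legacyHash(password);
            if (!algorithm.startsWith("pbkdf2")) return same(legacy, hash);
            String[] parts = hash.split(":"); // salt, then slow hash of the legacy hash
            return same(slow(legacy, Base64.getDecoder().decode(parts[0])), parts[1]);
        }
    }
    static String slow(String legacy, byte[] salt) throws Exception {
        slowHashCalls++;
        PBEKeySpec spec = new PBEKeySpec(legacy.toCharArray(), salt, 100_000, 256);
        return Base64.getEncoder().encodeToString(SecretKeyFactory
                .getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded());
    }
    static String legacyHash(String pw) throws Exception { // constructed legacy format
        return Base64.getEncoder().encodeToString(MessageDigest.getInstance("SHA-256")
                .digest(pw.getBytes(StandardCharsets.UTF_8)));
    }
    static boolean same(String a, String b) { return MessageDigest.isEqual(a.getBytes(), b.getBytes()); }

    public static void main(String[] args) throws Exception {
        User[] users = new User[1000]; // constructed sample data
        for (int i = 0; i != users.length; i++) users[i] = new User("SHA-256", legacyHash("pw" + i));
        System.out.println("slow hashes after loading 1000 users: " + slowHashCalls);
        users[0].save();
        users[0].save(); // already upgraded, no second slow hash
        System.out.println("slow hashes after saving one user twice: " + slowHashCalls);
        System.out.println("old password still verifies: " + users[0].authenticate("pw0"));
    }
}
```
</pre>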
  </body>
</html>