uPortal IRC Logs-2009-05-22
[09:05:56 EDT(-0400)] * fj4000 (n=Main@CPE0018f85ab63e-CM001692f5798c.cpe.net.cable.rogers.com) has joined ##uportal
[09:09:14 EDT(-0400)] * EricDalquist (n=EricDalq@adsl-71-150-248-237.dsl.mdsnwi.sbcglobal.net) has joined ##uportal
[09:24:21 EDT(-0400)] * lennard1 (n=sparhk@ip68-98-56-21.ph.ph.cox.net) has joined ##uportal
[09:34:10 EDT(-0400)] * [jlee] (n=jlee@adsl-074-184-125-241.sip.asm.bellsouth.net) has joined ##uportal
[09:36:25 EDT(-0400)] * jessm (n=Jess@c-71-232-1-65.hsd1.ma.comcast.net) has joined ##uportal
[09:50:57 EDT(-0400)] * athena (n=athena@99.129.100.66) has joined ##uportal
[10:37:27 EDT(-0400)] * colinclark (n=colin@bas2-toronto09-1176130873.dsl.bell.ca) has joined ##uportal
[11:13:23 EDT(-0400)] * lennard1 (n=sparhk@ip68-98-56-21.ph.ph.cox.net) has left ##uportal
[11:17:04 EDT(-0400)] <athena> should i go ahead and commit the encrypted cache password changes to the trunk?
[11:17:16 EDT(-0400)] <EricDalquist> sure
[11:17:23 EDT(-0400)] <athena> ok
[11:17:40 EDT(-0400)] <athena> i guess that also has somewhat of an issue of having a default key
[11:17:52 EDT(-0400)] <EricDalquist> yeah
[11:17:58 EDT(-0400)] <athena> i guess we could explicitly mention that in the documentation for how to turn on password caching
[11:18:00 EDT(-0400)] <EricDalquist> we're best off probably not having a key specified by default
[11:18:11 EDT(-0400)] <EricDalquist> and have the code error if no key is specified with a helpful error message
[11:18:16 EDT(-0400)] <athena> yeah
[11:18:19 EDT(-0400)] <athena> that sounds reasonable
[11:18:37 EDT(-0400)] <athena> hm
[11:18:49 EDT(-0400)] <athena> the way it's configured right now it just takes a jasypt PBEStringEncryptor
[11:19:04 EDT(-0400)] <athena> i wonder if the spring bean initialization will succeed if the PBEStringEncryptor doesn't have a password
[11:19:41 EDT(-0400)] <athena> it's not part of the constructor, so i guess it probably will
[11:20:09 EDT(-0400)] <athena> got a favorite default algorithm? triple DES?
[11:20:29 EDT(-0400)] <EricDalquist> AES is the current 'standard'
[11:21:11 EDT(-0400)] <athena> yeah
[11:21:28 EDT(-0400)] <athena> i just hate to do AES by default because it requires the enhanced JCE policy files
[11:21:39 EDT(-0400)] <athena> and because the bouncycastle dependency is jvm version specific
[11:21:47 EDT(-0400)] <athena> there's different versions for java 5 and 6
[11:22:24 EDT(-0400)] <EricDalquist> ah
[11:22:25 EDT(-0400)] <EricDalquist> that's no fun
[11:22:33 EDT(-0400)] <EricDalquist> there is no AES impl included in the JDK?
[11:22:34 EDT(-0400)] <athena> yeah
[11:22:38 EDT(-0400)] <athena> that is correct
[11:22:45 EDT(-0400)] <EricDalquist> annoying
[11:22:56 EDT(-0400)] <EricDalquist> yeah I honestly don't care much about the algorithm
[11:23:08 EDT(-0400)] <athena> at least, i thought that was the case
[11:23:09 EDT(-0400)] <athena> yeah
[11:23:26 EDT(-0400)] <athena> i guess if the password is missing it'll take some manual configuration anyway
[11:23:40 EDT(-0400)] <athena> and we can recommend in the docs that people switch to bouncycastle-powered AES and tell them how to do it
[11:24:15 EDT(-0400)] <EricDalquist> I don't think it is that important
[11:24:31 EDT(-0400)] <EricDalquist> if someone wants to break this they likely have already gained access to the machine
[11:24:38 EDT(-0400)] <EricDalquist> which means they can get the crypto key too
[11:24:51 EDT(-0400)] <EricDalquist> I think it is more important to document what this addresses and what it does not address
[11:25:07 EDT(-0400)] <athena> yeah, pretty much
[11:25:08 EDT(-0400)] <EricDalquist> namely that anyone that has access to the machine could decrypt the passwords
[11:25:14 EDT(-0400)] <athena> yeah
[11:25:30 EDT(-0400)] <EricDalquist> it only really protects them if they get accidentally written to a log file or otherwise pushed outside of the machine
[11:25:34 EDT(-0400)] <athena> exactly
[11:28:48 EDT(-0400)] * lennard1 (n=sparhk@wsip-98-174-242-39.ph.ph.cox.net) has joined ##uportal
[11:39:37 EDT(-0400)] * holdorph (n=holdorph@wsip-98-174-242-39.ph.ph.cox.net) has joined ##uportal
[11:46:08 EDT(-0400)] <EricDalquist> biab
[12:10:18 EDT(-0400)] <holdorph> channel manager + portlet preferences + cpd = not "reentrant" in uPortal 3.1.1
[12:18:04 EDT(-0400)] <holdorph> UP-2447
[13:16:38 EDT(-0400)] * hoffmaz (n=hoffmaz@deanw-1.sunyit.edu) has joined ##uportal
[13:19:39 EDT(-0400)] <hoffmaz> having an issue with uportal behind apache2. trying to use JkExtractSSL to provide tomcat with the cert but getting SSLHandshakeException
[13:20:48 EDT(-0400)] <EricDalquist> hoffmaz: how are you hosting tomcat behind apache?
[13:20:58 EDT(-0400)] <hoffmaz> ajp13
[13:21:01 EDT(-0400)] <EricDalquist> mod_jk, mod_proxy_ajp, other?
[13:21:04 EDT(-0400)] <hoffmaz> jk
[13:21:32 EDT(-0400)] <hoffmaz> JkExtractSSL directive is supposed to forward certification to tomcat
[13:21:36 EDT(-0400)] <hoffmaz> via ajp13
[13:21:41 EDT(-0400)] <EricDalquist> why do you need to forward the cert?
[13:21:50 EDT(-0400)] <hoffmaz> for CAS
[13:22:06 EDT(-0400)] <EricDalquist> ah, sorry I don't have any experience with CAS
[13:22:34 EDT(-0400)] <hoffmaz> this is the built-in cas with uPortal 3.1
[13:24:09 EDT(-0400)] <hoffmaz> i don't suppose you know of a Jasig supported CAS channel?
[13:24:27 EDT(-0400)] <EricDalquist> I don't think they have an IRC channel
[13:24:30 EDT(-0400)] <EricDalquist> just the email lists
[13:29:12 EDT(-0400)] <hoffmaz> i do have a more uPortal-specific question concerning this: could the BROKEN_SECURITY_ALLOW_NON_SSL parameter in web.xml cause problems if my apache is automatically redirecting to an SSL connection?
[13:29:46 EDT(-0400)] <EricDalquist> I think the issue is there are hardcoded http://localhost:8080 URLs in the CAS configuration in that web.xml file
[13:29:51 EDT(-0400)] <EricDalquist> so you would need to change those to https
[13:30:43 EDT(-0400)] <hoffmaz> those have been changed according to the documentation
[13:31:26 EDT(-0400)] <EricDalquist> that was my only guess
[13:32:57 EDT(-0400)] <hoffmaz> alright, thanks anyway
[13:34:12 EDT(-0400)] * hoffmaz (n=hoffmaz@deanw-1.sunyit.edu) has left ##uportal
[18:03:17 EDT(-0400)] * lennard1 (n=sparhk@wsip-98-174-242-39.ph.ph.cox.net) has left ##uportal
[23:40:20 EDT(-0400)] * lennard1 (n=sparhk@ip68-98-56-21.ph.ph.cox.net) has joined ##uportal
[23:53:12 EDT(-0400)] * EricDalquist (n=EricDalq@adsl-71-150-248-237.dsl.mdsnwi.sbcglobal.net) has joined ##uportal