Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

SEC-1031: LdapShaPasswordEncoder.isPasswordValid startOfHash off by one 

http://jira.springframework.org/browse/SEC-1031. Fixed startOfHash value and added tests to check full length of password is used.
This commit is contained in:
Luke Taylor 2008-11-11 23:34:40 +00:00
parent 0ba690fb0e
commit 0bbab88504
2 changed files with 33 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
core/src/main/java/org/springframework/security/providers/ldap/authenticator/LdapShaPasswordEncoder.java
View File

@ -145,7 +145,7 @@ public class LdapShaPasswordEncoder implements PasswordEncoder {
salt = null;
}
int startOfHash = prefix.length() + 1;
int startOfHash = prefix.length();
String encodedRawPass = encodePassword(rawPass, salt).substring(startOfHash);

9
core/src/test/java/org/springframework/security/providers/ldap/authenticator/LdapShaPasswordEncoderTests.java
View File

@ -81,6 +81,15 @@ public class LdapShaPasswordEncoderTests {
assertTrue(sha.isPasswordValid("{ssha}PQy2j+6n5ytA+YlAKkM8Fh4p6u2JxfVd", "boabspasswurd", null));
}
@Test
// SEC-1031
public void fullLengthOfHashIsUsedInComparison() throws Exception {
// Change the first hash character from '2' to '3'
assertFalse(sha.isPasswordValid("{SSHA}35ro4PKC8jhQZ26jVsozhX/xaP0suHgX", "boabspasswurd", null));
// Change the last hash character from 'X' to 'Y'
assertFalse(sha.isPasswordValid("{SSHA}25ro4PKC8jhQZ26jVsozhX/xaP0suHgY", "boabspasswurd", null));
}
@Test
public void correctPrefixCaseIsUsed() {
sha.setForceLowerCasePrefix(false);