From 12dbf2e9612cddd775904952d01bfc044fb1d1bb Mon Sep 17 00:00:00 2001
From: Rob Winch
Date: Mon, 23 Oct 2017 07:35:45 -0500
Subject: [PATCH] Remove PlainTextPasswordEncoder from core
Issue: gh-4674
---
 ...dapAuthenticationProviderTestsConfigs.java | 4 +-
 .../LdapAuthenticationProviderConfigurer.java | 17 +++-
 .../authentication/PasswordEncoderParser.java | 3 -
 .../security/config/spring-security-5.0.xsd | 3 -
 .../dao/DaoAuthenticationProvider.java | 4 +-
 .../encoding/PlaintextPasswordEncoder.java | 97 -------------------
 .../PlaintextPasswordEncoderTests.java | 73 --------------
 .../PasswordComparisonAuthenticatorTests.java | 6 +-
 8 files changed, 21 insertions(+), 186 deletions(-)
 delete mode 100644 core/src/main/java/org/springframework/security/authentication/encoding/PlaintextPasswordEncoder.java
 delete mode 100644 core/src/test/java/org/springframework/security/authentication/encoding/PlaintextPasswordEncoderTests.java
diff --git a/config/src/integration-test/java/org/springframework/security/config/annotation/authentication/ldap/NamespaceLdapAuthenticationProviderTestsConfigs.java b/config/src/integration-test/java/org/springframework/security/config/annotation/authentication/ldap/NamespaceLdapAuthenticationProviderTestsConfigs.java
index b3565d6133..ca9e06e0ac 100644
--- a/config/src/integration-test/java/org/springframework/security/config/annotation/authentication/ldap/NamespaceLdapAuthenticationProviderTestsConfigs.java
+++ b/config/src/integration-test/java/org/springframework/security/config/annotation/authentication/ldap/NamespaceLdapAuthenticationProviderTestsConfigs.java
@@ -15,10 +15,10 @@ */ package org.springframework.security.config.annotation.authentication.ldap; -import org.springframework.security.authentication.encoding.PlaintextPasswordEncoder; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.crypto.password.NoOpPasswordEncoder; import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator; import org.springframework.security.ldap.userdetails.PersonContextMapper; @@ -90,7 +90,7 @@ public class NamespaceLdapAuthenticationProviderTestsConfigs { .groupSearchBase("ou=groups") .userSearchFilter("(uid={0})") .passwordCompare() - .passwordEncoder(new PlaintextPasswordEncoder()) // ldap-authentication-provider/password-compare/password-encoder@ref + .passwordEncoder(NoOpPasswordEncoder.getInstance()) // ldap-authentication-provider/password-compare/password-encoder@ref .passwordAttribute("userPassword"); // ldap-authentication-provider/password-compare@password-attribute } // @formatter:on diff --git a/config/src/main/java/org/springframework/security/config/annotation/authentication/configurers/ldap/LdapAuthenticationProviderConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/authentication/configurers/ldap/LdapAuthenticationProviderConfigurer.java index ba4780c9f4..f001216158 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/authentication/configurers/ldap/LdapAuthenticationProviderConfigurer.java +++ b/config/src/main/java/org/springframework/security/config/annotation/authentication/configurers/ldap/LdapAuthenticationProviderConfigurer.java 
@@ -22,7 +22,6 @@ import org.springframework.ldap.core.support.BaseLdapPathContextSource; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.AuthenticationProvider; import org.springframework.security.authentication.encoding.PasswordEncoder; -import org.springframework.security.authentication.encoding.PlaintextPasswordEncoder; import org.springframework.security.config.annotation.ObjectPostProcessor; import org.springframework.security.config.annotation.SecurityConfigurerAdapter; import org.springframework.security.config.annotation.authentication.ProviderManagerBuilder; @@ -30,6 +29,7 @@ import org.springframework.security.config.annotation.web.configurers.ChannelSec import org.springframework.security.config.core.GrantedAuthorityDefaults; import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper; import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper; +import org.springframework.security.crypto.password.NoOpPasswordEncoder; import org.springframework.security.ldap.DefaultSpringSecurityContextSource; import org.springframework.security.ldap.authentication.AbstractLdapAuthenticator; import org.springframework.security.ldap.authentication.BindAuthenticator; @@ -401,7 +401,7 @@ public class LdapAuthenticationProviderConfigurer>(); - ENCODER_CLASSES.put(OPT_HASH_PLAINTEXT, PlaintextPasswordEncoder.class); ENCODER_CLASSES.put(OPT_HASH_BCRYPT, BCryptPasswordEncoder.class); ENCODER_CLASSES.put(OPT_HASH_MD4, Md4PasswordEncoder.class); ENCODER_CLASSES.put(OPT_HASH_LDAP_SHA, LdapShaPasswordEncoder.class); diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-5.0.xsd b/config/src/main/resources/org/springframework/security/config/spring-security-5.0.xsd index d14438da4f..886ee5bfc8 100644 --- a/config/src/main/resources/org/springframework/security/config/spring-security-5.0.xsd 
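Review bot: The removal of `ENCODER_CLASSES.put(OPT_HASH_PLAINTEXT, PlaintextPasswordEncoder.class);` at the end of this line leaves no map entry for a `hash="plaintext"` attribute, and the hunk does not show how the lookup result is consumed, so a configuration that still carries that value may now fail with a bare NullPointerException rather than an error naming the unsupported value. If the lookup is not already guarded, a null result should be rejected with a message that names the offending hash value and the values that remain supported, so operators upgrading see why their XML stopped parsing. The diff text here appears garbled: the `PasswordEncoderParser` file header is missing and its hunk is fused onto the `@@ -401,7 +401,7 @@` header of `LdapAuthenticationProviderConfigurer`, so the enclosing static initializer starts outside what is visible.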
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-5.0.xsd @@ -12,7 +12,6 @@ - @@ -144,7 +143,6 @@ - @@ -524,7 +522,6 @@ - diff --git a/core/src/main/java/org/springframework/security/authentication/dao/DaoAuthenticationProvider.java b/core/src/main/java/org/springframework/security/authentication/dao/DaoAuthenticationProvider.java index e82f9d247d..067d29dade 100644 --- a/core/src/main/java/org/springframework/security/authentication/dao/DaoAuthenticationProvider.java +++ b/core/src/main/java/org/springframework/security/authentication/dao/DaoAuthenticationProvider.java @@ -21,11 +21,11 @@ import org.springframework.security.authentication.BadCredentialsException; import org.springframework.security.authentication.InternalAuthenticationServiceException; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; import org.springframework.security.authentication.encoding.PasswordEncoder; -import org.springframework.security.authentication.encoding.PlaintextPasswordEncoder; import org.springframework.security.core.AuthenticationException; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.core.userdetails.UsernameNotFoundException; +import org.springframework.security.crypto.password.NoOpPasswordEncoder; import org.springframework.util.Assert; /** @@ -65,7 +65,7 @@ public class DaoAuthenticationProvider extends AbstractUserDetailsAuthentication private UserDetailsService userDetailsService; public DaoAuthenticationProvider() { - setPasswordEncoder(new PlaintextPasswordEncoder()); + setPasswordEncoder(NoOpPasswordEncoder.getInstance()); } // ~ Methods 
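Review bot: The no-arg constructor in the `@@ -65,7 +65,7 @@` hunk now defaults to `NoOpPasswordEncoder.getInstance()`, so a `DaoAuthenticationProvider` on which `setPasswordEncoder` is never called still compares stored and supplied passwords as plaintext, exactly as the removed `PlaintextPasswordEncoder` did, and nothing at the constructor says so. Suggest a constructor Javadoc along the lines of `/** Creates a provider whose password encoder defaults to {@link NoOpPasswordEncoder}; call {@link #setPasswordEncoder} with a hashing encoder before authenticating against stored credentials. */`. Two behaviours of the deleted class have no counterpart in the `crypto.password.PasswordEncoder` contract, the `password{salt}` merging and `setIgnorePasswordCase(true)`, so any existing user of either stops matching after this swap and the commit description should say so. The file keeps the legacy `encoding.PasswordEncoder` import alongside the new `crypto.password` one, so I assume `setPasswordEncoder` accepts both types; worth confirming which field the `NoOpPasswordEncoder` instance actually lands in.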
diff --git a/core/src/main/java/org/springframework/security/authentication/encoding/PlaintextPasswordEncoder.java b/core/src/main/java/org/springframework/security/authentication/encoding/PlaintextPasswordEncoder.java deleted file mode 100644 index 9e49dc18bd..0000000000 --- a/core/src/main/java/org/springframework/security/authentication/encoding/PlaintextPasswordEncoder.java +++ /dev/null @@ -1,97 +0,0 @@ -/* - * Copyright 2004, 2005, 2006 Acegi Technology Pty Limited - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.springframework.security.authentication.encoding; - -import java.util.Locale; - -/** - *

- * Plaintext implementation of PasswordEncoder. - *

- *

- * As callers may wish to extract the password and salts separately from the encoded - * password, the salt must not contain reserved characters (specifically '{' and '}'). - *

- * - * @author colin sampaleanu - * @author Ben Alex - */ -public class PlaintextPasswordEncoder extends BasePasswordEncoder { - // ~ Instance fields - // ================================================================================================ - - private boolean ignorePasswordCase = false; - - // ~ Methods - // ======================================================================================================== - - public String encodePassword(String rawPass, Object salt) { - return mergePasswordAndSalt(rawPass, salt, true); - } - - public boolean isIgnorePasswordCase() { - return ignorePasswordCase; - } - - public boolean isPasswordValid(String encPass, String rawPass, Object salt) { - String pass1 = encPass + ""; - - // Strict delimiters is false because pass2 never persisted anywhere - // and we want to avoid unnecessary exceptions as a result (the - // authentication will fail as the encodePassword never allows them) - String pass2 = mergePasswordAndSalt(rawPass, salt, false); - - if (ignorePasswordCase) { - // Note: per String javadoc to get correct results for Locale insensitive, use - // English - pass1 = pass1.toLowerCase(Locale.ENGLISH); - pass2 = pass2.toLowerCase(Locale.ENGLISH); - } - return PasswordEncoderUtils.equals(pass1, pass2); - } - - /** - * Demerges the previously {@link #encodePassword(String, Object)}String. - *

- * The resulting array is guaranteed to always contain two elements. The first is the - * password, and the second is the salt. - *

- *

- * Throws an exception if null or an empty String is passed - * to the method. - *

- * - * @param password from {@link #encodePassword(String, Object)} - * - * @return an array containing the password and salt - */ - public String[] obtainPasswordAndSalt(String password) { - return demergePasswordAndSalt(password); - } - - /** - * Indicates whether the password comparison is case sensitive. - *

- * Defaults to false, meaning an exact case match is required. - *

- * - * @param ignorePasswordCase set to true for less stringent comparison - */ - public void setIgnorePasswordCase(boolean ignorePasswordCase) { - this.ignorePasswordCase = ignorePasswordCase; - } -} diff --git a/core/src/test/java/org/springframework/security/authentication/encoding/PlaintextPasswordEncoderTests.java b/core/src/test/java/org/springframework/security/authentication/encoding/PlaintextPasswordEncoderTests.java deleted file mode 100644 index fcc0eefacd..0000000000 --- a/core/src/test/java/org/springframework/security/authentication/encoding/PlaintextPasswordEncoderTests.java +++ /dev/null @@ -1,73 +0,0 @@ -/* - * Copyright 2004, 2005, 2006 Acegi Technology Pty Limited - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.springframework.security.authentication.encoding; - -import static org.assertj.core.api.Assertions.assertThat; - -import org.junit.Test; - -/** - *

- * TestCase for PlaintextPasswordEncoder. - *

- * - * @author colin sampaleanu - * @author Ben Alex - */ -public class PlaintextPasswordEncoderTests { - - // ~ Methods - // ======================================================================================================== - @Test - public void testBasicFunctionality() { - PlaintextPasswordEncoder pe = new PlaintextPasswordEncoder(); - - String raw = "abc123"; - String rawDiffCase = "AbC123"; - String badRaw = "abc321"; - String salt = "THIS_IS_A_SALT"; - - String encoded = pe.encodePassword(raw, salt); - assertThat(encoded).isEqualTo("abc123{THIS_IS_A_SALT}"); - assertThat(pe.isPasswordValid(encoded, raw, salt)).isTrue(); - assertThat(pe.isPasswordValid(encoded, badRaw, salt)).isFalse(); - - // make sure default is not to ignore password case - assertThat(pe.isIgnorePasswordCase()).isFalse(); - encoded = pe.encodePassword(rawDiffCase, salt); - assertThat(pe.isPasswordValid(encoded, raw, salt)).isFalse(); - - // now check for ignore password case - pe = new PlaintextPasswordEncoder(); - pe.setIgnorePasswordCase(true); - - // should be able to validate even without encoding - encoded = pe.encodePassword(rawDiffCase, salt); - assertThat(pe.isPasswordValid(encoded, raw, salt)).isTrue(); - assertThat(pe.isPasswordValid(encoded, badRaw, salt)).isFalse(); - } - - @Test - public void testMergeDemerge() { - PlaintextPasswordEncoder pwd = new PlaintextPasswordEncoder(); - - String merged = pwd.encodePassword("password", "foo"); - String[] demerged = pwd.obtainPasswordAndSalt(merged); - assertThat(demerged[0]).isEqualTo("password"); - assertThat(demerged[1]).isEqualTo("foo"); - } -} diff --git a/ldap/src/integration-test/java/org/springframework/security/ldap/authentication/PasswordComparisonAuthenticatorTests.java b/ldap/src/integration-test/java/org/springframework/security/ldap/authentication/PasswordComparisonAuthenticatorTests.java index 6c735c6ffc..41f2e277fa 100644 
--- a/ldap/src/integration-test/java/org/springframework/security/ldap/authentication/PasswordComparisonAuthenticatorTests.java +++ b/ldap/src/integration-test/java/org/springframework/security/ldap/authentication/PasswordComparisonAuthenticatorTests.java @@ -21,9 +21,9 @@ import org.springframework.security.authentication.BadCredentialsException; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; import org.springframework.security.authentication.encoding.LdapShaPasswordEncoder; import org.springframework.security.authentication.encoding.PasswordEncoder; -import org.springframework.security.authentication.encoding.PlaintextPasswordEncoder; import org.springframework.security.core.Authentication; import org.springframework.security.core.userdetails.UsernameNotFoundException; +import org.springframework.security.crypto.password.NoOpPasswordEncoder; import org.springframework.security.ldap.AbstractLdapIntegrationTests; import org.springframework.ldap.core.DirContextAdapter; @@ -50,7 +50,7 @@ public class PasswordComparisonAuthenticatorTests extends AbstractLdapIntegratio @Before public void setUp() throws Exception { authenticator = new PasswordComparisonAuthenticator(getContextSource()); - authenticator.setPasswordEncoder(new PlaintextPasswordEncoder()); + authenticator.setPasswordEncoder(NoOpPasswordEncoder.getInstance()); authenticator.setUserDnPatterns(new String[] { "uid={0},ou=people" }); bob = new UsernamePasswordAuthenticationToken("bob", "bobspassword"); ben = new UsernamePasswordAuthenticationToken("ben", "benspassword"); 
@@ -140,7 +140,7 @@ public class PasswordComparisonAuthenticatorTests extends AbstractLdapIntegratio @Test public void testWithUserSearch() { authenticator = new PasswordComparisonAuthenticator(getContextSource()); - authenticator.setPasswordEncoder(new PlaintextPasswordEncoder()); + authenticator.setPasswordEncoder(NoOpPasswordEncoder.getInstance()); assertThat(authenticator.getUserDns("Bob")).withFailMessage("User DN matches shouldn't be available").isEmpty(); DirContextAdapter ctx = new DirContextAdapter(new DistinguishedName(