Rob Winch
parent
40fd8d7aa7
commit
12dbf2e961
|
|
@ -15,10 +15,10 @@
|
|||
*/
|
||||
package org.springframework.security.config.annotation.authentication.ldap;
|
||||
|
||||
import org.springframework.security.authentication.encoding.PlaintextPasswordEncoder;
|
||||
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
|
||||
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
||||
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
|
||||
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
|
||||
import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;
|
||||
import org.springframework.security.ldap.userdetails.PersonContextMapper;
|
||||
|
||||
|
|
@ -90,7 +90,7 @@ public class NamespaceLdapAuthenticationProviderTestsConfigs {
|
|||
.groupSearchBase("ou=groups")
|
||||
.userSearchFilter("(uid={0})")
|
||||
.passwordCompare()
|
||||
.passwordEncoder(new PlaintextPasswordEncoder()) // ldap-authentication-provider/password-compare/password-encoder@ref
|
||||
.passwordEncoder(NoOpPasswordEncoder.getInstance()) // ldap-authentication-provider/password-compare/password-encoder@ref
|
||||
.passwordAttribute("userPassword"); // ldap-authentication-provider/password-compare@password-attribute
|
||||
}
|
||||
// @formatter:on
|
||||
|
|
|
|||
|
|
@ -22,7 +22,6 @@ import org.springframework.ldap.core.support.BaseLdapPathContextSource;
|
|||
import org.springframework.security.authentication.AuthenticationManager;
|
||||
import org.springframework.security.authentication.AuthenticationProvider;
|
||||
import org.springframework.security.authentication.encoding.PasswordEncoder;
|
||||
import org.springframework.security.authentication.encoding.PlaintextPasswordEncoder;
|
||||
import org.springframework.security.config.annotation.ObjectPostProcessor;
|
||||
import org.springframework.security.config.annotation.SecurityConfigurerAdapter;
|
||||
import org.springframework.security.config.annotation.authentication.ProviderManagerBuilder;
|
||||
|
|
@ -30,6 +29,7 @@ import org.springframework.security.config.annotation.web.configurers.ChannelSec
|
|||
import org.springframework.security.config.core.GrantedAuthorityDefaults;
|
||||
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
|
||||
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
|
||||
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
|
||||
import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
|
||||
import org.springframework.security.ldap.authentication.AbstractLdapAuthenticator;
|
||||
import org.springframework.security.ldap.authentication.BindAuthenticator;
|
||||
|
|
@ -401,7 +401,7 @@ public class LdapAuthenticationProviderConfigurer<B extends ProviderManagerBuild
|
|||
|
||||
/**
|
||||
* Allows specifying the {@link PasswordEncoder} to use. The default is
|
||||
* {@link PlaintextPasswordEncoder}.
|
||||
* {@link org.springframework.security.crypto.password.NoOpPasswordEncoder}.
|
||||
* @param passwordEncoder the {@link PasswordEncoder} to use
|
||||
* @return the {@link PasswordEncoder} to use
|
||||
*/
|
||||
|
|
@ -410,6 +410,17 @@ public class LdapAuthenticationProviderConfigurer<B extends ProviderManagerBuild
|
|||
return this;
|
||||
}
|
||||
|
||||
/**
|
||||
* Allows specifying the {@link org.springframework.security.crypto.password.PasswordEncoder} to use. The default is
|
||||
* {@link org.springframework.security.crypto.password.NoOpPasswordEncoder}.
|
||||
* @param passwordEncoder the {@link org.springframework.security.crypto.password.PasswordEncoder} to use
|
||||
* @return the {@link org.springframework.security.crypto.password.PasswordEncoder} to use
|
||||
*/
|
||||
public PasswordCompareConfigurer passwordEncoder(org.springframework.security.crypto.password.PasswordEncoder passwordEncoder) {
|
||||
LdapAuthenticationProviderConfigurer.this.passwordEncoder = passwordEncoder;
|
||||
return this;
|
||||
}
|
||||
|
||||
/**
|
||||
* The attribute in the directory which contains the user password. Defaults to
|
||||
* "userPassword".
|
||||
|
|
@ -614,6 +625,6 @@ public class LdapAuthenticationProviderConfigurer<B extends ProviderManagerBuild
|
|||
*/
|
||||
public PasswordCompareConfigurer passwordCompare() {
|
||||
return new PasswordCompareConfigurer().passwordAttribute("password")
|
||||
.passwordEncoder(new PlaintextPasswordEncoder());
|
||||
.passwordEncoder(NoOpPasswordEncoder.getInstance());
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -29,7 +29,6 @@ import org.springframework.beans.factory.xml.ParserContext;
|
|||
import org.springframework.security.authentication.encoding.BaseDigestPasswordEncoder;
|
||||
import org.springframework.security.authentication.encoding.LdapShaPasswordEncoder;
|
||||
import org.springframework.security.authentication.encoding.Md4PasswordEncoder;
|
||||
import org.springframework.security.authentication.encoding.PlaintextPasswordEncoder;
|
||||
import org.springframework.security.config.Elements;
|
||||
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
|
||||
import org.springframework.util.StringUtils;
|
||||
|
|
@ -48,7 +47,6 @@ public class PasswordEncoderParser {
|
|||
public static final String ATT_HASH = "hash";
|
||||
static final String ATT_BASE_64 = "base64";
|
||||
static final String OPT_HASH_BCRYPT = "bcrypt";
|
||||
static final String OPT_HASH_PLAINTEXT = "plaintext";
|
||||
static final String OPT_HASH_MD4 = "md4";
|
||||
static final String OPT_HASH_LDAP_SHA = "{sha}";
|
||||
static final String OPT_HASH_LDAP_SSHA = "{ssha}";
|
||||
|
|
@ -57,7 +55,6 @@ public class PasswordEncoderParser {
|
|||
|
||||
static {
|
||||
ENCODER_CLASSES = new HashMap<String, Class<?>>();
|
||||
ENCODER_CLASSES.put(OPT_HASH_PLAINTEXT, PlaintextPasswordEncoder.class);
|
||||
ENCODER_CLASSES.put(OPT_HASH_BCRYPT, BCryptPasswordEncoder.class);
|
||||
ENCODER_CLASSES.put(OPT_HASH_MD4, Md4PasswordEncoder.class);
|
||||
ENCODER_CLASSES.put(OPT_HASH_LDAP_SHA, LdapShaPasswordEncoder.class);
|
||||
|
|
|
|||
|
|
@ -12,7 +12,6 @@
|
|||
<xs:simpleType>
|
||||
<xs:restriction base="xs:token">
|
||||
<xs:enumeration value="bcrypt"/>
|
||||
<xs:enumeration value="plaintext"/>
|
||||
<xs:enumeration value="md4"/>
|
||||
<xs:enumeration value="{sha}"/>
|
||||
<xs:enumeration value="{ssha}"/>
|
||||
|
|
@ -144,7 +143,6 @@
|
|||
<xs:simpleType>
|
||||
<xs:restriction base="xs:token">
|
||||
<xs:enumeration value="bcrypt"/>
|
||||
<xs:enumeration value="plaintext"/>
|
||||
<xs:enumeration value="md4"/>
|
||||
<xs:enumeration value="{sha}"/>
|
||||
<xs:enumeration value="{ssha}"/>
|
||||
|
|
@ -524,7 +522,6 @@
|
|||
<xs:simpleType>
|
||||
<xs:restriction base="xs:token">
|
||||
<xs:enumeration value="bcrypt"/>
|
||||
<xs:enumeration value="plaintext"/>
|
||||
<xs:enumeration value="md4"/>
|
||||
<xs:enumeration value="{sha}"/>
|
||||
<xs:enumeration value="{ssha}"/>
|
||||
|
|
|
|||
|
|
@ -21,11 +21,11 @@ import org.springframework.security.authentication.BadCredentialsException;
|
|||
import org.springframework.security.authentication.InternalAuthenticationServiceException;
|
||||
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
|
||||
import org.springframework.security.authentication.encoding.PasswordEncoder;
|
||||
import org.springframework.security.authentication.encoding.PlaintextPasswordEncoder;
|
||||
import org.springframework.security.core.AuthenticationException;
|
||||
import org.springframework.security.core.userdetails.UserDetails;
|
||||
import org.springframework.security.core.userdetails.UserDetailsService;
|
||||
import org.springframework.security.core.userdetails.UsernameNotFoundException;
|
||||
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
|
||||
import org.springframework.util.Assert;
|
||||
|
||||
/**
|
||||
|
|
@ -65,7 +65,7 @@ public class DaoAuthenticationProvider extends AbstractUserDetailsAuthentication
|
|||
private UserDetailsService userDetailsService;
|
||||
|
||||
public DaoAuthenticationProvider() {
|
||||
setPasswordEncoder(new PlaintextPasswordEncoder());
|
||||
setPasswordEncoder(NoOpPasswordEncoder.getInstance());
|
||||
}
|
||||
|
||||
// ~ Methods
|
||||
|
|
|
|||
|
|
@ -1,97 +0,0 @@
|
|||
/*
|
||||
* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.security.authentication.encoding;
|
||||
|
||||
import java.util.Locale;
|
||||
|
||||
/**
|
||||
* <p>
|
||||
* Plaintext implementation of PasswordEncoder.
|
||||
* </p>
|
||||
* <P>
|
||||
* As callers may wish to extract the password and salts separately from the encoded
|
||||
* password, the salt must not contain reserved characters (specifically '{' and '}').
|
||||
* </p>
|
||||
*
|
||||
* @author colin sampaleanu
|
||||
* @author Ben Alex
|
||||
*/
|
||||
public class PlaintextPasswordEncoder extends BasePasswordEncoder {
|
||||
// ~ Instance fields
|
||||
// ================================================================================================
|
||||
|
||||
private boolean ignorePasswordCase = false;
|
||||
|
||||
// ~ Methods
|
||||
// ========================================================================================================
|
||||
|
||||
public String encodePassword(String rawPass, Object salt) {
|
||||
return mergePasswordAndSalt(rawPass, salt, true);
|
||||
}
|
||||
|
||||
public boolean isIgnorePasswordCase() {
|
||||
return ignorePasswordCase;
|
||||
}
|
||||
|
||||
public boolean isPasswordValid(String encPass, String rawPass, Object salt) {
|
||||
String pass1 = encPass + "";
|
||||
|
||||
// Strict delimiters is false because pass2 never persisted anywhere
|
||||
// and we want to avoid unnecessary exceptions as a result (the
|
||||
// authentication will fail as the encodePassword never allows them)
|
||||
String pass2 = mergePasswordAndSalt(rawPass, salt, false);
|
||||
|
||||
if (ignorePasswordCase) {
|
||||
// Note: per String javadoc to get correct results for Locale insensitive, use
|
||||
// English
|
||||
pass1 = pass1.toLowerCase(Locale.ENGLISH);
|
||||
pass2 = pass2.toLowerCase(Locale.ENGLISH);
|
||||
}
|
||||
return PasswordEncoderUtils.equals(pass1, pass2);
|
||||
}
|
||||
|
||||
/**
|
||||
* Demerges the previously {@link #encodePassword(String, Object)}<code>String</code>.
|
||||
* <P>
|
||||
* The resulting array is guaranteed to always contain two elements. The first is the
|
||||
* password, and the second is the salt.
|
||||
* </p>
|
||||
* <P>
|
||||
* Throws an exception if <code>null</code> or an empty <code>String</code> is passed
|
||||
* to the method.
|
||||
* </p>
|
||||
*
|
||||
* @param password from {@link #encodePassword(String, Object)}
|
||||
*
|
||||
* @return an array containing the password and salt
|
||||
*/
|
||||
public String[] obtainPasswordAndSalt(String password) {
|
||||
return demergePasswordAndSalt(password);
|
||||
}
|
||||
|
||||
/**
|
||||
* Indicates whether the password comparison is case sensitive.
|
||||
* <P>
|
||||
* Defaults to <code>false</code>, meaning an exact case match is required.
|
||||
* </p>
|
||||
*
|
||||
* @param ignorePasswordCase set to <code>true</code> for less stringent comparison
|
||||
*/
|
||||
public void setIgnorePasswordCase(boolean ignorePasswordCase) {
|
||||
this.ignorePasswordCase = ignorePasswordCase;
|
||||
}
|
||||
}
|
||||
|
|
@ -1,73 +0,0 @@
|
|||
/*
|
||||
* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.security.authentication.encoding;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
|
||||
import org.junit.Test;
|
||||
|
||||
/**
|
||||
* <p>
|
||||
* TestCase for PlaintextPasswordEncoder.
|
||||
* </p>
|
||||
*
|
||||
* @author colin sampaleanu
|
||||
* @author Ben Alex
|
||||
*/
|
||||
public class PlaintextPasswordEncoderTests {
|
||||
|
||||
// ~ Methods
|
||||
// ========================================================================================================
|
||||
@Test
|
||||
public void testBasicFunctionality() {
|
||||
PlaintextPasswordEncoder pe = new PlaintextPasswordEncoder();
|
||||
|
||||
String raw = "abc123";
|
||||
String rawDiffCase = "AbC123";
|
||||
String badRaw = "abc321";
|
||||
String salt = "THIS_IS_A_SALT";
|
||||
|
||||
String encoded = pe.encodePassword(raw, salt);
|
||||
assertThat(encoded).isEqualTo("abc123{THIS_IS_A_SALT}");
|
||||
assertThat(pe.isPasswordValid(encoded, raw, salt)).isTrue();
|
||||
assertThat(pe.isPasswordValid(encoded, badRaw, salt)).isFalse();
|
||||
|
||||
// make sure default is not to ignore password case
|
||||
assertThat(pe.isIgnorePasswordCase()).isFalse();
|
||||
encoded = pe.encodePassword(rawDiffCase, salt);
|
||||
assertThat(pe.isPasswordValid(encoded, raw, salt)).isFalse();
|
||||
|
||||
// now check for ignore password case
|
||||
pe = new PlaintextPasswordEncoder();
|
||||
pe.setIgnorePasswordCase(true);
|
||||
|
||||
// should be able to validate even without encoding
|
||||
encoded = pe.encodePassword(rawDiffCase, salt);
|
||||
assertThat(pe.isPasswordValid(encoded, raw, salt)).isTrue();
|
||||
assertThat(pe.isPasswordValid(encoded, badRaw, salt)).isFalse();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testMergeDemerge() {
|
||||
PlaintextPasswordEncoder pwd = new PlaintextPasswordEncoder();
|
||||
|
||||
String merged = pwd.encodePassword("password", "foo");
|
||||
String[] demerged = pwd.obtainPasswordAndSalt(merged);
|
||||
assertThat(demerged[0]).isEqualTo("password");
|
||||
assertThat(demerged[1]).isEqualTo("foo");
|
||||
}
|
||||
}
|
||||
|
|
@ -21,9 +21,9 @@ import org.springframework.security.authentication.BadCredentialsException;
|
|||
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
|
||||
import org.springframework.security.authentication.encoding.LdapShaPasswordEncoder;
|
||||
import org.springframework.security.authentication.encoding.PasswordEncoder;
|
||||
import org.springframework.security.authentication.encoding.PlaintextPasswordEncoder;
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.core.userdetails.UsernameNotFoundException;
|
||||
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
|
||||
import org.springframework.security.ldap.AbstractLdapIntegrationTests;
|
||||
|
||||
import org.springframework.ldap.core.DirContextAdapter;
|
||||
|
|
@ -50,7 +50,7 @@ public class PasswordComparisonAuthenticatorTests extends AbstractLdapIntegratio
|
|||
@Before
|
||||
public void setUp() throws Exception {
|
||||
authenticator = new PasswordComparisonAuthenticator(getContextSource());
|
||||
authenticator.setPasswordEncoder(new PlaintextPasswordEncoder());
|
||||
authenticator.setPasswordEncoder(NoOpPasswordEncoder.getInstance());
|
||||
authenticator.setUserDnPatterns(new String[] { "uid={0},ou=people" });
|
||||
bob = new UsernamePasswordAuthenticationToken("bob", "bobspassword");
|
||||
ben = new UsernamePasswordAuthenticationToken("ben", "benspassword");
|
||||
|
|
@ -140,7 +140,7 @@ public class PasswordComparisonAuthenticatorTests extends AbstractLdapIntegratio
|
|||
@Test
|
||||
public void testWithUserSearch() {
|
||||
authenticator = new PasswordComparisonAuthenticator(getContextSource());
|
||||
authenticator.setPasswordEncoder(new PlaintextPasswordEncoder());
|
||||
authenticator.setPasswordEncoder(NoOpPasswordEncoder.getInstance());
|
||||
assertThat(authenticator.getUserDns("Bob")).withFailMessage("User DN matches shouldn't be available").isEmpty();
|
||||
|
||||
DirContextAdapter ctx = new DirContextAdapter(new DistinguishedName(
|
||||
|
|
|
|||
Loading…
Reference in New Issue