Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Remove ShaPasswordEncoder from core 

Issue: gh-4674
This commit is contained in:
Rob Winch 2017-10-22 10:26:09 -05:00
parent e98fc3556e
commit 40fd8d7aa7
7 changed files with 14 additions and 205 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
config/src/main/java/org/springframework/security/config/authentication/PasswordEncoderParser.java
View File

@ -30,7 +30,6 @@ import org.springframework.security.authentication.encoding.BaseDigestPasswordEn
import org.springframework.security.authentication.encoding.LdapShaPasswordEncoder;
import org.springframework.security.authentication.encoding.Md4PasswordEncoder;
import org.springframework.security.authentication.encoding.PlaintextPasswordEncoder;
import org.springframework.security.authentication.encoding.ShaPasswordEncoder;
import org.springframework.security.config.Elements;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.util.StringUtils;
@ -50,8 +49,6 @@ public class PasswordEncoderParser {
static final String ATT_BASE_64 = "base64";
static final String OPT_HASH_BCRYPT = "bcrypt";
static final String OPT_HASH_PLAINTEXT = "plaintext";
static final String OPT_HASH_SHA = "sha";
static final String OPT_HASH_SHA256 = "sha-256";
static final String OPT_HASH_MD4 = "md4";
static final String OPT_HASH_LDAP_SHA = "{sha}";
static final String OPT_HASH_LDAP_SSHA = "{ssha}";
@ -62,8 +59,6 @@ public class PasswordEncoderParser {
ENCODER_CLASSES = new HashMap<String, Class<?>>();
ENCODER_CLASSES.put(OPT_HASH_PLAINTEXT, PlaintextPasswordEncoder.class);
ENCODER_CLASSES.put(OPT_HASH_BCRYPT, BCryptPasswordEncoder.class);
ENCODER_CLASSES.put(OPT_HASH_SHA, ShaPasswordEncoder.class);
ENCODER_CLASSES.put(OPT_HASH_SHA256, ShaPasswordEncoder.class);
ENCODER_CLASSES.put(OPT_HASH_MD4, Md4PasswordEncoder.class);
ENCODER_CLASSES.put(OPT_HASH_LDAP_SHA, LdapShaPasswordEncoder.class);
ENCODER_CLASSES.put(OPT_HASH_LDAP_SSHA, LdapShaPasswordEncoder.class);
@ -119,10 +114,6 @@ public class PasswordEncoderParser {
BeanDefinitionBuilder beanBldr = BeanDefinitionBuilder
.rootBeanDefinition(beanClass);
if (OPT_HASH_SHA256.equals(hash)) {
beanBldr.addConstructorArgValue(Integer.valueOf(256));
}
if (useBase64) {
if (BaseDigestPasswordEncoder.class.isAssignableFrom(beanClass)) {
beanBldr.addPropertyValue("encodeHashAsBase64", "true");

2
config/src/main/resources/org/springframework/security/config/spring-security-5.0.rnc
View File

@ -7,7 +7,7 @@ start = http | ldap-server | authentication-provider | ldap-authentication-provi
hash =
## Defines the hashing algorithm used on user passwords. Bcrypt is recommended.
attribute hash {"bcrypt" | "plaintext" | "sha" | "sha-256" | "md4" | "{sha}" | "{ssha}"}
attribute hash {"bcrypt" | "plaintext" | "md4" | "{sha}" | "{ssha}"}
base64 =
## Whether a string should be base64 encoded
attribute base64 {xsd:boolean}

6
config/src/main/resources/org/springframework/security/config/spring-security-5.0.xsd
View File

@ -13,8 +13,6 @@
<xs:restriction base="xs:token">
<xs:enumeration value="bcrypt"/>
<xs:enumeration value="plaintext"/>
<xs:enumeration value="sha"/>
<xs:enumeration value="sha-256"/>
<xs:enumeration value="md4"/>
<xs:enumeration value="{sha}"/>
<xs:enumeration value="{ssha}"/>
@ -147,8 +145,6 @@
<xs:restriction base="xs:token">
<xs:enumeration value="bcrypt"/>
<xs:enumeration value="plaintext"/>
<xs:enumeration value="sha"/>
<xs:enumeration value="sha-256"/>
<xs:enumeration value="md4"/>
<xs:enumeration value="{sha}"/>
<xs:enumeration value="{ssha}"/>
@ -529,8 +525,6 @@
<xs:restriction base="xs:token">
<xs:enumeration value="bcrypt"/>
<xs:enumeration value="plaintext"/>
<xs:enumeration value="sha"/>
<xs:enumeration value="sha-256"/>
<xs:enumeration value="md4"/>
<xs:enumeration value="{sha}"/>
<xs:enumeration value="{ssha}"/>

17
config/src/test/java/org/springframework/security/config/authentication/AuthenticationProviderBeanDefinitionParserTests.java
View File

@ -15,17 +15,13 @@
*/
package org.springframework.security.config.authentication;
import static org.assertj.core.api.Assertions.*;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.ReflectionSaltSource;
import org.springframework.security.authentication.encoding.ShaPasswordEncoder;
import org.springframework.security.config.BeanIds;
import org.springframework.security.config.util.InMemoryXmlApplicationContext;
import org.springframework.security.crypto.password.MessageDigestPasswordEncoder;
import org.springframework.security.util.FieldUtils;
import org.springframework.beans.factory.parsing.BeanDefinitionParsingException;
import org.springframework.context.support.AbstractXmlApplicationContext;
@ -132,19 +128,6 @@ public class AuthenticationProviderBeanDefinitionParserTests {
getProvider().authenticate(bob);
}
@Test
public void providerWithSha256PasswordEncoderIsSupported() throws Exception {
setContext(" <authentication-provider>"
+ " <password-encoder hash='sha-256'/>"
+ " <user-service>"
+ " <user name='bob' password='notused' authorities='ROLE_A' />"
+ " </user-service>" + " </authentication-provider>");
ShaPasswordEncoder encoder = (ShaPasswordEncoder) FieldUtils.getFieldValue(
getProvider(), "passwordEncoder");
assertThat(encoder.getAlgorithm()).isEqualTo("SHA-256");
}
@Test
public void passwordIsBase64EncodedWhenBase64IsEnabled() throws Exception {
appContext = new InMemoryXmlApplicationContext(

63
core/src/main/java/org/springframework/security/authentication/encoding/ShaPasswordEncoder.java
View File

@ -1,63 +0,0 @@
/*
* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.authentication.encoding;
/**
* <p>
* SHA implementation of PasswordEncoder.
* </p>
* <p>
* If a <code>null</code> password is presented, it will be treated as an empty
* <code>String</code> ("") password.
* </p>
* <p>
* As SHA is a one-way hash, the salt can contain any characters. The default strength for
* the SHA encoding is SHA-1. If you wish to use higher strengths use the parametrised
* constructor. {@link #ShaPasswordEncoder(int strength)}
* </p>
* <p>
* The applicationContext example...
*
* <pre>
* &lt;bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.ShaPasswordEncoder"&gt;
* &lt;constructor-arg value="256"/&gt;
* &lt;/bean&gt;
* </pre>
*
* @author Ray Krueger
* @author colin sampaleanu
* @author Ben Alex
*/
public class ShaPasswordEncoder extends MessageDigestPasswordEncoder {
/**
* Initializes the ShaPasswordEncoder for SHA-1 strength
*/
public ShaPasswordEncoder() {
this(1);
}
/**
* Initialize the ShaPasswordEncoder with a given SHA stength as supported by the JVM
* EX: <code>ShaPasswordEncoder encoder = new ShaPasswordEncoder(256);</code>
* initializes with SHA-256
*
* @param strength EX: 1, 256, 384, 512
*/
public ShaPasswordEncoder(int strength) {
super("SHA-" + strength);
}
}

43
core/src/test/java/org/springframework/security/authentication/dao/DaoAuthenticationProviderTests.java
View File

@ -40,7 +40,6 @@ import org.springframework.security.authentication.InternalAuthenticationService
import org.springframework.security.authentication.LockedException;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.encoding.ShaPasswordEncoder;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
@ -348,33 +347,6 @@ public class DaoAuthenticationProviderTests {
assertThat(result2.getCredentials()).isEqualTo(result.getCredentials());
}
@Test
public void testAuthenticatesWhenASaltIsUsed() {
UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
"rod", "koala");
SystemWideSaltSource salt = new SystemWideSaltSource();
salt.setSystemWideSalt("SYSTEM_SALT_VALUE");
DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
provider.setUserDetailsService(new MockAuthenticationDaoUserrodWithSalt());
provider.setSaltSource(salt);
provider.setUserCache(new MockUserCache());
Authentication result = provider.authenticate(token);
if (!(result instanceof UsernamePasswordAuthenticationToken)) {
fail("Should have returned instance of UsernamePasswordAuthenticationToken");
}
assertThat(result.getPrincipal().getClass()).isEqualTo(User.class);
// We expect original credentials user submitted to be returned
assertThat(result.getCredentials()).isEqualTo("koala");
assertThat(AuthorityUtils.authorityListToSet(result.getAuthorities())).contains(
"ROLE_ONE", "ROLE_TWO");
}
@Test
public void testAuthenticatesWithForcePrincipalAsString() {
UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
@ -418,9 +390,9 @@ public class DaoAuthenticationProviderTests {
@Test
public void testGettersSetters() {
DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
provider.setPasswordEncoder(new ShaPasswordEncoder());
provider.setPasswordEncoder(new PWE());
assertThat(provider.getPasswordEncoder().getClass()).isEqualTo(
ShaPasswordEncoder.class);
PWE.class);
provider.setSaltSource(new SystemWideSaltSource());
assertThat(provider.getSaltSource().getClass()).isEqualTo(
@ -435,6 +407,17 @@ public class DaoAuthenticationProviderTests {
assertThat(provider.isForcePrincipalAsString()).isTrue();
}
static class PWE implements org.springframework.security.authentication.encoding.PasswordEncoder {
@Override public String encodePassword(String rawPass, Object salt) {
return null;
}
@Override public boolean isPasswordValid(String encPass, String rawPass,
Object salt) {
return false;
}
}
@Test
public void testGoesBackToAuthenticationDaoToObtainLatestPasswordIfCachedPasswordSeemsIncorrect() {
UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(

79
core/src/test/java/org/springframework/security/authentication/encoding/ShaPasswordEncoderTests.java
View File

@ -1,79 +0,0 @@
/*
* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.authentication.encoding;
import static org.assertj.core.api.Assertions.*;
import org.junit.Test;
import org.springframework.security.authentication.encoding.ShaPasswordEncoder;
/**
* <p>
* TestCase for ShaPasswordEncoder.
* </p>
*
* @author colin sampaleanu
* @author Ben Alex
* @author Ray Krueger
*/
public class ShaPasswordEncoderTests {
// ~ Methods
// ========================================================================================================
@Test
public void testBasicFunctionality() {
ShaPasswordEncoder pe = new ShaPasswordEncoder();
String raw = "abc123";
String badRaw = "abc321";
String salt = "THIS_IS_A_SALT";
String encoded = pe.encodePassword(raw, salt);
assertThat(pe.isPasswordValid(encoded, raw, salt)).isTrue();
assertThat(pe.isPasswordValid(encoded, badRaw, salt)).isFalse();
assertThat(encoded).isEqualTo("b2f50ffcbd3407fe9415c062d55f54731f340d32");
}
@Test
public void testBase64() throws Exception {
ShaPasswordEncoder pe = new ShaPasswordEncoder();
pe.setEncodeHashAsBase64(true);
String raw = "abc123";
String badRaw = "abc321";
String salt = "THIS_IS_A_SALT";
String encoded = pe.encodePassword(raw, salt);
assertThat(pe.isPasswordValid(encoded, raw, salt)).isTrue();
assertThat(pe.isPasswordValid(encoded, badRaw, salt)).isFalse();
assertThat(encoded.length() != 40).isTrue();
}
@Test
public void test256() throws Exception {
ShaPasswordEncoder pe = new ShaPasswordEncoder(256);
String encoded = pe.encodePassword("abc123", null);
assertThat(encoded).isEqualTo("6ca13d52ca70c883e0f0bb101e425a89e8624de51db2d2392593af6a84118090");
String encodedWithSalt = pe.encodePassword("abc123", "THIS_IS_A_SALT");
assertThat(encodedWithSalt).isEqualTo("4b79b7de23eb23b78cc5ede227d532b8a51f89b2ec166f808af76b0dbedc47d7");
}
@Test
public void testInvalidStrength() throws Exception {
try {
new ShaPasswordEncoder(666);
fail("IllegalArgumentException expected");
}
catch (IllegalArgumentException e) {
// expected
}
}
}