Added support for LDAP SSHA (salted SHA) encoded passwords.
This commit is contained in:
Luke Taylor
parent
c6dd545de0
commit
7a0a87a167
|
|
@ -16,6 +16,12 @@
|
|||
package org.acegisecurity.providers.ldap.authenticator;
|
||||
|
||||
import org.acegisecurity.providers.encoding.ShaPasswordEncoder;
|
||||
import org.acegisecurity.providers.encoding.PasswordEncoder;
|
||||
import org.acegisecurity.ldap.LdapDataAccessException;
|
||||
import org.apache.commons.codec.binary.Base64;
|
||||
import org.springframework.util.Assert;
|
||||
|
||||
import java.security.MessageDigest;
|
||||
|
||||
/**
|
||||
* A version of {@link ShaPasswordEncoder} which usesBase-64 encoding
|
||||
|
|
@ -24,12 +30,88 @@ import org.acegisecurity.providers.encoding.ShaPasswordEncoder;
|
|||
* @author Luke Taylor
|
||||
* @version $Id$
|
||||
*/
|
||||
public class LdapShaPasswordEncoder extends ShaPasswordEncoder {
|
||||
public class LdapShaPasswordEncoder implements PasswordEncoder {
|
||||
/** The nuber of bytes in a SHA hash */
|
||||
private static final int SHA_LENGTH = 20;
|
||||
|
||||
private static final String SSHA_PREFIX = "{SSHA}";
|
||||
|
||||
private static final String SHA_PREFIX = "{SHA}";
|
||||
|
||||
public LdapShaPasswordEncoder() {
|
||||
super.setEncodeHashAsBase64(true);
|
||||
}
|
||||
|
||||
/**
|
||||
* Checks the validity of an unencoded password against an encoded one in the form
|
||||
* "{SSHA}sQuQF8vj8Eg2Y1hPdh3bkQhCKQBgjhQI".
|
||||
*
|
||||
* @param encPass the SSHA or SHA encoded password
|
||||
* @param rawPass unencoded password to be verified.
|
||||
* @param salt ignored. If the format is SSHA the salt
|
||||
* bytes will be extracted from the encoded password.
|
||||
* @return true if they match.
|
||||
*/
|
||||
public boolean isPasswordValid(String encPass, String rawPass, Object salt) {
|
||||
if(encPass.startsWith(SSHA_PREFIX)) {
|
||||
salt = extractSalt(encPass);
|
||||
} else {
|
||||
salt = null;
|
||||
}
|
||||
|
||||
return encPass.equals(encodePassword(rawPass, salt));
|
||||
}
|
||||
|
||||
private byte[] extractSalt(String encPass) {
|
||||
String encPassNoLabel = encPass.substring(6);
|
||||
|
||||
byte[] hashAndSalt = Base64.decodeBase64(encPassNoLabel.getBytes());
|
||||
int saltLength = hashAndSalt.length - SHA_LENGTH;
|
||||
byte[] salt = new byte[saltLength];
|
||||
System.arraycopy(hashAndSalt, SHA_LENGTH, salt, 0, saltLength);
|
||||
|
||||
return salt;
|
||||
}
|
||||
|
||||
/**
|
||||
*
|
||||
* @param rawPass the password to be encoded.
|
||||
* @param salt the salt. Must be a byte array or null.
|
||||
*
|
||||
* @return base64 encoded concatenation of password hash and salt,
|
||||
* prefixed with {SHA} or {SSHA} depending on whether salt
|
||||
* bytes were supplied.
|
||||
*/
|
||||
public String encodePassword(String rawPass, Object salt) {
|
||||
return "{SHA}" + super.encodePassword(rawPass, salt);
|
||||
MessageDigest sha;
|
||||
|
||||
try {
|
||||
sha = MessageDigest.getInstance("SHA");
|
||||
} catch (java.security.NoSuchAlgorithmException e) {
|
||||
throw new LdapDataAccessException("No SHA implementation available!");
|
||||
}
|
||||
|
||||
sha.update(rawPass.getBytes());
|
||||
|
||||
if(salt != null) {
|
||||
Assert.isInstanceOf(byte[].class, salt, "Salt value must be a byte array");
|
||||
sha.update((byte[])salt);
|
||||
}
|
||||
|
||||
byte[] hash = combineHashAndSalt(sha.digest(), (byte[])salt);
|
||||
|
||||
return (salt == null ? SHA_PREFIX : SSHA_PREFIX) +
|
||||
new String(Base64.encodeBase64(hash));
|
||||
}
|
||||
|
||||
private byte[] combineHashAndSalt(byte[] hash, byte[] salt) {
|
||||
if(salt == null) {
|
||||
return hash;
|
||||
}
|
||||
|
||||
byte[] hashAndSalt = new byte[hash.length + salt.length];
|
||||
System.arraycopy(hash, 0, hashAndSalt, 0, hash.length);
|
||||
System.arraycopy(salt, 0, hashAndSalt, hash.length, salt.length);
|
||||
|
||||
return hashAndSalt;
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -0,0 +1,49 @@
|
|||
/* Copyright 2004, 2005 Acegi Technology Pty Limited
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.acegisecurity.providers.ldap.authenticator;
|
||||
|
||||
import junit.framework.TestCase;
|
||||
|
||||
/**
|
||||
* Tests {@link LdapShaPasswordEncoder}.
|
||||
*
|
||||
* @author Luke Taylor
|
||||
* @version $Id$
|
||||
*/
|
||||
public class LdapShaPasswordEncoderTests extends TestCase {
|
||||
LdapShaPasswordEncoder sha;
|
||||
|
||||
protected void setUp() throws Exception {
|
||||
super.setUp();
|
||||
sha = new LdapShaPasswordEncoder();
|
||||
}
|
||||
|
||||
/** Test values generated by 'slappasswd -h {SHA} -s boabspasswurd' */
|
||||
public void testValidPasswordSucceeds() {
|
||||
assertTrue(sha.isPasswordValid("{SHA}ddSFGmjXYPbZC+NXR2kCzBRjqiE=", "boabspasswurd", null));
|
||||
}
|
||||
|
||||
/** Test values generated by 'slappasswd -s boabspasswurd' */
|
||||
public void testValidSaltedPasswordSucceeds() {
|
||||
assertTrue(sha.isPasswordValid("{SSHA}25ro4PKC8jhQZ26jVsozhX/xaP0suHgX", "boabspasswurd", null));
|
||||
assertTrue(sha.isPasswordValid("{SSHA}PQy2j+6n5ytA+YlAKkM8Fh4p6u2JxfVd", "boabspasswurd", null));
|
||||
}
|
||||
|
||||
public void testInvalidSaltedPasswordFails() {
|
||||
assertFalse(sha.isPasswordValid("{SSHA}25ro4PKC8jhQZ26jVsozhX/xaP0suHgX", "wrongpassword", null));
|
||||
assertFalse(sha.isPasswordValid("{SSHA}PQy2j+6n5ytA+YlAKkM8Fh4p6u2JxfVd", "wrongpassword", null));
|
||||
}
|
||||
}
|
||||
Loading…
Reference in New Issue