diff --git a/core/src/main/java/org/acegisecurity/providers/ldap/authenticator/LdapShaPasswordEncoder.java b/core/src/main/java/org/acegisecurity/providers/ldap/authenticator/LdapShaPasswordEncoder.java index 0b29083a02..89dbd5b4a8 100644 --- a/core/src/main/java/org/acegisecurity/providers/ldap/authenticator/LdapShaPasswordEncoder.java +++ b/core/src/main/java/org/acegisecurity/providers/ldap/authenticator/LdapShaPasswordEncoder.java @@ -16,6 +16,12 @@ package org.acegisecurity.providers.ldap.authenticator; import org.acegisecurity.providers.encoding.ShaPasswordEncoder; +import org.acegisecurity.providers.encoding.PasswordEncoder; +import org.acegisecurity.ldap.LdapDataAccessException; +import org.apache.commons.codec.binary.Base64; +import org.springframework.util.Assert; + +import java.security.MessageDigest; /** * A version of {@link ShaPasswordEncoder} which usesBase-64 encoding @@ -24,12 +30,88 @@ import org.acegisecurity.providers.encoding.ShaPasswordEncoder; * @author Luke Taylor * @version $Id$ */ -public class LdapShaPasswordEncoder extends ShaPasswordEncoder { +public class LdapShaPasswordEncoder implements PasswordEncoder { + /** The nuber of bytes in a SHA hash */ + private static final int SHA_LENGTH = 20; + + private static final String SSHA_PREFIX = "{SSHA}"; + + private static final String SHA_PREFIX = "{SHA}"; + public LdapShaPasswordEncoder() { - super.setEncodeHashAsBase64(true); } + /** + * Checks the validity of an unencoded password against an encoded one in the form + * "{SSHA}sQuQF8vj8Eg2Y1hPdh3bkQhCKQBgjhQI". + * + * @param encPass the SSHA or SHA encoded password + * @param rawPass unencoded password to be verified. + * @param salt ignored. If the format is SSHA the salt + * bytes will be extracted from the encoded password. + * @return true if they match. + */ + public boolean isPasswordValid(String encPass, String rawPass, Object salt) { + if(encPass.startsWith(SSHA_PREFIX)) { + salt = extractSalt(encPass); + } else { + salt = null; + } + + return encPass.equals(encodePassword(rawPass, salt)); + } + + private byte[] extractSalt(String encPass) { + String encPassNoLabel = encPass.substring(6); + + byte[] hashAndSalt = Base64.decodeBase64(encPassNoLabel.getBytes()); + int saltLength = hashAndSalt.length - SHA_LENGTH; + byte[] salt = new byte[saltLength]; + System.arraycopy(hashAndSalt, SHA_LENGTH, salt, 0, saltLength); + + return salt; + } + + /** + * + * @param rawPass the password to be encoded. + * @param salt the salt. Must be a byte array or null. + * + * @return base64 encoded concatenation of password hash and salt, + * prefixed with {SHA} or {SSHA} depending on whether salt + * bytes were supplied. + */ public String encodePassword(String rawPass, Object salt) { - return "{SHA}" + super.encodePassword(rawPass, salt); + MessageDigest sha; + + try { + sha = MessageDigest.getInstance("SHA"); + } catch (java.security.NoSuchAlgorithmException e) { + throw new LdapDataAccessException("No SHA implementation available!"); + } + + sha.update(rawPass.getBytes()); + + if(salt != null) { + Assert.isInstanceOf(byte[].class, salt, "Salt value must be a byte array"); + sha.update((byte[])salt); + } + + byte[] hash = combineHashAndSalt(sha.digest(), (byte[])salt); + + return (salt == null ? SHA_PREFIX : SSHA_PREFIX) + + new String(Base64.encodeBase64(hash)); + } + + private byte[] combineHashAndSalt(byte[] hash, byte[] salt) { + if(salt == null) { + return hash; + } + + byte[] hashAndSalt = new byte[hash.length + salt.length]; + System.arraycopy(hash, 0, hashAndSalt, 0, hash.length); + System.arraycopy(salt, 0, hashAndSalt, hash.length, salt.length); + + return hashAndSalt; } } diff --git a/core/src/test/java/org/acegisecurity/providers/ldap/authenticator/LdapShaPasswordEncoderTests.java b/core/src/test/java/org/acegisecurity/providers/ldap/authenticator/LdapShaPasswordEncoderTests.java new file mode 100644 index 0000000000..e4f35d14c9 --- /dev/null +++ b/core/src/test/java/org/acegisecurity/providers/ldap/authenticator/LdapShaPasswordEncoderTests.java @@ -0,0 +1,49 @@ +/* Copyright 2004, 2005 Acegi Technology Pty Limited + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.acegisecurity.providers.ldap.authenticator; + +import junit.framework.TestCase; + +/** + * Tests {@link LdapShaPasswordEncoder}. + * + * @author Luke Taylor + * @version $Id$ + */ +public class LdapShaPasswordEncoderTests extends TestCase { + LdapShaPasswordEncoder sha; + + protected void setUp() throws Exception { + super.setUp(); + sha = new LdapShaPasswordEncoder(); + } + + /** Test values generated by 'slappasswd -h {SHA} -s boabspasswurd' */ + public void testValidPasswordSucceeds() { + assertTrue(sha.isPasswordValid("{SHA}ddSFGmjXYPbZC+NXR2kCzBRjqiE=", "boabspasswurd", null)); + } + + /** Test values generated by 'slappasswd -s boabspasswurd' */ + public void testValidSaltedPasswordSucceeds() { + assertTrue(sha.isPasswordValid("{SSHA}25ro4PKC8jhQZ26jVsozhX/xaP0suHgX", "boabspasswurd", null)); + assertTrue(sha.isPasswordValid("{SSHA}PQy2j+6n5ytA+YlAKkM8Fh4p6u2JxfVd", "boabspasswurd", null)); + } + + public void testInvalidSaltedPasswordFails() { + assertFalse(sha.isPasswordValid("{SSHA}25ro4PKC8jhQZ26jVsozhX/xaP0suHgX", "wrongpassword", null)); + assertFalse(sha.isPasswordValid("{SSHA}PQy2j+6n5ytA+YlAKkM8Fh4p6u2JxfVd", "wrongpassword", null)); + } +}