SEC-728: Change use of String.getBytes() in password encoders to use UTF-8

This commit is contained in:
Luke Taylor 2008-03-29 15:21:31 +00:00
parent 91a5a6c266
commit b98c72056a
3 changed files with 26 additions and 5 deletions


@ -14,6 +14,8 @@
*/
package org.springframework.security.providers.encoding;
import java.io.UnsupportedEncodingException;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.codec.binary.Hex;
@ -43,8 +45,18 @@ public class Md4PasswordEncoder extends BaseDigestPasswordEncoder {
*/
public String encodePassword(String rawPass, Object salt) {
String saltedPass = mergePasswordAndSalt(rawPass, salt, false);
byte[] passBytes;
try {
passBytes = saltedPass.getBytes("UTF-8");
} catch (UnsupportedEncodingException e) {
throw new IllegalStateException("UTF-8 not supported!", e);
}
Md4 md4 = new Md4();
md4.update(saltedPass.getBytes(), 0, saltedPass.length());
md4.update(passBytes, 0, saltedPass.length());
byte[] resBuf = md4.digest();
if (getEncodeHashAsBase64()) {
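Review bot: The new `md4.update(passBytes, 0, saltedPass.length());` still bounds the update by the character count of `saltedPass`, but `passBytes` is now its UTF-8 encoding, which holds more bytes than characters whenever the password or salt contains a non-ASCII character. The digest then covers only a prefix of the encoded bytes, so two inputs that differ only in the trailing bytes hash identically and the result disagrees with an MD4 computed over the full UTF-8 string by any other implementation. The length should come from the array itself: `md4.update(passBytes, 0, passBytes.length);`. The enclosing encodePassword method continues past the end of this hunk.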


@ -3,6 +3,7 @@ package org.springframework.security.providers.encoding;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.codec.binary.Hex;
import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
@ -72,7 +73,13 @@ public class MessageDigestPasswordEncoder extends BaseDigestPasswordEncoder {
MessageDigest messageDigest = getMessageDigest();
byte[] digest = messageDigest.digest(saltedPass.getBytes());
byte[] digest;
try {
digest = messageDigest.digest(saltedPass.getBytes("UTF-8"));
} catch (UnsupportedEncodingException e) {
throw new IllegalStateException("UTF-8 not supported!");
}
if (getEncodeHashAsBase64()) {
return new String(Base64.encodeBase64(digest));
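Review bot: The new catch block rethrows without the cause — `throw new IllegalStateException("UTF-8 not supported!");` — whereas the equivalent catch blocks added to the MD4 and LDAP SHA encoders in this same commit pass the caught exception as the second argument. UTF-8 is a mandatory charset on every JVM, so the branch is practically unreachable, but if it ever fires the original `UnsupportedEncodingException` is the only diagnostic and it is discarded. For consistency and a usable stack trace change it to `throw new IllegalStateException("UTF-8 not supported!", e);`. The enclosing encodePassword method starts and ends outside the hunk.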


@ -22,6 +22,7 @@ import org.apache.commons.codec.binary.Base64;
import org.springframework.util.Assert;
import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
@ -82,11 +83,12 @@ public class LdapShaPasswordEncoder implements PasswordEncoder {
try {
sha = MessageDigest.getInstance("SHA");
sha.update(rawPass.getBytes("UTF-8"));
} catch (java.security.NoSuchAlgorithmException e) {
throw new IllegalStateException("No SHA implementation available!", e);
}
sha.update(rawPass.getBytes());
} catch (UnsupportedEncodingException ue) {
throw new IllegalStateException("UTF-8 not supported!", ue);
}
if (salt != null) {
Assert.isInstanceOf(byte[].class, salt, "Salt value must be a byte array");