ASF Bugzilla – Attachment 22627 Details for
Bug 45871
Support for salted and digested patches in DataSourceRealm
[patch]
Patch for DataSourceRealm (trunk)
patch.txt (text/plain), 7.00 KB, created by
Brandon DuRette
on 2008-09-23 21:46:21 UTC
Description:
Patch for DataSourceRealm (trunk)
Filename:
MIME Type:
Creator:
Brandon DuRette
Created:
2008-09-23 21:46:21 UTC
Size:
7.00 KB
patch
obsolete
>Index: DataSourceRealm.java
>===================================================================
>--- DataSourceRealm.java (revision 698069)
>+++ DataSourceRealm.java (working copy)
>@@ -24,6 +24,7 @@
> import java.sql.PreparedStatement;
> import java.sql.ResultSet;
> import java.sql.SQLException;
>+import java.text.MessageFormat;
> import java.util.ArrayList;
>
> import javax.naming.Context;
>@@ -68,6 +69,12 @@
>
>
> /**
>+ * The generated string for the salt PreparedStatement
>+ */
>+ private String preparedSalt = null;
>+
>+
>+ /**
> * The name of the JNDI JDBC DataSource
> */
> protected String dataSourceName = null;
>@@ -106,7 +113,7 @@
>
>
> /**
>- * The column in the user table that holds the user's credintials
>+ * The column in the user table that holds the user's credentials
> */
> protected String userCredCol = null;
>
>@@ -118,6 +125,19 @@
>
>
> /**
>+ * The column that holds the user's credentials salt
>+ */
>+ protected String userSaltCol = null;
>+
>+
>+ /**
>+ * A MessageFormat string that is used to salt the user's password before digesting.
>+ * Use {0} for the password and {1} for the salt. Default is {0}{1}.
>+ */
>+ protected String saltPattern = "{0}{1}";
>+
>+
>+ /**
> * The table that holds the relation between user's and roles
> */
> protected String userRoleTable = null;
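Review bot: The Javadoc on `saltPattern` in the hunk at -118 does not say that the value is parsed by `MessageFormat`, so its quoting rules apply: a literal single quote must be written as `''` and a literal brace must be quoted, otherwise the pattern is rejected or silently reshaped at authentication time. That is worth stating on the field, e.g. ` * Because the value is a MessageFormat pattern, a literal single quote must be written as '' and literal braces must be quoted.` The same caveat belongs on the getter and setter Javadoc added in the next hunk.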
>@@ -201,6 +221,44 @@
> }
>
> /**
>+ * Return the column in the user table that holds the user's credential salt.
>+ */
>+ public String getUserSaltCol() {
>+ return userSaltCol;
>+ }
>+
>+ /**
>+ * Set the column in the user table that holds the user's credential salt.
>+ *
>+ * @param userSaltCol The column name
>+ */
>+ public void setUserSaltCol(String userSaltCol) {
>+ this.userSaltCol = userSaltCol;
>+ }
>+
>+ /**
>+ * Get the <code>MessageFormat</code>-style pattern used to salt
>+ * user passwords. The substitution strings are {0} for the user's
>+ * password and {1} for the salt.
>+ *
>+ * @return the <code>MessageFormat</code>-style pattern used to
>+ * salt user passwords.
>+ */
>+ public String getSaltPattern() {
>+ return saltPattern;
>+ }
>+
>+ /**
>+ * Set the <code>MessageFormat</code>-style pattern used to salt
>+ * user passwords. The substitution strings are {0} for the user's
>+ * password and {1} for the salt.
>+ * @param saltPattern the salt pattern.
>+ */
>+ public void setSaltPattern(String saltPattern) {
>+ this.saltPattern = saltPattern;
>+ }
>+
>+ /**
> * Return the column in the user table that holds the user's name.
> *
> */
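Review bot: `setSaltPattern` accepts any string, so a malformed pattern (unbalanced brace, stray single quote) only surfaces as an `IllegalArgumentException` thrown by `MessageFormat.format` during the first login attempt instead of when the realm is configured. Validating eagerly keeps the failure at configuration time: `new MessageFormat(saltPattern); // rejects a malformed pattern before it is stored` placed before the assignment in `setSaltPattern`. The setter Javadoc would then carry `@throws IllegalArgumentException if the pattern is not a valid MessageFormat pattern`.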
>@@ -323,14 +381,22 @@
> String credentials) throws SQLException{
>
> String dbCredentials = getPassword(dbConnection, username);
>-
>+
>+ String undigestedCredentials;
>+ if (isSalted() && hasMessageDigest()) {
>+ String dbSalt = getSalt(dbConnection, username);
>+ undigestedCredentials = MessageFormat.format(saltPattern,credentials,dbSalt);
>+ } else {
>+ undigestedCredentials = credentials;
>+ }
>+
> // Validate the user's credentials
> boolean validated = false;
> if (hasMessageDigest()) {
> // Hex hashes should be compared case-insensitive
>- validated = (digest(undigestedCredentials).equalsIgnoreCase(dbCredentials));
>+ validated = (digest(undigestedCredentials).equalsIgnoreCase(dbCredentials));
> } else
>- validated = (digest(credentials).equals(dbCredentials));
>+ validated = (digest(undigestedCredentials).equals(dbCredentials));
>
> if (validated) {
> if (containerLog.isTraceEnabled())
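Review bot: When `getSalt` returns null — no row for the user, a NULL salt column, or a `SQLException` it logs and swallows — `MessageFormat.format(saltPattern,credentials,dbSalt)` substitutes the literal text "null" for `{1}` and the digest is computed and compared anyway, so a salt lookup failure is indistinguishable from a wrong password and the only trace is an error log line. Treating a missing salt as a failed lookup makes this explicit: `if (dbSalt == null) { return null; }` directly after the `getSalt` call, assuming `authenticate` returns a `Principal` or null as the later `if (validated)` branch suggests; the method's signature and tail lie outside the hunk. A comment above the `if` such as `// Salt is applied only when a digest is configured; with no digest the stored credential is compared as-is` would also record why the salt is ignored on the `else` path.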
>@@ -483,6 +549,50 @@
>
>
> /**
>+ * Return the password salt associated with the given principal's user name.
>+ * @param dbConnection The database connection to be used
>+ * @param username Username for which password salt should be retrieved
>+ */
>+ protected String getSalt(Connection dbConnection,
>+ String username) {
>+
>+ ResultSet rs = null;
>+ PreparedStatement stmt = null;
>+ String dbSalt = null;
>+ try {
>+ stmt = salt(dbConnection, username);
>+ rs = stmt.executeQuery();
>+ if (rs.next()) {
>+ dbSalt = rs.getString(1);
>+ }
>+
>+ return (dbSalt != null) ? dbSalt.trim() : null;
>+
>+ } catch(SQLException e) {
>+ containerLog.error(
>+ sm.getString("dataSourceRealm.getPassword.exception",
>+ username));
>+ } finally {
>+ try {
>+ if (rs != null) {
>+ rs.close();
>+ }
>+ if (stmt != null) {
>+ stmt.close();
>+ }
>+ } catch (SQLException e) {
>+ containerLog.error(
>+ sm.getString("dataSourceRealm.getPassword.exception",
>+ username));
>+
>+ }
>+ }
>+
>+ return null;
>+ }
>+
>+
> /**
> * Return the Principal associated with the given user name.
> */
> protected Principal getPrincipal(String username) {
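Review bot: Both `catch` blocks in `getSalt` log the `dataSourceRealm.getPassword.exception` message, so a failed salt lookup is reported as a failed password lookup, and neither passes the caught `SQLException` to the logger, which drops the driver's diagnostic. A dedicated key and the cause make the log actionable, e.g. `containerLog.error(sm.getString("dataSourceRealm.getSalt.exception", username), e);` (the key is a constructed example and would need adding to the realm's message bundle). `dbSalt.trim()` also silently alters any salt whose stored value starts or ends with whitespace, which for an arbitrary salt encoded as text means a permanent mismatch; either document in the Javadoc that salts are expected to be stored trimmed, as the password column apparently is, or return the value unchanged.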
>@@ -609,6 +719,40 @@
>
> }
>
>+
>+ /**
>+ * Return a PreparedStatement configured to perform the SELECT required
>+ * to retrieve the password salt for the specified username.
>+ *
>+ * @param dbConnection The database connection to be used
>+ * @param username Username for which the password salt should be retrieved
>+ *
>+ * @return a PreparedStatement configured to perform the SELECT required
>+ * to retrieve the password salt for the specified username.
>+ *
>+ * @throws SQLException if a database error occurs
>+ */
>+ private PreparedStatement salt(Connection dbConnection, String username)
>+ throws SQLException {
>+
>+ PreparedStatement salt =
>+ dbConnection.prepareStatement(preparedSalt);
>+
>+ salt.setString(1, username);
>+ return salt;
>+ }
>+
>+
>+ /**
>+ * Return true if the password is being salted.
>+ * @return true if the password is salted in the database.
>+ */
>+ private boolean isSalted()
>+ {
>+ return userSaltCol != null && userSaltCol.length() > 0;
>+ }
>+
>+
> // ------------------------------------------------------ Lifecycle Methods
>
>
>@@ -643,6 +787,19 @@
> temp.append(userNameCol);
> temp.append(" = ?");
> preparedCredentials = temp.toString();
>+
>+ // Create the salt PreparedStatement string
>+ if (isSalted())
>+ {
>+ temp = new StringBuffer("SELECT ");
>+ temp.append(userSaltCol);
>+ temp.append(" FROM ");
>+ temp.append(userTable);
>+ temp.append(" WHERE ");
>+ temp.append(userNameCol);
>+ temp.append(" = ?");
>+ preparedSalt = temp.toString();
>+ }
> }
>
>
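Review bot: `salt()` passes `preparedSalt` to `prepareStatement` unconditionally, but the hunk at -643 builds that string only inside the lifecycle method, and only if `isSalted()` holds at that moment, so a `userSaltCol` set after start, or a realm that has not started, hands the driver a null SQL string and fails with a driver-specific error instead of a clear one; the lifecycle method's head is outside the hunk. A guard in `salt()` gives a diagnosable failure: `if (preparedSalt == null) { throw new IllegalStateException("salt lookup used before the realm built its salt statement"); }`. The startup hunk also builds the statement when `isSalted()` is true regardless of `hasMessageDigest()`, while `authenticate` applies the salt only when both hold, so a configured salt column with no digest is silently never used; a warning logged at start when `isSalted() && !hasMessageDigest()` would surface that misconfiguration. As a matter of style, the new `if (isSalted())` block and `isSalted()` put the opening brace on its own line while the surrounding code in these hunks uses K&R braces.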