Attachment 22627 Details for Bug 45871 – Patch for DataSourceRealm (trunk)

[patch] Patch for DataSourceRealm (trunk)

patch.txt (text/plain), 7.00 KB, created by Brandon DuRette on 2008-09-23 21:46:21 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Brandon DuRette

Created: 2008-09-23 21:46:21 UTC

Size: 7.00 KB

patch

obsolete

>Index: DataSourceRealm.java
>===================================================================
>--- DataSourceRealm.java	(revision 698069)
>+++ DataSourceRealm.java	(working copy)
>@@ -24,6 +24,7 @@
> import java.sql.PreparedStatement;
> import java.sql.ResultSet;
> import java.sql.SQLException;
>+import java.text.MessageFormat;
> import java.util.ArrayList;
> 
> import javax.naming.Context;
>@@ -68,6 +69,12 @@
> 
> 
>     /**
>+     * The generated string for the salt PreparedStatement
>+     */
>+    private String preparedSalt = null;
>+
>+
>+    /**
>      * The name of the JNDI JDBC DataSource
>      */
>     protected String dataSourceName = null;
>@@ -106,7 +113,7 @@
> 
> 
>     /**
>-     * The column in the user table that holds the user's credintials
>+     * The column in the user table that holds the user's credentials
>      */
>     protected String userCredCol = null;
> 
>@@ -118,6 +125,19 @@
> 
> 
>     /**
>+     * The column that holds the user's credentials salt
>+     */
>+    protected String userSaltCol = null;
>+    
>+    
>+    /**
>+     * A MessageFormat string that is used to salt the user's password before digesting.
>+     * Use {0} for the password and {1} for the salt. Default is {0}{1}.
>+     */
>+    protected String saltPattern = "{0}{1}";
>+    
>+    
>+    /**
>      * The table that holds the relation between user's and roles
>      */
>     protected String userRoleTable = null;
>@@ -201,6 +221,44 @@
>     }
> 
>     /**
>+     * Return the column in the user table that holds the user's credential salt.
>+     */
>+    public String getUserSaltCol() {
>+        return userSaltCol;
>+    }
>+
>+    /**
>+     * Set the column in the user table that holds the user's credential salt.
>+     * 
>+     * @param userSaltCol The column name
>+     */
>+    public void setUserSaltCol(String userSaltCol) {
>+        this.userSaltCol = userSaltCol;
>+    }
>+    
>+    /**
>+     * Get the <code>MessageFormat</code>-style pattern used to salt 
>+     * user passwords. The substitution strings are {0} for the user's
>+     * password and {1} for the salt.
>+     * 
>+     * @return the <code>MessageFormat</code>-style pattern used to 
>+     * salt user passwords.
>+     */
>+    public String getSaltPattern() {
>+        return saltPattern;
>+    }
>+
>+    /**
>+     * Set the <code>MessageFormat</code>-style pattern used to salt
>+     * user passwords. The substitution strings are {0} for the user's 
>+     * password and {1} for the salt.
>+     * @param saltPattern the salt pattern.
>+     */
>+    public void setSaltPattern(String saltPattern) {
>+        this.saltPattern = saltPattern;
>+    }
>+
>+    /**
>      * Return the column in the user table that holds the user's name.
>      *
>      */
>@@ -323,14 +381,22 @@
>                                                String credentials) throws SQLException{
> 
>         String dbCredentials = getPassword(dbConnection, username);
>-
>+ 
>+        String undigestedCredentials;
>+        if (isSalted() && hasMessageDigest()) {
>+            String dbSalt = getSalt(dbConnection, username);
>+            undigestedCredentials = MessageFormat.format(saltPattern,credentials,dbSalt);
>+        } else {
>+            undigestedCredentials = credentials;
>+        }
>+        
>         // Validate the user's credentials
>         boolean validated = false;
>         if (hasMessageDigest()) {
>             // Hex hashes should be compared case-insensitive
>-            validated = (digest(credentials).equalsIgnoreCase(dbCredentials));
>+            validated = (digest(undigestedCredentials).equalsIgnoreCase(dbCredentials));
>         } else
>-            validated = (digest(credentials).equals(dbCredentials));
>+            validated = (digest(undigestedCredentials).equals(dbCredentials));
> 
>         if (validated) {
>             if (containerLog.isTraceEnabled())
>@@ -483,6 +549,50 @@
> 
> 
>     /**
>+     * Return the password salt associated with the given principal's user name.
>+     * @param dbConnection The database connection to be used
>+     * @param username Username for which password salt should be retrieved
>+     */
>+    protected String getSalt(Connection dbConnection, 
>+                                 String username) {
>+
>+        ResultSet rs = null;
>+        PreparedStatement stmt = null;
>+        String dbSalt = null;
>+        try {
>+            stmt = salt(dbConnection, username);
>+            rs = stmt.executeQuery();
>+            if (rs.next()) {
>+                dbSalt = rs.getString(1);
>+            }
>+
>+            return (dbSalt != null) ? dbSalt.trim() : null;
>+            
>+        } catch(SQLException e) {
>+            containerLog.error(
>+                    sm.getString("dataSourceRealm.getPassword.exception",
>+                                 username));
>+        } finally {
>+            try {
>+                if (rs != null) {
>+                    rs.close();
>+                }
>+                if (stmt != null) {
>+                    stmt.close();
>+                }
>+            } catch (SQLException e) {
>+                    containerLog.error(
>+                        sm.getString("dataSourceRealm.getPassword.exception",
>+                             username));
>+                
>+            }
>+        }
>+        
>+        return null;
>+    }
>+    
>+    
>+    /**
>      * Return the Principal associated with the given user name.
>      */
>     protected Principal getPrincipal(String username) {
>@@ -609,6 +719,40 @@
> 
>     }
> 
>+
>+    /**
>+     * Return a PreparedStatement configured to perform the SELECT required
>+     * to retrieve the password salt for the specified username.
>+     * 
>+     * @param dbConnection The database connection to be used
>+     * @param username Username for which the password salt should be retrieved
>+     * 
>+     * @return a PreparedStatement configured to perform the SELECT required
>+     * to retrieve the password salt for the specified username.
>+     * 
>+     * @throws SQLException if a database error occurs
>+     */
>+    private PreparedStatement salt(Connection dbConnection, String username)
>+        throws SQLException {
>+        
>+        PreparedStatement salt = 
>+            dbConnection.prepareStatement(preparedSalt);
>+        
>+        salt.setString(1, username);
>+        return salt;
>+    }
>+    
>+    
>+    /**
>+     * Return true if the password is being salted.
>+     * @return true if the password is salted in the database.
>+     */
>+    private boolean isSalted()
>+    {
>+        return userSaltCol != null && userSaltCol.length() > 0;
>+    }
>+    
>+    
>     // ------------------------------------------------------ Lifecycle Methods
> 
> 
>@@ -643,6 +787,19 @@
>         temp.append(userNameCol);
>         temp.append(" = ?");
>         preparedCredentials = temp.toString();
>+
>+        // Create the salt PreparedStatement string
>+        if (isSalted())
>+        {
>+            temp = new StringBuffer("SELECT ");
>+            temp.append(userSaltCol);
>+            temp.append(" FROM ");
>+            temp.append(userTable);
>+            temp.append(" WHERE ");
>+            temp.append(userNameCol);
>+            temp.append(" = ?");
>+            preparedSalt = temp.toString();
>+        }
>     }
> 
>

Actions: View | Diff

Attachments on bug 45871: 22627