/**
 * Wires LDAP authentication for this application: users are located by the
 * {@code uid={0},ou=people} DN pattern under the configured base, groups are searched under
 * {@code ou=groups}, and the submitted password is checked with a password-compare step
 * against the {@code userPassword} attribute using {@link LdapShaPasswordEncoder}.
 *
 * @param auth the builder the LDAP provider is registered with
 * @throws Exception propagated from the builder
 */
@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth
        .ldapAuthentication()
        .userDnPatterns("uid={0},ou=people")
        .groupSearchBase("ou=groups")
        .contextSource()
            // Plain ldap:// (no ldaps://, no StartTLS here): traffic to the directory is
            // unencrypted. Acceptable for the local server on port 8389 this points at;
            // NOTE(review): confirm this URL is not reused against a remote directory.
            .url("ldap://localhost:8389/dc=springframework,dc=org")
        .and()
        // NOTE(review): passwordCompare() verifies the password against the attribute value
        // instead of binding as the user, so the encoder below must match how the directory
        // stored the hash — presumably {SHA}/{SSHA}; confirm against the directory data.
        .passwordCompare()
            // LdapShaPasswordEncoder produces the legacy SHA-1 based {SHA}/{SSHA} format.
            .passwordEncoder(new LdapShaPasswordEncoder())
            .passwordAttribute("userPassword");
}
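/**
 * Verifies that the prefix written by {@code encode} honours {@code setForceLowerCasePrefix}:
 * a salted encoder yields {SSHA} or {ssha}, and an encoder built with a zero-length salt
 * generator ({@code KeyGenerators.shared(0)}) yields the unsalted {SHA} or {sha} form.
 */
@Test
public void correctPrefixCaseIsUsed() {
    // Every assertThat(...) must end in .isTrue(): AssertJ's assertThat(boolean) alone
    // performs no check, so the original form of this test could never fail.
    this.sha.setForceLowerCasePrefix(false);
    assertThat(this.sha.encode("somepassword").startsWith("{SSHA}")).isTrue();
    this.sha.setForceLowerCasePrefix(true);
    assertThat(this.sha.encode("somepassword").startsWith("{ssha}")).isTrue();
    // A zero-length salt is treated by encode() as "no salt", so the {SHA} prefix applies
    // and, with the lower-case option on, it is "{sha}" rather than "{SSHA}".
    this.sha = new LdapShaPasswordEncoder(KeyGenerators.shared(0));
    this.sha.setForceLowerCasePrefix(false);
    assertThat(this.sha.encode("somepassword").startsWith("{SHA}")).isTrue();
    this.sha.setForceLowerCasePrefix(true);
    assertThat(this.sha.encode("somepassword").startsWith("{sha}")).isTrue();
}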
/**
 * Verifies an unencoded password against a stored value such as
 * "{SSHA}sQuQF8vj8Eg2Y1hPdh3bkQhCKQBgjhQI". The {SSHA}/{SHA} prefix is accepted in either case.
 *
 * @param rawPassword     the unencoded password to verify; may be {@code null}
 * @param encodedPassword the stored SSHA or SHA encoded password
 * @return {@code true} if they match (independent of the case of the prefix)
 */
public boolean matches(CharSequence rawPassword, String encodedPassword) {
    if (rawPassword == null) {
        // The cast selects the String-based overload, as the null branch of the original did.
        return matches((String) null, encodedPassword);
    }
    return matches(rawPassword.toString(), encodedPassword);
}
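/**
 * Hashes {@code rawPassword} (followed by {@code salt}, when one is supplied) with SHA-1 and
 * returns the LDAP-style encoding: the prefix {SHA} or {SSHA} (lower-cased when
 * {@code forceLowerCasePrefix} is set) followed by base64 of the hash combined with the salt.
 *
 * @param rawPassword the clear-text password to hash
 * @param salt        salt bytes appended to the digest input; {@code null} or empty selects
 *                    the unsalted {SHA} form
 * @return the prefixed, base64-encoded hash
 * @throws IllegalStateException if no "SHA" MessageDigest is available from the JCA providers
 */
private String encode(CharSequence rawPassword, byte[] salt) {
    MessageDigest sha;
    try {
        // "SHA" is the JCA alias for SHA-1: this is the legacy OpenLDAP {SHA}/{SSHA} scheme,
        // kept for interoperability with existing directory data, not a choice for new hashes.
        sha = MessageDigest.getInstance("SHA");
    }
    catch (java.security.NoSuchAlgorithmException e) {
        // Preserve the cause so a provider problem is diagnosable from the stack trace.
        throw new IllegalStateException("No SHA implementation available!", e);
    }
    sha.update(Utf8.encode(rawPassword));
    if (salt != null) {
        sha.update(salt);
    }
    byte[] hash = combineHashAndSalt(sha.digest(), salt);
    // A zero-length salt is treated exactly like no salt: plain {SHA}.
    boolean salted = salt != null && salt.length > 0;
    String prefix;
    if (salted) {
        prefix = forceLowerCasePrefix ? SSHA_PREFIX_LC : SSHA_PREFIX;
    }
    else {
        prefix = forceLowerCasePrefix ? SHA_PREFIX_LC : SHA_PREFIX;
    }
    // Base64 output is pure ASCII, so encodeToString yields the same text as decoding the
    // encoded bytes as UTF-8 did.
    return prefix + Base64.getEncoder().encodeToString(hash);
}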
/**
 * Compares {@code rawPassword} with an LDAP-encoded value by re-encoding the raw password
 * with the salt recovered from {@code encodedPassword} and comparing both encodings with
 * their prefixes stripped. A stored value without any prefix is compared to the raw
 * password as-is.
 *
 * @param rawPassword     the clear-text candidate
 * @param encodedPassword the stored {SHA}/{SSHA} value; the prefix may be in either case
 * @return {@code true} when the encodings match
 * @throws IllegalArgumentException if the prefix is neither {SHA} nor {SSHA}
 */
private boolean matches(String rawPassword, String encodedPassword) {
    String prefix = extractPrefix(encodedPassword);
    if (prefix == null) {
        // No scheme prefix: the stored text is compared directly against the candidate.
        return PasswordEncoderUtils.equals(encodedPassword, rawPassword);
    }
    boolean salted = SSHA_PREFIX.equals(prefix) || SSHA_PREFIX_LC.equals(prefix);
    boolean unsalted = SHA_PREFIX.equals(prefix) || SHA_PREFIX_LC.equals(prefix);
    if (!salted && !unsalted) {
        throw new IllegalArgumentException("Unsupported password prefix '" + prefix + "'");
    }
    // {SSHA} carries its salt after the hash; plain {SHA} has none.
    byte[] salt = salted ? extractSalt(encodedPassword) : null;
    String candidate = encode(rawPassword, salt);
    int hashStart = prefix.length();
    return PasswordEncoderUtils.equals(candidate.substring(hashStart),
            encodedPassword.substring(hashStart));
}
/**
 * Test values generated by 'slappasswd -s boabspasswurd'
 */
@Test
public void validSaltedPasswordSucceeds() {
    String[] stored = {
        "{SSHA}25ro4PKC8jhQZ26jVsozhX/xaP0suHgX",
        "{ssha}PQy2j+6n5ytA+YlAKkM8Fh4p6u2JxfVd"
    };
    // The encoder's own prefix-case setting must not affect matching of either stored form.
    for (boolean lowerCasePrefix : new boolean[] {false, true}) {
        this.sha.setForceLowerCasePrefix(lowerCasePrefix);
        for (String encoded : stored) {
            assertThat(this.sha.matches("boabspasswurd", encoded)).isTrue();
        }
    }
}
// Registry of encoders by scheme id; presumably consumed by a delegating encoder that picks
// the entry named in each stored hash's prefix — confirm against the code that follows.
Map<String, PasswordEncoder> encoders = new HashMap<>();
encoders.put(encodingId, new BCryptPasswordEncoder());
// Legacy schemes (SHA-1 based LDAP {SSHA}, MD4, MD5), referenced by fully qualified name —
// likely because they are deprecated upstream. NOTE(review): these should only serve to
// verify hashes that already exist; confirm new passwords are encoded under encodingId.
encoders.put("ldap", new org.springframework.security.crypto.password.LdapShaPasswordEncoder());
encoders.put("MD4", new org.springframework.security.crypto.password.Md4PasswordEncoder());
encoders.put("MD5", new org.springframework.security.crypto.password.MessageDigestPasswordEncoder("MD5"));
/**
 * Returns the stored form of {@code password}: the value unchanged when clear-text
 * passwords are configured, otherwise its LDAP {SSHA} digest.
 *
 * @param password the clear password to digest.
 * @return the password itself, or its SSHA digest.
 */
@SuppressWarnings("deprecation")
private String digest(final String password) {
    if (isClearPassword()) {
        return password;
    }
    // The encoder is deprecated upstream (hence the suppression); it produces the SHA-1
    // based {SSHA} format that this directory schema expects.
    org.springframework.security.crypto.password.LdapShaPasswordEncoder encoder =
            new org.springframework.security.crypto.password.LdapShaPasswordEncoder();
    return encoder.encode(password);
}
/**
 * Encodes {@code rawPass} with a salt obtained from the configured salt generator and
 * returns the {SSHA}-prefixed base64 concatenation of hash and salt ({SHA} instead when the
 * generator yields an empty salt).
 *
 * @param rawPass the password to be encoded.
 * @return the encoded password in the specified format
 */
public String encode(CharSequence rawPass) {
    // A fresh salt is drawn on every call, so repeated encodings of one password differ
    // whenever the generator is random.
    return encode(rawPass, this.saltGenerator.generateKey());
}
/**
 * Compares {@code rawPassword} with an LDAP-encoded value by re-encoding the raw password
 * with the salt recovered from {@code encodedPassword} and comparing both encodings with
 * their prefixes stripped. A stored value without any prefix is compared to the raw
 * password as-is.
 *
 * @param rawPassword     the clear-text candidate
 * @param encodedPassword the stored {SHA}/{SSHA} value; the prefix may be in either case
 * @return {@code true} when the encodings match
 * @throws IllegalArgumentException if the prefix is neither {SHA} nor {SSHA}
 */
private boolean matches(String rawPassword, String encodedPassword) {
    String prefix = extractPrefix(encodedPassword);
    if (prefix == null) {
        // No scheme prefix: the stored text is compared directly against the candidate.
        return PasswordEncoderUtils.equals(encodedPassword, rawPassword);
    }
    boolean salted = SSHA_PREFIX.equals(prefix) || SSHA_PREFIX_LC.equals(prefix);
    boolean unsalted = SHA_PREFIX.equals(prefix) || SHA_PREFIX_LC.equals(prefix);
    if (!salted && !unsalted) {
        throw new IllegalArgumentException("Unsupported password prefix '" + prefix + "'");
    }
    // {SSHA} carries its salt after the hash; plain {SHA} has none.
    byte[] salt = salted ? extractSalt(encodedPassword) : null;
    String candidate = encode(rawPassword, salt);
    int hashStart = prefix.length();
    return PasswordEncoderUtils.equals(candidate.substring(hashStart),
            encodedPassword.substring(hashStart));
}
// Registry of encoders by scheme id; presumably consumed by a delegating encoder that picks
// the entry named in each stored hash's prefix — confirm against the code that follows.
Map<String, PasswordEncoder> encoders = new HashMap<>();
encoders.put(encodingId, new BCryptPasswordEncoder());
// Legacy schemes (SHA-1 based LDAP {SSHA}, MD4, MD5), referenced by fully qualified name —
// likely because they are deprecated upstream. NOTE(review): these should only serve to
// verify hashes that already exist; confirm new passwords are encoded under encodingId.
encoders.put("ldap", new org.springframework.security.crypto.password.LdapShaPasswordEncoder());
encoders.put("MD4", new org.springframework.security.crypto.password.Md4PasswordEncoder());
encoders.put("MD5", new org.springframework.security.crypto.password.MessageDigestPasswordEncoder("MD5"));
/**
 * Encodes {@code rawPass} with a salt obtained from the configured salt generator and
 * returns the {SSHA}-prefixed base64 concatenation of hash and salt ({SHA} instead when the
 * generator yields an empty salt).
 *
 * @param rawPass the password to be encoded.
 * @return the encoded password in the specified format
 */
public String encode(CharSequence rawPass) {
    // A fresh salt is drawn on every call, so repeated encodings of one password differ
    // whenever the generator is random.
    return encode(rawPass, this.saltGenerator.generateKey());
}
/**
 * Test values generated by 'slappasswd -h {SHA} -s boabspasswurd'
 */
@Test
public void validPasswordSucceeds() {
    String[] stored = {
        "{SHA}ddSFGmjXYPbZC+NXR2kCzBRjqiE=",
        "{sha}ddSFGmjXYPbZC+NXR2kCzBRjqiE="
    };
    // The encoder's own prefix-case setting must not affect matching of either stored form.
    for (boolean lowerCasePrefix : new boolean[] {false, true}) {
        this.sha.setForceLowerCasePrefix(lowerCasePrefix);
        for (String encoded : stored) {
            assertThat(this.sha.matches("boabspasswurd", encoded)).isTrue();
        }
    }
}
/**
 * Compares {@code rawPassword} with an LDAP-encoded value by re-encoding the raw password
 * with the salt recovered from {@code encodedPassword} and comparing both encodings with
 * their prefixes stripped. A stored value without any prefix is compared to the raw
 * password as-is.
 *
 * @param rawPassword     the clear-text candidate
 * @param encodedPassword the stored {SHA}/{SSHA} value; the prefix may be in either case
 * @return {@code true} when the encodings match
 * @throws IllegalArgumentException if the prefix is neither {SHA} nor {SSHA}
 */
private boolean matches(String rawPassword, String encodedPassword) {
    String prefix = extractPrefix(encodedPassword);
    if (prefix == null) {
        // No scheme prefix: the stored text is compared directly against the candidate.
        return PasswordEncoderUtils.equals(encodedPassword, rawPassword);
    }
    boolean salted = SSHA_PREFIX.equals(prefix) || SSHA_PREFIX_LC.equals(prefix);
    boolean unsalted = SHA_PREFIX.equals(prefix) || SHA_PREFIX_LC.equals(prefix);
    if (!salted && !unsalted) {
        throw new IllegalArgumentException("Unsupported password prefix '" + prefix + "'");
    }
    // {SSHA} carries its salt after the hash; plain {SHA} has none.
    byte[] salt = salted ? extractSalt(encodedPassword) : null;
    String candidate = encode(rawPassword, salt);
    int hashStart = prefix.length();
    return PasswordEncoderUtils.equals(candidate.substring(hashStart),
            encodedPassword.substring(hashStart));
}
/**
 * Verifies an unencoded password against a stored value such as
 * "{SSHA}sQuQF8vj8Eg2Y1hPdh3bkQhCKQBgjhQI". The {SSHA}/{SHA} prefix is accepted in either case.
 *
 * @param rawPassword     the unencoded password to verify; may be {@code null}
 * @param encodedPassword the stored SSHA or SHA encoded password
 * @return {@code true} if they match (independent of the case of the prefix)
 */
public boolean matches(CharSequence rawPassword, String encodedPassword) {
    if (rawPassword == null) {
        // The cast selects the String-based overload, as the null branch of the original did.
        return matches((String) null, encodedPassword);
    }
    return matches(rawPassword.toString(), encodedPassword);
}
/**
 * Encodes {@code rawPass} with a salt obtained from the configured salt generator and
 * returns the {SSHA}-prefixed base64 concatenation of hash and salt ({SHA} instead when the
 * generator yields an empty salt).
 *
 * @param rawPass the password to be encoded.
 * @return the encoded password in the specified format
 */
public String encode(CharSequence rawPass) {
    // A fresh salt is drawn on every call, so repeated encodings of one password differ
    // whenever the generator is random.
    return encode(rawPass, this.saltGenerator.generateKey());
}
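/**
 * Hashes {@code rawPassword} (followed by {@code salt}, when one is supplied) with SHA-1 and
 * returns the LDAP-style encoding: the prefix {SHA} or {SSHA} (lower-cased when
 * {@code forceLowerCasePrefix} is set) followed by base64 of the hash combined with the salt.
 *
 * @param rawPassword the clear-text password to hash
 * @param salt        salt bytes appended to the digest input; {@code null} or empty selects
 *                    the unsalted {SHA} form
 * @return the prefixed, base64-encoded hash
 * @throws IllegalStateException if no "SHA" MessageDigest is available from the JCA providers
 */
private String encode(CharSequence rawPassword, byte[] salt) {
    MessageDigest sha;
    try {
        // "SHA" is the JCA alias for SHA-1: this is the legacy OpenLDAP {SHA}/{SSHA} scheme,
        // kept for interoperability with existing directory data, not a choice for new hashes.
        sha = MessageDigest.getInstance("SHA");
    }
    catch (java.security.NoSuchAlgorithmException e) {
        // Preserve the cause so a provider problem is diagnosable from the stack trace.
        throw new IllegalStateException("No SHA implementation available!", e);
    }
    sha.update(Utf8.encode(rawPassword));
    if (salt != null) {
        sha.update(salt);
    }
    byte[] hash = combineHashAndSalt(sha.digest(), salt);
    // A zero-length salt is treated exactly like no salt: plain {SHA}.
    boolean salted = salt != null && salt.length > 0;
    String prefix;
    if (salted) {
        prefix = forceLowerCasePrefix ? SSHA_PREFIX_LC : SSHA_PREFIX;
    }
    else {
        prefix = forceLowerCasePrefix ? SHA_PREFIX_LC : SHA_PREFIX;
    }
    // Base64 output is pure ASCII, so encodeToString yields the same text as decoding the
    // encoded bytes as UTF-8 did.
    return prefix + Base64.getEncoder().encodeToString(hash);
}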
/**
 * Compares {@code rawPassword} with an LDAP-encoded value by re-encoding the raw password
 * with the salt recovered from {@code encodedPassword} and comparing both encodings with
 * their prefixes stripped. A stored value without any prefix is compared to the raw
 * password as-is.
 *
 * @param rawPassword     the clear-text candidate
 * @param encodedPassword the stored {SHA}/{SSHA} value; the prefix may be in either case
 * @return {@code true} when the encodings match
 * @throws IllegalArgumentException if the prefix is neither {SHA} nor {SSHA}
 */
private boolean matches(String rawPassword, String encodedPassword) {
    String prefix = extractPrefix(encodedPassword);
    if (prefix == null) {
        // No scheme prefix: the stored text is compared directly against the candidate.
        return PasswordEncoderUtils.equals(encodedPassword, rawPassword);
    }
    boolean salted = SSHA_PREFIX.equals(prefix) || SSHA_PREFIX_LC.equals(prefix);
    boolean unsalted = SHA_PREFIX.equals(prefix) || SHA_PREFIX_LC.equals(prefix);
    if (!salted && !unsalted) {
        throw new IllegalArgumentException("Unsupported password prefix '" + prefix + "'");
    }
    // {SSHA} carries its salt after the hash; plain {SHA} has none.
    byte[] salt = salted ? extractSalt(encodedPassword) : null;
    String candidate = encode(rawPassword, salt);
    int hashStart = prefix.length();
    return PasswordEncoderUtils.equals(candidate.substring(hashStart),
            encodedPassword.substring(hashStart));
}
.and() .passwordCompare() .passwordEncoder(new LdapShaPasswordEncoder()) .passwordAttribute(passwordAttribute); } else if (activeProfiles.contains(MetronRestConstants.DEV_PROFILE) ||
@Test // SEC-1031 public void fullLengthOfHashIsUsedInComparison() throws Exception { assertThat(this.sha.matches("boabspasswurd", "{SSHA}25ro4PKC8jhQZ26jVsozhX/xaP0suHgX")).isTrue(); // Change the first hash character from '2' to '3' assertThat(this.sha.matches("boabspasswurd", "{SSHA}35ro4PKC8jhQZ26jVsozhX/xaP0suHgX")).isFalse(); // Change the last hash character from 'X' to 'Y' assertThat(this.sha.matches("boabspasswurd", "{SSHA}25ro4PKC8jhQZ26jVsozhX/xaP0suHgY")).isFalse(); }