Posted to commits@roller.apache.org by mb...@apache.org on 2021/09/13 02:12:11 UTC

[roller] 01/10: RememberMeService should use a better hash function.

This is an automated email from the ASF dual-hosted git repository.

mbien pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/roller.git

commit 2d5bc971cab183df5ee0d1b1ffecc3946a1e9f2c
Author: Michael Bien <mb...@gmail.com>
AuthorDate: Sun Aug 22 03:44:19 2021 +0200

    RememberMeService should use a better hash function.
---
 .../weblogger/ui/core/security/RollerRememberMeServices.java      | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/app/src/main/java/org/apache/roller/weblogger/ui/core/security/RollerRememberMeServices.java b/app/src/main/java/org/apache/roller/weblogger/ui/core/security/RollerRememberMeServices.java
index af1afc2..2566a43 100644
--- a/app/src/main/java/org/apache/roller/weblogger/ui/core/security/RollerRememberMeServices.java
+++ b/app/src/main/java/org/apache/roller/weblogger/ui/core/security/RollerRememberMeServices.java
@@ -31,8 +31,8 @@ import java.security.NoSuchAlgorithmException;
 
 
 public class RollerRememberMeServices extends TokenBasedRememberMeServices {
-    private static final Log log = LogFactory.getLog(RollerRememberMeServices.class);
 
+    private static final Log log = LogFactory.getLog(RollerRememberMeServices.class);
 
     public RollerRememberMeServices(UserDetailsService userDetailsService) {
         
@@ -51,7 +51,7 @@ public class RollerRememberMeServices extends TokenBasedRememberMeServices {
 
     /**
      * Calculates the digital signature to be put in the cookie. Default value is
-     * MD5 ("username:tokenExpiryTime:password:key")
+     * SHA-512 ("username:tokenExpiryTime:password:key")
      *
      * If LDAP is enabled then a configurable dummy password is used in the calculation.
      */
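Review bot: The updated Javadoc still reads `Default value is SHA-512 (...)`, but after this change SHA-512 is the only algorithm this override uses, so "default" no longer describes anything and should just say which digest is applied. It would also help to record the compatibility consequence of the switch, since a signature computed over the same data with a different digest will not match any previously issued cookie, e.g. `* Cookies signed by the earlier MD5 scheme fail verification after this change and require a fresh login.`. The method this Javadoc belongs to starts after the hunk.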
@@ -70,9 +70,9 @@ public class RollerRememberMeServices extends TokenBasedRememberMeServices {
         String data = username + ":" + tokenExpiryTime + ":" + password + ":" + getKey();
         MessageDigest digest;
         try {
-            digest = MessageDigest.getInstance("MD5");
+            digest = MessageDigest.getInstance("SHA-512");
         } catch (NoSuchAlgorithmException e) {
-            throw new IllegalStateException("No MD5 algorithm available!");
+            throw new IllegalStateException("Required by Spec.", e);
         }
 
         return new String(Hex.encode(digest.digest(data.getBytes())));
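Review bot: `data.getBytes()` on the last line of the hunk still encodes the signed string with the platform default charset, so a username or password containing non-ASCII characters can produce a different signature on a JVM with a different `file.encoding`, which makes the token silently invalid across hosts; pass the charset explicitly, `digest.digest(data.getBytes(StandardCharsets.UTF_8))`, with the matching `java.nio.charset.StandardCharsets` import. The new exception message `"Required by Spec."` does not say what failed; `throw new IllegalStateException("SHA-512 MessageDigest not available", e);` is more useful in a log while keeping the cause the commit now attaches. The enclosing method starts before this hunk.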