Posted to dev@tomcat.apache.org by bu...@apache.org on 2005/01/04 17:52:04 UTC
DO NOT REPLY [Bug 32938] New: - SSHA passwords in JNDIRealm
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=32938>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=32938
Summary: SSHA passwords in JNDIRealm
Product: Tomcat 5
Version: 5.5.4
Platform: All
OS/Version: All
Status: NEW
Keywords: PatchAvailable
Severity: enhancement
Priority: P2
Component: Catalina
AssignedTo: tomcat-dev@jakarta.apache.org
ReportedBy: Andrew_Polozov@yahoo.com
Current implementation of JNDIRealm does not support "Salted" SHA passwords.
So, if the password was set by the iPlanet Admin server, it can't be verified by
JNDIRealm.
Here is the patch to make it work.
*** orig/catalina/src/share/org/apache/catalina/realm/JNDIRealm.java Tue Jan 4 11:34:07 2005
--- jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/JNDIRealm.java Tue Jan 4 11:16:54 2005
*************** import javax.naming.directory.SearchCont
*** 43,48 ****
--- 43,50 ----
import javax.naming.directory.SearchResult;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.util.Base64;
+ import org.apache.tomcat.util.buf.ByteChunk;
+ import org.apache.tomcat.util.buf.CharChunk;
/**
*************** public class JNDIRealm extends RealmBase
*** 1191,1196 ****
--- 1193,1231 ----
new String(Base64.encode(md.digest()));
validated = password.equals(digestedPassword);
}
+ } else if (password.startsWith("{SSHA}")) {
+ /* sync since super.digest() does this same thing */
+ synchronized (this) {
+ password = password.substring(6);
+
+ md.reset();
+ md.update(credentials.getBytes());
+ //Decode stored password.
+ ByteChunk pwbc = new ByteChunk(password.length());
+ try {
+ pwbc.append(password.getBytes(), 0, password.length());
+ } catch (java.io.IOException e) {
+ e.printStackTrace(); //Hopefully will never happen.
+ }
+ CharChunk decoded = new CharChunk();
+ Base64.decode(pwbc, decoded);
+ char[] pwarray = decoded.getBuffer();
+ // Split decoded password into hash and salt.
+ final int saltpos = 20;
+ byte[] hash = new byte[saltpos];
+ for (int i=0; i< hash.length; i++)
+ hash[i] = (byte)pwarray[i];
+
+ byte[] salt = new byte[pwarray.length - saltpos];
+ for (int i=0; i< salt.length; i++)
+ salt[i] = (byte)pwarray[i+saltpos];
+
+ md.update(salt);
+
+ byte[] dp = md.digest();
+
+ validated = java.util.Arrays.equals(dp, hash);
+ }
} else {
// Hex hashes should be compared case-insensitive
validated = (digest(credentials).equalsIgnoreCase(password));
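Review bot: after `char[] pwarray = decoded.getBuffer();` the hash/salt split works on the raw backing array, so `pwarray.length - saltpos` can pull unused buffer capacity into the salt and the digest comparison then fails for a correct password; bound the copies with `decoded.getStart()`/`decoded.getLength()`, and set `validated = false` when the decoded length is below `saltpos`, because `new byte[pwarray.length - saltpos]` otherwise throws `NegativeArraySizeException` on a malformed stored value instead of failing the login cleanly. `final int saltpos = 20;` hard-codes the SHA-1 digest size; `md.getDigestLength()` follows whatever digest the realm is configured with. `md.update(credentials.getBytes())` uses the platform default charset, so the same password can hash differently between JVM configurations; pass an explicit charset. Replace `e.printStackTrace();` with the realm's logger.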
*************** public class JNDIRealm extends RealmBase
*** 1202,1208 ****
}
-
/**
* Check credentials by binding to the directory as the user
*
--- 1237,1242 ----
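For reference, a stand-alone check of the {SSHA} layout the patch targets (base64 of SHA-1(password || salt) followed by the raw salt), written here as an added example on the modern Java standard library; it is not part of the patch or of Tomcat. It takes the digest length from the MessageDigest, rejects values too short to contain a digest, hashes with an explicit charset, and compares in constant time.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Base64;

/** Checks a stored LDAP "{SSHA}" value: base64( SHA-1(password || salt) || salt ). */
public final class SshaVerifier {
    private static final String PREFIX = "{SSHA}";

    /** True only if credentials match; malformed stored values give false, never an exception. */
    public static boolean verify(String credentials, String stored) throws NoSuchAlgorithmException {
        if (credentials == null || stored == null || !stored.startsWith(PREFIX)) {
            return false;
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(stored.substring(PREFIX.length()));
        } catch (IllegalArgumentException e) {
            return false; // not valid base64
        }
        MessageDigest md = MessageDigest.getInstance("SHA-1");
        int hashLen = md.getDigestLength(); // 20 for SHA-1, derived rather than hard-coded
        if (decoded.length < hashLen) {
            return false; // too short to hold a digest plus a (possibly empty) salt
        }
        byte[] storedHash = Arrays.copyOfRange(decoded, 0, hashLen);
        byte[] salt = Arrays.copyOfRange(decoded, hashLen, decoded.length);
        md.update(credentials.getBytes(StandardCharsets.UTF_8)); // explicit charset
        md.update(salt);
        return MessageDigest.isEqual(md.digest(), storedHash); // constant-time compare
    }

    /** Builds a {SSHA} value from a password and salt (used here only to construct demo data). */
    public static String encode(String password, byte[] salt) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-1");
        md.update(password.getBytes(StandardCharsets.UTF_8));
        md.update(salt);
        byte[] hash = md.digest();
        byte[] out = Arrays.copyOf(hash, hash.length + salt.length);
        System.arraycopy(salt, 0, out, hash.length, salt.length);
        return PREFIX + Base64.getEncoder().encodeToString(out);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        byte[] salt = {1, 2, 3, 4, 5, 6, 7, 8}; // constructed salt for the demo entry
        String stored = encode("s3cret", salt);
        System.out.println("correct password: " + verify("s3cret", stored));
        System.out.println("wrong password:   " + verify("wrong", stored));
        System.out.println("truncated value:  " + verify("s3cret", "{SSHA}AAAA"));
    }
}
```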