Posted to jetspeed-dev@portals.apache.org by at...@apache.org on 2006/06/30 10:56:48 UTC
svn commit: r418204 -
/portals/jetspeed-2/trunk/components/security/src/java/org/apache/jetspeed/security/spi/impl/MessageDigestCredentialPasswordEncoder.java
Author: ate
Date: Fri Jun 30 01:56:48 2006
New Revision: 418204
URL: http://svn.apache.org/viewvc?rev=418204&view=rev
Log:
Feature request by Michael Lipp: http://issues.apache.org/jira/browse/JS2-550?page=comments#action_12418584
Enhancement to allow using "simple" password digesting without "salting" it with the userName.
Note: this opens the door to copying encoded passwords between users, and can allow a user with access to the database to impersonate another user.
Modified:
portals/jetspeed-2/trunk/components/security/src/java/org/apache/jetspeed/security/spi/impl/MessageDigestCredentialPasswordEncoder.java
Modified: portals/jetspeed-2/trunk/components/security/src/java/org/apache/jetspeed/security/spi/impl/MessageDigestCredentialPasswordEncoder.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/trunk/components/security/src/java/org/apache/jetspeed/security/spi/impl/MessageDigestCredentialPasswordEncoder.java?rev=418204&r1=418203&r2=418204&view=diff
==============================================================================
--- portals/jetspeed-2/trunk/components/security/src/java/org/apache/jetspeed/security/spi/impl/MessageDigestCredentialPasswordEncoder.java (original)
+++ portals/jetspeed-2/trunk/components/security/src/java/org/apache/jetspeed/security/spi/impl/MessageDigestCredentialPasswordEncoder.java Fri Jun 30 01:56:48 2006
@@ -31,16 +31,29 @@
*/
public class MessageDigestCredentialPasswordEncoder implements CredentialPasswordEncoder
{
+ // Allow copying of encoded passwords or salt the digest with the userName preventing that
+ boolean simpleEncryption = false;
MessageDigest digester;
public MessageDigestCredentialPasswordEncoder() throws NoSuchAlgorithmException
{
- this("SHA-1");
+ this("SHA-1", false);
+ }
+
+ public MessageDigestCredentialPasswordEncoder(boolean simpleEncryption) throws NoSuchAlgorithmException
+ {
+ this("SHA-1", simpleEncryption);
}
public MessageDigestCredentialPasswordEncoder(String algorithm) throws NoSuchAlgorithmException
{
+ this(algorithm, false);
+ }
+
+ public MessageDigestCredentialPasswordEncoder(String algorithm, boolean simpleEncryption) throws NoSuchAlgorithmException
+ {
this.digester = MessageDigest.getInstance(algorithm);
+ this.simpleEncryption = simpleEncryption;
}
public String getAlgorithm()
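Review bot: The new `simpleEncryption` field at the top of the hunk is package-private and mutable although every constructor chains to the two-argument one and assigns it exactly once; declare it `private final boolean simpleEncryption;` so the mode cannot be changed after construction or from elsewhere in the package. The name is also misleading for a class that wraps a `MessageDigest` — nothing here is encryption — so the `(String algorithm, boolean simpleEncryption)` constructor deserves Javadoc stating what `true` actually means: the password digest is not mixed with the user name, so identical passwords of different users encode to identical stored values. Something like `/** @param simpleEncryption when true the digest is not salted with the user name; equal passwords then produce equal encodings across users */` would carry the warning from the commit log into the code where callers will see it. The class body continues past the hunk.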
@@ -58,9 +71,12 @@
synchronized(digester)
{
digester.reset();
- value = digester.digest(clearTextPassword.getBytes());
- // don't allow copying of encoded passwords
- digester.update(userName.getBytes());
+ value = digester.digest(clearTextPassword.getBytes());
+ if (!simpleEncryption)
+ {
+ // don't allow copying of encoded passwords
+ digester.update(userName.getBytes());
+ }
value = digester.digest(value);
}
return new String(Base64.encodeBase64(value));
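Review bot: Both `getBytes()` calls inside the `synchronized` block use the platform default charset, so the same password (and, in the salted mode, the same user name) digests differently on JVMs with different `file.encoding`, and a stored value may fail verification after the database is moved to another host; pin the encoding with `clearTextPassword.getBytes("UTF-8")` and `userName.getBytes("UTF-8")` (the checked `UnsupportedEncodingException` has to be handled in the enclosing method, whose signature is outside the hunk). The `if (!simpleEncryption)` branch should also carry a comment making the cost of the new mode explicit where the decision is made, e.g. `// simpleEncryption: no per-user salt — equal passwords yield equal encodings and the digest is exposed to precomputed-dictionary attacks`. The `new String(Base64.encodeBase64(value))` on the last line relies on the default charset as well; Base64 output is ASCII so it is harmless in practice, but `new String(..., "US-ASCII")` would make that explicit.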