Posted to jetspeed-dev@portals.apache.org by at...@apache.org on 2006/06/30 10:56:48 UTC

svn commit: r418204 - /portals/jetspeed-2/trunk/components/security/src/java/org/apache/jetspeed/security/spi/impl/MessageDigestCredentialPasswordEncoder.java

Author: ate
Date: Fri Jun 30 01:56:48 2006
New Revision: 418204

URL: http://svn.apache.org/viewvc?rev=418204&view=rev
Log:
Feature request by Michael Lipp: http://issues.apache.org/jira/browse/JS2-550?page=comments#action_12418584
Enhancement to allow using "simple" password digesting without "salting" it with the userName.
Note: this opens the door to copying encoded passwords between users and can allow a user with access to the database to impersonate another user...

Modified:
    portals/jetspeed-2/trunk/components/security/src/java/org/apache/jetspeed/security/spi/impl/MessageDigestCredentialPasswordEncoder.java

Modified: portals/jetspeed-2/trunk/components/security/src/java/org/apache/jetspeed/security/spi/impl/MessageDigestCredentialPasswordEncoder.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/trunk/components/security/src/java/org/apache/jetspeed/security/spi/impl/MessageDigestCredentialPasswordEncoder.java?rev=418204&r1=418203&r2=418204&view=diff
==============================================================================
--- portals/jetspeed-2/trunk/components/security/src/java/org/apache/jetspeed/security/spi/impl/MessageDigestCredentialPasswordEncoder.java (original)
+++ portals/jetspeed-2/trunk/components/security/src/java/org/apache/jetspeed/security/spi/impl/MessageDigestCredentialPasswordEncoder.java Fri Jun 30 01:56:48 2006
@@ -31,16 +31,29 @@
  */
 public class MessageDigestCredentialPasswordEncoder implements CredentialPasswordEncoder
 {
+    // Allow copying of encoded passwords or salt the digest with the userName preventing that
+    boolean simpleEncryption = false;
     MessageDigest digester;
     
     public MessageDigestCredentialPasswordEncoder() throws NoSuchAlgorithmException
     {
-        this("SHA-1");
+        this("SHA-1", false);
+    }
+    
+    public MessageDigestCredentialPasswordEncoder(boolean simpleEncryption) throws NoSuchAlgorithmException
+    {
+        this("SHA-1", simpleEncryption);
     }
     
     public MessageDigestCredentialPasswordEncoder(String algorithm) throws NoSuchAlgorithmException
     {
+        this(algorithm, false);
+    }
+    
+    public MessageDigestCredentialPasswordEncoder(String algorithm, boolean simpleEncryption) throws NoSuchAlgorithmException
+    {
         this.digester = MessageDigest.getInstance(algorithm);
+        this.simpleEncryption = simpleEncryption;
     }
     
     public String getAlgorithm()
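Review bot: The new `simpleEncryption` field on the line after the added comment is package-private, non-final and carries a `= false` initializer that every constructor chain then overwrites in the two-argument constructor; `private final boolean simpleEncryption;` states that the flag is fixed at construction and keeps it from being toggled by other classes in the package. The new two-argument constructor is also where the trade-off the commit log already names belongs in Javadoc, e.g. `@param simpleEncryption when true the digest is not salted with the userName, so identical passwords produce identical encoded values`. As a point of style, the class digests rather than encrypts, so a name like `unsalted` would set a reader's expectations more accurately than `simpleEncryption`.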
@@ -58,9 +71,12 @@
         synchronized(digester)
         {
             digester.reset();
-            value = digester.digest(clearTextPassword.getBytes());            
-            // don't allow copying of encoded passwords
-            digester.update(userName.getBytes());
+            value = digester.digest(clearTextPassword.getBytes());
+            if (!simpleEncryption)
+            {
+                // don't allow copying of encoded passwords
+                digester.update(userName.getBytes());
+            }
             value = digester.digest(value);
         }
         return new String(Base64.encodeBase64(value));
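Review bot: Both `getBytes()` calls in this hunk, the retained `clearTextPassword.getBytes()` and the now-conditional `userName.getBytes()`, use the platform default charset, so the same password and user name can encode to different values on two JVMs with different `file.encoding`, which silently breaks credential checks after a migration between hosts. An explicit charset, `clearTextPassword.getBytes("UTF-8")` and `userName.getBytes("UTF-8")`, fixes this; that overload throws the checked `UnsupportedEncodingException`, and the enclosing method's signature is outside the hunk, so whether it can be declared or must be wrapped cannot be seen here. Note also that with `simpleEncryption` set the second `digester.digest(value)` still runs, so the result is a double digest of the password rather than a single one; if the feature request is meant to interoperate with digests produced elsewhere, that presumably deserves a comment such as `// unsalted, but still digest(digest(password))` next to the conditional.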


