Posted to commits@brooklyn.apache.org by he...@apache.org on 2015/09/15 18:53:22 UTC

[03/15] incubator-brooklyn git commit: refactor ExplicitUsersSecurityProvider.java so it is easier to share logic

refactor ExplicitUsersSecurityProvider.java so it is easier to share logic


Project: http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/commit/1e24fb52
Tree: http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/tree/1e24fb52
Diff: http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/diff/1e24fb52

Branch: refs/heads/master
Commit: 1e24fb52506c13582f2948ffe6a1b2da6b858db0
Parents: c217303
Author: Alex Heneveld <al...@cloudsoftcorp.com>
Authored: Tue Sep 8 14:27:06 2015 +0100
Committer: Alex Heneveld <al...@cloudsoftcorp.com>
Committed: Tue Sep 8 14:36:54 2015 +0100

----------------------------------------------------------------------
 .../provider/ExplicitUsersSecurityProvider.java | 37 ++++++++++++++------
 1 file changed, 26 insertions(+), 11 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/blob/1e24fb52/usage/rest-server/src/main/java/org/apache/brooklyn/rest/security/provider/ExplicitUsersSecurityProvider.java
----------------------------------------------------------------------
diff --git a/usage/rest-server/src/main/java/org/apache/brooklyn/rest/security/provider/ExplicitUsersSecurityProvider.java b/usage/rest-server/src/main/java/org/apache/brooklyn/rest/security/provider/ExplicitUsersSecurityProvider.java
index 4874a1f..a0795cb 100644
--- a/usage/rest-server/src/main/java/org/apache/brooklyn/rest/security/provider/ExplicitUsersSecurityProvider.java
+++ b/usage/rest-server/src/main/java/org/apache/brooklyn/rest/security/provider/ExplicitUsersSecurityProvider.java
@@ -46,6 +46,7 @@ public class ExplicitUsersSecurityProvider extends AbstractSecurityProvider impl
 
     public ExplicitUsersSecurityProvider(ManagementContext mgmt) {
         this.mgmt = mgmt;
+        initialize();
     }
 
     private synchronized void initialize() {
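Review bot: With `initialize()` now called only from the constructor, the allowed-user set is fixed when the provider is built, while `checkExplicitUserPassword` further down still reads the password properties from `mgmt.getConfig()` on every call. If the brooklyn properties can change at runtime, a user removed from the users list would stay accepted until the provider is recreated. Whether the old per-login call actually re-read the list is not visible, because the top of `initialize()` lies outside the hunk, so this needs confirming. A comment on the constructor would make the intent explicit, for example `// users list is read once at construction; later changes to brooklyn properties are not picked up`.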
@@ -56,8 +57,6 @@ public class ExplicitUsersSecurityProvider extends AbstractSecurityProvider impl
         allowedUsers = new LinkedHashSet<String>();
         String users = properties.getConfig(BrooklynWebConfig.USERS);
         if (users == null) {
-            // TODO unfortunately this is only activated *when* someone tries to log in
-            // (NB it seems like this class is not even instantiated until first log in)
             LOG.warn("REST has no users configured; no one will be able to log in!");
         } else if ("*".equals(users)) {
             LOG.info("REST allowing any user (so long as valid password is set)");
@@ -70,14 +69,11 @@ public class ExplicitUsersSecurityProvider extends AbstractSecurityProvider impl
             LOG.info("REST allowing users: " + allowedUsers);
         }
     }
-
     
     @Override
     public boolean authenticate(HttpSession session, String user, String password) {
         if (session==null || user==null) return false;
         
-        initialize();
-        
         if (!allowAnyUserWithValidPass) {
             if (!allowedUsers.contains(user)) {
                 LOG.debug("REST rejecting unknown user "+user);
@@ -85,16 +81,35 @@ public class ExplicitUsersSecurityProvider extends AbstractSecurityProvider impl
             }
         }
 
+        if (checkExplicitUserPassword(mgmt, user, password)) {
+            return allow(session, user);
+        }
+        return false;
+    }
+
+    /** checks the supplied candidate user and password against the
+     * expect password (or SHA-256 + SALT thereof) defined as brooklyn properties.
+     */
+    public static boolean checkExplicitUserPassword(ManagementContext mgmt, String user, String password) {
         BrooklynProperties properties = (BrooklynProperties) mgmt.getConfig();
-        String expectedP = properties.getConfig(BrooklynWebConfig.PASSWORD_FOR_USER(user));
+        String expectedPassword = properties.getConfig(BrooklynWebConfig.PASSWORD_FOR_USER(user));
         String salt = properties.getConfig(BrooklynWebConfig.SALT_FOR_USER(user));
         String expectedSha256 = properties.getConfig(BrooklynWebConfig.SHA256_FOR_USER(user));
         
-        if (expectedP != null) {
-            return expectedP.equals(password) && allow(session, user);
-        } else if (expectedSha256 != null) {
-            String hashedPassword = PasswordHasher.sha256(salt, password);
-            return expectedSha256.equals(hashedPassword) && allow(session, user);
+        return checkPassword(password, expectedPassword, expectedSha256, salt);
+    }
+    /** 
+     * checks a candidate password against the expected credential defined for a given user.
+     * the expected credentials can be supplied as an expectedPassword OR as
+     * a combination of the SHA-256 hash of the expected password plus a defined salt.
+     * the combination of the SHA+SALT allows credentials to be supplied in a non-plaintext manner.
+     */
+    public static boolean checkPassword(String candidatePassword, String expectedPassword, String expectedPasswordSha256, String salt) {
+        if (expectedPassword != null) {
+            return expectedPassword.equals(candidatePassword);
+        } else if (expectedPasswordSha256 != null) {
+            String hashedCandidatePassword = PasswordHasher.sha256(salt, candidatePassword);
+            return expectedPasswordSha256.equals(hashedCandidatePassword);
         }
 
         return false;
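Review bot: `checkPassword` compares the secret with `String.equals` in both branches, which returns at the first differing character, and now that the method is public static that comparison is reachable from callers beyond `authenticate`. Both branches should use a constant-time comparison such as `MessageDigest.isEqual` over the UTF-8 bytes, with a null guard on the candidate, since what `PasswordHasher.sha256` does with a null password is not visible here. Separately, `checkExplicitUserPassword` does not consult `allowedUsers`, so its Javadoc should state that callers other than `authenticate` must apply the allowed-user check themselves. The closing brace of `checkPassword` is outside the hunk.

```java
    public static boolean checkPassword(String candidatePassword, String expectedPassword, String expectedPasswordSha256, String salt) {
        if (candidatePassword == null) return false;
        if (expectedPassword != null) {
            return MessageDigest.isEqual(
                    expectedPassword.getBytes(StandardCharsets.UTF_8),
                    candidatePassword.getBytes(StandardCharsets.UTF_8));
        } else if (expectedPasswordSha256 != null) {
            String hashedCandidatePassword = PasswordHasher.sha256(salt, candidatePassword);
            return MessageDigest.isEqual(
                    expectedPasswordSha256.getBytes(StandardCharsets.UTF_8),
                    hashedCandidatePassword.getBytes(StandardCharsets.UTF_8));
        }
        // … unchanged: fall through to return false …
```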