Posted to commits@brooklyn.apache.org by he...@apache.org on 2015/09/15 18:53:22 UTC
[03/15] incubator-brooklyn git commit: refactor
ExplicitUsersSecurityProvider.java so it is easier to share logic
refactor ExplicitUsersSecurityProvider.java so it is easier to share logic
Project: http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/commit/1e24fb52
Tree: http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/tree/1e24fb52
Diff: http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/diff/1e24fb52
Branch: refs/heads/master
Commit: 1e24fb52506c13582f2948ffe6a1b2da6b858db0
Parents: c217303
Author: Alex Heneveld <al...@cloudsoftcorp.com>
Authored: Tue Sep 8 14:27:06 2015 +0100
Committer: Alex Heneveld <al...@cloudsoftcorp.com>
Committed: Tue Sep 8 14:36:54 2015 +0100
----------------------------------------------------------------------
.../provider/ExplicitUsersSecurityProvider.java | 37 ++++++++++++++------
1 file changed, 26 insertions(+), 11 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/blob/1e24fb52/usage/rest-server/src/main/java/org/apache/brooklyn/rest/security/provider/ExplicitUsersSecurityProvider.java
----------------------------------------------------------------------
diff --git a/usage/rest-server/src/main/java/org/apache/brooklyn/rest/security/provider/ExplicitUsersSecurityProvider.java b/usage/rest-server/src/main/java/org/apache/brooklyn/rest/security/provider/ExplicitUsersSecurityProvider.java
index 4874a1f..a0795cb 100644
--- a/usage/rest-server/src/main/java/org/apache/brooklyn/rest/security/provider/ExplicitUsersSecurityProvider.java
+++ b/usage/rest-server/src/main/java/org/apache/brooklyn/rest/security/provider/ExplicitUsersSecurityProvider.java
@@ -46,6 +46,7 @@ public class ExplicitUsersSecurityProvider extends AbstractSecurityProvider impl
public ExplicitUsersSecurityProvider(ManagementContext mgmt) {
this.mgmt = mgmt;
+ initialize();
}
private synchronized void initialize() {
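Review bot: With `initialize()` now run once from the constructor, and the per-login call dropped in the third hunk, the USERS property is read a single time, so a change to the configured user list after construction is no longer picked up — the removed TODO suggests the provider may be instantiated lazily at first login, which masks this for the first user but not for later changes. Whether that trade-off is intended is not visible here; if it is, say so on the constructor: `// reads BrooklynWebConfig.USERS once; later changes to the user list need a new provider instance`. Note also that `authenticate` now reads `allowedUsers` and `allowAnyUserWithValidPass` without the synchronization that the per-call `initialize()` previously provided, which is fine only if the instance is safely published after construction. The body of `initialize()` continues past this hunk.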
@@ -56,8 +57,6 @@ public class ExplicitUsersSecurityProvider extends AbstractSecurityProvider impl
allowedUsers = new LinkedHashSet<String>();
String users = properties.getConfig(BrooklynWebConfig.USERS);
if (users == null) {
- // TODO unfortunately this is only activated *when* someone tries to log in
- // (NB it seems like this class is not even instantiated until first log in)
LOG.warn("REST has no users configured; no one will be able to log in!");
} else if ("*".equals(users)) {
LOG.info("REST allowing any user (so long as valid password is set)");
@@ -70,14 +69,11 @@ public class ExplicitUsersSecurityProvider extends AbstractSecurityProvider impl
LOG.info("REST allowing users: " + allowedUsers);
}
}
-
@Override
public boolean authenticate(HttpSession session, String user, String password) {
if (session==null || user==null) return false;
- initialize();
-
if (!allowAnyUserWithValidPass) {
if (!allowedUsers.contains(user)) {
LOG.debug("REST rejecting unknown user "+user);
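Review bot: The guard at the top of `authenticate` rejects a null session or user but lets a null password through to the credential check; a null candidate yields false on the plain-text path via `equals`, but on the hashed path it is handed to `PasswordHasher.sha256(salt, candidatePassword)`, whose null handling is not visible in this diff. Rejecting it up front is one line: `if (session==null || user==null || password==null) return false;`. The rest of `authenticate` and the new `checkExplicitUserPassword` helper it delegates to sit in the following hunk, which is cut off in this view.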
@@ -85,16 +81,35 @@ public class ExplicitUsersSecurityProvider extends AbstractSecurityProvider impl
}
}
+ if (checkExplicitUserPassword(mgmt, user, password)) {
+ return allow(session, user);
+ }
+ return false;
+ }
+
+ /** checks the supplied candidate user and password against the
+ * expect password (or SHA-256 + SALT thereof) defined as brooklyn properties.
+ */
+ public static boolean checkExplicitUserPassword(ManagementContext mgmt, String user, String password) {
BrooklynProperties properties = (BrooklynProperties) mgmt.getConfig();
- String expectedP = properties.getConfig(BrooklynWebConfig.PASSWORD_FOR_USER(user));
+ String expectedPassword = properties.getConfig(BrooklynWebConfig.PASSWORD_FOR_USER(user));
String salt = properties.getConfig(BrooklynWebConfig.SALT_FOR_USER(user));
String expectedSha256 = properties.getConfig(BrooklynWebConfig.SHA256_FOR_USER(user));
- if (expectedP != null) {
- return expectedP.equals(password) && allow(session, user);
- } else if (expectedSha256 != null) {
- String hashedPassword = PasswordHasher.sha256(salt, password);
- return expectedSha256.equals(hashedPassword) && allow(session, user);
+ return checkPassword(password, expectedPassword, expectedSha256, salt);
+ }
+ /**
+ * checks a candidate password against the expected credential defined for a given user.
+ * the expected credentials can be supplied as an expectedPassword OR as
+ * a combination of the SHA-256 hash of the expected password plus a defined salt.
+ * the combination of the SHA+SALT allows credentials to be supplied in a non-plaintext manner.
+ */
+ public static boolean checkPassword(String candidatePassword, String expectedPassword, String expectedPasswordSha256, String salt) {
+ if (expectedPassword != null) {
+ return expectedPassword.equals(candidatePassword);
+ } else if (expectedPasswordSha256 != null) {
+ String hashedCandidatePassword = PasswordHasher.sha256(salt, candidatePassword);
+ return expectedPasswordSha256.equals(hashedCandidatePassword);
}
return false;