Posted to commits@jspwiki.apache.org by ju...@apache.org on 2021/04/24 09:26:54 UTC
[jspwiki] 01/09: feat: Add SHA-256 prefix and handling to password
validation
This is an automated email from the ASF dual-hosted git repository.
juanpablo pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/jspwiki.git
commit e17e57331f0ae4129104cb3ba9e537d53b8f2060
Author: samhareem <sa...@museoliitto.fi>
AuthorDate: Wed Mar 24 17:52:32 2021 +0200
feat: Add SHA-256 prefix and handling to password validation
---
.../wiki/auth/user/AbstractUserDatabase.java | 22 ++++++++++------------
1 file changed, 10 insertions(+), 12 deletions(-)
diff --git a/jspwiki-main/src/main/java/org/apache/wiki/auth/user/AbstractUserDatabase.java b/jspwiki-main/src/main/java/org/apache/wiki/auth/user/AbstractUserDatabase.java
index 43f382d..c738e88 100644
--- a/jspwiki-main/src/main/java/org/apache/wiki/auth/user/AbstractUserDatabase.java
+++ b/jspwiki-main/src/main/java/org/apache/wiki/auth/user/AbstractUserDatabase.java
@@ -46,6 +46,7 @@ public abstract class AbstractUserDatabase implements UserDatabase {
protected static final Logger log = Logger.getLogger( AbstractUserDatabase.class );
protected static final String SHA_PREFIX = "{SHA}";
protected static final String SSHA_PREFIX = "{SSHA}";
+ protected static final String SHA256_PREFIX = "{SHA-256}";
/**
* Looks up and returns the first {@link UserProfile} in the user database that whose login name, full name, or wiki name matches the
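Review bot: The new `SHA256_PREFIX` constant carries no comment, and its name reads like a marker for an unsalted digest even though validatePassword in the second hunk (which runs past the end of this page) sends `{SHA-256}`-prefixed values through `CryptoUtil.verifySaltedPassword`, the same path as `{SSHA}`; the existing `{SHA}` / `{SSHA}` pair follows the convention where the leading S distinguishes salted from plain, so a reader may infer the wrong storage format here. If the stored SHA-256 value is in fact salted, a Javadoc such as `/** Prefix of stored salted SHA-256 password hashes; must be the literal that CryptoUtil emits and parses for this format. */` would pin the meaning, and the two older prefixes would benefit from the same one-liner. Whether the value carries a salt is determined by CryptoUtil, which is outside this diff, so that should be confirmed there before the comment is worded.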
@@ -187,29 +188,26 @@ public abstract class AbstractUserDatabase implements UserDatabase {
*/
@Override
public boolean validatePassword( final String loginName, final String password ) {
- final String hashedPassword;
+ String hashedPassword;
try {
final UserProfile profile = findByLoginName( loginName );
String storedPassword = profile.getPassword();
+ boolean verified = false;
- // Is the password stored as a salted hash (the new 2.8 format?)
- final boolean newPasswordFormat = storedPassword.startsWith( SSHA_PREFIX );
-
- // If new format, verify the hash
- if( newPasswordFormat ) {
- hashedPassword = getHash( password );
- return CryptoUtil.verifySaltedPassword( password.getBytes( StandardCharsets.UTF_8 ), storedPassword );
+ // If the password is stored as SHA-256 or SSHA, verify the hash
+ if( storedPassword.startsWith( SHA256_PREFIX ) || storedPassword.startsWith( SSHA_PREFIX ) ) {
+ verified = CryptoUtil.verifySaltedPassword( password.getBytes( StandardCharsets.UTF_8 ), storedPassword );
}
- // If old format, verify using the old SHA verification algorithm
+ // Use older verification algorithm if password is stored as SHA
if( storedPassword.startsWith( SHA_PREFIX ) ) {
storedPassword = storedPassword.substring( SHA_PREFIX.length() );
+ hashedPassword = getOldHash( password );
+ verified = hashedPassword.equals( storedPassword );
}
- hashedPassword = getOldHash( password );
- final boolean verified = hashedPassword.equals( storedPassword );
// If in the old format and password verified, upgrade the hash to SSHA
- if( verified ) {
+ if( verified && !storedPassword.startsWith( SHA256_PREFIX ) ) {
profile.setPassword( password );
save( profile );
}