From a..@apache.org
Subject svn commit: r418136 - in /portals/jetspeed-2/trunk: components/security/src/java/org/apache/jetspeed/security/spi/impl/ components/security/src/java/org/apache/jetspeed/security/util/ components/security/src/test/org/apache/jetspeed/security/util/ jets...
Date Thu, 29 Jun 2006 20:57:43 GMT
Author: ate
Date: Thu Jun 29 13:57:43 2006
New Revision: 418136

URL: http://svn.apache.org/viewvc?rev=418136&view=rev
Log:
Implementation of JS2-550: A new Two-way password encoding service allowing decoding of encoded
passwords
See: http://issues.apache.org/jira/browse/JS2-550

Added:
    portals/jetspeed-2/trunk/components/security/src/java/org/apache/jetspeed/security/spi/impl/PBEPasswordService.java
    portals/jetspeed-2/trunk/components/security/src/java/org/apache/jetspeed/security/util/PBEPasswordTool.java
    portals/jetspeed-2/trunk/components/security/src/test/org/apache/jetspeed/security/util/
    portals/jetspeed-2/trunk/components/security/src/test/org/apache/jetspeed/security/util/TestPBEPasswordTool.java
    portals/jetspeed-2/trunk/jetspeed-api/src/java/org/apache/jetspeed/security/PasswordEncodingService.java
Modified:
    portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/jetspeed-services.xml
    portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/security-spi-atn.xml

Added: portals/jetspeed-2/trunk/components/security/src/java/org/apache/jetspeed/security/spi/impl/PBEPasswordService.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/trunk/components/security/src/java/org/apache/jetspeed/security/spi/impl/PBEPasswordService.java?rev=418136&view=auto
==============================================================================
--- portals/jetspeed-2/trunk/components/security/src/java/org/apache/jetspeed/security/spi/impl/PBEPasswordService.java
(added)
+++ portals/jetspeed-2/trunk/components/security/src/java/org/apache/jetspeed/security/spi/impl/PBEPasswordService.java
Thu Jun 29 13:57:43 2006
@@ -0,0 +1,44 @@
+/* Copyright 2004 Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jetspeed.security.spi.impl;
+
+import java.security.NoSuchAlgorithmException;
+import java.security.spec.InvalidKeySpecException;
+
+import org.apache.jetspeed.security.PasswordEncodingService;
+import org.apache.jetspeed.security.spi.CredentialPasswordEncoder;
+import org.apache.jetspeed.security.util.PBEPasswordTool;
+
+/**
+ * <p>
+ * PBEPasswordService provides an PBE based PasswordEncodingService, allowing decoding of
user passwords
+ * </p>
+ * 
+ * @author <a href="mailto:ate@douma.nu">Ate Douma</a>
+ * @version $Id$
+ */
+public class PBEPasswordService extends PBEPasswordTool implements PasswordEncodingService,
CredentialPasswordEncoder
+{
+
+    /**
+     * @param cipherPassword
+     * @throws InvalidKeySpecException
+     * @throws NoSuchAlgorithmException
+     */
+    public PBEPasswordService(String pbePassword) throws InvalidKeySpecException, NoSuchAlgorithmException
+    {
+        super(pbePassword);
+    }
+}
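Review bot: The constructor Javadoc names `@param cipherPassword`, but the parameter in the signature is `pbePassword`, so the tag documents nothing. Rename it and say what the value is for, e.g. `@param pbePassword the secret from which the PBE key is derived; every password encoded with this key can be decoded by whoever holds it`. Since `encode` and `decode` are both inherited from `PBEPasswordTool` and nothing in this file shows them, a class-level sentence such as `Encoding is reversible: see PBEPasswordTool#decode` would tell a reader that this service, unlike a digest-based CredentialPasswordEncoder, stores recoverable passwords.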

Added: portals/jetspeed-2/trunk/components/security/src/java/org/apache/jetspeed/security/util/PBEPasswordTool.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/trunk/components/security/src/java/org/apache/jetspeed/security/util/PBEPasswordTool.java?rev=418136&view=auto
==============================================================================
--- portals/jetspeed-2/trunk/components/security/src/java/org/apache/jetspeed/security/util/PBEPasswordTool.java
(added)
+++ portals/jetspeed-2/trunk/components/security/src/java/org/apache/jetspeed/security/util/PBEPasswordTool.java
Thu Jun 29 13:57:43 2006
@@ -0,0 +1,135 @@
+/* Copyright 2004 Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jetspeed.security.util;
+
+import java.security.NoSuchAlgorithmException;
+import java.security.spec.InvalidKeySpecException;
+
+import javax.crypto.Cipher;
+import javax.crypto.SecretKey;
+import javax.crypto.SecretKeyFactory;
+import javax.crypto.spec.PBEKeySpec;
+import javax.crypto.spec.PBEParameterSpec;
+
+import org.apache.commons.codec.binary.Base64;
+import org.apache.jetspeed.security.SecurityException;
+
+/**
+ * <p>
+ * PBEPasswordTool encodes and decodes user passwords using Password Based encryptionl
+ * </p>
+ * 
+ * @author <a href="mailto:ate@douma.nu">Ate Douma</a>
+ * @version $Id$
+ */
+public class PBEPasswordTool
+{
+    // PKCS #5 (PBE) algoritm
+    private static final String CIPHER_ALGORITM = "PBEwithMD5andDES";
+    // PKCS #5 iteration count is advised to be at least  1000
+    private static final int PKCS_5_ITERATIONCOUNT = 1111;
+    // pseudo random base salt which will be overlayed with userName.getBytes()
+    private static final byte[] PKCS_5_BASE_SALT = {(byte)0xA9, (byte)0x9B, (byte)0xC8, (byte)0x32,
(byte)0x56, (byte)0x35, (byte)0xE3, (byte)0x03};
+    
+    // PBE cipher
+    private SecretKey pbeKey;
+    
+    public PBEPasswordTool(String pbePassword) throws InvalidKeySpecException, NoSuchAlgorithmException
+    {
+        pbeKey = SecretKeyFactory.getInstance(CIPHER_ALGORITM).generateSecret(new PBEKeySpec(pbePassword.toCharArray()));
+    }
+
+    /* (non-Javadoc)
+     * @see org.apache.jetspeed.security.spi.CredentialPasswordEncoder#encode(java.lang.String,
java.lang.String)
+     * @see org.apache.jetspeed.security.PasswordEncodingService#encode(java.lang.String,
java.lang.String)
+     */
+    public String encode(String userName, String clearTextPassword) throws SecurityException
+    {
+        try
+        {
+            // prevent dictionary attacks as well as copying of encoded passwords by using
the userName as salt
+            PBEParameterSpec cipherSpec = new PBEParameterSpec(createSalt(userName.getBytes("UTF-8")),
PKCS_5_ITERATIONCOUNT);
+            
+            Cipher cipher = Cipher.getInstance(CIPHER_ALGORITM);
+            cipher.init(Cipher.ENCRYPT_MODE,pbeKey,cipherSpec);
+            
+            return new String(Base64.encodeBase64(cipher.doFinal(clearTextPassword.getBytes("UTF-8"))),
"UTF-8");
+        }
+        catch (Exception e)
+        {
+            throw new SecurityException(SecurityException.UNEXPECTED.create("PBEPasswordTool","encode",e.getMessage()),
e);
+        }
+    }
+    
+    /* (non-Javadoc)
+     * @see org.apache.jetspeed.security.PasswordEncodingService#decode(java.lang.String,
java.lang.String)
+     */
+    public String decode(String userName, String encodedPassword) throws SecurityException
+    {
+        try
+        {
+            // prevent dictionary attacks as well as copying of encoded passwords by using
the userName as salt
+            PBEParameterSpec cipherSpec = new PBEParameterSpec(createSalt(userName.getBytes("UTF-8")),
PKCS_5_ITERATIONCOUNT);
+            
+            Cipher cipher = Cipher.getInstance(CIPHER_ALGORITM);
+            cipher.init(Cipher.DECRYPT_MODE,pbeKey,cipherSpec);
+            
+            return new String(cipher.doFinal(Base64.decodeBase64(encodedPassword.getBytes("UTF-8"))),
"UTF-8");
+        }
+        catch (Exception e)
+        {
+            throw new SecurityException(SecurityException.UNEXPECTED.create("PBEPasswordTool","decode",e.getMessage()),
e);
+        }
+    }
+    
+    /*
+     * Create a PCKS #5 salt using the BASE_PCKS_5_SALT overlayed with the provided secret
parameter
+     */
+    private byte[] createSalt(byte[] secret)
+    {
+        byte[] salt = new byte[PKCS_5_BASE_SALT.length];
+        int i = 0;
+        for (;i < salt.length && i < secret.length; i++)
+        {
+            salt[i] = secret[i];
+        }
+        for (; i < salt.length; i++)
+        {
+            salt[i] = PKCS_5_BASE_SALT[i];
+        }
+        return salt;
+    }
+
+    public static void main(String args[]) throws Exception
+    {
+        if (args.length != 4 || (!args[0].equals("encode") && !args[0].equals("decode")))
+        {
+            System.err.println("Encode/Decode a user password using Password Based Encryption");
+            System.err.println("Usage: PBEPasswordTool <encode|decode> <encoding-password>
<username> <password>");
+            System.err.println("  encode|decode    : specify if to encode or decode the provided
password");
+            System.err.println("  encoding-password: the password to be used for encoding
and decoding");
+            System.err.println("  username         : the name of the user to which the provided
password belongs");
+            System.err.println("  password         : the cleartext password to encode, or
the encoded password to decode\n");
+        }
+        else if (args[0].toLowerCase().equals("encode"))
+        {
+            System.out.println("Encoded password: "+new PBEPasswordTool(args[1]).encode(args[2],args[3]));
+        }
+        else
+        {
+            System.out.println("Decoded password: "+new PBEPasswordTool(args[1]).decode(args[2],args[3]));
+        }
+    }
+}
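Review bot: `createSalt` copies at most `PKCS_5_BASE_SALT.length` (8) bytes of the user name and ignores the rest, so two user names that share their first eight UTF-8 bytes get an identical salt and, for the same cleartext, an identical encoding; the comment above `cipherSpec` in `encode` promises that encoded passwords cannot be copied between users, which therefore only holds for names that differ within the first eight bytes. Folding every byte of the name into a copy of the base salt (below) removes the truncation at no cost, and because this file is new in this commit there are no stored encodings to migrate. Separately, `CIPHER_ALGORITM` hard-codes `PBEwithMD5andDES`, a 56-bit DES key derived through MD5, which is the weakest PBE scheme the JCE ships; the constant's comment should state that limitation, and taking the algorithm name as an optional constructor argument with this value as the default would let deployments pick a stronger scheme without touching the interface. In `main`, the guard `args[0].equals("encode")` is case-sensitive while the dispatch uses `toLowerCase()`, so the lowercasing is dead code, and both the encoding password and the cleartext are read from `args`, where they are visible in process listings and shell history; the usage text should say so.
```java
    /*
     * Create a PKCS #5 salt from PKCS_5_BASE_SALT, folding every byte of the provided
     * secret into it so that secrets longer than the salt still yield distinct salts
     * (not collision-free, but no byte of the secret is ignored any more)
     */
    private byte[] createSalt(byte[] secret)
    {
        byte[] salt = (byte[]) PKCS_5_BASE_SALT.clone();
        for (int i = 0; i < secret.length; i++)
        {
            salt[i % salt.length] ^= secret[i];
        }
        return salt;
    }
    // … unchanged: main …
```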

Added: portals/jetspeed-2/trunk/components/security/src/test/org/apache/jetspeed/security/util/TestPBEPasswordTool.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/trunk/components/security/src/test/org/apache/jetspeed/security/util/TestPBEPasswordTool.java?rev=418136&view=auto
==============================================================================
--- portals/jetspeed-2/trunk/components/security/src/test/org/apache/jetspeed/security/util/TestPBEPasswordTool.java
(added)
+++ portals/jetspeed-2/trunk/components/security/src/test/org/apache/jetspeed/security/util/TestPBEPasswordTool.java
Thu Jun 29 13:57:43 2006
@@ -0,0 +1,51 @@
+/*
+ * Copyright 2000-2001,2004 The Apache Software Foundation.
+ * 
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jetspeed.security.util;
+
+import junit.framework.TestCase;
+
+/**
+ * <p>
+ * TestPBEPasswordTool
+ * </p>
+ * 
+ * @author <a href="mailto:ate@douma.nu">Ate Douma</a>
+ * @version $Id$
+ */
+public class TestPBEPasswordTool extends TestCase
+{
+
+    /*
+     * Test method for 'org.apache.jetspeed.security.util.PBEPasswordTool.encode(String,
String)'
+     */
+    public void testEncode() throws Exception
+    {
+        PBEPasswordTool pbe = new PBEPasswordTool("123");
+        // check the same password is encoded differently for different usernames
+        this.assertNotSame("Encoded password should not be the same for different users",
pbe.encode("user1","abc123"), pbe.encode("user2","abc123"));
+    }
+
+    /*
+     * Test method for 'org.apache.jetspeed.security.util.PBEPasswordTool.decode(String,
String)'
+     */
+    public void testDecode() throws Exception
+    {
+        PBEPasswordTool pbe = new PBEPasswordTool("123");
+        // check the same password is encoded differently for different usernames
+        this.assertEquals("Decoded password doesn't match original", "abc123", pbe.decode("user1",
pbe.encode("user1","abc123")));
+    }
+
+}
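Review bot: `assertNotSame` in `testEncode` compares object identity, and `encode` returns a freshly constructed `String` on every call, so the assertion passes even when both encodings are byte-for-byte equal; the test never checks what its message claims. Compare contents instead: `assertFalse("Encoded password should not be the same for different users", pbe.encode("user1","abc123").equals(pbe.encode("user2","abc123")));`. The comment in `testDecode` is copied from `testEncode` and should describe the round trip, e.g. `// check that decoding an encoded password yields the original cleartext`.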

Added: portals/jetspeed-2/trunk/jetspeed-api/src/java/org/apache/jetspeed/security/PasswordEncodingService.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/trunk/jetspeed-api/src/java/org/apache/jetspeed/security/PasswordEncodingService.java?rev=418136&view=auto
==============================================================================
--- portals/jetspeed-2/trunk/jetspeed-api/src/java/org/apache/jetspeed/security/PasswordEncodingService.java
(added)
+++ portals/jetspeed-2/trunk/jetspeed-api/src/java/org/apache/jetspeed/security/PasswordEncodingService.java
Thu Jun 29 13:57:43 2006
@@ -0,0 +1,29 @@
+/* Copyright 2004 Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jetspeed.security;
+
+/**
+ * <p>
+ * PasswordEncodingService allows decoding of user passwords provided that a two-way encryption
algoritmn is used.
+ * </p>
+ * 
+ * @author <a href="mailto:ate@douma.nu">Ate Douma</a>
+ * @version $Id$
+ */
+public interface PasswordEncodingService
+{
+    String encode(String userName, String clearTextPassword) throws SecurityException;
+    String decode(String userName, String encodedPassword) throws SecurityException;
+}
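Review bot: Neither `encode` nor `decode` has Javadoc, and the class comment is the only hint that this service differs from a one-way password encoder in that its output is recoverable. Add method Javadoc stating the contract: for `encode`, whether the result depends on `userName` as well as `clearTextPassword` and that `decode` with the same `userName` reverses it; for `decode`, that `encodedPassword` must have been produced by `encode` of the same implementation, plus `@throws SecurityException` for the failure case. The class comment's `algoritmn` should read `algorithm`.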

Modified: portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/jetspeed-services.xml
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/jetspeed-services.xml?rev=418136&r1=418135&r2=418136&view=diff
==============================================================================
--- portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/jetspeed-services.xml (original)
+++ portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/jetspeed-services.xml Thu Jun 29
13:57:43 2006
@@ -95,6 +95,11 @@
           <entry key="PreferencesProvider">
             <ref bean="org.apache.jetspeed.prefs.PreferencesProvider"/>
           </entry>
+<!-- first uncomment the below service bean in security-spi-atn.xml
+         <entry key="PasswordEncodingService">
+           <ref bean="org.apache.jetspeed.security.PasswordEncodingService" />
+         </entry>
+-->          
   	   	</map>
   	   </constructor-arg>
   </bean>

Modified: portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/security-spi-atn.xml
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/security-spi-atn.xml?rev=418136&r1=418135&r2=418136&view=diff
==============================================================================
--- portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/security-spi-atn.xml (original)
+++ portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/security-spi-atn.xml Thu Jun 29 13:57:43
2006
@@ -35,6 +35,18 @@
        <constructor-arg index="1"><ref bean="org.apache.jetspeed.security.spi.CredentialPasswordEncoder"/></constructor-arg>
      
   </bean>       
 
+  <!-- A Two-way encoding password service which also implements CredentialPasswordEncoder
+         this Service can be used instead of for example the default provided MessageDigestCredentialPasswordEncoder
+  <bean id="org.apache.jetspeed.security.PasswordEncodingService"
+        name="org.apache.jetspeed.security.spi.CredentialPasswordEncoder"
+        class="org.apache.jetspeed.security.spi.impl.PBEPasswordService">
+    <constructor-arg index="0">
+      <!- secret PBE key password ->
+      <value>********</value>
+    </constructor-arg>       
+  </bean>       
+-->
+
   <!-- allow multiple InternalPasswordCredentialInterceptors to be used for DefaultCredentialHandler
--> 
   <bean id="org.apache.jetspeed.security.spi.InternalPasswordCredentialInterceptor"
        class="org.apache.jetspeed.security.spi.impl.InternalPasswordCredentialInterceptorsProxy">
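Review bot: The inner `<!- secret PBE key password ->` on the `constructor-arg` is not XML comment syntax; it is harmless only because the whole bean sits inside the outer `<!-- ... -->`, and the moment an operator uncomments the bean, as the note added to jetspeed-services.xml tells them to, the file stops parsing. A real nested comment is not possible (`--` would end the outer one), so move the hint into the outer comment text, e.g. `the constructor-arg value is the secret PBE key password`, and leave the argument itself plain. The `********` placeholder also means the PBE secret would be stored in cleartext in the assembly file, and since `decode` recovers every user password from it, the comment should at least tell the operator not to commit the real value; whether it can be externalized via a property placeholder depends on assembly features not visible in this hunk.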




