From 64d301dfb36019dcbfd14db70ee7110df75796b4 Mon Sep 17 00:00:00 2001 From: Michael Jumper Date: Tue, 26 Feb 2013 12:15:40 -0800 Subject: [PATCH] Ticket #269: Refactor password service to not depend on Credentials (password only). Remove database semantics from non-database password service. --- .../mysql/MySQLAuthenticationProvider.java | 7 ++-- .../service/PasswordEncryptionService.java | 35 +++++++++++-------- .../Sha256PasswordEncryptionService.java | 13 +++---- 3 files changed, 28 insertions(+), 27 deletions(-) diff --git a/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/MySQLAuthenticationProvider.java b/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/MySQLAuthenticationProvider.java index 9229578d2..25604baad 100644 --- a/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/MySQLAuthenticationProvider.java +++ b/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/MySQLAuthenticationProvider.java @@ -119,11 +119,12 @@ public class MySQLAuthenticationProvider implements AuthenticationProvider { UserWithBLOBs user = users.get(0); // Get password service - PasswordEncryptionService passwordService = injector.getInstance(PasswordEncryptionService.class); + PasswordEncryptionService passwordService = + injector.getInstance(PasswordEncryptionService.class); // Check password, if invalid return null - if (!passwordService.checkCredentials(credentials, - user.getPassword_hash(), user.getUsername(), user.getPassword_salt())) + if (!passwordService.checkPassword(credentials.getPassword(), + user.getPassword_hash(), user.getPassword_salt())) return null; MySQLUserContext context = injector.getInstance(MySQLUserContext.class); 
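Review bot: With the username comparison removed from the password service, nothing visible in this hunk confirms that the row in `user` belongs to the name supplied in `credentials`; the call `passwordService.checkPassword(credentials.getPassword(), ...)` trusts whatever lookup filled `users`, which lies outside the hunk. If that lookup matches usernames under a case-insensitive or padding-insensitive database collation (not verifiable from here), the old `equals` test was the only exact match, and dropping it widens the set of submitted names that authenticate. Consider keeping the exact match in the provider before the password check, e.g. `if (!user.getUsername().equals(credentials.getUsername())) return null;`. `credentials.getPassword()` is also passed on without a null check, so unless the implementation handles a missing password it is worth adding `if (credentials.getPassword() == null) return null;`. The enclosing method begins and ends outside the hunk.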
diff --git a/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/service/PasswordEncryptionService.java b/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/service/PasswordEncryptionService.java index 0b1460b69..a1cdaf412 100644 --- a/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/service/PasswordEncryptionService.java +++ b/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/service/PasswordEncryptionService.java @@ -1,3 +1,6 @@ + +package net.sourceforge.guacamole.net.auth.mysql.service; + /* ***** BEGIN LICENSE BLOCK ***** * Version: MPL 1.1/GPL 2.0/LGPL 2.1 * @@ -33,9 +36,6 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -package net.sourceforge.guacamole.net.auth.mysql.service; - -import net.sourceforge.guacamole.net.auth.Credentials; /** * A service to perform password encryption and checking. 
@@ -44,21 +44,26 @@ import net.sourceforge.guacamole.net.auth.Credentials; public interface PasswordEncryptionService { /** - * Checks if the provided Credentials are correct, compared with what the values from the database. - * @param credentials - * @param dbPasswordHash - * @param dbUsername - * @param dbSalt - * @return true if the provided credentials match what's in the database for that user. + * Checks whether the provided, unhashed password matches the given + * hash/salt pair. + * + * @param credentials The credentials to validate. + * @param hashedPassword The hashed password to compare the given password + * against. + * @param salt The salt used when the hashed password given was created. + * @return true if the provided credentials match the values given, false + * otherwise. */ - public boolean checkCredentials(Credentials credentials, byte[] dbPasswordHash, String dbUsername, byte[] dbSalt); + public boolean checkPassword(String password, byte[] hashedPassword, + byte[] salt); /** - * Creates a password hash based on the provided username, password, and salt. - * @param username - * @param password - * @param salt - * @return the generated password hash. + * Creates a password hash based on the provided username, password, and + * salt. + * + * @param password The password to hash. + * @param salt The salt to use when hashing the password. + * @return The generated password hash. */ public byte[] createPasswordHash(String password, byte[] salt); } diff --git a/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/service/Sha256PasswordEncryptionService.java b/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/service/Sha256PasswordEncryptionService.java index 0725efc99..4ac6eff93 100644 --- a/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/service/Sha256PasswordEncryptionService.java 
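Review bot: The new Javadoc for `checkPassword` still has `@param credentials The credentials to validate.` although the parameter is now `password`, and its `@return` text still speaks of "credentials"; it should read `@param password The unhashed password to validate.`. The summary of `createPasswordHash` likewise still says "based on the provided username, password, and salt", but the method takes no username. Because this interface is the contract for comparing secrets, its Javadoc should also require implementations to compare the hashes in constant time. The SHA-256 implementation later in this patch returns `Arrays.equals(passwordBytes, hashedPassword)`, which is not a constant-time comparison; `MessageDigest.isEqual(passwordBytes, hashedPassword)` would be the drop-in replacement, and `MessageDigest` is already imported in that file.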
+++ b/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/service/Sha256PasswordEncryptionService.java @@ -42,7 +42,6 @@ import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; import java.util.Arrays; import javax.xml.bind.DatatypeConverter; -import net.sourceforge.guacamole.net.auth.Credentials; /** * Provides a SHA-256 based implementation of the password encryption functionality. @@ -51,16 +50,12 @@ import net.sourceforge.guacamole.net.auth.Credentials; public class Sha256PasswordEncryptionService implements PasswordEncryptionService { @Override - public boolean checkCredentials(Credentials credentials, - byte[] dbPasswordHash, String dbUsername, byte[] dbSalt) { - - // If usernames don't match, don't bother comparing passwords, just fail - if (!dbUsername.equals(credentials.getUsername())) - return false; + public boolean checkPassword(String password, byte[] hashedPassword, + byte[] salt) { // Compare bytes of password in credentials against hashed password - byte[] passwordBytes = createPasswordHash(credentials.getPassword(), dbSalt); - return Arrays.equals(passwordBytes, dbPasswordHash); + byte[] passwordBytes = createPasswordHash(password, salt); + return Arrays.equals(passwordBytes, hashedPassword); }