safebox/guacamole-client
4
0
Fork 0
mirror of https://github.com/gyurix1968/guacamole-client.git synced 2025-10-30 00:23:21 +00:00
Code Issues Packages Projects Releases Wiki Activity

GUAC-1109: Do not rely on SHA2(). Handle password hashing in Java.

Browse Source
This commit is contained in:
Michael Jumper
2015-03-04 14:23:56 -08:00
parent 969db70be9
commit a4a3de002b
3 changed files with 23 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/user/UserMapper.java
View File

@@ -32,23 +32,6 @@ import org.apache.ibatis.annotations.Param;
*/ */
public interface UserMapper extends DirectoryObjectMapper<UserModel> { public interface UserMapper extends DirectoryObjectMapper<UserModel> {
/**
* Returns the user having the given username and password, if any. If no
* such user exists, null is returned.
*
* @param username
* The username of the user to return.
*
* @param password
* The password of the user to return.
*
* @return
* The user having the given username and password, or null if no such
* user exists.
*/
UserModel selectOneByCredentials(@Param("username") String username,
@Param("password") String password);
/** /**
* Returns the user having the given username, if any. If no such user * Returns the user having the given username, if any. If no such user
* exists, null is returned. * exists, null is returned.

21
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/glyptodon/guacamole/auth/jdbc/user/UserService.java
View File

@@ -24,6 +24,7 @@ package org.glyptodon.guacamole.auth.jdbc.user;
import com.google.inject.Inject; import com.google.inject.Inject;
import com.google.inject.Provider; import com.google.inject.Provider;
import java.util.Arrays;
import java.util.Collection; import java.util.Collection;
import java.util.Collections; import java.util.Collections;
import org.glyptodon.guacamole.net.auth.Credentials; import org.glyptodon.guacamole.net.auth.Credentials;
@@ -33,6 +34,7 @@ import org.glyptodon.guacamole.GuacamoleClientException;
import org.glyptodon.guacamole.GuacamoleException; import org.glyptodon.guacamole.GuacamoleException;
import org.glyptodon.guacamole.auth.jdbc.permission.ObjectPermissionMapper; import org.glyptodon.guacamole.auth.jdbc.permission.ObjectPermissionMapper;
import org.glyptodon.guacamole.auth.jdbc.permission.UserPermissionMapper; import org.glyptodon.guacamole.auth.jdbc.permission.UserPermissionMapper;
import org.glyptodon.guacamole.auth.jdbc.security.PasswordEncryptionService;
import org.glyptodon.guacamole.net.auth.User; import org.glyptodon.guacamole.net.auth.User;
import org.glyptodon.guacamole.net.auth.permission.ObjectPermissionSet; import org.glyptodon.guacamole.net.auth.permission.ObjectPermissionSet;
import org.glyptodon.guacamole.net.auth.permission.SystemPermission; import org.glyptodon.guacamole.net.auth.permission.SystemPermission;
@@ -64,6 +66,12 @@ public class UserService extends DirectoryObjectService<ModeledUser, User, UserM
@Inject @Inject
private Provider<ModeledUser> userProvider; private Provider<ModeledUser> userProvider;
/**
* Service for hashing passwords.
*/
@Inject
private PasswordEncryptionService encryptionService;
@Override @Override
protected DirectoryObjectMapper<UserModel> getObjectMapper() { protected DirectoryObjectMapper<UserModel> getObjectMapper() {
return userMapper; return userMapper;
@@ -169,11 +177,15 @@ public class UserService extends DirectoryObjectService<ModeledUser, User, UserM
String username = credentials.getUsername(); String username = credentials.getUsername();
String password = credentials.getPassword(); String password = credentials.getPassword();
// Retrieve user model, if the user exists // Retrieve corresponding user model, if such a user exists
UserModel userModel = userMapper.selectOneByCredentials(username, password); UserModel userModel = userMapper.selectOne(username);
if (userModel == null) if (userModel == null)
return null; return null;
// If password hash matches, return the retrieved user
byte[] hash = encryptionService.createPasswordHash(password, userModel.getPasswordSalt());
if (Arrays.equals(hash, userModel.getPasswordHash())) {
// Return corresponding user, set up cyclic reference // Return corresponding user, set up cyclic reference
ModeledUser user = getObjectInstance(null, userModel); ModeledUser user = getObjectInstance(null, userModel);
user.setCurrentUser(new AuthenticatedUser(user, credentials)); user.setCurrentUser(new AuthenticatedUser(user, credentials));
@@ -181,4 +193,9 @@ public class UserService extends DirectoryObjectService<ModeledUser, User, UserM
} }
// Otherwise, the credentials do not match
return null;
}
} }

13
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/resources/org/glyptodon/guacamole/auth/jdbc/user/UserMapper.xml
View File

@@ -87,19 +87,6 @@
</select> </select>
<!-- Select single user by credentials -->
<select id="selectOneByCredentials" resultMap="UserResultMap">
SELECT
user_id,
username,
password_hash,
password_salt
FROM guacamole_user
WHERE
username = #{username,jdbcType=VARCHAR}
AND password_hash = UNHEX(SHA2(CONCAT(#{password,jdbcType=VARCHAR}, HEX(password_salt)), 256))
</select>
<!-- Select single user by username --> <!-- Select single user by username -->
<select id="selectOne" resultMap="UserResultMap"> <select id="selectOne" resultMap="UserResultMap">