Commit e0393a19 authored by Ard Schrijvers's avatar Ard Schrijvers

REPO-2180 [Backport 12.6] Use the hashed pwd instead of a boolean

developers can't guess the hashed pwd

(cherry picked from commit 047b24b4)
parent ffc402f6
...@@ -47,7 +47,7 @@ public class RepositoryUserManager extends AbstractUserManager { ...@@ -47,7 +47,7 @@ public class RepositoryUserManager extends AbstractUserManager {
// note we include a random uuid to make sure that *before* a successful login the attribute name is not known // note we include a random uuid to make sure that *before* a successful login the attribute name is not known
// on the SimpleCredentials object // on the SimpleCredentials object
private static final String LOGIN_RESULT_ATTR = RepositoryUserManager.class.getName() private static final String LOGIN_PWD_HASH = RepositoryUserManager.class.getName()
+ UUID.randomUUID().toString() + ".loginSuccess"; + UUID.randomUUID().toString() + ".loginSuccess";
private static final long ONEDAYMS = 1000 * 3600 * 24; private static final long ONEDAYMS = 1000 * 3600 * 24;
...@@ -118,19 +118,22 @@ public class RepositoryUserManager extends AbstractUserManager { ...@@ -118,19 +118,22 @@ public class RepositoryUserManager extends AbstractUserManager {
return true; return true;
} }
final Boolean loginResult = (Boolean)creds.getAttribute(LOGIN_RESULT_ATTR); // user's password hash was (maybe) stored on previous login and can be reused directly
final String passwordHash = (String)creds.getAttribute(LOGIN_PWD_HASH);
if (loginResult != null) { final String storedHash = getPasswordHash(userinfo);
return loginResult; if (passwordHash != null) {
return passwordHash.equals(storedHash);
} }
// do regular password check // do regular password check
final boolean success = PasswordHelper.checkHash(password, getPasswordHash(userinfo)); final boolean success = PasswordHelper.checkHash(password, storedHash);
// purge the credentials and store the success outcome // store the hash in an attribute for reuse later, but clear the actual password to avoid plaintext attack
creds.setAttribute(LOGIN_RESULT_ATTR, success); if (success) {
creds.setAttribute(LOGIN_PWD_HASH, storedHash);
}
zeroOutPassword(creds.getPassword()); zeroOutPassword(creds.getPassword());
return success; return success;
} catch (NoSuchAlgorithmException e) { } catch (NoSuchAlgorithmException e) {
throw new RepositoryException("Unknown algorithm found when authenticating user: " + creds.getUserID(), e); throw new RepositoryException("Unknown algorithm found when authenticating user: " + creds.getUserID(), e);
...@@ -140,9 +143,7 @@ public class RepositoryUserManager extends AbstractUserManager { ...@@ -140,9 +143,7 @@ public class RepositoryUserManager extends AbstractUserManager {
} }
private void zeroOutPassword(final char[] password) { private void zeroOutPassword(final char[] password) {
for (int i = 0; i < password.length ; i++) { Arrays.fill(password, (char)0);
password[i] = 0;
}
} }
public String getNodeType() { public String getNodeType() {
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment