| <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="en"><head><meta http-equiv="Content-Type" content="text/html;charset=UTF-8"/><link rel="stylesheet" href="../jacoco-resources/report.css" type="text/css"/><link rel="shortcut icon" href="../jacoco-resources/report.gif" type="image/gif"/><title>DefaultPasswordService.java</title><link rel="stylesheet" href="../jacoco-resources/prettify.css" type="text/css"/><script type="text/javascript" src="../jacoco-resources/prettify.js"></script></head><body onload="window['PR_TAB_WIDTH']=4;prettyPrint()"><div class="breadcrumb" id="breadcrumb"><span class="info"><a href="../jacoco-sessions.html" class="el_session">Sessions</a></span><a href="../index.html" class="el_report">Apache Shiro :: Core</a> > <a href="index.source.html" class="el_package">org.apache.shiro.authc.credential</a> > <span class="el_source">DefaultPasswordService.java</span></div><h1>DefaultPasswordService.java</h1><pre class="source lang-java linenums">/* |
| * Licensed to the Apache Software Foundation (ASF) under one |
| * or more contributor license agreements. See the NOTICE file |
| * distributed with this work for additional information |
| * regarding copyright ownership. The ASF licenses this file |
| * to you under the Apache License, Version 2.0 (the |
| * "License"); you may not use this file except in compliance |
| * with the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, |
| * software distributed under the License is distributed on an |
| * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| * KIND, either express or implied. See the License for the |
| * specific language governing permissions and limitations |
| * under the License. |
| */ |
| package org.apache.shiro.authc.credential; |
| |
| import org.apache.shiro.crypto.hash.DefaultHashService; |
| import org.apache.shiro.crypto.hash.Hash; |
| import org.apache.shiro.crypto.hash.HashRequest; |
| import org.apache.shiro.crypto.hash.HashService; |
| import org.apache.shiro.crypto.hash.format.*; |
| import org.apache.shiro.util.ByteSource; |
| import org.slf4j.Logger; |
| import org.slf4j.LoggerFactory; |
| |
| /** |
| * Default implementation of the {@link PasswordService} interface that relies on an internal |
| * {@link HashService}, {@link HashFormat}, and {@link HashFormatFactory} to function: |
| * <h2>Hashing Passwords</h2> |
| * |
| * <h2>Comparing Passwords</h2> |
| * All hashing operations are performed by the internal {@link #getHashService() hashService}. After the hash |
| * is computed, it is formatted into a String value via the internal {@link #getHashFormat() hashFormat}. |
| * |
| * @since 1.2 |
| */ |
| public class DefaultPasswordService implements HashingPasswordService { |
| |
| public static final String DEFAULT_HASH_ALGORITHM = "SHA-256"; |
| public static final int DEFAULT_HASH_ITERATIONS = 500000; //500,000 |
| |
| <span class="fc" id="L46"> private static final Logger log = LoggerFactory.getLogger(DefaultPasswordService.class);</span> |
| |
| private HashService hashService; |
| private HashFormat hashFormat; |
| private HashFormatFactory hashFormatFactory; |
| |
| private volatile boolean hashFormatWarned; //used to avoid excessive log noise |
| |
| <span class="fc" id="L54"> public DefaultPasswordService() {</span> |
| <span class="fc" id="L55"> this.hashFormatWarned = false;</span> |
| |
| <span class="fc" id="L57"> DefaultHashService hashService = new DefaultHashService();</span> |
| <span class="fc" id="L58"> hashService.setHashAlgorithmName(DEFAULT_HASH_ALGORITHM);</span> |
| <span class="fc" id="L59"> hashService.setHashIterations(DEFAULT_HASH_ITERATIONS);</span> |
| <span class="fc" id="L60"> hashService.setGeneratePublicSalt(true); //always want generated salts for user passwords to be most secure</span> |
| <span class="fc" id="L61"> this.hashService = hashService;</span> |
| |
| <span class="fc" id="L63"> this.hashFormat = new Shiro1CryptFormat();</span> |
| <span class="fc" id="L64"> this.hashFormatFactory = new DefaultHashFormatFactory();</span> |
| <span class="fc" id="L65"> }</span> |
| |
| public String encryptPassword(Object plaintext) { |
| <span class="fc" id="L68"> Hash hash = hashPassword(plaintext);</span> |
| <span class="fc" id="L69"> checkHashFormatDurability();</span> |
| <span class="fc" id="L70"> return this.hashFormat.format(hash);</span> |
| } |
| |
| public Hash hashPassword(Object plaintext) { |
| <span class="fc" id="L74"> ByteSource plaintextBytes = createByteSource(plaintext);</span> |
| <span class="pc bpc" id="L75" title="1 of 4 branches missed."> if (plaintextBytes == null || plaintextBytes.isEmpty()) {</span> |
| <span class="fc" id="L76"> return null;</span> |
| } |
| <span class="fc" id="L78"> HashRequest request = createHashRequest(plaintextBytes);</span> |
| <span class="fc" id="L79"> return hashService.computeHash(request);</span> |
| } |
| |
| public boolean passwordsMatch(Object plaintext, Hash saved) { |
| <span class="fc" id="L83"> ByteSource plaintextBytes = createByteSource(plaintext);</span> |
| |
| <span class="pc bpc" id="L85" title="1 of 4 branches missed."> if (saved == null || saved.isEmpty()) {</span> |
| <span class="pc bpc" id="L86" title="3 of 4 branches missed."> return plaintextBytes == null || plaintextBytes.isEmpty();</span> |
| } else { |
| <span class="pc bpc" id="L88" title="1 of 4 branches missed."> if (plaintextBytes == null || plaintextBytes.isEmpty()) {</span> |
| <span class="fc" id="L89"> return false;</span> |
| } |
| } |
| |
| <span class="fc" id="L93"> HashRequest request = buildHashRequest(plaintextBytes, saved);</span> |
| |
| <span class="fc" id="L95"> Hash computed = this.hashService.computeHash(request);</span> |
| |
| <span class="fc" id="L97"> return saved.equals(computed);</span> |
| } |
| |
| protected void checkHashFormatDurability() { |
| |
| <span class="pc bpc" id="L102" title="1 of 2 branches missed."> if (!this.hashFormatWarned) {</span> |
| |
| <span class="fc" id="L104"> HashFormat format = this.hashFormat;</span> |
| |
| <span class="pc bpc" id="L106" title="1 of 4 branches missed."> if (!(format instanceof ParsableHashFormat) && log.isWarnEnabled()) {</span> |
| <span class="fc" id="L107"> String msg = "The configured hashFormat instance [" + format.getClass().getName() + "] is not a " +</span> |
| <span class="fc" id="L108"> ParsableHashFormat.class.getName() + " implementation. This is " +</span> |
| "required if you wish to support backwards compatibility for saved password checking (almost " + |
| <span class="fc" id="L110"> "always desirable). Without a " + ParsableHashFormat.class.getSimpleName() + " instance, " +</span> |
| "any hashService configuration changes will break previously hashed/saved passwords."; |
| <span class="fc" id="L112"> log.warn(msg);</span> |
| <span class="fc" id="L113"> this.hashFormatWarned = true;</span> |
| } |
| } |
| <span class="fc" id="L116"> }</span> |
| |
| protected HashRequest createHashRequest(ByteSource plaintext) { |
| <span class="fc" id="L119"> return new HashRequest.Builder().setSource(plaintext).build();</span> |
| } |
| |
| protected ByteSource createByteSource(Object o) { |
| <span class="fc" id="L123"> return ByteSource.Util.bytes(o);</span> |
| } |
| |
| public boolean passwordsMatch(Object submittedPlaintext, String saved) { |
| <span class="fc" id="L127"> ByteSource plaintextBytes = createByteSource(submittedPlaintext);</span> |
| |
| <span class="fc bfc" id="L129" title="All 4 branches covered."> if (saved == null || saved.length() == 0) {</span> |
| <span class="pc bpc" id="L130" title="1 of 4 branches missed."> return plaintextBytes == null || plaintextBytes.isEmpty();</span> |
| } else { |
| <span class="pc bpc" id="L132" title="1 of 4 branches missed."> if (plaintextBytes == null || plaintextBytes.isEmpty()) {</span> |
| <span class="fc" id="L133"> return false;</span> |
| } |
| } |
| |
| //First check to see if we can reconstitute the original hash - this allows us to |
| //perform password hash comparisons even for previously saved passwords that don't |
| //match the current HashService configuration values. This is a very nice feature |
| //for password comparisons because it ensures backwards compatibility even after |
| //configuration changes. |
| <span class="fc" id="L142"> HashFormat discoveredFormat = this.hashFormatFactory.getInstance(saved);</span> |
| |
| <span class="pc bpc" id="L144" title="1 of 4 branches missed."> if (discoveredFormat != null && discoveredFormat instanceof ParsableHashFormat) {</span> |
| |
| <span class="fc" id="L146"> ParsableHashFormat parsableHashFormat = (ParsableHashFormat)discoveredFormat;</span> |
| <span class="fc" id="L147"> Hash savedHash = parsableHashFormat.parse(saved);</span> |
| |
| <span class="fc" id="L149"> return passwordsMatch(submittedPlaintext, savedHash);</span> |
| } |
| |
| //If we're at this point in the method's execution, We couldn't reconstitute the original hash. |
| //So, we need to hash the submittedPlaintext using current HashService configuration and then |
| //compare the formatted output with the saved string. This will correctly compare passwords, |
| //but does not allow changing the HashService configuration without breaking previously saved |
| //passwords: |
| |
| //The saved text value can't be reconstituted into a Hash instance. We need to format the |
| //submittedPlaintext and then compare this formatted value with the saved value: |
| <span class="fc" id="L160"> HashRequest request = createHashRequest(plaintextBytes);</span> |
| <span class="fc" id="L161"> Hash computed = this.hashService.computeHash(request);</span> |
| <span class="fc" id="L162"> String formatted = this.hashFormat.format(computed);</span> |
| |
| <span class="fc" id="L164"> return saved.equals(formatted);</span> |
| } |
| |
| protected HashRequest buildHashRequest(ByteSource plaintext, Hash saved) { |
| //keep everything from the saved hash except for the source: |
| <span class="fc" id="L169"> return new HashRequest.Builder().setSource(plaintext)</span> |
| //now use the existing saved data: |
| <span class="fc" id="L171"> .setAlgorithmName(saved.getAlgorithmName())</span> |
| <span class="fc" id="L172"> .setSalt(saved.getSalt())</span> |
| <span class="fc" id="L173"> .setIterations(saved.getIterations())</span> |
| <span class="fc" id="L174"> .build();</span> |
| } |
| |
| public HashService getHashService() { |
| <span class="fc" id="L178"> return hashService;</span> |
| } |
| |
| public void setHashService(HashService hashService) { |
| <span class="fc" id="L182"> this.hashService = hashService;</span> |
| <span class="fc" id="L183"> }</span> |
| |
| public HashFormat getHashFormat() { |
| <span class="fc" id="L186"> return hashFormat;</span> |
| } |
| |
| public void setHashFormat(HashFormat hashFormat) { |
| <span class="fc" id="L190"> this.hashFormat = hashFormat;</span> |
| <span class="fc" id="L191"> }</span> |
| |
| public HashFormatFactory getHashFormatFactory() { |
| <span class="fc" id="L194"> return hashFormatFactory;</span> |
| } |
| |
| public void setHashFormatFactory(HashFormatFactory hashFormatFactory) { |
| <span class="fc" id="L198"> this.hashFormatFactory = hashFormatFactory;</span> |
| <span class="fc" id="L199"> }</span> |
| } |
| </pre><div class="footer"><span class="right">Created with <a href="http://www.eclemma.org/jacoco">JaCoCo</a> 0.7.7.201606060606</span></div></body></html> |