view src/org/eclipse/jetty/util/security/Credential.java @ 894:c33a99fca826

remove _confidentialScheme
author Franklin Schmidt <fschmidt@gmail.com>
date Thu, 06 Oct 2016 23:40:29 -0600
parents 8e9db0bbf4f9
children
line wrap: on
line source

//
//  ========================================================================
//  Copyright (c) 1995-2014 Mort Bay Consulting Pty. Ltd.
//  ------------------------------------------------------------------------
//  All rights reserved. This program and the accompanying materials
//  are made available under the terms of the Eclipse Public License v1.0
//  and Apache License v2.0 which accompanies this distribution.
//
//      The Eclipse Public License is available at
//      http://www.eclipse.org/legal/epl-v10.html
//
//      The Apache License v2.0 is available at
//      http://www.opensource.org/licenses/apache2.0.php
//
//  You may elect to redistribute this code under either of these licenses.
//  ========================================================================
//

package org.eclipse.jetty.util.security;

import java.io.Serializable;
import java.security.MessageDigest;

import org.eclipse.jetty.util.StringUtil;
import org.eclipse.jetty.util.TypeUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* ------------------------------------------------------------ */
/**
 * Credentials. The Credential class represents an abstract mechanism for
 * checking authentication credentials. A credential instance either represents
 * a secret, or some data that could only be derived from knowing the secret.
 * <p>
 * Often a Credential is related to a Password via a one way algorithm, so while
 * a Password itself is a Credential, a UnixCrypt or MD5 digest of a a password
 * is only a credential that can be checked against the password.
 * <p>
 * This class includes an implementation for unix Crypt an MD5 digest.
 * 
 * @see Password
 * 
 */
public abstract class Credential implements Serializable
{
    private static final Logger LOG = LoggerFactory.getLogger(Credential.class);

    private static final long serialVersionUID = -7760551052768181572L;

    /* ------------------------------------------------------------ */
    /**
     * Check a credential
     * 
     * @param credentials The credential to check against. This may either be
     *                another Credential object, a Password object or a String
     *                which is interpreted by this credential.
     * @return True if the credentials indicated that the shared secret is known
     *         to both this Credential and the passed credential.
     */
    public abstract boolean check(Object credentials);

    /* ------------------------------------------------------------ */
    /**
     * Get a credential from a String. If the credential String starts with a
     * known Credential type (eg "CRYPT:" or "MD5:" ) then a Credential of that
     * type is returned. Else the credential is assumed to be a Password.
     * 
     * @param credential String representation of the credential
     * @return A Credential or Password instance.
     */
    public static Credential getCredential(String credential)
    {
        if (credential.startsWith(Crypt.__TYPE)) return new Crypt(credential);
        if (credential.startsWith(MD5.__TYPE)) return new MD5(credential);

        return new Password(credential);
    }

    /* ------------------------------------------------------------ */
    /**
     * Unix Crypt Credentials
     */
    public static class Crypt extends Credential
    {
        private static final long serialVersionUID = -2027792997664744210L;

        public static final String __TYPE = "CRYPT:";

        private final String _cooked;

        Crypt(String cooked)
        {
            _cooked = cooked.startsWith(Crypt.__TYPE) ? cooked.substring(__TYPE.length()) : cooked;
        }

        @Override
        public boolean check(Object credentials)
        {
            if (credentials instanceof char[])
                credentials=new String((char[])credentials);
            if (!(credentials instanceof String) && !(credentials instanceof Password)) 
                LOG.warn("Can't check " + credentials.getClass() + " against CRYPT");

            String passwd = credentials.toString();
            return _cooked.equals(UnixCrypt.crypt(passwd, _cooked));
        }

        public static String crypt(String user, String pw)
        {
            return "CRYPT:" + UnixCrypt.crypt(pw, user);
        }
    }

    /* ------------------------------------------------------------ */
    /**
     * MD5 Credentials
     */
    public static class MD5 extends Credential
    {
        private static final long serialVersionUID = 5533846540822684240L;

        public static final String __TYPE = "MD5:";

        public static final Object __md5Lock = new Object();

        private static MessageDigest __md;

        private final byte[] _digest;

        /* ------------------------------------------------------------ */
        MD5(String digest)
        {
            digest = digest.startsWith(__TYPE) ? digest.substring(__TYPE.length()) : digest;
            _digest = TypeUtil.parseBytes(digest, 16);
        }

        /* ------------------------------------------------------------ */
        public byte[] getDigest()
        {
            return _digest;
        }

        /* ------------------------------------------------------------ */
        @Override
        public boolean check(Object credentials)
        {
            try
            {
                byte[] digest = null;

                if (credentials instanceof char[])
                    credentials=new String((char[])credentials);
                if (credentials instanceof Password || credentials instanceof String)
                {
                    synchronized (__md5Lock)
                    {
                        if (__md == null) __md = MessageDigest.getInstance("MD5");
                        __md.reset();
                        __md.update(credentials.toString().getBytes(StringUtil.__ISO_8859_1));
                        digest = __md.digest();
                    }
                    if (digest == null || digest.length != _digest.length) return false;
                    for (int i = 0; i < digest.length; i++)
                        if (digest[i] != _digest[i]) return false;
                    return true;
                }
                else if (credentials instanceof MD5)
                {
                    MD5 md5 = (MD5) credentials;
                    if (_digest.length != md5._digest.length) return false;
                    for (int i = 0; i < _digest.length; i++)
                        if (_digest[i] != md5._digest[i]) return false;
                    return true;
                }
                else if (credentials instanceof Credential)
                {
                    // Allow credential to attempt check - i.e. this'll work
                    // for DigestAuthModule$Digest credentials
                    return ((Credential) credentials).check(this);
                }
                else
                {
                    LOG.warn("Can't check " + credentials.getClass() + " against MD5");
                    return false;
                }
            }
            catch (Exception e)
            {
                LOG.warn("",e);
                return false;
            }
        }

        /* ------------------------------------------------------------ */
        public static String digest(String password)
        {
            try
            {
                byte[] digest;
                synchronized (__md5Lock)
                {
                    if (__md == null)
                    {
                        try
                        {
                            __md = MessageDigest.getInstance("MD5");
                        }
                        catch (Exception e)
                        {
                            LOG.warn("",e);
                            return null;
                        }
                    }

                    __md.reset();
                    __md.update(password.getBytes(StringUtil.__ISO_8859_1));
                    digest = __md.digest();
                }

                return __TYPE + TypeUtil.toString(digest, 16);
            }
            catch (Exception e)
            {
                LOG.warn("",e);
                return null;
            }
        }
    }
}