Examples with PasswordHasher org.apache.derby.iapi.sql.dictionary.PasswordHasher used on opensource projects

Example 1 with PasswordHasher

use of org.apache.derby.iapi.sql.dictionary.PasswordHasher in project derby by apache.

the class SystemProcedures method makeUserDescriptor.

private static UserDescriptor makeUserDescriptor(DataDictionary dd, TransactionController tc, String userName, String password) throws StandardException {
    DataDescriptorGenerator ddg = dd.getDataDescriptorGenerator();
    PasswordHasher hasher = dd.makePasswordHasher(tc.getProperties());
    if (hasher == null) {
        throw StandardException.newException(SQLState.WEAK_AUTHENTICATION);
    }
    String hashingScheme = hasher.encodeHashingScheme();
    String hashedPassword = hasher.hashPasswordIntoString(userName, password);
    Timestamp currentTimestamp = new Timestamp((new java.util.Date()).getTime());
    UserDescriptor userDescriptor = ddg.newUserDescriptor(userName, hashingScheme, hashedPassword.toCharArray(), currentTimestamp);
    return userDescriptor;
}

Example 2 with PasswordHasher

use of org.apache.derby.iapi.sql.dictionary.PasswordHasher in project derby by apache.

the class DataFileVTI method vetNative.

/**
 * If NATIVE authentication is on, then the user's credentials must be stored in SYSUSERS.
 * Returns false if NATIVE authentication is not on. Raises an exception if NATIVE
 * authentication is on and the credentials don't match.
 */
private boolean vetNative(String databaseDirectoryName, String encryptionProperties, String user, String password) throws Exception {
    String authorizationID = StringUtil.normalizeSQLIdentifier(user);
    DataFileVTI systables = new DataFileVTI(databaseDirectoryName, SYSTABLES_CONGLOMERATE_NAME, SYSTABLES_SIGNATURE, encryptionProperties);
    boolean sysusersExists = false;
    while (systables.next()) {
        if (SYS_SCHEMA_ID.equals(systables.getString(4))) {
            if ("SYSUSERS".equals(systables.getString(2))) {
                sysusersExists = true;
                break;
            }
        }
    }
    systables.close();
    // nothing more to check if the database doesn't even have a SYSUSERS catalog
    if (!sysusersExists) {
        return false;
    }
    // 
    // See whether the user's credentials should be and are in SYSUSERS.
    // 
    DataFileVTI sysusers = new DataFileVTI(databaseDirectoryName, SYSUSERS_CONGLOMERATE_NAME, SYSUSERS_SIGNATURE, encryptionProperties);
    boolean credentialsShouldBePresent = false;
    boolean credentialsMatch = false;
    while (sysusers.next()) {
        credentialsShouldBePresent = true;
        if (sysusers.getString(1).equals(authorizationID)) {
            String hashingScheme = sysusers.getString(2);
            String actualPassword = sysusers.getString(3);
            PasswordHasher hasher = new PasswordHasher(hashingScheme);
            String candidatePassword = hasher.hashPasswordIntoString(authorizationID, password);
            credentialsMatch = actualPassword.equals(candidatePassword);
            break;
        }
    }
    sysusers.close();
    if (!credentialsShouldBePresent) {
        return false;
    }
    if (credentialsMatch) {
        return true;
    } else {
        throw new Exception("Bad NATIVE credentials.");
    }
}

Example 3 with PasswordHasher

use of org.apache.derby.iapi.sql.dictionary.PasswordHasher in project derby by apache.

the class DataFileVTI method vetBuiltin.

/**
 * Match credentials against the BUILTIN credentials stored in the properties
 * conglomerate of the raw database. All of those properties have been read
 * into the props object already.
 */
private boolean vetBuiltin(Properties props, String user, String password) throws Exception {
    String passwordProperty = Property.USER_PROPERTY_PREFIX.concat(user);
    String realPassword = props.getProperty(passwordProperty);
    if (realPassword != null) {
        PasswordHasher hasher = new PasswordHasher(realPassword);
        password = hasher.hashAndEncode(user, password);
    } else {
        realPassword = getSystemProperty(passwordProperty);
    }
    return ((realPassword != null) && realPassword.equals(password));
}

Example 4 with PasswordHasher

use of org.apache.derby.iapi.sql.dictionary.PasswordHasher in project derby by apache.

the class DataDictionaryImpl method makePasswordHasher.

// returns null if database is at rev level 10.5 or earlier
public PasswordHasher makePasswordHasher(Dictionary<?, ?> props) throws StandardException {
    // Support for configurable hash algorithm was added in Derby 10.6, so
    // we don't want to store a hash using the new scheme if the database
    // is running in soft upgrade and may be used with an older version
    // later.
    boolean supportConfigurableHash = checkVersion(DataDictionary.DD_VERSION_DERBY_10_6, null);
    // Support for key stretching was added in Derby 10.9, so don't use it
    // if the database may still be used with an older version.
    boolean supportKeyStretching = checkVersion(DataDictionary.DD_VERSION_DERBY_10_9, null);
    if (!supportConfigurableHash) {
        return null;
    } else {
        String algorithm = (String) PropertyUtil.getPropertyFromSet(props, Property.AUTHENTICATION_BUILTIN_ALGORITHM);
        if (algorithm == null) {
            return null;
        }
        byte[] salt = null;
        int iterations = 1;
        if (algorithm.length() > 0) {
            if (supportKeyStretching) {
                salt = generateRandomSalt(props);
                iterations = getIntProperty(props, Property.AUTHENTICATION_BUILTIN_ITERATIONS, Property.AUTHENTICATION_BUILTIN_ITERATIONS_DEFAULT, 1, Integer.MAX_VALUE);
            }
        }
        return new PasswordHasher(algorithm, salt, iterations);
    }
}

Example 5 with PasswordHasher

use of org.apache.derby.iapi.sql.dictionary.PasswordHasher in project derby by apache.

the class NativeAuthenticationServiceImpl method authenticateLocally.

// /////////////////////////////////////////////////////////////////////////////////
// 
// AUTHENTICATE LOCALLY
// 
// /////////////////////////////////////////////////////////////////////////////////
/**
 * Authenticate the passed-in credentials against the local database.
 *
 * @param userName		The user's name used to connect to JBMS system
 * @param userPassword	The user's password used to connect to JBMS system
 * @param databaseName	The database which the user wants to connect to.
 */
private boolean authenticateLocally(String userName, String userPassword, String databaseName) throws StandardException, SQLException {
    userName = IdUtil.getUserAuthorizationId(userName);
    // 
    if (_creatingCredentialsDB) {
        _creatingCredentialsDB = false;
        TransactionController tc = getTransaction();
        SystemProcedures.addUser(userName, userPassword, tc);
        tc.commit();
        return true;
    }
    // 
    // we expect to find a data dictionary
    // 
    DataDictionary dd = (DataDictionary) AuthenticationServiceBase.getServiceModule(this, DataDictionary.MODULE);
    UserDescriptor userDescriptor = dd.getUser(userName);
    if (userDescriptor == null) {
        // 
        // Before returning, we pretend to evaluate the password.
        // This helps prevent blackhats from discovering legal usernames
        // by measuring how long password evaluation takes. For more context,
        // see the 2012-02-22 comment on DERBY-5539.
        // 
        PasswordHasher hasher = dd.makePasswordHasher(getDatabaseProperties());
        hasher.hashPasswordIntoString(userName, userPassword).toCharArray();
        return false;
    }
    PasswordHasher hasher = new PasswordHasher(userDescriptor.getHashingScheme());
    char[] candidatePassword = hasher.hashPasswordIntoString(userName, userPassword).toCharArray();
    char[] actualPassword = userDescriptor.getAndZeroPassword();
    try {
        if ((candidatePassword == null) || (actualPassword == null)) {
            return false;
        }
        if (candidatePassword.length != actualPassword.length) {
            return false;
        }
        for (int i = 0; i < candidatePassword.length; i++) {
            if (candidatePassword[i] != actualPassword[i]) {
                return false;
            }
        }
    } finally {
        if (candidatePassword != null) {
            Arrays.fill(candidatePassword, (char) 0);
        }
        if (actualPassword != null) {
            Arrays.fill(actualPassword, (char) 0);
        }
    }
    // 
    if (_passwordLifetimeMillis > 0) {
        long passwordAge = System.currentTimeMillis() - userDescriptor.getLastModified().getTime();
        long remainingLifetime = _passwordLifetimeMillis - passwordAge;
        // 
        if (remainingLifetime <= 0L) {
            // The DBO's password never expires.
            if (!dd.getAuthorizationDatabaseOwner().equals(userName)) {
                return false;
            } else {
                remainingLifetime = 0L;
            }
        }
        long expirationThreshold = (long) (_passwordLifetimeMillis * _passwordExpirationThreshold);
        if (remainingLifetime <= expirationThreshold) {
            if (dd.getAuthorizationDatabaseOwner().equals(userName)) {
                throw SQLWarningFactory.newSQLWarning(SQLState.DBO_PASSWORD_EXPIRES_SOON, databaseName);
            }
            long daysRemaining = remainingLifetime / Property.MILLISECONDS_IN_DAY;
            throw SQLWarningFactory.newSQLWarning(SQLState.PASSWORD_EXPIRES_SOON, Long.toString(daysRemaining), databaseName);
        }
    }
    return true;
}