Search in sources :

Example 6 with UserDescriptor

use of org.apache.derby.iapi.sql.dictionary.UserDescriptor in project derby by apache.

the class SYSUSERSRowFactory method makeRow.

// ///////////////////////////////////////////////////////////////////////////
// 
// METHODS
// 
// ///////////////////////////////////////////////////////////////////////////
/**
 * Make a SYSUSERS row. The password in the UserDescriptor will be zeroed by
 * this method.
 *
 * @return	Row suitable for inserting into SYSUSERS
 *
 * @exception   StandardException thrown on failure
 */
public ExecRow makeRow(TupleDescriptor td, TupleDescriptor parent) throws StandardException {
    String userName = null;
    String hashingScheme = null;
    char[] password = null;
    Timestamp lastModified = null;
    ExecRow row;
    try {
        if (td != null) {
            UserDescriptor descriptor = (UserDescriptor) td;
            userName = descriptor.getUserName();
            hashingScheme = descriptor.getHashingScheme();
            password = descriptor.getAndZeroPassword();
            lastModified = descriptor.getLastModified();
        }
        /* Build the row to insert  */
        row = getExecutionFactory().getValueRow(SYSUSERS_COLUMN_COUNT);
        /* 1st column is USERNAME (varchar(128)) */
        row.setColumn(USERNAME_COL_NUM, new SQLVarchar(userName));
        /* 2nd column is HASHINGSCHEME (varchar(32672)) */
        row.setColumn(HASHINGSCHEME_COL_NUM, new SQLVarchar(hashingScheme));
        /* 3rd column is PASSWORD (varchar(32672)) */
        row.setColumn(PASSWORD_COL_NUM, new SQLVarchar(password));
        /* 4th column is LASTMODIFIED (timestamp) */
        row.setColumn(LASTMODIFIED_COL_NUM, new SQLTimestamp(lastModified));
    } finally {
        // zero out the password to prevent it from being memory-sniffed
        if (password != null) {
            Arrays.fill(password, (char) 0);
        }
    }
    return row;
}
Also used : SQLTimestamp(org.apache.derby.iapi.types.SQLTimestamp) ExecRow(org.apache.derby.iapi.sql.execute.ExecRow) SQLVarchar(org.apache.derby.iapi.types.SQLVarchar) SQLTimestamp(org.apache.derby.iapi.types.SQLTimestamp) Timestamp(java.sql.Timestamp) UserDescriptor(org.apache.derby.iapi.sql.dictionary.UserDescriptor)

Example 7 with UserDescriptor

use of org.apache.derby.iapi.sql.dictionary.UserDescriptor in project derby by apache.

the class NativeAuthenticationServiceImpl method authenticateLocally.

// /////////////////////////////////////////////////////////////////////////////////
// 
// AUTHENTICATE LOCALLY
// 
// /////////////////////////////////////////////////////////////////////////////////
/**
 * Authenticate the passed-in credentials against the local database.
 *
 * @param userName		The user's name used to connect to JBMS system
 * @param userPassword	The user's password used to connect to JBMS system
 * @param databaseName	The database which the user wants to connect to.
 */
private boolean authenticateLocally(String userName, String userPassword, String databaseName) throws StandardException, SQLException {
    userName = IdUtil.getUserAuthorizationId(userName);
    // 
    if (_creatingCredentialsDB) {
        _creatingCredentialsDB = false;
        TransactionController tc = getTransaction();
        SystemProcedures.addUser(userName, userPassword, tc);
        tc.commit();
        return true;
    }
    // 
    // we expect to find a data dictionary
    // 
    DataDictionary dd = (DataDictionary) AuthenticationServiceBase.getServiceModule(this, DataDictionary.MODULE);
    UserDescriptor userDescriptor = dd.getUser(userName);
    if (userDescriptor == null) {
        // 
        // Before returning, we pretend to evaluate the password.
        // This helps prevent blackhats from discovering legal usernames
        // by measuring how long password evaluation takes. For more context,
        // see the 2012-02-22 comment on DERBY-5539.
        // 
        PasswordHasher hasher = dd.makePasswordHasher(getDatabaseProperties());
        hasher.hashPasswordIntoString(userName, userPassword).toCharArray();
        return false;
    }
    PasswordHasher hasher = new PasswordHasher(userDescriptor.getHashingScheme());
    char[] candidatePassword = hasher.hashPasswordIntoString(userName, userPassword).toCharArray();
    char[] actualPassword = userDescriptor.getAndZeroPassword();
    try {
        if ((candidatePassword == null) || (actualPassword == null)) {
            return false;
        }
        if (candidatePassword.length != actualPassword.length) {
            return false;
        }
        for (int i = 0; i < candidatePassword.length; i++) {
            if (candidatePassword[i] != actualPassword[i]) {
                return false;
            }
        }
    } finally {
        if (candidatePassword != null) {
            Arrays.fill(candidatePassword, (char) 0);
        }
        if (actualPassword != null) {
            Arrays.fill(actualPassword, (char) 0);
        }
    }
    // 
    if (_passwordLifetimeMillis > 0) {
        long passwordAge = System.currentTimeMillis() - userDescriptor.getLastModified().getTime();
        long remainingLifetime = _passwordLifetimeMillis - passwordAge;
        // 
        if (remainingLifetime <= 0L) {
            // The DBO's password never expires.
            if (!dd.getAuthorizationDatabaseOwner().equals(userName)) {
                return false;
            } else {
                remainingLifetime = 0L;
            }
        }
        long expirationThreshold = (long) (_passwordLifetimeMillis * _passwordExpirationThreshold);
        if (remainingLifetime <= expirationThreshold) {
            if (dd.getAuthorizationDatabaseOwner().equals(userName)) {
                throw SQLWarningFactory.newSQLWarning(SQLState.DBO_PASSWORD_EXPIRES_SOON, databaseName);
            }
            long daysRemaining = remainingLifetime / Property.MILLISECONDS_IN_DAY;
            throw SQLWarningFactory.newSQLWarning(SQLState.PASSWORD_EXPIRES_SOON, Long.toString(daysRemaining), databaseName);
        }
    }
    return true;
}
Also used : PasswordHasher(org.apache.derby.iapi.sql.dictionary.PasswordHasher) TransactionController(org.apache.derby.iapi.store.access.TransactionController) DataDictionary(org.apache.derby.iapi.sql.dictionary.DataDictionary) UserDescriptor(org.apache.derby.iapi.sql.dictionary.UserDescriptor)

Aggregations

UserDescriptor (org.apache.derby.iapi.sql.dictionary.UserDescriptor)7 DataDictionary (org.apache.derby.iapi.sql.dictionary.DataDictionary)4 Timestamp (java.sql.Timestamp)3 LanguageConnectionContext (org.apache.derby.iapi.sql.conn.LanguageConnectionContext)2 DataDescriptorGenerator (org.apache.derby.iapi.sql.dictionary.DataDescriptorGenerator)2 PasswordHasher (org.apache.derby.iapi.sql.dictionary.PasswordHasher)2 TransactionController (org.apache.derby.iapi.store.access.TransactionController)2 SQLTimestamp (org.apache.derby.iapi.types.SQLTimestamp)2 SQLVarchar (org.apache.derby.iapi.types.SQLVarchar)2 StandardException (org.apache.derby.shared.common.error.StandardException)2 ExecRow (org.apache.derby.iapi.sql.execute.ExecRow)1 DataValueDescriptor (org.apache.derby.iapi.types.DataValueDescriptor)1