Re: [xwiki-dev] Re: [xwiki-commits] r2957 - in xwiki/trunk/core/src/main/java/com/xpn/xwiki: objects/classes objects/meta plugin/packaging user/impl/xwiki

Author: sdumitriu Date: 2007-04-23 22:23:53 +0200 (Mon, 23 Apr 2007) New Revision: 2957 Modified: xwiki/trunk/core/src/main/java/com/xpn/xwiki/objects/classes/ PasswordClass.java xwiki/trunk/core/src/main/java/com/xpn/xwiki/objects/meta/ PasswordMetaClass.java xwiki/trunk/core/src/main/java/com/xpn/xwiki/plugin/packaging/ Package.java xwiki/trunk/core/src/main/java/com/xpn/xwiki/user/impl/xwiki/ XWikiAuthServiceImpl.java Log: XWIKI-70: password can be searched XWIKI-580: Implement HASH password mechanism Added support for hashing passwords. There's some code related to encrypting passwords, but the actual encrypt/decrypt mechanism is not written yet. Modified: xwiki/trunk/core/src/main/java/com/xpn/xwiki/objects/ classes/PasswordClass.java =================================================================== --- xwiki/trunk/core/src/main/java/com/xpn/xwiki/objects/classes/ PasswordClass.java 2007-04-23 20:16:46 UTC (rev 2956) +++ xwiki/trunk/core/src/main/java/com/xpn/xwiki/objects/classes/ PasswordClass.java 2007-04-23 20:23:53 UTC (rev 2957) @@ -1,70 +1,239 @@ -/* - * Copyright 2006, XpertNet SARL, and individual contributors as indicated - * by the contributors.txt. - * - * This is free software; you can redistribute it and/or modify it - * under the terms of the GNU Lesser General Public License as - * published by the Free Software Foundation; either version 2.1 of - * the License, or (at your option) any later version. - * - * This software is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * Lesser General Public License for more details. - * - * You should have received a copy of the GNU Lesser General Public - * License along with this software; if not, write to the Free - * Software Foundation, Inc., 51 Franklin St, Fifth Floor,

- * 02110-1301 USA, or see the FSF site: http://www.fsf.org. - * - * @author sdumitriu - */ - -package com.xpn.xwiki.objects.classes; - -import com.xpn.xwiki.XWikiContext; -import com.xpn.xwiki.objects.BaseCollection ; -import com.xpn.xwiki.objects.BaseProperty; -import com.xpn.xwiki.objects.ElementInterface; -import com.xpn.xwiki.objects.meta.PropertyMetaClass; -import org.apache.ecs.xhtml.input; - -public class PasswordClass extends StringClass { - public PasswordClass(PropertyMetaClass wclass) { - super("password", "Password", wclass); - setxWikiClass(wclass); - } - - public PasswordClass() { - this(null); - } - - public BaseProperty fromString(String value) { - if (value.equals("********")) - return null; - else - return super.fromString(value); - } - - public void displayHidden(StringBuffer buffer, String name, String prefix, BaseCollection object, XWikiContext context) { - // Passwords cannot go through the preview interface of we don't do something here.. - } - - public void displayView(StringBuffer buffer, String name, String prefix, BaseCollection object, XWikiContext context) { - ElementInterface prop = object.safeget(name); - if (prop!=null) - buffer.append("********"); - } - - public void displayEdit(StringBuffer buffer, String name, String prefix, BaseCollection object, XWikiContext context) { - input input = new input(); - ElementInterface prop = object.safeget(name); - if (prop!=null) input.setValue ("********"); - - input.setType("password"); - input.setName(prefix + name); - input.setID(prefix + name); - input.setSize(getSize()); - buffer.append(input.toString()); - } -} \ No newline at end of file +/* + * Copyright 2006, XpertNet SARL, and individual contributors as indicated + * by the contributors.txt. + * + * This is free software; you can redistribute it and/or modify it + * under the terms of the GNU Lesser General Public License as + * published by the Free Software Foundation; either version 2.1 of + * the License, or (at your option) any later version. + * + * This software is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this software; if not, write to the Free + * Software Foundation, Inc., 51 Franklin St, Fifth Floor,

+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org. + * + * @author sdumitriu + */ + +package com.xpn.xwiki.objects.classes; + +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException ; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.apache.ecs.xhtml.input; + +import com.xpn.xwiki.XWikiContext; +import com.xpn.xwiki.objects.BaseCollection; +import com.xpn.xwiki.objects.BaseProperty; +import com.xpn.xwiki.objects.ElementInterface; +import com.xpn.xwiki.objects.meta.PasswordMetaClass; +import com.xpn.xwiki.objects.meta.PropertyMetaClass; + +public class PasswordClass extends StringClass +{ + protected static Log log = LogFactory.getFactory().getInstance (PasswordClass.class ); + + protected static final String DEFAULT_STORAGE = PasswordMetaClass.HASH; + + protected static final String DEFAULT_HASH_ALGORITHM =

+ + protected static final String DEFAULT_CRYPT_ALGORITHM = "AES"; + + protected static final String HASH_IDENTIFIER = "hash"; + + protected static final String CRYPT_IDENTIFIER = "crypt"; + + protected static final String SEPARATOR = ":"; + + protected static final String FORM_PASSWORD_PLACEHODLER = "********"; + + public PasswordClass(PropertyMetaClass wclass) + { + super("password", "Password", wclass); + setxWikiClass(wclass); + } + + public PasswordClass() + { + this(null); + } + + public BaseProperty fromString(String value) + { + if (value.equals(FORM_PASSWORD_PLACEHODLER)) { + return null; + } + BaseProperty property = newProperty(); + property.setValue (getProcessedPassword(value)); + return property; + } + + public void displayHidden(StringBuffer buffer, String name, String prefix, + BaseCollection object, XWikiContext context) + { + // Passwords cannot go through the preview interface, so we don't do something here.. + } + + public void displayView(StringBuffer buffer, String name, String prefix, + BaseCollection object, XWikiContext context) + { + ElementInterface prop = object.safeget(name); + if (prop != null) { + buffer.append(FORM_PASSWORD_PLACEHODLER); + } + } + + public void displayEdit(StringBuffer buffer, String name, String prefix, + BaseCollection object, XWikiContext context) + { + input input = new input(); + ElementInterface prop = object.safeget(name); + if (prop != null) { + input.setValue(FORM_PASSWORD_PLACEHODLER); + } + + input.setType("password"); + input.setName(prefix + name); + input.setSize(getSize()); + buffer.append(input.toString()); + } + + /** + * + * @return One of 'Clear', 'Hash' or 'Encrypt'. + */ + public String getStorageType() + { + BaseProperty st = (BaseProperty) this.getField ("storageType"); + if (st != null) { + String type = st.getValue().toString().trim(); + if (!type.equals("")) { + return type; + } + } + return DEFAULT_STORAGE; + } + + /** + * + * @return The hash algorithm configured for this XProperty. + */ + public String getHashAlgorithm() + { + BaseProperty alg = (BaseProperty) this.getField (PasswordMetaClass.ALGORITHM_KEY); + if (alg != null && alg.getValue() != null && !alg.getValue ().toString().trim().equals("")) { + return alg.getValue().toString(); + } + return DEFAULT_HASH_ALGORITHM; + } + + /** + * + * @return The encryption algorithm configured for this XProperty. + */ + public String getCryptAlgorithm() + { + BaseProperty alg = (BaseProperty) this.getField (PasswordMetaClass.ALGORITHM_KEY); + if (alg != null && alg.getValue() != null && !alg.getValue ().toString().trim().equals("")) { + return alg.getValue().toString(); + } + return DEFAULT_CRYPT_ALGORITHM; + } + + /** + * + * @param password + * @return The algorithm used for the given password. + */ + public String getAlgorithmFromPassword(String password) + { + int beginIndex = password.indexOf(SEPARATOR) + 1; + if (beginIndex >= 0) { + int endIndex = password.indexOf(SEPARATOR, beginIndex); + if (endIndex >= 0) { + return password.substring(beginIndex, endIndex); + } + } + return DEFAULT_HASH_ALGORITHM; + } + + /** + * Transforms a plain text password so that it has the same encryption as a password stored in + * the database. The current configuration for this password XProperty cannot be used, as the + * user might have a different encryption mechanism (for example, if the user was imported, or + * the password was not yet upgraded). + * + * @param storedPassword The stored password, which gives the storage type and algorithm. + * @param plainPassword The plain text password to be

+ * @return The input password, encrypted with the same mechanism as the stored password. + */ + public String getEquivalentPassword(String storedPassword, String plainPassword) + { + String result = plainPassword; + if (storedPassword.startsWith(HASH_IDENTIFIER +

+ result = getPasswordHash(result, getAlgorithmFromPassword(storedPassword)); + } else if (storedPassword.startsWith (CRYPT_IDENTIFIER + SEPARATOR)) { + result = getPasswordCrypt(result, getAlgorithmFromPassword(storedPassword)); + } + return result; + } + + public String getProcessedPassword(String password) + { + String storageType = getStorageType(); + String result = password; + if (storageType.equals(PasswordMetaClass.HASH )) { + result = getPasswordHash(result); + } else if (storageType.equals

+ result = getPasswordCrypt(result); + } + return result; + } + + public String getPasswordCrypt(String password) + { + return getPasswordCrypt(password, getCryptAlgorithm()); + } + + public String getPasswordCrypt(String password, String algorithmName) + { + // TODO Write me! + return password; + } + + public String getPasswordHash(String password) + { + return getPasswordHash(password, getHashAlgorithm()); + } + + public String getPasswordHash(String password, String algorithmName) + { + try { + MessageDigest hashAlgorithm = MessageDigest.getInstance (algorithmName); + hashAlgorithm.update(password.getBytes()); + byte[] digest = hashAlgorithm.digest(); + StringBuffer sb = + new StringBuffer(HASH_IDENTIFIER + SEPARATOR + algorithmName + SEPARATOR); + for (int j = 0; j < digest.length; ++j) { + int b = digest[j] & 0xFF; + if (b < 0x10) + sb.append('0'); + sb.append(Integer.toHexString(b)); + } + return sb.toString(); + } catch (NoSuchAlgorithmException ex) { + log.error("Wrong hash algorithm '" + algorithmName + "' in '" + this.className + "'", + ex); + } catch (NullPointerException ex) { + log.error("Error hashing password", ex); + } + return password; + } +} Modified: xwiki/trunk/core/src/main/java/com/xpn/xwiki/objects/meta/ PasswordMetaClass.java =================================================================== --- xwiki/trunk/core/src/main/java/com/xpn/xwiki/objects/meta/ PasswordMetaClass.java 2007-04-23 20:16:46 UTC (rev 2956) +++ xwiki/trunk/core/src/main/java/com/xpn/xwiki/objects/meta/ PasswordMetaClass.java 2007-04-23 20:23:53 UTC (rev 2957) @@ -1,5 +1,5 @@ /* - * Copyright 2006, XpertNet SARL, and individual contributors as indicated + * Copyright 2006-2007, XpertNet SARL, and individual contributors as indicated * by the contributors.txt. * * This is free software; you can redistribute it and/or modify it @@ -17,7 +17,6 @@ * Software Foundation, Inc., 51 Franklin St, Fifth Floor,

* 02110-1301 USA, or see the FSF site: http://www.fsf.org. * - * @author ludovic */ package com.xpn.xwiki.objects.meta; @@ -25,17 +24,46 @@ import com.xpn.xwiki.XWikiContext; import com.xpn.xwiki.objects.BaseCollection; import com.xpn.xwiki.objects.classes.PasswordClass; +import com.xpn.xwiki.objects.classes.StaticListClass; +import com.xpn.xwiki.objects.classes.StringClass; -public class PasswordMetaClass extends StringMetaClass { +public class PasswordMetaClass extends StringMetaClass +{ + public static final String CLEAR = "Clear"; - public PasswordMetaClass() { + public static final String ENCRYPTED = "Encrypted"; + + public static final String HASH = "Hash"; + + public static final String SEPARATOR = "|"; + + public static final String ALGORITHM_KEY = "algorithm"; + + public PasswordMetaClass() + { super(); - // setType("passwordmetaclass"); setPrettyName("Password Class"); setName( PasswordClass.class.getName()); + + StaticListClass storageType_class = new StaticListClass (this); + storageType_class.setName("storageType"); + storageType_class.setPrettyName("Storage type"); + storageType_class.setValues(CLEAR + SEPARATOR + HASH);// + SEPARATOR + ENCRYPTED + storageType_class.setRelationalStorage(false); + storageType_class.setDisplayType("select"); + storageType_class.setMultiSelect(false); + storageType_class.setSize(1); + safeput("storageType", storageType_class); + + StringClass encryptAlgorithm_class = new StringClass(this); + encryptAlgorithm_class.setName(ALGORITHM_KEY); + encryptAlgorithm_class.setPrettyName("Encryption/hash algorithm"); + encryptAlgorithm_class.setSize(20); + safeput("encryptAlgorithm", encryptAlgorithm_class); } - public BaseCollection newObject(XWikiContext context) { + public BaseCollection newObject(XWikiContext context) + { return new PasswordClass(); } } Modified: xwiki/trunk/core/src/main/java/com/xpn/xwiki/plugin/ packaging/Package.java =================================================================== --- xwiki/trunk/core/src/main/java/com/xpn/xwiki/plugin/packaging/ Package.java 2007-04-23 20:16:46 UTC (rev 2956) +++ xwiki/trunk/core/src/main/java/com/xpn/xwiki/plugin/packaging/ Package.java 2007-04-23 20:23:53 UTC (rev 2957) @@ -755,6 +755,12 @@ ZipEntry zipentry = new ZipEntry(zipname); zos.putNextEntry(zipentry); String docXml = doc.toXML (true, false, true, withVersions, context); + if (!context.getWiki().getRightService().hasAdminRights (context)) { + docXml = + context.getUtil ().substitute( + "s/<password>.*?<\\/password>/ <password>********<\\/password>/goi", + docXml); + } zos.write(docXml.getBytes(context.getWiki().getEncoding ())); zos.closeEntry(); } catch (Exception e) { @@ -786,6 +792,12 @@ } File file = new File(spacedir, filename); String xml = doc.toXML(true, false, true, withVersions, context); + if (!context.getWiki().getRightService().hasAdminRights (context)) { + xml = + context.getUtil().substitute( + "s/<password>.*?<\\/password>/ <password>********<\\/password>/goi", + xml); + } FileOutputStream fos = new FileOutputStream(file); fos.write(xml.getBytes(context.getWiki().getEncoding

fos.flush(); Modified: xwiki/trunk/core/src/main/java/com/xpn/xwiki/user/impl/ xwiki/XWikiAuthServiceImpl.java =================================================================== --- xwiki/trunk/core/src/main/java/com/xpn/xwiki/user/impl/xwiki/ XWikiAuthServiceImpl.java 2007-04-23 20:16:46 UTC (rev 2956) +++ xwiki/trunk/core/src/main/java/com/xpn/xwiki/user/impl/xwiki/ XWikiAuthServiceImpl.java 2007-04-23 20:23:53 UTC (rev 2957) @@ -22,27 +22,30 @@ package com.xpn.xwiki.user.impl.xwiki; +import java.io.IOException; +import java.security.Principal; +import java.util.List; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.apache.commons.lang.StringUtils; +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.securityfilter.config.SecurityConfig; +import org.securityfilter.filter.SecurityRequestWrapper; +import org.securityfilter.realm.SimplePrincipal; + import com.xpn.xwiki.XWiki; import com.xpn.xwiki.XWikiContext; import com.xpn.xwiki.XWikiException; +import com.xpn.xwiki.doc.XWikiDocument; +import com.xpn.xwiki.objects.classes.PasswordClass ; import com.xpn.xwiki.plugin.ldap.LDAPPlugin; -import com.xpn.xwiki.doc.XWikiDocument; import com.xpn.xwiki.user.api.XWikiAuthService; import com.xpn.xwiki.user.api.XWikiUser; import com.xpn.xwiki.web.Utils; -import org.apache.commons.lang.StringUtils; -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; -import org.securityfilter.config.SecurityConfig ; -import org.securityfilter.filter.SecurityRequestWrapper; -import org.securityfilter.realm.SimplePrincipal; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse ; -import java.io.IOException; -import java.security.Principal; -import java.util.List; - public class XWikiAuthServiceImpl implements XWikiAuthService { private static final Log log = LogFactory.getLog (XWikiAuthServiceImpl.class); @@ -390,6 +393,10 @@ // We only allow empty password from users having a XWikiUsers object. if (doc.getObject ("XWiki.XWikiUsers") != null) { String passwd = doc.getStringValue ("XWiki.XWikiUsers", "password"); + password = + ((PasswordClass) context.getWiki().getClass ("XWiki.XWikiUsers", context) + .getField ("password")).getEquivalentPassword(passwd, password); + result = ( password.equals(passwd)); } -- You receive this message as a subscriber of the xwiki- commits(a)objectweb.org mailing list. To unsubscribe: mailto:xwiki-commits-unsubscribe@objectweb.org For general help: mailto: sympa(a)objectweb.org?subject=help ObjectWeb mailing lists service home page: http://www.objectweb.org/ wws