Java tutorial
// Licensed to the Apache Software Foundation (ASF) under one // or more contributor license agreements. See the NOTICE file // distributed with this work for additional information // regarding copyright ownership. The ASF licenses this file // to you under the Apache License, Version 2.0 (the // "License"); you may not use this file except in compliance // with the License. You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, // software distributed under the License is distributed on an // "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY // KIND, either express or implied. See the License for the // specific language governing permissions and limitations // under the License. package com.cloud.server.auth; import java.io.UnsupportedEncodingException; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; import java.security.SecureRandom; import java.util.Map; import javax.inject.Inject; import org.apache.commons.lang.StringUtils; import org.apache.log4j.Logger; import org.bouncycastle.util.encoders.Base64; import com.cloud.user.UserAccount; import com.cloud.user.dao.UserAccountDao; import com.cloud.utils.Pair; import com.cloud.utils.component.AdapterBase; import com.cloud.utils.exception.CloudRuntimeException; public class SHA256SaltedUserAuthenticator extends AdapterBase implements UserAuthenticator { public static final Logger s_logger = Logger.getLogger(SHA256SaltedUserAuthenticator.class); private static final String s_defaultPassword = "000000000000000000000000000="; private static final String s_defaultSalt = "0000000000000000000000000000000="; @Inject private UserAccountDao _userAccountDao; private static final int s_saltlen = 32; /* (non-Javadoc) * @see com.cloud.server.auth.UserAuthenticator#authenticate(java.lang.String, java.lang.String, java.lang.Long, java.util.Map) */ @Override public Pair<Boolean, ActionOnFailedAuthentication> authenticate(String username, String password, Long domainId, Map<String, Object[]> requestParameters) { if (s_logger.isDebugEnabled()) { s_logger.debug("Retrieving user: " + username); } if (StringUtils.isEmpty(username) || StringUtils.isEmpty(password)) { s_logger.debug("Username or Password cannot be empty"); return new Pair<Boolean, ActionOnFailedAuthentication>(false, null); } boolean realUser = true; UserAccount user = _userAccountDao.getUserAccount(username, domainId); if (user == null) { s_logger.debug("Unable to find user with " + username + " in domain " + domainId); realUser = false; } /* Fake Data */ String realPassword = new String(s_defaultPassword); byte[] salt = new String(s_defaultSalt).getBytes(); if (realUser) { String storedPassword[] = user.getPassword().split(":"); if (storedPassword.length != 2) { s_logger.warn("The stored password for " + username + " isn't in the right format for this authenticator"); realUser = false; } else { realPassword = storedPassword[1]; salt = Base64.decode(storedPassword[0]); } } try { String hashedPassword = encode(password, salt); /* constantTimeEquals comes first in boolean since we need to thwart timing attacks */ boolean result = constantTimeEquals(realPassword, hashedPassword) && realUser; ActionOnFailedAuthentication action = null; if (!result && realUser) { action = ActionOnFailedAuthentication.INCREMENT_INCORRECT_LOGIN_ATTEMPT_COUNT; } return new Pair<Boolean, ActionOnFailedAuthentication>(result, action); } catch (NoSuchAlgorithmException e) { throw new CloudRuntimeException("Unable to hash password", e); } catch (UnsupportedEncodingException e) { throw new CloudRuntimeException("Unable to hash password", e); } } /* (non-Javadoc) * @see com.cloud.server.auth.UserAuthenticator#encode(java.lang.String) */ @Override public String encode(String password) { // 1. Generate the salt SecureRandom randomGen; try { randomGen = SecureRandom.getInstance("SHA1PRNG"); byte salt[] = new byte[s_saltlen]; randomGen.nextBytes(salt); String saltString = new String(Base64.encode(salt)); String hashString = encode(password, salt); // 3. concatenate the two and return return saltString + ":" + hashString; } catch (NoSuchAlgorithmException e) { throw new CloudRuntimeException("Unable to hash password", e); } catch (UnsupportedEncodingException e) { throw new CloudRuntimeException("Unable to hash password", e); } } public String encode(String password, byte[] salt) throws UnsupportedEncodingException, NoSuchAlgorithmException { byte[] passwordBytes = password.getBytes("UTF-8"); byte[] hashSource = new byte[passwordBytes.length + salt.length]; System.arraycopy(passwordBytes, 0, hashSource, 0, passwordBytes.length); System.arraycopy(salt, 0, hashSource, passwordBytes.length, salt.length); // 2. Hash the password with the salt MessageDigest md = MessageDigest.getInstance("SHA-256"); md.update(hashSource); byte[] digest = md.digest(); return new String(Base64.encode(digest)); } private static boolean constantTimeEquals(String a, String b) { byte[] aBytes = a.getBytes(); byte[] bBytes = b.getBytes(); int result = aBytes.length ^ bBytes.length; for (int i = 0; i < aBytes.length && i < bBytes.length; i++) { result |= aBytes[i] ^ bBytes[i]; } return result == 0; } }