/** * The software subject to this notice and license includes both human readable * source code form and machine readable, binary, object code form. The nci-commons * Software was developed in conjunction with the National Cancer Institute * (NCI) by NCI employees and 5AM Solutions, Inc. (5AM). To the extent * government employees are authors, any rights in such works shall be subject * to Title 17 of the United States Code, section 105. * * This nci-commons Software License (the License) is between NCI and You. You (or * Your) shall mean a person or an entity, and all other entities that control, * are controlled by, or are under common control with the entity. Control for * purposes of this definition means (i) the direct or indirect power to cause * the direction or management of such entity, whether by contract or otherwise, * or (ii) ownership of fifty percent (50%) or more of the outstanding shares, * or (iii) beneficial ownership of such entity. * * This License is granted provided that You agree to the conditions described * below. NCI grants You a non-exclusive, worldwide, perpetual, fully-paid-up, * no-charge, irrevocable, transferable and royalty-free right and license in * its rights in the nci-commons Software to (i) use, install, access, operate, * execute, copy, modify, translate, market, publicly display, publicly perform, * and prepare derivative works of the nci-commons Software; (ii) distribute and * have distributed to and by third parties the nci-commons Software and any * modifications and derivative works thereof; and (iii) sublicense the * foregoing rights set out in (i) and (ii) to third parties, including the * right to license such rights to further third parties. For sake of clarity, * and not by way of limitation, NCI shall have no right of accounting or right * of payment from You or Your sub-licensees for the rights granted under this * License. This License is granted at no charge to You. 
* * Your redistributions of the source code for the Software must retain the * above copyright notice, this list of conditions and the disclaimer and * limitation of liability of Article 6, below. Your redistributions in object * code form must reproduce the above copyright notice, this list of conditions * and the disclaimer of Article 6 in the documentation and/or other materials * provided with the distribution, if any. * * Your end-user documentation included with the redistribution, if any, must * include the following acknowledgment: This product includes software * developed by 5AM and the National Cancer Institute. If You do not include * such end-user documentation, You shall include this acknowledgment in the * Software itself, wherever such third-party acknowledgments normally appear. * * You may not use the names "The National Cancer Institute", "NCI", or "5AM" * to endorse or promote products derived from this Software. This License does * not authorize You to use any trademarks, service marks, trade names, logos or * product names of either NCI or 5AM, except as required to comply with the * terms of this License. * * For sake of clarity, and not by way of limitation, You may incorporate this * Software into Your proprietary programs and into any third party proprietary * programs. However, if You incorporate the Software into third party * proprietary programs, You agree that You are solely responsible for obtaining * any permission from such third parties required to incorporate the Software * into such third party proprietary programs and for informing Your * sub-licensees, including without limitation Your end-users, of their * obligation to secure any required permissions from such third parties before * incorporating the Software into such third party proprietary software * programs. 
In the event that You fail to obtain such permissions, You agree
 * to indemnify NCI for any claims against NCI by such third parties, except to
 * the extent prohibited by law, resulting from Your failure to obtain such
 * permissions.
 *
 * For sake of clarity, and not by way of limitation, You may add Your own
 * copyright statement to Your modifications and to the derivative works, and
 * You may provide additional or different license terms and conditions in Your
 * sublicenses of modifications of the Software, or any derivative works of the
 * Software as a whole, provided Your use, reproduction, and distribution of the
 * Work otherwise complies with the conditions stated in this License.
 *
 * THIS SOFTWARE IS PROVIDED "AS IS," AND ANY EXPRESSED OR IMPLIED WARRANTIES,
 * (INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY,
 * NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE) ARE DISCLAIMED. IN NO
 * EVENT SHALL THE NATIONAL CANCER INSTITUTE, 5AM SOLUTIONS, INC. OR THEIR
 * AFFILIATES BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
 * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
 * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
package com.fiveamsolutions.nci.commons.util;

import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Random;
import java.util.regex.Pattern;

import org.apache.commons.codec.digest.DigestUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;

import com.fiveamsolutions.nci.commons.data.security.Password;
import com.fiveamsolutions.nci.commons.data.security.PasswordType;

/**
 * Low level utils for security classes. Note that the password operations here allow blank, empty,
 * or null passwords.
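All such passwords are treated identically. Also, all passwords are
 * trimmed before comparison.
 * <p>
 * Security notes: salts are drawn from {@link SecureRandom}, and stored values are compared with
 * {@link MessageDigest#isEqual(byte[], byte[])} so that a wrong guess is not rejected faster than a
 * right one. The stored {@code SHA_SALTED} format itself (one SHA-1 round over
 * {@code salt + password}, input reduced to US-ASCII) is deliberately left unchanged: existing
 * stored hashes must keep verifying, and {@link PasswordType} offers no other salted type to
 * migrate to. A slow, memory-hard hash (bcrypt/scrypt/argon2) behind a new {@code PasswordType}
 * is the appropriate follow-up.
 */
@SuppressWarnings("PMD.CyclomaticComplexity")
public final class SecurityUtils {
    private static final int MIN_PASSWORD_LENGTH = 6;
    /**
     * Salt source. The previous {@code java.util.Random} has a 48-bit state that is recoverable
     * from a couple of observed outputs, which would let an attacker predict other users' salts.
     */
    private static final SecureRandom RAN = new SecureRandom();
    private static final int THIRTY_SIX = 36; // radix used to render the salt
    /** Charset the stored hash was computed over; changing it would invalidate existing hashes. */
    private static final String HASH_CHARSET = "US-ASCII";
    /** Charset used only to turn the two sides of a comparison into bytes. */
    private static final String COMPARE_CHARSET = "UTF-8";
    private static final Logger LOG = Logger.getLogger(SecurityUtils.class);
    // Compiled once; String.matches() recompiles its pattern on every call.
    private static final Pattern HAS_LOWER = Pattern.compile(".*[a-z]+.*");
    private static final Pattern HAS_UPPER = Pattern.compile(".*[A-Z]+.*");
    private static final Pattern HAS_DIGIT_OR_PUNCT = Pattern.compile(".*[\\p{Digit}\\p{Punct}]+.*");

    private SecurityUtils() {
        // prevent instantiation
    }

    /**
     * Builds a new salted password record for the given clear-text password.
     *
     * @param unencryptedPassword password to hash. Blank, empty, or null passwords are acceptable passwords
     *        and are all hashed as the empty password (the random salt still differs per call).
     * @return Password object of type {@link PasswordType#SHA_SALTED} with a fresh salt
     */
    public static Password create(String unencryptedPassword) {
        Password p = new Password();
        p.setType(PasswordType.SHA_SALTED);
        // Clear the sign bit instead of Math.abs(): abs(Long.MIN_VALUE) is still negative and would
        // render a leading '-'. 63 random bits in base 36 is at most 13 characters.
        p.setSalt(Long.toString(RAN.nextLong() & Long.MAX_VALUE, THIRTY_SIX));
        p.setValue(shaHex(p.getSalt(), unencryptedPassword));
        return p;
    }

    /**
     * Determines whether the provided string matches the given password.
     *
     * @param p password object; must not be null
     * @param fromUser password string provided by user. may be blank, empty, or null.
     * @return whether the password matches; false when {@code p} carries no stored value
     * @throws UnsupportedOperationException if {@code p.getType()} is neither
     *         {@code SHA_SALTED} nor {@code PLAINTEXT}
     */
    public static boolean matches(Password p, String fromUser) {
        if (PasswordType.SHA_SALTED.equals(p.getType())) {
            return constantTimeEquals(p.getValue(), shaHex(p.getSalt(), fromUser));
        } else if (PasswordType.PLAINTEXT.equals(p.getType())) {
            LOG.warn("A plaintext password was 'decrypted'.");
            return constantTimeEquals(p.getValue(), StringUtils.trimToEmpty(fromUser));
        } else {
            throw new UnsupportedOperationException("Unknown encoding type: " + p.getType());
        }
    }

    /**
     * Compares a stored secret with a computed one without stopping at the first differing byte,
     * so the elapsed time does not reveal how long a correct prefix the guess had.
     *
     * @param stored value held in the Password record (may be null)
     * @param computed value derived from user input (may be null)
     * @return true only when both are non-null and byte-for-byte equal
     */
    private static boolean constantTimeEquals(String stored, String computed) {
        if (stored == null || computed == null) {
            return false;
        }
        // MessageDigest.isEqual is the JDK's constant-time comparison. It still returns early on a
        // length mismatch; for a hex digest the length is fixed and public, so nothing is leaked.
        return MessageDigest.isEqual(toBytes(stored, COMPARE_CHARSET), toBytes(computed, COMPARE_CHARSET));
    }

    /**
     * {@link String#getBytes(String)} with the impossible checked exception turned into an unchecked one.
     *
     * @param s string to encode
     * @param charset name of a charset every JVM must support (see {@code java.nio.charset.Charset})
     * @return the encoded bytes
     */
    private static byte[] toBytes(String s, String charset) {
        try {
            return s.getBytes(charset);
        } catch (UnsupportedEncodingException e) {
            // Cannot happen - the java spec guarantees US-ASCII and UTF-8 are available (see Charset)
            throw new IllegalStateException("JVM lacks mandatory charset " + charset, e);
        }
    }

    /**
     * Computes the stored hex value for a salt and clear-text password.
     *
     * @param salt salt string (concatenated as-is; a null salt contributes the text "null")
     * @param pass clear-text password; trimmed, with null treated as empty
     * @return lower-case hex SHA-1 of {@code salt + trimmed password}
     */
    private static String shaHex(String salt, String pass) {
        // NOTE(review): a single SHA-1 round is cheap to brute force, and US-ASCII maps every non-ASCII
        // char to '?', so passwords that differ only in such chars hash identically. Both are kept
        // because stored SHA_SALTED values must continue to verify; fix via a new PasswordType, not here.
        return DigestUtils.shaHex(toBytes(salt + StringUtils.trimToEmpty(pass), HASH_CHARSET));
    }

    /**
     * Checks a candidate password against business rules. Rules are:
     * <ul>
     * <li>Cannot have leading or trailing whitespace
     * <li>Must be at least 6 characters in length
     * <li>Must contain at least one ascii uppercase letter
     * <li>Must contain at least one ascii lowercase letter
     * <li>Must contain at least one number or special character
     * </ul>
     * A null candidate is rejected.
     *
     * @param candidate a candidate password to test
     * @return whether the candidate passes all checks
     */
    @SuppressWarnings("PMD.CyclomaticComplexity")
    public static boolean isAcceptablePassword(String candidate) {
        // Change to return String[] of violations (which could be keys to resource file)
        // if we want to move to configurable rules

        // null trims to "" which never equals null, so this rejects null as well as padded input.
        if (!StringUtils.trimToEmpty(candidate).equals(candidate)) {
            return false;
        }
        if (candidate.length() < MIN_PASSWORD_LENGTH) {
            return false;
        }
        // The anchored ".*" patterns do not span line terminators, so a candidate with an embedded
        // newline fails every rule below and is rejected (pre-existing behavior, kept).
        return HAS_LOWER.matcher(candidate).matches()
            && HAS_UPPER.matcher(candidate).matches()
            && HAS_DIGIT_OR_PUNCT.matcher(candidate).matches();
    }
}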