QPID-2726: add custom PlainPasswordCallback to enable PLAIN auth against custom PrincipalDatabase's which cant actually return password data, and revert r961923 changes.

git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@962870 13f79535-47bb-0310-9956-ffa450edef68

2 files changed, 88 insertions, 16 deletions

diff --git a/java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/plain/PlainPasswordCallback.java b/java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/plain/PlainPasswordCallback.java
new file mode 100644
index 0000000000..7230e8ee53
--- /dev/null
+++ b/java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/plain/PlainPasswordCallback.java
@@ -0,0 +1,81 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ * 
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.qpid.server.security.auth.sasl.plain;
+
+import java.util.Arrays;
+
+import javax.security.auth.callback.PasswordCallback;
+
+/**
+ * Custom PasswordCallback for use during the PLAIN authentication process.
+ * 
+ * To be used in combination with PrincipalDatabase implementations that
+ * can either set a plain text value in the parent callback, or use the
+ * setAuthenticated(bool) method after observing the incoming plain text. 
+ * 
+ * isAuthenticated() should then be used to determine the final result.
+ *
+ */
+public class PlainPasswordCallback extends PasswordCallback
+{
+    private char[] _plainPassword;
+    private boolean _authenticated = false;
+
+    /**
+     * Constructs a new PlainPasswordCallback with the incoming plain text password.
+     * 
+     * @throws NullPointerException if the incoming plain text is null
+     */
+    public PlainPasswordCallback(String prompt, boolean echoOn, String plainPassword)
+    {
+        super(prompt, echoOn);
+        
+        if(plainPassword == null)
+        {
+            throw new NullPointerException("Incoming plain text cannot be null");
+        }
+
+        _plainPassword = plainPassword.toCharArray();
+    }
+
+    public String getPlainPassword()
+    {
+        return new String(_plainPassword);
+    }
+
+    public void setAuthenticated(boolean authenticated)
+    {
+        _authenticated = authenticated;
+    }
+
+    /**
+     * Method to determine if the incoming plain password is authenticated
+     * 
+     * @return true if the stored password matches the incoming text, or setAuthenticated(true) has been called
+     */
+    public boolean isAuthenticated()
+    {
+        char[] storedPassword = getPassword();
+
+        return Arrays.equals(_plainPassword, storedPassword) || _authenticated;
+    }
+}
+
diff --git a/java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/plain/PlainSaslServer.java b/java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/plain/PlainSaslServer.java
index 1187aac303..847a3a34ce 100644
--- a/java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/plain/PlainSaslServer.java
+++ b/java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/plain/PlainSaslServer.java
@@ -70,16 +70,19 @@ public class PlainSaslServer implements SaslServer
             // String authcid = new String(response, 0, authzidNullPosition, "utf8");
             String authzid = new String(response, authzidNullPosition + 1, authcidNullPosition - authzidNullPosition - 1, "utf8");
 
-            // we do not care about the prompt but it throws if null
-            NameCallback nameCb = new NameCallback("prompt", authzid);
-            PasswordCallback passwordCb = new PasswordCallback("prompt", false);
             // TODO: should not get pwd as a String but as a char array...
             int passwordLen = response.length - authcidNullPosition - 1;
             String pwd = new String(response, authcidNullPosition + 1, passwordLen, "utf8");
+            
+            // we do not care about the prompt but it throws if null
+            NameCallback nameCb = new NameCallback("prompt", authzid);
+            PlainPasswordCallback passwordCb = new PlainPasswordCallback("prompt", false, pwd);
             AuthorizeCallback authzCb = new AuthorizeCallback(authzid, authzid);
+
             Callback[] callbacks = new Callback[]{nameCb, passwordCb, authzCb};
             _cbh.handle(callbacks);
-            if (validatePassword(pwd, passwordCb))
+
+            if (passwordCb.isAuthenticated())
             {
                 _complete = true;
             }
@@ -103,19 +106,7 @@ public class PlainSaslServer implements SaslServer
         }
     }
 
-    /**
-     * Compares the incoming plain text password with that contained in the given PasswordCallback
-     *  
-     * @param incomingPwd The incoming plain text password
-     * @param storedPwdCb PasswordCallback containing the stored password
-     * @return Whether the incoming password authenticates against the stored password
-     */
-    protected boolean validatePassword(String incomingPwd, PasswordCallback storedPwdCb)
-    {
-        String storedPwd = new String(storedPwdCb.getPassword());
 
-        return incomingPwd.equals(storedPwd);
-    }
 
     private int findNullPosition(byte[] response, int startPosition)
     {