From 5f5a5fd1b2d5b1e123ca3a95b68303ce078c4825 Mon Sep 17 00:00:00 2001 From: Robert Gemmell Date: Sat, 10 Jul 2010 16:14:25 +0000 Subject: QPID-2726: add custom PlainPasswordCallback to enable PLAIN auth against custom PrincipalDatabase's which cant actually return password data, and revert r961923 changes. git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@962870 13f79535-47bb-0310-9956-ffa450edef68 --- .../auth/sasl/plain/PlainPasswordCallback.java | 81 ++++++++++++++++++++++ .../security/auth/sasl/plain/PlainSaslServer.java | 23 ++---- 2 files changed, 88 insertions(+), 16 deletions(-) create mode 100644 java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/plain/PlainPasswordCallback.java (limited to 'java') diff --git a/java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/plain/PlainPasswordCallback.java b/java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/plain/PlainPasswordCallback.java new file mode 100644 index 0000000000..7230e8ee53 --- /dev/null +++ b/java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/plain/PlainPasswordCallback.java @@ -0,0 +1,81 @@ +/* + * + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + * + */ +package org.apache.qpid.server.security.auth.sasl.plain; + +import java.util.Arrays; + +import javax.security.auth.callback.PasswordCallback; + +/** + * Custom PasswordCallback for use during the PLAIN authentication process. + * + * To be used in combination with PrincipalDatabase implementations that + * can either set a plain text value in the parent callback, or use the + * setAuthenticated(bool) method after observing the incoming plain text. + * + * isAuthenticated() should then be used to determine the final result. + * + */ +public class PlainPasswordCallback extends PasswordCallback +{ + private char[] _plainPassword; + private boolean _authenticated = false; + + /** + * Constructs a new PlainPasswordCallback with the incoming plain text password. + * + * @throws NullPointerException if the incoming plain text is null + */ + public PlainPasswordCallback(String prompt, boolean echoOn, String plainPassword) + { + super(prompt, echoOn); + + if(plainPassword == null) + { + throw new NullPointerException("Incoming plain text cannot be null"); + } + + _plainPassword = plainPassword.toCharArray(); + } + + public String getPlainPassword() + { + return new String(_plainPassword); + } + + public void setAuthenticated(boolean authenticated) + { + _authenticated = authenticated; + } + + /** + * Method to determine if the incoming plain password is authenticated + * + * @return true if the stored password matches the incoming text, or setAuthenticated(true) has been called + */ + public boolean isAuthenticated() + { + char[] storedPassword = getPassword(); + + return Arrays.equals(_plainPassword, storedPassword) || _authenticated; + } +} + diff --git a/java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/plain/PlainSaslServer.java b/java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/plain/PlainSaslServer.java index 1187aac303..847a3a34ce 100644 --- a/java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/plain/PlainSaslServer.java +++ b/java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/plain/PlainSaslServer.java @@ -70,16 +70,19 @@ public class PlainSaslServer implements SaslServer // String authcid = new String(response, 0, authzidNullPosition, "utf8"); String authzid = new String(response, authzidNullPosition + 1, authcidNullPosition - authzidNullPosition - 1, "utf8"); - // we do not care about the prompt but it throws if null - NameCallback nameCb = new NameCallback("prompt", authzid); - PasswordCallback passwordCb = new PasswordCallback("prompt", false); // TODO: should not get pwd as a String but as a char array... int passwordLen = response.length - authcidNullPosition - 1; String pwd = new String(response, authcidNullPosition + 1, passwordLen, "utf8"); + + // we do not care about the prompt but it throws if null + NameCallback nameCb = new NameCallback("prompt", authzid); + PlainPasswordCallback passwordCb = new PlainPasswordCallback("prompt", false, pwd); AuthorizeCallback authzCb = new AuthorizeCallback(authzid, authzid); + Callback[] callbacks = new Callback[]{nameCb, passwordCb, authzCb}; _cbh.handle(callbacks); - if (validatePassword(pwd, passwordCb)) + + if (passwordCb.isAuthenticated()) { _complete = true; } @@ -103,19 +106,7 @@ public class PlainSaslServer implements SaslServer } } - /** - * Compares the incoming plain text password with that contained in the given PasswordCallback - * - * @param incomingPwd The incoming plain text password - * @param storedPwdCb PasswordCallback containing the stored password - * @return Whether the incoming password authenticates against the stored password - */ - protected boolean validatePassword(String incomingPwd, PasswordCallback storedPwdCb) - { - String storedPwd = new String(storedPwdCb.getPassword()); - return incomingPwd.equals(storedPwd); - } private int findNullPosition(byte[] response, int startPosition) { -- cgit v1.2.1