org.opencastproject.kernel.security.CustomPasswordEncoder Maven / Gradle / Ivy
/*
* Licensed to The Apereo Foundation under one or more contributor license
* agreements. See the NOTICE file distributed with this work for additional
* information regarding copyright ownership.
*
*
* The Apereo Foundation licenses this file to you under the Educational
* Community License, Version 2.0 (the "License"); you may not use this file
* except in compliance with the License. You may obtain a copy of the License
* at:
*
* http://opensource.org/licenses/ecl2.txt
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
* License for the specific language governing permissions and limitations under
* the License.
*
*/
package org.opencastproject.kernel.security;
import org.apache.commons.codec.digest.DigestUtils;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.encoding.PasswordEncoder;
import org.springframework.security.crypto.bcrypt.BCrypt;
/**
* Password encoder using bcrypt for password hashing while still supporting the verification of olf md5 based
* passwords.
*/
public class CustomPasswordEncoder implements PasswordEncoder {
private Logger logger = LoggerFactory.getLogger(CustomPasswordEncoder.class);
/**
* Encode the raw password for storage using bcrypt.
* @param rawPassword raw password to encrypt/hash
* @return hashed password
*/
public String encodePassword(final String rawPassword) {
return encodePassword(rawPassword, null);
}
/**
* Encode the raw password for storage using bcrypt.
* @param rawPassword raw password to encrypt/hash
* @param ignored This parameter will not be used. A random salt is generated by bcrypt.
* @return hashed password
*/
@Override
public String encodePassword(final String rawPassword, final Object ignored) {
return BCrypt.hashpw(rawPassword, BCrypt.gensalt());
}
/**
* Verify the encoded password obtained from storage matches the submitted raw
* password after it too is encoded. Returns true if the passwords match, false if
* they do not. The stored password itself is never decoded.
*
* @param rawPassword the raw password to encode and match
* @param encodedPassword the encoded password from storage to compare with
* @return true if the raw password, after encoding, matches the encoded password from storage
*/
@Override
public boolean isPasswordValid(String encodedPassword, String rawPassword, Object salt) {
// Test MD5 encoded hash
if (encodedPassword.length() == 32) {
final String hash = md5Encode(rawPassword, salt);
logger.debug("Checking md5 hashed password '{}' against encoded password '{}'", hash, encodedPassword);
return hash.equals(encodedPassword);
}
// Test BCrypt encoded hash
logger.debug("Verifying bcrypt hash {}", encodedPassword);
try {
return StringUtils.startsWith(encodedPassword, "$") && BCrypt.checkpw(rawPassword, encodedPassword);
} catch (IllegalArgumentException e) {
logger.debug("bcrypt hash verification failed", e);
}
return false;
}
/**
* Encode a clear text password using Opencast's legacy MD5 based hashing with salt.
* The username was used as salt for this.
*
* @param clearText
* the password
* @param salt
* the salt
* @return the hashed password
* @throws IllegalArgumentException
* if clearText or salt are null
*/
public static String md5Encode(String clearText, Object salt) throws IllegalArgumentException {
if (clearText == null || salt == null)
throw new IllegalArgumentException("clearText and salt must not be null");
return DigestUtils.md5Hex(clearText + "{" + salt.toString() + "}");
}
}
© 2015 - 2025 Weber Informatics LLC | Privacy Policy