author | Martin Spielmann <martin.spielmann@pingunaut.com> | 2017-01-07 13:47:42 +0100 |
---|---|---|
committer | Martin Spielmann <martin.spielmann@pingunaut.com> | 2017-01-07 13:47:42 +0100 |
commit | 4ab81b3465f086f9fbeadc93d6bce326208e85ac (patch) | |
tree | 600614bc28b8e2a121cb4200a9ad80fb3b51729f /src/main/java/com/gitblit/manager/AuthenticationManager.java | |
parent | 15782f62ba134006a2f92f65d10f0713e8ad85a0 (diff) | |
download | gitblit-4ab81b3465f086f9fbeadc93d6bce326208e85ac.tar.gz gitblit-4ab81b3465f086f9fbeadc93d6bce326208e85ac.zip |
Update AuthenticationManager to update weakly stored passwords on login
Diffstat (limited to 'src/main/java/com/gitblit/manager/AuthenticationManager.java')
-rw-r--r-- | src/main/java/com/gitblit/manager/AuthenticationManager.java | 41 |
1 files changed, 35 insertions, 6 deletions
diff --git a/src/main/java/com/gitblit/manager/AuthenticationManager.java b/src/main/java/com/gitblit/manager/AuthenticationManager.java
index 7a1fd9f2..46be2ef2 100644
--- a/src/main/java/com/gitblit/manager/AuthenticationManager.java
+++ b/src/main/java/com/gitblit/manager/AuthenticationManager.java
@@ -519,7 +519,8 @@ public class AuthenticationManager implements IAuthenticationManager {
 */
 protected UserModel authenticateLocal(UserModel user, char [] password) {
 UserModel returnedUser = null;
- //weak password hash
+ boolean strongHashUsed = false;
+
 if (user.password.startsWith(StringUtils.MD5_TYPE)) {
 // password digest
 String md5 = StringUtils.MD5_TYPE + StringUtils.getMD5(new String(password));
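Review bot: The javadoc that closes at the ` */` context line at the top of this hunk is left unchanged although authenticateLocal now gains a persistence side effect: after a successful login against a stored password that is not a PBKDF2 hash (the MD5 and plain-text branches visible in the second hunk), the stored password is rehashed and written back through userManager.updateUserModel. A reader of the signature cannot tell that a read-style authentication call may now modify the user store, which matters for callers that pass in shared or cached UserModel instances. Add a sentence to that javadoc such as `On successful authentication, if the stored password is not already a PBKDF2 hash and realm.passwordStorage selects one, the stored password is rehashed and persisted.` The javadoc body itself and the remainder of authenticateLocal lie outside this hunk.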
@@ -533,19 +534,47 @@ public class AuthenticationManager implements IAuthenticationManager {
 if (user.password.equalsIgnoreCase(md5)) {
 returnedUser = user;
 }
- } else if (user.password.equals(new String(password))) {
- // plain-text password
- returnedUser = user;
 } else if (user.password.startsWith(SecurePasswordHashUtils.PBKDF2WITHHMACSHA256_TYPE)){
- //strong hash
+ // strong hash
 SecurePasswordHashUtils hashUtils = SecurePasswordHashUtils.get();
 boolean isPasswordValid = hashUtils.isPasswordCorrect(password, user.password);
 if(isPasswordValid){
 returnedUser = user;
+ strongHashUsed = true;
 }
+ } else if (user.password.equals(new String(password))) {
+ // plain-text password
+ returnedUser = user;
+ }
+
+ // validate user
+ returnedUser = validateAuthentication(returnedUser, AuthenticationType.CREDENTIALS);
+
+ // if no strong hash was used to store the password, try to update it based on the settings
+ if(!strongHashUsed){
+ updateStoredPassword(returnedUser, password);
 }
- return validateAuthentication(returnedUser, AuthenticationType.CREDENTIALS);
+ return returnedUser;
+ }
+
+ /**
+ * Update stored password to a strong hash if configured.
+ *
+ * @param user the user to be updated
+ * @param password the password
+ */
+ protected void updateStoredPassword(UserModel user, char[] password) {
+ // check if user has successfully authenticated i.e. is not null
+ if(user != null){
+ // check if strong hash algorithm is configured
+ String algorithm = settings.getString(Keys.realm.passwordStorage, SecurePasswordHashUtils.PBKDF2WITHHMACSHA256);
+ if(algorithm.equals(SecurePasswordHashUtils.PBKDF2WITHHMACSHA256)){
+ // rehash the provided correct password and
+ user.password = SecurePasswordHashUtils.get().createStoredPasswordFromPassword(password);
+ userManager.updateUserModel(user);
+ }
+ }
 }
 /** |
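Review bot: In updateStoredPassword the result of `userManager.updateUserModel(user)` is discarded, so if the write-back fails the login still succeeds silently and the account keeps its weak MD5 or plain-text entry until a later attempt happens to persist; if updateUserModel reports success as a boolean (as it appears to in IUserManager), check it and log a warning naming only the username, e.g. `if (!userManager.updateUserModel(user)) { logger.warn("failed to upgrade stored password hash for user {}", user.username); }` (assuming the manager's SLF4J field is named `logger`). Logging the successful upgrade at info level would also let operators follow the migration of legacy entries. Because `user.password` is overwritten on the passed-in UserModel before the update call, a failed persist additionally leaves the in-memory model out of sync with the store. The comment `// rehash the provided correct password and` is cut off mid-sentence; complete it as `// rehash the verified password with the configured strong algorithm and persist it`.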