org.apereo.cas.adaptors.jdbc

Class QueryAndEncodeDatabaseAuthenticationHandler

java.lang.Object

org.apereo.cas.authentication.AbstractAuthenticationHandler

org.apereo.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler

org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler

org.apereo.cas.adaptors.jdbc.AbstractJdbcUsernamePasswordAuthenticationHandler

org.apereo.cas.adaptors.jdbc.QueryAndEncodeDatabaseAuthenticationHandler

All Implemented Interfaces:

AuthenticationHandler

public class QueryAndEncodeDatabaseAuthenticationHandler
extends AbstractJdbcUsernamePasswordAuthenticationHandler

A JDBC querying handler that will pull back the password and the private salt value for a user and validate the encoded password using the public salt value. Assumes everything is inside the same database table. Supports settings for number of iterations as well as private salt.

This handler uses the hashing method defined by Apache Shiro's DefaultHashService. Refer to the Javadocs to learn more about the behavior. If the hashing behavior and/or configuration of private and public salts does nto meet your needs, a extension can be developed to specify alternative methods of encoding and digestion of the encoded password.

Since:

4.1.0

Field Summary

Fields

Modifier and Type	Field and Description
protected java.lang.String	algorithmName The Algorithm name.
protected long	numberOfIterations The number of iterations.
protected java.lang.String	numberOfIterationsFieldName The Number of iterations field name.
protected java.lang.String	passwordFieldName The Password field name.
protected java.lang.String	saltFieldName The Salt field name.
protected java.lang.String	sql The Sql statement to execute.
protected java.lang.String	staticSalt The static/private salt.

Fields inherited from class org.apereo.cas.authentication.AbstractAuthenticationHandler

logger, principalFactory, servicesManager

Fields inherited from interface org.apereo.cas.authentication.AuthenticationHandler

SUCCESSFUL_AUTHENTICATION_HANDLERS

Constructor Summary

Constructors

Constructor and Description
QueryAndEncodeDatabaseAuthenticationHandler()

Method Summary

Modifier and Type	Method and Description
protected HandlerResult	authenticateUsernamePasswordInternal(UsernamePasswordCredential transformedCredential) Authenticates a username/password credential by an arbitrary strategy.
protected java.lang.String	digestEncodedPassword(java.lang.String encodedPassword, java.util.Map<java.lang.String,java.lang.Object> values) Digest encoded password.
void	setAlgorithmName(java.lang.String algorithmName)
void	setNumberOfIterations(long numberOfIterations)
void	setNumberOfIterationsFieldName(java.lang.String numberOfIterationsFieldName)
void	setPasswordFieldName(java.lang.String passwordFieldName)
void	setSaltFieldName(java.lang.String saltFieldName)
void	setSql(java.lang.String sql)
void	setStaticSalt(java.lang.String staticSalt) Sets static/private salt to be combined with the dynamic salt retrieved from the database.

Methods inherited from class org.apereo.cas.adaptors.jdbc.AbstractJdbcUsernamePasswordAuthenticationHandler

getDataSource, getJdbcTemplate, setDataSource

Methods inherited from class org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler

doAuthentication, getPasswordPolicyConfiguration, setCredentialSelectionPredicate, setPasswordEncoder, setPasswordPolicyConfiguration, setPrincipalNameTransformer, supports

Methods inherited from class org.apereo.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler

authenticate, createHandlerResult, postAuthenticate, preAuthenticate

Methods inherited from class org.apereo.cas.authentication.AbstractAuthenticationHandler

getName, setName, setPrincipalFactory, setServicesManager

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

algorithmName

protected java.lang.String algorithmName

The Algorithm name.

sql

protected java.lang.String sql

The Sql statement to execute.

passwordFieldName

protected java.lang.String passwordFieldName

The Password field name.

saltFieldName

protected java.lang.String saltFieldName

The Salt field name.

numberOfIterationsFieldName

protected java.lang.String numberOfIterationsFieldName

The Number of iterations field name.

numberOfIterations

protected long numberOfIterations

The number of iterations. Defaults to 0.

staticSalt

protected java.lang.String staticSalt

The static/private salt.

Constructor Detail

QueryAndEncodeDatabaseAuthenticationHandler

public QueryAndEncodeDatabaseAuthenticationHandler()

Method Detail

authenticateUsernamePasswordInternal

protected HandlerResult authenticateUsernamePasswordInternal(UsernamePasswordCredential transformedCredential)
                                                      throws java.security.GeneralSecurityException,
                                                             PreventedException

Description copied from class: AbstractUsernamePasswordAuthenticationHandler

Authenticates a username/password credential by an arbitrary strategy.

Specified by:

authenticateUsernamePasswordInternal in class AbstractUsernamePasswordAuthenticationHandler

Parameters:

transformedCredential - the credential object bearing the transformed username and password.

Returns:

HandlerResult resolved from credential on authentication success or null if no principal could be resolved from the credential.

Throws:

java.security.GeneralSecurityException - On authentication failure.

PreventedException - On the indeterminate case when authentication is prevented.

digestEncodedPassword

protected java.lang.String digestEncodedPassword(java.lang.String encodedPassword,
                                                 java.util.Map<java.lang.String,java.lang.Object> values)

Digest encoded password.

Parameters:

encodedPassword - the encoded password

values - the values retrieved from database

Returns:

the digested password

setAlgorithmName

public void setAlgorithmName(java.lang.String algorithmName)

setSql

public void setSql(java.lang.String sql)

setStaticSalt

public void setStaticSalt(java.lang.String staticSalt)

Sets static/private salt to be combined with the dynamic salt retrieved from the database. Optional.

If using this implementation as part of a password hashing strategy, it might be desirable to configure a private salt. A hash and the salt used to compute it are often stored together. If an attacker is ever able to access the hash (e.g. during password cracking) and it has the full salt value, the attacker has all of the input necessary to try to brute-force crack the hash (source + complete salt).

However, if part of the salt is not available to the attacker (because it is not stored with the hash), it is much harder to crack the hash value since the attacker does not have the complete inputs necessary. The privateSalt property exists to satisfy this private-and-not-shared part of the salt.

If you configure this attribute, you can obtain this additional very important safety feature.

Parameters:

staticSalt - the static salt

setPasswordFieldName

public void setPasswordFieldName(java.lang.String passwordFieldName)

setSaltFieldName

public void setSaltFieldName(java.lang.String saltFieldName)

setNumberOfIterationsFieldName

public void setNumberOfIterationsFieldName(java.lang.String numberOfIterationsFieldName)

setNumberOfIterations

public void setNumberOfIterations(long numberOfIterations)