org.apereo.cas.adaptors.jdbc

Class QueryAndEncodeDatabaseAuthenticationHandler

java.lang.Object

org.apereo.cas.authentication.AbstractAuthenticationHandler

org.apereo.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler

org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler

org.apereo.cas.adaptors.jdbc.AbstractJdbcUsernamePasswordAuthenticationHandler

org.apereo.cas.adaptors.jdbc.QueryAndEncodeDatabaseAuthenticationHandler

All Implemented Interfaces:

AuthenticationHandler, PrePostAuthenticationHandler, org.springframework.core.Ordered

public class QueryAndEncodeDatabaseAuthenticationHandler
extends AbstractJdbcUsernamePasswordAuthenticationHandler

A JDBC querying handler that will pull back the password and the private salt value for a user and validate the encoded password using the public salt value. Assumes everything is inside the same database table. Supports settings for number of iterations as well as private salt.

This handler uses the hashing method defined by Apache Shiro's DefaultHashService. Refer to the Javadocs to learn more about the behavior. If the hashing behavior and/or configuration of private and public salts does nto meet your needs, a extension can be developed to specify alternative methods of encoding and digestion of the encoded password.

Since:

4.1.0

Field Summary

Fields

Modifier and Type	Field and Description
protected java.lang.String	algorithmName The Algorithm name.
protected java.lang.String	disabledFieldName The Expired field name.
protected java.lang.String	expiredFieldName The Expired field name.
protected long	numberOfIterations The number of iterations.
protected java.lang.String	numberOfIterationsFieldName The Number of iterations field name.
protected java.lang.String	passwordFieldName The Password field name.
protected java.lang.String	saltFieldName The Salt field name.
protected java.lang.String	sql The Sql statement to execute.
protected java.lang.String	staticSalt Static/private salt to be combined with the dynamic salt retrieved from the database.

Fields inherited from class org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler

passwordPolicyHandlingStrategy

Fields inherited from class org.apereo.cas.authentication.AbstractAuthenticationHandler

credentialSelectionPredicate, principalFactory, servicesManager

Fields inherited from interface org.apereo.cas.authentication.AuthenticationHandler

SUCCESSFUL_AUTHENTICATION_HANDLERS

Fields inherited from interface org.springframework.core.Ordered

HIGHEST_PRECEDENCE, LOWEST_PRECEDENCE

Constructor Summary

Constructors

Constructor and Description

QueryAndEncodeDatabaseAuthenticationHandler(java.lang.String name, ServicesManager servicesManager, PrincipalFactory principalFactory, java.lang.Integer order, javax.sql.DataSource dataSource, java.lang.String algorithmName, java.lang.String sql, java.lang.String passwordFieldName, java.lang.String saltFieldName, java.lang.String expiredFieldName, java.lang.String disabledFieldName, java.lang.String numberOfIterationsFieldName, long numberOfIterations, java.lang.String staticSalt)

Method Summary

Modifier and Type	Method and Description
protected AuthenticationHandlerExecutionResult	authenticateUsernamePasswordInternal(UsernamePasswordCredential transformedCredential, java.lang.String originalPassword) Authenticates a username/password credential by an arbitrary strategy with extra parameter original credential password before encoding password.
protected java.lang.String	digestEncodedPassword(java.lang.String encodedPassword, java.util.Map<java.lang.String,java.lang.Object> values) Digest encoded password.

Methods inherited from class org.apereo.cas.adaptors.jdbc.AbstractJdbcUsernamePasswordAuthenticationHandler

getDataSource, getJdbcTemplate, getNamedJdbcTemplate

Methods inherited from class org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler

doAuthentication, matches, supports

Methods inherited from class org.apereo.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler

authenticate, createHandlerResult, createHandlerResult

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.apereo.cas.authentication.PrePostAuthenticationHandler

postAuthenticate, preAuthenticate

Methods inherited from interface org.apereo.cas.authentication.AuthenticationHandler

getName, getOrder

Field Detail

algorithmName

protected java.lang.String algorithmName

The Algorithm name.

sql

protected java.lang.String sql

The Sql statement to execute.

passwordFieldName

protected java.lang.String passwordFieldName

The Password field name.

saltFieldName

protected java.lang.String saltFieldName

The Salt field name.

expiredFieldName

protected java.lang.String expiredFieldName

The Expired field name.

disabledFieldName

protected java.lang.String disabledFieldName

The Expired field name.

numberOfIterationsFieldName

protected java.lang.String numberOfIterationsFieldName

The Number of iterations field name.

numberOfIterations

protected long numberOfIterations

The number of iterations. Defaults to 0.

staticSalt

protected java.lang.String staticSalt

Static/private salt to be combined with the dynamic salt retrieved from the database. Optional.

If using this implementation as part of a password hashing strategy, it might be desirable to configure a private salt. A hash and the salt used to compute it are often stored together. If an attacker is ever able to access the hash (e.g. during password cracking) and it has the full salt value, the attacker has all of the input necessary to try to brute-force crack the hash (source + complete salt).

However, if part of the salt is not available to the attacker (because it is not stored with the hash), it is much harder to crack the hash value since the attacker does not have the complete inputs necessary. The privateSalt property exists to satisfy this private-and-not-shared part of the salt.

If you configure this attribute, you can obtain this additional very important safety feature.

Constructor Detail

QueryAndEncodeDatabaseAuthenticationHandler

public QueryAndEncodeDatabaseAuthenticationHandler(java.lang.String name,
                                                   ServicesManager servicesManager,
                                                   PrincipalFactory principalFactory,
                                                   java.lang.Integer order,
                                                   javax.sql.DataSource dataSource,
                                                   java.lang.String algorithmName,
                                                   java.lang.String sql,
                                                   java.lang.String passwordFieldName,
                                                   java.lang.String saltFieldName,
                                                   java.lang.String expiredFieldName,
                                                   java.lang.String disabledFieldName,
                                                   java.lang.String numberOfIterationsFieldName,
                                                   long numberOfIterations,
                                                   java.lang.String staticSalt)

Method Detail

authenticateUsernamePasswordInternal

protected AuthenticationHandlerExecutionResult authenticateUsernamePasswordInternal(UsernamePasswordCredential transformedCredential,
                                                                                    java.lang.String originalPassword)
                                                                             throws java.security.GeneralSecurityException,
                                                                                    PreventedException

Description copied from class: AbstractUsernamePasswordAuthenticationHandler

Authenticates a username/password credential by an arbitrary strategy with extra parameter original credential password before encoding password. Override it if implementation need to use original password for authentication.

Specified by:

authenticateUsernamePasswordInternal in class AbstractUsernamePasswordAuthenticationHandler

Parameters:

transformedCredential - the credential object bearing the transformed username and password.

originalPassword - original password from credential before password encoding

Returns:

AuthenticationHandlerExecutionResult resolved from credential on authentication success or null if no principal could be resolved from the credential.

Throws:

java.security.GeneralSecurityException - On authentication failure.

PreventedException - On the indeterminate case when authentication is prevented.

digestEncodedPassword

protected java.lang.String digestEncodedPassword(java.lang.String encodedPassword,
                                                 java.util.Map<java.lang.String,java.lang.Object> values)

Digest encoded password.

Parameters:

encodedPassword - the encoded password

values - the values retrieved from database

Returns:

the digested password