public class FileBasedAuthenticator extends AbstractAuthenticator
| account id | account name | hashed password | roles | lockout | status | old password hashes | last hostname | last change | last login | last failed | expiration | failed |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1203123710837 | mitch | 44k/NAzQUlrCq9musTGGkcMNmdzEGJ8w8qZTLzpxLuQ= | admin,user | unlocked | enabled | u10dW4vTo3ZkoM5xP+blayWCz7KdPKyKUojOn9GJobg= | 192.168.1.255 | 1187201000926 | 1187200991568 | 1187200605330 | 2187200605330 | 1 |
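As an added example (not ESAPI's own code and not from this page), a Python reader for the users.txt record layout shown above: it splits the thirteen pipe-delimited fields, validates every stored hash as base64, and flags the account states a reviewer of the user database would want to see (locked, disabled, expired, failed-login threshold, reused password, privileged role). The sample line is the page's own row joined into one string; the max_failed threshold is an assumed site policy value.

```python
import base64

# Column order of one users.txt record, from the layout shown on this page.
FIELDS = ("account_id", "account_name", "hashed_password", "roles", "lockout",
          "status", "old_password_hashes", "last_hostname", "last_change",
          "last_login", "last_failed", "expiration", "failed")
INT_FIELDS = ("account_id", "last_change", "last_login", "last_failed", "expiration", "failed")

# Constructed sample: the record row shown above, joined into one line.
SAMPLE = ("1203123710837 | mitch | 44k/NAzQUlrCq9musTGGkcMNmdzEGJ8w8qZTLzpxLuQ= | admin,user"
          " | unlocked | enabled | u10dW4vTo3ZkoM5xP+blayWCz7KdPKyKUojOn9GJobg="
          " | 192.168.1.255 | 1187201000926 | 1187200991568 | 1187200605330"
          " | 2187200605330 | 1")

def parse_record(line):
    """Parse one ' | '-delimited record into a dict; raises ValueError if malformed."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(parts)))
    rec = dict(zip(FIELDS, parts))
    for k in INT_FIELDS:  # all timestamps are milliseconds since the epoch
        rec[k] = int(rec[k])
    for k in ("roles", "old_password_hashes"):  # comma-joined lists; empty field -> []
        rec[k] = [x for x in rec[k].split(",") if x]
    rec["locked"] = rec.pop("lockout") == "locked"
    rec["enabled"] = rec.pop("status") == "enabled"
    # Every stored hash must be well-formed base64; a truncated or hand-edited entry fails here.
    for h in [rec["hashed_password"]] + rec["old_password_hashes"]:
        base64.b64decode(h, validate=True)
    return rec

def audit(rec, now_ms, max_failed=3):
    """Return the conditions a reviewer of the user database would want flagged."""
    findings = []
    if rec["locked"]:
        findings.append("locked")
    if not rec["enabled"]:
        findings.append("disabled")
    if rec["expiration"] <= now_ms:
        findings.append("expired")
    if rec["failed"] >= max_failed:  # max_failed is an assumed site policy value
        findings.append("failed-login-threshold")
    # hashPassword salts with the account name, so a current hash that also appears
    # in the history means the same password was set again on this account.
    if rec["hashed_password"] in rec["old_password_hashes"]:
        findings.append("password-reused")
    if "admin" in rec["roles"]:
        findings.append("privileged")
    return findings
```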
Implemented interface: Authenticator
Inherited field: USER
| Modifier and Type | Method and Description |
|---|---|
| void | changePassword(User user, String currentPassword, String newPassword, String newPassword2): Changes the password for the specified user. |
| User | createUser(String accountName, String password1, String password2): Creates a new User with the information provided. |
| String | generateStrongPassword(): Generate a strong password. |
| String | generateStrongPassword(User user, String oldPassword): Generate a strong password that takes into account the user's information and old password. |
| static Authenticator | getInstance() |
| User | getUser(long accountId): Returns the User matching the provided accountId. |
| User | getUser(String accountName): Returns the User matching the provided accountName. |
| Set | getUserNames(): Gets a collection containing all the existing user names. |
| String | hashPassword(String password, String accountName): Returns a string representation of the hashed password, using the accountName as the salt. |
| protected void | loadUsersIfNecessary(): Load users if they haven't been loaded in a while. |
| protected void | loadUsersImmediately() |
| static void | main(String[] args): Fail-safe main program to add or update an account in an emergency. |
| void | removeUser(String accountName): Removes the account of the specified accountName. |
| void | saveUsers(): Saves the user database to the file system. |
| protected void | saveUsers(PrintWriter writer): Save users. |
| void | verifyAccountNameStrength(String newAccountName): Ensures that the account name passes site-specific complexity requirements, like minimum length. |
| boolean | verifyPassword(User user, String password): Verify that the supplied password matches the password for this user. |
| void | verifyPasswordStrength(String oldPassword, String newPassword, User user): Ensures that the password meets site-specific complexity requirements, like length or number of character sets. |
Methods inherited from class AbstractAuthenticator: clearCurrent, exists, getCurrentUser, getUserFromRememberToken, getUserFromSession, login, login, logout, setCurrentUser
public static Authenticator getInstance()

public static void main(String[] args) throws Exception
Fail-safe main program to add or update an account in an emergency.
java -Dorg.owasp.esapi.resources="/path/resources" -classpath esapi.jar org.owasp.esapi.Authenticator alice password admin
Parameters:
args - the arguments (username, password, role)
Throws:
Exception - the exception

public User createUser(String accountName, String password1, String password2) throws AuthenticationException
Creates a new User with the information provided.
Parameters:
accountName - the account name of the new user
password1 - the password of the new user
password2 - the password of the new user. This field is to encourage user interface designers to include two password fields in their forms.
Throws:
AuthenticationException - if user creation fails due to any of the qualifications listed in this method's description

public String generateStrongPassword()
Generate a strong password.

public void changePassword(User user, String currentPassword, String newPassword, String newPassword2) throws AuthenticationException
Changes the password for the specified user.
Parameters:
user - the user to change the password for
currentPassword - the current password for the specified user
newPassword - the new password to use
newPassword2 - a verification copy of the new password
Throws:
AuthenticationException - if any errors occur

public boolean verifyPassword(User user, String password)
Verify that the supplied password matches the password for this user.
Parameters:
user - the user who requires verification
password - the hashed user-supplied password

public String generateStrongPassword(User user, String oldPassword)
Generate a strong password that takes into account the user's information and old password.
Parameters:
user - the user whose information to use when generating the password
oldPassword - the old password to use when verifying the strength of the new password. The new password may be checked for fragments of oldPassword.

public User getUser(long accountId)
Returns the User matching the provided accountId.
Parameters:
accountId - the account id

public User getUser(String accountName)
Returns the User matching the provided accountName.
Parameters:
accountName - the account name

public Set getUserNames()
Gets a collection containing all the existing user names.

public String hashPassword(String password, String accountName) throws EncryptionException
Returns a string representation of the hashed password, using the accountName as the salt.
Parameters:
password - the password to hash
accountName - the account name to use as the salt
Throws:
EncryptionException

protected void loadUsersIfNecessary()
Load users if they haven't been loaded in a while.

protected void loadUsersImmediately()

public void removeUser(String accountName) throws AuthenticationException
Removes the account of the specified accountName.
Parameters:
accountName - the account name to remove
Throws:
AuthenticationException - the authentication exception if the user does not exist

public void saveUsers() throws AuthenticationException
Saves the user database to the file system.
Throws:
AuthenticationException - if the user file could not be written

protected void saveUsers(PrintWriter writer) throws AuthenticationCredentialsException
Save users.
Parameters:
writer - the print writer to use for saving
Throws:
AuthenticationCredentialsException

public void verifyAccountNameStrength(String newAccountName) throws AuthenticationException
Ensures that the account name passes site-specific complexity requirements, like minimum length.
Parameters:
newAccountName
Throws:
AuthenticationException - if the account name does not meet complexity requirements

public void verifyPasswordStrength(String oldPassword, String newPassword, User user) throws AuthenticationException
Ensures that the password meets site-specific complexity requirements, like length or number of character sets.
Parameters:
oldPassword - the old password
newPassword - the new password
user - the user
Throws:
AuthenticationException - if newPassword is too similar to oldPassword or if newPassword does not meet complexity requirements

Copyright © 2016 The Open Web Application Security Project (OWASP). All rights reserved.