org.apereo.cas.adaptors.jdbc

Class QueryAndEncodeDatabaseAuthenticationHandler

java.lang.Object

org.apereo.cas.authentication.AbstractAuthenticationHandler

org.apereo.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler

org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler

org.apereo.cas.adaptors.jdbc.AbstractJdbcUsernamePasswordAuthenticationHandler

org.apereo.cas.adaptors.jdbc.QueryAndEncodeDatabaseAuthenticationHandler

All Implemented Interfaces:

org.apereo.cas.authentication.AuthenticationHandler, org.apereo.cas.authentication.PrePostAuthenticationHandler, org.springframework.core.Ordered

public class QueryAndEncodeDatabaseAuthenticationHandler
extends AbstractJdbcUsernamePasswordAuthenticationHandler

A JDBC querying handler that will pull back the password and the private salt value for a user and validate the encoded password using the public salt value. Assumes everything is inside the same database table. Supports settings for number of iterations as well as private salt.

This handler uses the hashing method defined by Apache Shiro's DefaultHashService. Refer to the Javadocs to learn more about the behavior. If the hashing behavior and/or configuration of private and public salts does nto meet your needs, a extension can be developed to specify alternative methods of encoding and digestion of the encoded password.

Since:

4.1.0

Field Summary

Fields

Modifier and Type	Field and Description
protected java.lang.String	algorithmName The Algorithm name.
protected java.lang.String	disabledFieldName The Expired field name.
protected java.lang.String	expiredFieldName The Expired field name.
protected long	numberOfIterations The number of iterations.
protected java.lang.String	numberOfIterationsFieldName The Number of iterations field name.
protected java.lang.String	passwordFieldName The Password field name.
protected java.lang.String	saltFieldName The Salt field name.
protected java.lang.String	sql The Sql statement to execute.
protected java.lang.String	staticSalt Static/private salt to be combined with the dynamic salt retrieved from the database.

Fields inherited from class org.apereo.cas.authentication.AbstractAuthenticationHandler

credentialSelectionPredicate, principalFactory, servicesManager

Fields inherited from interface org.apereo.cas.authentication.AuthenticationHandler

SUCCESSFUL_AUTHENTICATION_HANDLERS

Fields inherited from interface org.springframework.core.Ordered

HIGHEST_PRECEDENCE, LOWEST_PRECEDENCE

Constructor Summary

Constructors

Constructor and Description

QueryAndEncodeDatabaseAuthenticationHandler(java.lang.String name, org.apereo.cas.services.ServicesManager servicesManager, org.apereo.cas.authentication.principal.PrincipalFactory principalFactory, java.lang.Integer order, javax.sql.DataSource dataSource, java.lang.String algorithmName, java.lang.String sql, java.lang.String passwordFieldName, java.lang.String saltFieldName, java.lang.String expiredFieldName, java.lang.String disabledFieldName, java.lang.String numberOfIterationsFieldName, long numberOfIterations, java.lang.String staticSalt)

Method Summary

Modifier and Type	Method and Description
protected org.apereo.cas.authentication.HandlerResult	authenticateUsernamePasswordInternal(org.apereo.cas.authentication.UsernamePasswordCredential transformedCredential, java.lang.String originalPassword)
protected java.lang.String	digestEncodedPassword(java.lang.String encodedPassword, java.util.Map<java.lang.String,java.lang.Object> values) Digest encoded password.

Methods inherited from class org.apereo.cas.adaptors.jdbc.AbstractJdbcUsernamePasswordAuthenticationHandler

getDataSource, getJdbcTemplate

Methods inherited from class org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler

doAuthentication, getPasswordPolicyConfiguration, matches, setPasswordEncoder, setPasswordPolicyConfiguration, setPrincipalNameTransformer, supports

Methods inherited from class org.apereo.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler

authenticate, createHandlerResult

Methods inherited from class org.apereo.cas.authentication.AbstractAuthenticationHandler

getName, getOrder, setCredentialSelectionPredicate

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.apereo.cas.authentication.PrePostAuthenticationHandler

postAuthenticate, preAuthenticate

Methods inherited from interface org.apereo.cas.authentication.AuthenticationHandler

getName

Methods inherited from interface org.springframework.core.Ordered

getOrder

Field Detail

algorithmName

protected java.lang.String algorithmName

The Algorithm name.

sql

protected java.lang.String sql

The Sql statement to execute.

passwordFieldName

protected java.lang.String passwordFieldName

The Password field name.

saltFieldName

protected java.lang.String saltFieldName

The Salt field name.

expiredFieldName

protected java.lang.String expiredFieldName

The Expired field name.

disabledFieldName

protected java.lang.String disabledFieldName

The Expired field name.

numberOfIterationsFieldName

protected java.lang.String numberOfIterationsFieldName

The Number of iterations field name.

numberOfIterations

protected long numberOfIterations

The number of iterations. Defaults to 0.

staticSalt

protected java.lang.String staticSalt

Static/private salt to be combined with the dynamic salt retrieved from the database. Optional.

If using this implementation as part of a password hashing strategy, it might be desirable to configure a private salt. A hash and the salt used to compute it are often stored together. If an attacker is ever able to access the hash (e.g. during password cracking) and it has the full salt value, the attacker has all of the input necessary to try to brute-force crack the hash (source + complete salt).

However, if part of the salt is not available to the attacker (because it is not stored with the hash), it is much harder to crack the hash value since the attacker does not have the complete inputs necessary. The privateSalt property exists to satisfy this private-and-not-shared part of the salt.

If you configure this attribute, you can obtain this additional very important safety feature.

Constructor Detail

QueryAndEncodeDatabaseAuthenticationHandler

public QueryAndEncodeDatabaseAuthenticationHandler(java.lang.String name,
                                                   org.apereo.cas.services.ServicesManager servicesManager,
                                                   org.apereo.cas.authentication.principal.PrincipalFactory principalFactory,
                                                   java.lang.Integer order,
                                                   javax.sql.DataSource dataSource,
                                                   java.lang.String algorithmName,
                                                   java.lang.String sql,
                                                   java.lang.String passwordFieldName,
                                                   java.lang.String saltFieldName,
                                                   java.lang.String expiredFieldName,
                                                   java.lang.String disabledFieldName,
                                                   java.lang.String numberOfIterationsFieldName,
                                                   long numberOfIterations,
                                                   java.lang.String staticSalt)

Method Detail

authenticateUsernamePasswordInternal

protected org.apereo.cas.authentication.HandlerResult authenticateUsernamePasswordInternal(org.apereo.cas.authentication.UsernamePasswordCredential transformedCredential,
                                                                                           java.lang.String originalPassword)
                                                                                    throws java.security.GeneralSecurityException,
                                                                                           org.apereo.cas.authentication.PreventedException

Specified by:

authenticateUsernamePasswordInternal in class org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler

Throws:

java.security.GeneralSecurityException

org.apereo.cas.authentication.PreventedException

digestEncodedPassword

protected java.lang.String digestEncodedPassword(java.lang.String encodedPassword,
                                                 java.util.Map<java.lang.String,java.lang.Object> values)

Digest encoded password.

Parameters:

encodedPassword - the encoded password

values - the values retrieved from database

Returns:

the digested password