1 // ========================================================================
2 // Copyright (c) 1998-2009 Mort Bay Consulting Pty. Ltd.
3 // ------------------------------------------------------------------------
4 // All rights reserved. This program and the accompanying materials
5 // are made available under the terms of the Eclipse Public License v1.0
6 // and Apache License v2.0 which accompanies this distribution.
7 // The Eclipse Public License is available at
8 // http://www.eclipse.org/legal/epl-v10.html
9 // The Apache License v2.0 is available at
10 // http://www.opensource.org/licenses/apache2.0.php
11 // You may elect to redistribute this code under either of these licenses.
12 // ========================================================================
13
14 package org.eclipse.jetty.http.security;
15
16 import java.io.Serializable;
17 import java.security.MessageDigest;
18
19 import org.eclipse.jetty.util.StringUtil;
20 import org.eclipse.jetty.util.TypeUtil;
21 import org.eclipse.jetty.util.log.Log;
22 import org.eclipse.jetty.util.log.Logger;
23
24 /* ------------------------------------------------------------ */
25 /**
26 * Credentials. The Credential class represents an abstract mechanism for
27 * checking authentication credentials. A credential instance either represents
28 * a secret, or some data that could only be derived from knowing the secret.
29 * <p>
30 * Often a Credential is related to a Password via a one way algorithm, so while
31 * a Password itself is a Credential, a UnixCrypt or MD5 digest of a a password
32 * is only a credential that can be checked against the password.
33 * <p>
34 * This class includes an implementation for unix Crypt an MD5 digest.
35 *
36 * @see Password
37 *
38 */
39 public abstract class Credential implements Serializable
40 {
41 private static final Logger LOG = Log.getLogger(Credential.class);
42
43 private static final long serialVersionUID = -7760551052768181572L;
44
45 /* ------------------------------------------------------------ */
46 /**
47 * Check a credential
48 *
49 * @param credentials The credential to check against. This may either be
50 * another Credential object, a Password object or a String
51 * which is interpreted by this credential.
52 * @return True if the credentials indicated that the shared secret is known
53 * to both this Credential and the passed credential.
54 */
55 public abstract boolean check(Object credentials);
56
57 /* ------------------------------------------------------------ */
58 /**
59 * Get a credential from a String. If the credential String starts with a
60 * known Credential type (eg "CRYPT:" or "MD5:" ) then a Credential of that
61 * type is returned. Else the credential is assumed to be a Password.
62 *
63 * @param credential String representation of the credential
64 * @return A Credential or Password instance.
65 */
66 public static Credential getCredential(String credential)
67 {
68 if (credential.startsWith(Crypt.__TYPE)) return new Crypt(credential);
69 if (credential.startsWith(MD5.__TYPE)) return new MD5(credential);
70
71 return new Password(credential);
72 }
73
74 /* ------------------------------------------------------------ */
75 /**
76 * Unix Crypt Credentials
77 */
78 public static class Crypt extends Credential
79 {
80 private static final long serialVersionUID = -2027792997664744210L;
81
82 public static final String __TYPE = "CRYPT:";
83
84 private final String _cooked;
85
86 Crypt(String cooked)
87 {
88 _cooked = cooked.startsWith(Crypt.__TYPE) ? cooked.substring(__TYPE.length()) : cooked;
89 }
90
91 @Override
92 public boolean check(Object credentials)
93 {
94 if (credentials instanceof char[])
95 credentials=new String((char[])credentials);
96 if (!(credentials instanceof String) && !(credentials instanceof Password))
97 LOG.warn("Can't check " + credentials.getClass() + " against CRYPT");
98
99 String passwd = credentials.toString();
100 return _cooked.equals(UnixCrypt.crypt(passwd, _cooked));
101 }
102
103 public static String crypt(String user, String pw)
104 {
105 return "CRYPT:" + UnixCrypt.crypt(pw, user);
106 }
107 }
108
109 /* ------------------------------------------------------------ */
110 /**
111 * MD5 Credentials
112 */
113 public static class MD5 extends Credential
114 {
115 private static final long serialVersionUID = 5533846540822684240L;
116
117 public static final String __TYPE = "MD5:";
118
119 public static final Object __md5Lock = new Object();
120
121 private static MessageDigest __md;
122
123 private final byte[] _digest;
124
125 /* ------------------------------------------------------------ */
126 MD5(String digest)
127 {
128 digest = digest.startsWith(__TYPE) ? digest.substring(__TYPE.length()) : digest;
129 _digest = TypeUtil.parseBytes(digest, 16);
130 }
131
132 /* ------------------------------------------------------------ */
133 public byte[] getDigest()
134 {
135 return _digest;
136 }
137
138 /* ------------------------------------------------------------ */
139 @Override
140 public boolean check(Object credentials)
141 {
142 try
143 {
144 byte[] digest = null;
145
146 if (credentials instanceof char[])
147 credentials=new String((char[])credentials);
148 if (credentials instanceof Password || credentials instanceof String)
149 {
150 synchronized (__md5Lock)
151 {
152 if (__md == null) __md = MessageDigest.getInstance("MD5");
153 __md.reset();
154 __md.update(credentials.toString().getBytes(StringUtil.__ISO_8859_1));
155 digest = __md.digest();
156 }
157 if (digest == null || digest.length != _digest.length) return false;
158 for (int i = 0; i < digest.length; i++)
159 if (digest[i] != _digest[i]) return false;
160 return true;
161 }
162 else if (credentials instanceof MD5)
163 {
164 MD5 md5 = (MD5) credentials;
165 if (_digest.length != md5._digest.length) return false;
166 for (int i = 0; i < _digest.length; i++)
167 if (_digest[i] != md5._digest[i]) return false;
168 return true;
169 }
170 else if (credentials instanceof Credential)
171 {
172 // Allow credential to attempt check - i.e. this'll work
173 // for DigestAuthModule$Digest credentials
174 return ((Credential) credentials).check(this);
175 }
176 else
177 {
178 LOG.warn("Can't check " + credentials.getClass() + " against MD5");
179 return false;
180 }
181 }
182 catch (Exception e)
183 {
184 LOG.warn(e);
185 return false;
186 }
187 }
188
189 /* ------------------------------------------------------------ */
190 public static String digest(String password)
191 {
192 try
193 {
194 byte[] digest;
195 synchronized (__md5Lock)
196 {
197 if (__md == null)
198 {
199 try
200 {
201 __md = MessageDigest.getInstance("MD5");
202 }
203 catch (Exception e)
204 {
205 LOG.warn(e);
206 return null;
207 }
208 }
209
210 __md.reset();
211 __md.update(password.getBytes(StringUtil.__ISO_8859_1));
212 digest = __md.digest();
213 }
214
215 return __TYPE + TypeUtil.toString(digest, 16);
216 }
217 catch (Exception e)
218 {
219 LOG.warn(e);
220 return null;
221 }
222 }
223 }
224 }