1 // ========================================================================
2 // Copyright (c) 1998-2009 Mort Bay Consulting Pty. Ltd.
3 // ------------------------------------------------------------------------
4 // All rights reserved. This program and the accompanying materials
5 // are made available under the terms of the Eclipse Public License v1.0
6 // and Apache License v2.0 which accompanies this distribution.
7 // The Eclipse Public License is available at
8 // http://www.eclipse.org/legal/epl-v10.html
9 // The Apache License v2.0 is available at
10 // http://www.opensource.org/licenses/apache2.0.php
11 // You may elect to redistribute this code under either of these licenses.
12 // ========================================================================
13
14 package org.eclipse.jetty.http.security;
15
16 import java.security.MessageDigest;
17
18 import org.eclipse.jetty.util.StringUtil;
19 import org.eclipse.jetty.util.TypeUtil;
20 import org.eclipse.jetty.util.log.Log;
21
22 /* ------------------------------------------------------------ */
23 /**
24 * Credentials. The Credential class represents an abstract mechanism for
25 * checking authentication credentials. A credential instance either represents
26 * a secret, or some data that could only be derived from knowing the secret.
27 * <p>
28 * Often a Credential is related to a Password via a one way algorithm, so while
29 * a Password itself is a Credential, a UnixCrypt or MD5 digest of a a password
30 * is only a credential that can be checked against the password.
31 * <p>
32 * This class includes an implementation for unix Crypt an MD5 digest.
33 *
34 * @see Password
35 *
36 */
37 public abstract class Credential
38 {
39 /* ------------------------------------------------------------ */
40 /**
41 * Check a credential
42 *
43 * @param credentials The credential to check against. This may either be
44 * another Credential object, a Password object or a String
45 * which is interpreted by this credential.
46 * @return True if the credentials indicated that the shared secret is known
47 * to both this Credential and the passed credential.
48 */
49 public abstract boolean check(Object credentials);
50
51 /* ------------------------------------------------------------ */
52 /**
53 * Get a credential from a String. If the credential String starts with a
54 * known Credential type (eg "CRYPT:" or "MD5:" ) then a Credential of that
55 * type is returned. Else the credential is assumed to be a Password.
56 *
57 * @param credential String representation of the credential
58 * @return A Credential or Password instance.
59 */
60 public static Credential getCredential(String credential)
61 {
62 if (credential.startsWith(Crypt.__TYPE)) return new Crypt(credential);
63 if (credential.startsWith(MD5.__TYPE)) return new MD5(credential);
64
65 return new Password(credential);
66 }
67
68 /* ------------------------------------------------------------ */
69 /**
70 * Unix Crypt Credentials
71 */
72 public static class Crypt extends Credential
73 {
74 public static final String __TYPE = "CRYPT:";
75
76 private final String _cooked;
77
78 Crypt(String cooked)
79 {
80 _cooked = cooked.startsWith(Crypt.__TYPE) ? cooked.substring(__TYPE.length()) : cooked;
81 }
82
83 @Override
84 public boolean check(Object credentials)
85 {
86 if (credentials instanceof char[])
87 credentials=new String((char[])credentials);
88 if (!(credentials instanceof String) && !(credentials instanceof Password))
89 Log.warn("Can't check " + credentials.getClass() + " against CRYPT");
90
91 String passwd = credentials.toString();
92 return _cooked.equals(UnixCrypt.crypt(passwd, _cooked));
93 }
94
95 public static String crypt(String user, String pw)
96 {
97 return "CRYPT:" + UnixCrypt.crypt(pw, user);
98 }
99 }
100
101 /* ------------------------------------------------------------ */
102 /**
103 * MD5 Credentials
104 */
105 public static class MD5 extends Credential
106 {
107 public static final String __TYPE = "MD5:";
108
109 public static final Object __md5Lock = new Object();
110
111 private static MessageDigest __md;
112
113 private final byte[] _digest;
114
115 /* ------------------------------------------------------------ */
116 MD5(String digest)
117 {
118 digest = digest.startsWith(__TYPE) ? digest.substring(__TYPE.length()) : digest;
119 _digest = TypeUtil.parseBytes(digest, 16);
120 }
121
122 /* ------------------------------------------------------------ */
123 public byte[] getDigest()
124 {
125 return _digest;
126 }
127
128 /* ------------------------------------------------------------ */
129 @Override
130 public boolean check(Object credentials)
131 {
132 try
133 {
134 byte[] digest = null;
135
136 if (credentials instanceof char[])
137 credentials=new String((char[])credentials);
138 if (credentials instanceof Password || credentials instanceof String)
139 {
140 synchronized (__md5Lock)
141 {
142 if (__md == null) __md = MessageDigest.getInstance("MD5");
143 __md.reset();
144 __md.update(credentials.toString().getBytes(StringUtil.__ISO_8859_1));
145 digest = __md.digest();
146 }
147 if (digest == null || digest.length != _digest.length) return false;
148 for (int i = 0; i < digest.length; i++)
149 if (digest[i] != _digest[i]) return false;
150 return true;
151 }
152 else if (credentials instanceof MD5)
153 {
154 MD5 md5 = (MD5) credentials;
155 if (_digest.length != md5._digest.length) return false;
156 for (int i = 0; i < _digest.length; i++)
157 if (_digest[i] != md5._digest[i]) return false;
158 return true;
159 }
160 else if (credentials instanceof Credential)
161 {
162 // Allow credential to attempt check - i.e. this'll work
163 // for DigestAuthModule$Digest credentials
164 return ((Credential) credentials).check(this);
165 }
166 else
167 {
168 Log.warn("Can't check " + credentials.getClass() + " against MD5");
169 return false;
170 }
171 }
172 catch (Exception e)
173 {
174 Log.warn(e);
175 return false;
176 }
177 }
178
179 /* ------------------------------------------------------------ */
180 public static String digest(String password)
181 {
182 try
183 {
184 byte[] digest;
185 synchronized (__md5Lock)
186 {
187 if (__md == null)
188 {
189 try
190 {
191 __md = MessageDigest.getInstance("MD5");
192 }
193 catch (Exception e)
194 {
195 Log.warn(e);
196 return null;
197 }
198 }
199
200 __md.reset();
201 __md.update(password.getBytes(StringUtil.__ISO_8859_1));
202 digest = __md.digest();
203 }
204
205 return __TYPE + TypeUtil.toString(digest, 16);
206 }
207 catch (Exception e)
208 {
209 Log.warn(e);
210 return null;
211 }
212 }
213 }
214 }