From cb6e5c77c0b51d844a514c69a01d6b1c14b72845 Mon Sep 17 00:00:00 2001
From: Jean-Pierre Huynh
Date: Thu, 10 Dec 2015 10:00:52 +0000
Subject: [PATCH] Merged 5.1-MC1 (5.1.0) to HEAD (5.1) 119065 adavis: Merged 5.1.N (5.1.1) to 5.1-MC1 (5.1.0) 117348 adavis: Merged 5.0.2-CLOUD42 (Cloud ) to 5.1.N (5.1.1) 117255 adavis: Merged 5.0.2-CLOUD (Cloud ) to 5.0.2-CLOUD42 (Cloud ) 114526 adavis: Merged BCRYPT to 5.0.2-CLOUD 114254 gjames: Making sure md4 doesn't use a salt MNT-14892
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@119904 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
---
 .../authentication/CompositePasswordEncoder.java | 13 ++++++++++++-
 .../CompositePasswordEncoderTest.java | 6 ++++--
 2 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/source/java/org/alfresco/repo/security/authentication/CompositePasswordEncoder.java b/source/java/org/alfresco/repo/security/authentication/CompositePasswordEncoder.java
index 5df9c35e5b..3031f10637 100644
--- a/source/java/org/alfresco/repo/security/authentication/CompositePasswordEncoder.java
+++ b/source/java/org/alfresco/repo/security/authentication/CompositePasswordEncoder.java
@@ -42,8 +42,9 @@ public class CompositePasswordEncoder
 private Map encoders;
 private String preferredEncoding;
+ public static final String MD4_KEY = "md4";
 public static final List SHA256 = Arrays.asList("sha256");
- public static final List MD4 = Arrays.asList("md4");
+ public static final List MD4 = Arrays.asList(MD4_KEY);
 public String getPreferredEncoding()
 {
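Review bot: In CompositePasswordEncoder.java the rewritten constant `MD4 = Arrays.asList(MD4_KEY)` is still a public list whose single element can be replaced through `set`, because `Arrays.asList` is fixed-size but not immutable. If these lists are passed around as encoding chains, as the `Arrays.asList("md4")` arguments in the test suggest, any code in the same JVM could change which encoder the constant names. Since the line is being touched anyway, the initializer could become `Collections.singletonList(MD4_KEY)`, assuming `java.util.Collections` is imported (the import block is outside the hunk). The unchanged `SHA256` line has the same shape.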
@@ -131,6 +132,11 @@ public class CompositePasswordEncoder
 if (encoder instanceof net.sf.acegisecurity.providers.encoding.PasswordEncoder)
 {
 net.sf.acegisecurity.providers.encoding.PasswordEncoder pEncoder = (net.sf.acegisecurity.providers.encoding.PasswordEncoder) encoder;
+ if (MD4_KEY.equals(encoderKey))
+ {
+ //In the past MD4 password encoding didn't use a SALT
+ salt = null;
+ }
 if (logger.isDebugEnabled()) {
 logger.debug("Encoding using acegis PasswordEncoder: "+encoderKey);
 }
@@ -193,6 +199,11 @@ public class CompositePasswordEncoder
 if (encoder instanceof net.sf.acegisecurity.providers.encoding.PasswordEncoder)
 {
 net.sf.acegisecurity.providers.encoding.PasswordEncoder pEncoder = (net.sf.acegisecurity.providers.encoding.PasswordEncoder) encoder;
+ if (MD4_KEY.equals(encoderKey))
+ {
+ //In the past MD4 password encoding didn't use a SALT
+ salt = null;
+ }
 if (logger.isDebugEnabled()) {
 logger.debug("Matching using acegis PasswordEncoder: "+encoderKey);
 }
diff --git a/source/test-java/org/alfresco/repo/security/authentication/CompositePasswordEncoderTest.java b/source/test-java/org/alfresco/repo/security/authentication/CompositePasswordEncoderTest.java
index 2237741c64..003d7d1846 100644
--- a/source/test-java/org/alfresco/repo/security/authentication/CompositePasswordEncoderTest.java
+++ b/source/test-java/org/alfresco/repo/security/authentication/CompositePasswordEncoderTest.java
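Review bot: In CompositePasswordEncoder.java the guard `if (MD4_KEY.equals(encoderKey)) { salt = null; }` is copied verbatim into the encoding path (hunk at -131) and the matching path (hunk at -193), and nothing ties the two copies together. If one is later changed and the other is not, stored MD4 hashes stop verifying. A single private helper that returns the salt to use for a given encoder key, with its result held in a local rather than overwriting the `salt` parameter, would keep both paths in step. The comment should state the consequence rather than the history, for example `// MD4 hashes are stored unsalted; a caller-supplied salt is deliberately ignored`, and the Javadoc should add that unsalted MD4 gives identical hashes for identical passwords, so `md4` should not be chosen as `preferredEncoding`. Both enclosing methods begin and end outside the hunks, so the parameter types and the non-acegi branch cannot be checked from here.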
@@ -170,10 +170,12 @@ public class CompositePasswordEncoderTest
 String sourceEncodedSaltFree = md4.encodePassword(SOURCE_PASSWORD, null);
 String encoded = encoder.encode("md4", SOURCE_PASSWORD, salt);
- assertEquals(sourceEncoded, encoded);
+ //The salt is ignored for MD4 so the passwords will match
 assertTrue(encoder.matches("md4", SOURCE_PASSWORD, encoded, salt));
 assertTrue(encoder.matchesPassword(SOURCE_PASSWORD, encoded, salt, Arrays.asList("md4")));
- assertEquals(sourceEncoded, encoder.encodePassword(SOURCE_PASSWORD, salt, Arrays.asList("md4")));
+
+ assertNotEquals("The salt must be ignored for MD4", sourceEncoded, encoded);
+ assertNotEquals("The salt must be ignored for MD4", sourceEncoded, encoder.encodePassword(SOURCE_PASSWORD, salt, Arrays.asList("md4")));
 encoded = encoder.encode("md4", SOURCE_PASSWORD, null);
 assertEquals(sourceEncodedSaltFree, encoded);
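Review bot: The two added `assertNotEquals` checks only prove that the result differs from the salted hash, so they would also pass if `encode` returned any other wrong value; the expected value for a non-null salt is never asserted. `sourceEncodedSaltFree` is already in scope, so `assertEquals("The salt must be ignored for MD4", sourceEncodedSaltFree, encoded);` and the same comparison for `encoder.encodePassword(SOURCE_PASSWORD, salt, Arrays.asList("md4"))` would pin the intended behaviour. It would also be worth adding `assertTrue(encoder.matches("md4", SOURCE_PASSWORD, sourceEncodedSaltFree, salt));` to show that a hash stored without a salt still verifies when a salt is supplied. The new comment `//The salt is ignored for MD4 so the passwords will match` sits above `matches` assertions that were already present before this change. The test method starts outside the hunk.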