Merged 5.1-MC1 (5.1.0) to HEAD (5.1)

119065 adavis: Merged 5.1.N (5.1.1) to 5.1-MC1 (5.1.0) 117348 adavis: Merged 5.0.2-CLOUD42 (Cloud ) to 5.1.N (5.1.1) 117255 adavis: Merged 5.0.2-CLOUD (Cloud ) to 5.0.2-CLOUD42 (Cloud ) 114526 adavis: Merged BCRYPT to 5.0.2-CLOUD 114254 gjames: Making sure md4 doesn't use a salt MNT-14892 git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@119904 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
2025-10-08 14:51:49 +00:00 · 2015-12-10 10:00:52 +00:00
parent 7e58e926d0
commit cb6e5c77c0
2 changed files with 16 additions and 3 deletions
--- a/source/java/org/alfresco/repo/security/authentication/CompositePasswordEncoder.java
+++ b/source/java/org/alfresco/repo/security/authentication/CompositePasswordEncoder.java
@@ -42,8 +42,9 @@ public class CompositePasswordEncoder
    private Map<String,Object> encoders;
    private String preferredEncoding;
    public static final String MD4_KEY = "md4";
    public static final List<String> SHA256 = Arrays.asList("sha256");
-    public static final List<String> MD4 = Arrays.asList("md4");
+    public static final List<String> MD4 = Arrays.asList(MD4_KEY);
    public String getPreferredEncoding()
    {
@@ -131,6 +132,11 @@ public class CompositePasswordEncoder
       if (encoder instanceof net.sf.acegisecurity.providers.encoding.PasswordEncoder)
       {
           net.sf.acegisecurity.providers.encoding.PasswordEncoder pEncoder = (net.sf.acegisecurity.providers.encoding.PasswordEncoder) encoder;
           if (MD4_KEY.equals(encoderKey))
           {
               //In the past MD4 password encoding didn't use a SALT
               salt = null;
           }
           if (logger.isDebugEnabled()) {
               logger.debug("Encoding using acegis PasswordEncoder: "+encoderKey);
           }
@@ -193,6 +199,11 @@ public class CompositePasswordEncoder
        if (encoder instanceof net.sf.acegisecurity.providers.encoding.PasswordEncoder)
        {
            net.sf.acegisecurity.providers.encoding.PasswordEncoder pEncoder = (net.sf.acegisecurity.providers.encoding.PasswordEncoder) encoder;
            if (MD4_KEY.equals(encoderKey))
            {
                //In the past MD4 password encoding didn't use a SALT
                salt = null;
            }
            if (logger.isDebugEnabled()) {
                logger.debug("Matching using acegis PasswordEncoder: "+encoderKey);
            }
--- a/source/test-java/org/alfresco/repo/security/authentication/CompositePasswordEncoderTest.java
+++ b/source/test-java/org/alfresco/repo/security/authentication/CompositePasswordEncoderTest.java
@@ -170,10 +170,12 @@ public class CompositePasswordEncoderTest
        String sourceEncodedSaltFree = md4.encodePassword(SOURCE_PASSWORD, null);
        String encoded = encoder.encode("md4", SOURCE_PASSWORD, salt);
-        assertEquals(sourceEncoded, encoded);
+        //The salt is ignored for MD4 so the passwords will match
        assertTrue(encoder.matches("md4", SOURCE_PASSWORD, encoded, salt));
        assertTrue(encoder.matchesPassword(SOURCE_PASSWORD, encoded, salt, Arrays.asList("md4")));
-        assertEquals(sourceEncoded, encoder.encodePassword(SOURCE_PASSWORD, salt, Arrays.asList("md4")));
+
        assertNotEquals("The salt must be ignored for MD4", sourceEncoded, encoded);
        assertNotEquals("The salt must be ignored for MD4", sourceEncoded, encoder.encodePassword(SOURCE_PASSWORD, salt, Arrays.asList("md4")));
        encoded = encoder.encode("md4", SOURCE_PASSWORD, null);
        assertEquals(sourceEncodedSaltFree, encoded);