Merged 5.0.2-CLOUD42 (Cloud ) to 5.1.N (5.1.1)

117241 adavis: Merged 5.0.2-CLOUD (Cloud ) to 5.0.2-CLOUD42 (Cloud ) 114510 adavis: Merged BCRYPT to 5.0.2-CLOUD 113765 gcornwell: MNT-14892: Users password now gets re-hashed when they login if it is not using the preferred encoding (removes old MD4 and SHA encoded passwords) git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/BRANCHES/DEV/5.1.N/root@117333 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
2025-10-08 14:51:49 +00:00 · 2015-11-11 17:50:09 +00:00
parent e53f2ad430
commit dbc4c03da7
4 changed files with 251 additions and 3 deletions
--- a/source/java/org/alfresco/repo/security/authentication/AuthenticationComponentImpl.java
+++ b/source/java/org/alfresco/repo/security/authentication/AuthenticationComponentImpl.java
@@ -21,6 +21,7 @@ package org.alfresco.repo.security.authentication;
 import java.io.PrintWriter;
 import java.io.StringWriter;
 import java.util.Collections;
+import java.util.List;
 import java.util.Set;

 import net.sf.acegisecurity.Authentication;
@@ -31,18 +32,24 @@ import net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken;

 import org.alfresco.error.AlfrescoRuntimeException;
 import org.alfresco.repo.security.authentication.ntlm.NLTMAuthenticator;
+import org.alfresco.repo.tenant.TenantContextHolder;
 import org.alfresco.repo.tenant.TenantDisabledException;
 import org.alfresco.repo.tenant.TenantUtil;
 import org.alfresco.repo.tenant.TenantUtil.TenantRunAsWork;
-import org.alfresco.repo.tenant.TenantContextHolder;
+import org.alfresco.repo.transaction.AlfrescoTransactionSupport;
 import org.alfresco.repo.transaction.RetryingTransactionHelper.RetryingTransactionCallback;
 import org.alfresco.util.Pair;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;

 public class AuthenticationComponentImpl extends AbstractAuthenticationComponent implements NLTMAuthenticator
 {
+    private static Log logger = LogFactory.getLog(AuthenticationComponentImpl.class);
+    
    private MutableAuthenticationDao authenticationDao;
-
+    
    AuthenticationManager authenticationManager;
+    CompositePasswordEncoder passwordEncoder;

    public AuthenticationComponentImpl()
    {
@@ -68,6 +75,11 @@ public class AuthenticationComponentImpl extends AbstractAuthenticationComponent
    {
        this.authenticationDao = authenticationDao;
    }
+    
+    public void setCompositePasswordEncoder(CompositePasswordEncoder passwordEncoder)
+    {
+        this.passwordEncoder = passwordEncoder;
+    }

    /**
     * Authenticate
@@ -94,6 +106,36 @@ public class AuthenticationComponentImpl extends AbstractAuthenticationComponent
                                    UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(
                                            normalized == null ? userName : normalized, new String(password));
                                    authenticationManager.authenticate(authentication);
+                                    
+                                    // check whether the user's password requires re-hashing
+                                    UserDetails userDetails = authenticationDao.loadUserByUsername(userName);
+                                    if (userDetails instanceof RepositoryAuthenticatedUser)
+                                    {
+                                        List<String> hashIndicator = ((RepositoryAuthenticatedUser)userDetails).getHashIndicator();
+                                        String preferredEncoding = passwordEncoder.getPreferredEncoding();
+                                        
+                                        if (hashIndicator != null && !hashIndicator.isEmpty())
+                                        {
+                                            // get the last encoding in the chain
+                                            String currentEncoding = hashIndicator.get(hashIndicator.size()-1);
+                                            
+                                            // if the encoding chain is longer than 1 (double hashed) or the 
+                                            // current encoding is not the preferred encoding then re-generate
+                                            if (hashIndicator.size() > 1 || !currentEncoding.equals(preferredEncoding))
+                                            {
+                                                // add transaction listener to re-hash the users password
+                                                HashPasswordTransactionListener txListener = new HashPasswordTransactionListener(userName, password);
+                                                txListener.setTransactionService(getTransactionService());
+                                                txListener.setAuthenticationDao(authenticationDao);
+                                                AlfrescoTransactionSupport.bindListener(txListener);
+                                                if (logger.isDebugEnabled())
+                                                {
+                                                    logger.debug("New hashed password for user '" + userName + "' has been requested");
+                                                }
+                                            }
+                                        }
+                                    }
+                                    
                                    return normalized;
                                }
                            }, tenantDomain);