[jboss-cvs] jboss-seam/src/main/org/jboss/seam/security/management ...
Shane Bryzak
sbryzak at redhat.com
Wed Jan 9 21:49:06 EST 2008
User: sbryzak2
Date: 08/01/09 21:49:06
Modified: src/main/org/jboss/seam/security/management
JpaIdentityStore.java
Log:
fixed NPE, salted password hash
Revision Changes Path
1.9 +22 -8 jboss-seam/src/main/org/jboss/seam/security/management/JpaIdentityStore.java
(In the diff below, changes in quantity of whitespace are not shown.)
Index: JpaIdentityStore.java
===================================================================
RCS file: /cvsroot/jboss/jboss-seam/src/main/org/jboss/seam/security/management/JpaIdentityStore.java,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -b -r1.8 -r1.9
--- JpaIdentityStore.java 9 Jan 2008 10:03:51 -0000 1.8
+++ JpaIdentityStore.java 10 Jan 2008 02:49:05 -0000 1.9
@@ -66,6 +66,11 @@
throw new IdentityManagementException("Could not create account, accountClass not set");
}
+ if (accountExists(username))
+ {
+ throw new IdentityManagementException("Could not create account, already exists");
+ }
+
UserAccount account = accountClass.newInstance();
account.setAccountType(UserAccount.AccountType.user);
account.setUsername(username);
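Review bot: The `accountExists(username)` check added at the top of the hunk is not atomic with the persist that follows it, so two concurrent calls for the same username can both pass the check and both attempt the insert; the early `IdentityManagementException` is a useful fast path, but uniqueness should also be enforced by a unique constraint on the username column so the second insert fails at the database rather than creating a duplicate. If that constraint violation is not already translated, it would surface as a persistence exception rather than the `IdentityManagementException` thrown here, which callers may not expect. The enclosing method starts before the hunk and continues after it.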
@@ -216,7 +221,7 @@
try
{
account = validateUser(name);
- account.setPasswordHash(hashPassword(password));
+ account.setPasswordHash(hashPassword(password, name));
mergeAccount(account);
return true;
}
@@ -269,6 +274,8 @@
List<String> roles = new ArrayList<String>();
+ if (account.getMemberships() != null)
+ {
for (UserAccount membership : account.getMemberships())
{
if (membership.getAccountType().equals(UserAccount.AccountType.role))
@@ -276,6 +283,7 @@
roles.add(membership.getUsername());
}
}
+ }
return roles;
}
@@ -338,7 +346,7 @@
return false;
}
- boolean success = hashPassword(password).equals(account.getPasswordHash());
+ boolean success = hashPassword(password, username).equals(account.getPasswordHash());
if (success && Events.exists())
{
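Review bot: The changed line compares the recomputed hash with `String.equals`, which returns as soon as the first differing character is found; for a credential check a length-constant comparison is preferable, e.g. `byte[] expected = account.getPasswordHash().getBytes(); boolean success = MessageDigest.isEqual(hashPassword(password, username).getBytes(), expected);` (`MessageDigest` is already imported for `hashPassword`; `isEqual` is constant-time on current JDKs). With that form `getPasswordHash()` must be null-guarded first, since `equals(null)` silently returned false but `getBytes()` on null would throw. The enclosing method starts before the hunk and continues after it.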
@@ -477,14 +485,20 @@
this.entityManagerName = name;
}
- protected String hashPassword(String password)
+ protected String hashPassword(String password, String saltPhrase)
{
try {
MessageDigest md = MessageDigest.getInstance(hashFunction);
+
+ md.update(saltPhrase.getBytes());
+ byte[] salt = md.digest();
+
+ md.reset();
md.update(password.getBytes(hashCharset));
+ md.update(salt);
+
byte[] raw = md.digest();
- // TODO - salt the hash, possibly using the user name?
return new String(Hex.encodeHex(raw));
}
catch (Exception e) {