[jboss-cvs] JBossAS SVN: r85135 - in projects/security/security-jboss-sx/trunk/jbosssx/src: test/java/org/jboss/test/authentication/jaas and 1 other directories.
Mon Mar 2 20:24:31 EST 2009
Author: sguilhen at redhat.com
Date: 2009-03-02 20:24:31 -0500 (Mon, 02 Mar 2009)
New Revision: 85135
Added:
projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/auth/spi/InputValidationException.java
projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/auth/spi/InputValidator.java
projects/security/security-jboss-sx/trunk/jbosssx/src/test/java/org/jboss/test/authentication/jaas/helpers/TestInputValidator.java
Modified:
projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/auth/spi/SecurityActions.java
projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/auth/spi/UsernamePasswordLoginModule.java
projects/security/security-jboss-sx/trunk/jbosssx/src/test/java/org/jboss/test/authentication/jaas/LoginModulesUnitTestCase.java
Log:
SECURITY-338: added InputValidator interface to UsernamePasswordLoginModule; added a new test to LoginModulesUnitTestCase to test the usage of the InputValidator.
Added: projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/auth/spi/InputValidationException.java
===================================================================
--- projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/auth/spi/InputValidationException.java (rev 0)
+++ projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/auth/spi/InputValidationException.java 2009-03-03 01:24:31 UTC (rev 85135)
@@ -0,0 +1,70 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2009, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.security.auth.spi;
+
+/**
+ * <p>
+ * The {@code InputValidationException} is thrown by the {@code InputValidator}s to indicate that information supplied
+ * by clients (e.g. username and password) is not valid (has unexpected tokens, doens't adhere to a pre-defined pattern,
+ * etc).
+ * </p>
+ *
+ * @author <a href="mailto:sguilhen at redhat.com">Stefan Guilhen</a>
+ */
+public class InputValidationException extends Exception
+{
+
+ /**
+ * <p>
+ * Creates an instance of {@code InputValidationException}.
+ * </p>
+ */
+ public InputValidationException()
+ {
+ super();
+ }
+
+ /**
+ * <p>
+ * Creates an instance of {@code InputValidationException} with the specified error message.
+ * </p>
+ *
+ * @param message a {@code String} representing the exception's message.
+ */
+ public InputValidationException(String message)
+ {
+ super(message);
+ }
+
+ /**
+ * <p>
+ * Creates an instance of {@code InputValidationException} with the specified message and cause.
+ * </p>
+ *
+ * @param message a {@code String} representing the exception's message.
+ * @param cause a {@code Throwable} representing the cause of the exception, if available.
+ */
+ public InputValidationException(String message, Throwable cause)
+ {
+ super(message, cause);
+ }
+}
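Review bot: InputValidationException extends Exception and is therefore Serializable, but it declares no serialVersionUID, so the id is compiler-generated and changes with any edit to the class; add `private static final long serialVersionUID = 1L;` as the first member. The login module converts this exception to a FailedLoginException before it leaves login(), so the practical impact is limited to validators that surface it elsewhere, but the stable id costs nothing. The class Javadoc also has a typo: "doens't" should read "doesn't".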
Added: projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/auth/spi/InputValidator.java
===================================================================
--- projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/auth/spi/InputValidator.java (rev 0)
+++ projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/auth/spi/InputValidator.java 2009-03-03 01:24:31 UTC (rev 85135)
@@ -0,0 +1,44 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2009, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.security.auth.spi;
+
+/**
+ * <p>
+ * Interface that must be implemented by login module input validators.
+ * </p>
+ *
+ * @author <a href="mailto:sguilhen at redhat.com">Stefan Guilhen</a>
+ */
+public interface InputValidator
+{
+
+ /**
+ * <p>
+ * Validates the specified username and password.
+ * </p>
+ *
+ * @param username the username to be validated.
+ * @param password the password to be validated.
+ * @throws InputValidationException if the validation process considers the username and/or the password invalid.
+ */
+ public void validateUsernameAndPassword(String username, String password) throws InputValidationException;
+}
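Review bot: The contract says nothing about nullability, yet UsernamePasswordLoginModule calls validateUsernameAndPassword before its own `username == null && password == null` check, so implementations receive null for either argument whenever the callback handler supplies none. Document that on the method: `@param username the username to be validated; may be {@code null} if the client supplied none.` and the same for `@param password`, so implementers null-guard (as the sample TestInputValidator does) instead of throwing NullPointerException out of login(). It is also worth stating in the `@throws` text that the exception's message is handed to the caller as the FailedLoginException text, so validators should not echo the rejected username or password in it.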
Modified: projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/auth/spi/SecurityActions.java
===================================================================
--- projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/auth/spi/SecurityActions.java 2009-03-03 01:24:10 UTC (rev 85134)
+++ projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/auth/spi/SecurityActions.java 2009-03-03 01:24:31 UTC (rev 85135)
@@ -71,4 +71,22 @@
}
});
}
+
+ static Class<?> loadClass(final String name) throws PrivilegedActionException
+ {
+ return AccessController.doPrivileged(new PrivilegedExceptionAction<Class<?>>()
+ {
+ public Class<?> run() throws PrivilegedActionException
+ {
+ try
+ {
+ return getContextClassLoader().loadClass(name);
+ }
+ catch ( Exception e)
+ {
+ throw new PrivilegedActionException(e);
+ }
+ }
+ });
+ }
}
\ No newline at end of file
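Review bot: loadClass double-wraps the failure: run() declares and throws PrivilegedActionException itself, and AccessController.doPrivileged wraps any checked exception thrown from run() in another PrivilegedActionException, so a caller that calls getException() once gets a PrivilegedActionException instead of the underlying ClassNotFoundException. Declare the narrow checked exception and let doPrivileged do the single wrap: `public Class<?> run() throws ClassNotFoundException` with the body reduced to `return getContextClassLoader().loadClass(name);` and the try/catch removed. `getContextClassLoader()` is presumably a sibling helper of this class that sits outside the hunk; the other methods it accompanies are not visible here.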
Modified: projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/auth/spi/UsernamePasswordLoginModule.java
===================================================================
--- projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/auth/spi/UsernamePasswordLoginModule.java 2009-03-03 01:24:10 UTC (rev 85134)
+++ projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/auth/spi/UsernamePasswordLoginModule.java 2009-03-03 01:24:31 UTC (rev 85135)
@@ -86,6 +86,9 @@
/** A {@code Throwable} representing the validation error */
private Throwable validateError;
+ /** The input validator instance used to validate the username and password supplied by the client. */
+ private InputValidator inputValidator = null;
+
/** Override the superclass method to look for the following options after
first invoking the super version.
@param options :
@@ -146,6 +149,20 @@
flag = (String) options.get("throwValidateError");
if(flag != null)
this.throwValidateError = Boolean.valueOf(flag).booleanValue();
+ // instantiate the input validator class.
+ flag = (String) options.get("inputValidator");
+ if(flag != null)
+ {
+ try
+ {
+ Class<?> validatorClass = SecurityActions.loadClass(flag);
+ this.inputValidator = (InputValidator) validatorClass.newInstance();
+ }
+ catch(Exception e)
+ {
+ this.log.debug("Unable to instantiate input validator class: " + flag);
+ }
+ }
}
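Review bot: When the configured validator cannot be loaded, instantiated, or is not an InputValidator (the cast after newInstance() throws ClassCastException into the same catch), the failure is logged at debug level with the exception dropped and the module carries on with inputValidator == null — the validation the operator explicitly configured is silently disabled, which is fail-open. A misconfiguration here should be loud and should block logins: replace the catch body with `throw new IllegalArgumentException("Unable to instantiate input validator class: " + flag, e);`, or at minimum `this.log.error("Unable to instantiate input validator class: " + flag, e);` so the cause is not lost. Throwing an unchecked exception from initialize() presumably surfaces as a LoginException from LoginContext; confirm that against the JAAS behaviour relied upon here. The enclosing initialize() method begins before this hunk, and reusing the `flag` local for a class name reads oddly — a `validatorClassName` local would be clearer.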
/** Perform the authentication of the username and password.
@@ -189,6 +206,20 @@
String[] info = getUsernameAndPassword();
String username = info[0];
String password = info[1];
+
+ // validate the retrieved username and password.
+ if(this.inputValidator != null)
+ {
+ try
+ {
+ this.inputValidator.validateUsernameAndPassword(username, password);
+ }
+ catch(InputValidationException ive)
+ {
+ throw new FailedLoginException(ive.getMessage());
+ }
+ }
+
if( username == null && password == null )
{
identity = unauthenticatedIdentity;
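Review bot: The FailedLoginException thrown on validation failure drops the InputValidationException as its cause, so the validator's stack trace is lost for diagnostics; FailedLoginException has no cause constructor, so use `FailedLoginException fle = new FailedLoginException(ive.getMessage());` followed by `fle.initCause(ive);` and `throw fle;`. Note also that validation runs before the `username == null && password == null` branch below, so a null/null unauthenticated login is handed to the validator too — if that is intended, implementations must tolerate nulls, otherwise move the validation after that branch. The validator's message is returned verbatim to the caller, so it must not include the rejected input. login() continues past the end of this hunk.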
Modified: projects/security/security-jboss-sx/trunk/jbosssx/src/test/java/org/jboss/test/authentication/jaas/LoginModulesUnitTestCase.java
===================================================================
--- projects/security/security-jboss-sx/trunk/jbosssx/src/test/java/org/jboss/test/authentication/jaas/LoginModulesUnitTestCase.java 2009-03-03 01:24:10 UTC (rev 85134)
+++ projects/security/security-jboss-sx/trunk/jbosssx/src/test/java/org/jboss/test/authentication/jaas/LoginModulesUnitTestCase.java 2009-03-03 01:24:31 UTC (rev 85135)
@@ -205,6 +205,23 @@
return new AppConfigurationEntry[]{entry};
}
+ /**
+ * <p>
+ * Obtains a configuration that uses a module in conjunction with an {@code InputValidator} to check if the
+ * supplied username and password are valid.
+ * </p>
+ *
+ * @return the test {@code AppConfigurationEntry}.
+ */
+ AppConfigurationEntry[] testInputValidator()
+ {
+ HashMap options = new HashMap();
+ options.put("inputValidator", "org.jboss.test.authentication.jaas.helpers.TestInputValidator");
+ AppConfigurationEntry entry = new AppConfigurationEntry(TestLoginModule.class.getName(),
+ AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options);
+ return new AppConfigurationEntry[]{entry};
+ }
+
AppConfigurationEntry[] other()
{
AppConfigurationEntry ace = new AppConfigurationEntry(TestLoginModule.class.getName(),
@@ -486,4 +503,58 @@
}
}
+
+ /**
+ * <p>
+ * Tests the usage of an {@code InputValidator} to verify that the client-supplied username and password
+ * adhere to the expected rules.
+ * </p>
+ *
+ * @throws Exception if an error occurs while running the test.
+ */
+ public void testInputValidator() throws Exception
+ {
+ // let's start with a valid username/password pair.
+ LoginContext context = new LoginContext("testInputValidator", new UsernamePasswordHandler("user", "secret"));
+ context.login();
+ assertNotNull(context.getSubject());
+ context.logout();
+
+ // now let's try a username that doesn't conform to the [A-Za-z0-9]* pattern.
+ context = new LoginContext("testInputValidator", new UsernamePasswordHandler("$user$", "secret"));
+ try
+ {
+ context.login();
+ fail("Login should have failed as the supplied username does not adhere to the expected pattern");
+ }
+ catch(LoginException le)
+ {
+ assertEquals("Username or password does not adhere to the acceptable pattern", le.getMessage());
+ }
+
+ // now let's try a password that doesn't conform to the pattern by including a space in the middle of the password).
+ context = new LoginContext("testInputValidator", new UsernamePasswordHandler("user", "sec ret"));
+ try
+ {
+ context.login();
+ fail("Login should have failed as the supplied username does not adhere to the expected pattern");
+ }
+ catch(LoginException le)
+ {
+ assertEquals("Username or password does not adhere to the acceptable pattern", le.getMessage());
+ }
+
+ // finally, let's try a username that has one of the blacklisted tokens.
+ context = new LoginContext("testInputValidator", new UsernamePasswordHandler("javaINSERTduke", "secret"));
+ try
+ {
+ context.login();
+ fail("Login should have failed as the supplied username does not adhere to the expected pattern");
+ }
+ catch(LoginException le)
+ {
+ assertEquals("Username or password contains invalid tokens", le.getMessage());
+ }
+
+ }
}
\ No newline at end of file
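Review bot: The fail() messages for the second and third cases are copy-pasted from the first: the second case supplies a malformed password (`"sec ret"`) and the third a blacklisted token, yet both messages say the supplied username does not adhere to the expected pattern, which will mislead whoever reads a failing run. Change them to `fail("Login should have failed as the supplied password does not adhere to the expected pattern");` and `fail("Login should have failed as the supplied username contains a blacklisted token");`. The assertions also pin the exact exception text produced by the sample TestInputValidator, so any rewording of its messages breaks this test; asserting on the exception type, or on a distinguishing prefix, would be less brittle.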
Added: projects/security/security-jboss-sx/trunk/jbosssx/src/test/java/org/jboss/test/authentication/jaas/helpers/TestInputValidator.java
===================================================================
--- projects/security/security-jboss-sx/trunk/jbosssx/src/test/java/org/jboss/test/authentication/jaas/helpers/TestInputValidator.java (rev 0)
+++ projects/security/security-jboss-sx/trunk/jbosssx/src/test/java/org/jboss/test/authentication/jaas/helpers/TestInputValidator.java 2009-03-03 01:24:31 UTC (rev 85135)
@@ -0,0 +1,93 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2009, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.test.authentication.jaas.helpers;
+
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+import org.jboss.security.auth.spi.InputValidationException;
+import org.jboss.security.auth.spi.InputValidator;
+
+/**
+ * <p>
+ * A sample {@code InputValidator} that uses both pattern and blacklist checks to verify if the supplied username and
+ * password are valid.
+ * </p>
+ *
+ * @author <a href="mailto:sguilhen at redhat.com">Stefan Guilhen</a>
+ */
+public class TestInputValidator implements InputValidator
+{
+
+ // the list of invalid tokens.
+ private final String[] blackList =
+ {"INSERT", "INTO", "SELECT", "FROM", "WHERE", "DROP", "DATABASE", "VALUES"};
+
+ // a username can be any word (that is, a sequence of [a-zA-Z_0-9]).
+ private final Pattern usernamePattern = Pattern.compile("[\\w]*");
+
+ // a password can be any sequence of word and punctuation characters (that is
+ // [a-zA-Z_0-9!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~])
+ private final Pattern passwordPattern = Pattern.compile("[\\w\\p{Punct}]*");
+
+ /*
+ * (non-Javadoc)
+ *
+ * @see org.jboss.security.auth.spi.InputValidator#validateUsernameAndPassword(java.lang.String, java.lang.String)
+ */
+ public void validateUsernameAndPassword(String username, String password) throws InputValidationException
+ {
+ if (username == null)
+ username = "";
+ if (password == null)
+ password = "";
+
+ // we start with a validation using patterns.
+ Matcher usernameMatcher = this.usernamePattern.matcher(username);
+ Matcher passwordMatcher = this.passwordPattern.matcher(password);
+ if (!usernameMatcher.matches() || !passwordMatcher.matches())
+ throw new InputValidationException("Username or password does not adhere to the acceptable pattern");
+
+ // now we proceed with a blacklist validation.
+ if (matchesBlackList(username) || matchesBlackList(password))
+ throw new InputValidationException("Username or password contains invalid tokens");
+ }
+
+ /**
+ * <p>
+ * Example of validation that uses a blacklist to prevent invalid tokens in usernames and passwords.
+ * </p>
+ *
+ * @param expression the username or password being validated.
+ * @return {@code true} if the expression contains one of the blacklisted tokens; {@code false} otherwise.
+ */
+ public boolean matchesBlackList(String expression)
+ {
+ String exprUpperCase = expression.toUpperCase();
+ for (String token : this.blackList)
+ {
+ if (exprUpperCase.indexOf(token) != -1)
+ return true;
+ }
+ return false;
+ }
+}
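Review bot: matchesBlackList uppercases with the default locale (`expression.toUpperCase()`), so under a Turkish-family locale "insert" becomes "İNSERT" and no longer matches the "INSERT" entry — a locale-dependent bypass of the blacklist; use `String exprUpperCase = expression.toUpperCase(Locale.ROOT);` (import java.util.Locale). Since this class is shipped as the sample validator, add a comment above `blackList` making clear that a substring blacklist is not a defence against injection: it rejects legitimate credentials such as a password containing "fromage" or "select", while the pattern check already restricts the character set, and the real protection is parameterised queries in whatever login module consumes these values. The two Pattern fields are compiled per instance; `private static final` would compile them once.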