2 // ========================================================================
3 // Copyright (c) 1995-2014 Mort Bay Consulting Pty. Ltd.
4 // ------------------------------------------------------------------------
5 // All rights reserved. This program and the accompanying materials
6 // are made available under the terms of the Eclipse Public License v1.0
7 // and Apache License v2.0 which accompanies this distribution.
9 // The Eclipse Public License is available at
10 // http://www.eclipse.org/legal/epl-v10.html
12 // The Apache License v2.0 is available at
13 // http://www.opensource.org/licenses/apache2.0.php
15 // You may elect to redistribute this code under either of these licenses.
16 // ========================================================================
19 package org.eclipse.jetty.util.security;
21 import java.io.Serializable;
22 import java.nio.charset.StandardCharsets;
23 import java.security.MessageDigest;
25 import org.eclipse.jetty.util.TypeUtil;
26 import org.eclipse.jetty.util.log.Log;
27 import org.eclipse.jetty.util.log.Logger;
29 /* ------------------------------------------------------------ */
31 * Credentials. The Credential class represents an abstract mechanism for
32 * checking authentication credentials. A credential instance either represents
33 * a secret, or some data that could only be derived from knowing the secret.
35 * Often a Credential is related to a Password via a one way algorithm, so while
36 * a Password itself is a Credential, a UnixCrypt or MD5 digest of a a password
37 * is only a credential that can be checked against the password.
39 * This class includes an implementation for unix Crypt an MD5 digest.
44 public abstract class Credential implements Serializable
46 private static final Logger LOG = Log.getLogger(Credential.class);
48 private static final long serialVersionUID = -7760551052768181572L;
50 /* ------------------------------------------------------------ */
54 * @param credentials The credential to check against. This may either be
55 * another Credential object, a Password object or a String
56 * which is interpreted by this credential.
57 * @return True if the credentials indicated that the shared secret is known
58 * to both this Credential and the passed credential.
60 public abstract boolean check(Object credentials);
62 /* ------------------------------------------------------------ */
64 * Get a credential from a String. If the credential String starts with a
65 * known Credential type (eg "CRYPT:" or "MD5:" ) then a Credential of that
66 * type is returned. Else the credential is assumed to be a Password.
68 * @param credential String representation of the credential
69 * @return A Credential or Password instance.
71 public static Credential getCredential(String credential)
73 if (credential.startsWith(Crypt.__TYPE)) return new Crypt(credential);
74 if (credential.startsWith(MD5.__TYPE)) return new MD5(credential);
76 return new Password(credential);
79 /* ------------------------------------------------------------ */
81 * Unix Crypt Credentials
83 public static class Crypt extends Credential
85 private static final long serialVersionUID = -2027792997664744210L;
87 public static final String __TYPE = "CRYPT:";
89 private final String _cooked;
93 _cooked = cooked.startsWith(Crypt.__TYPE) ? cooked.substring(__TYPE.length()) : cooked;
97 public boolean check(Object credentials)
99 if (credentials instanceof char[])
100 credentials=new String((char[])credentials);
101 if (!(credentials instanceof String) && !(credentials instanceof Password))
102 LOG.warn("Can't check " + credentials.getClass() + " against CRYPT");
104 String passwd = credentials.toString();
105 return _cooked.equals(UnixCrypt.crypt(passwd, _cooked));
108 public static String crypt(String user, String pw)
110 return "CRYPT:" + UnixCrypt.crypt(pw, user);
114 /* ------------------------------------------------------------ */
118 public static class MD5 extends Credential
120 private static final long serialVersionUID = 5533846540822684240L;
122 public static final String __TYPE = "MD5:";
124 public static final Object __md5Lock = new Object();
126 private static MessageDigest __md;
128 private final byte[] _digest;
130 /* ------------------------------------------------------------ */
133 digest = digest.startsWith(__TYPE) ? digest.substring(__TYPE.length()) : digest;
134 _digest = TypeUtil.parseBytes(digest, 16);
137 /* ------------------------------------------------------------ */
138 public byte[] getDigest()
143 /* ------------------------------------------------------------ */
145 public boolean check(Object credentials)
149 byte[] digest = null;
151 if (credentials instanceof char[])
152 credentials=new String((char[])credentials);
153 if (credentials instanceof Password || credentials instanceof String)
155 synchronized (__md5Lock)
157 if (__md == null) __md = MessageDigest.getInstance("MD5");
159 __md.update(credentials.toString().getBytes(StandardCharsets.ISO_8859_1));
160 digest = __md.digest();
162 if (digest == null || digest.length != _digest.length) return false;
163 for (int i = 0; i < digest.length; i++)
164 if (digest[i] != _digest[i]) return false;
167 else if (credentials instanceof MD5)
169 MD5 md5 = (MD5) credentials;
170 if (_digest.length != md5._digest.length) return false;
171 for (int i = 0; i < _digest.length; i++)
172 if (_digest[i] != md5._digest[i]) return false;
175 else if (credentials instanceof Credential)
177 // Allow credential to attempt check - i.e. this'll work
178 // for DigestAuthModule$Digest credentials
179 return ((Credential) credentials).check(this);
183 LOG.warn("Can't check " + credentials.getClass() + " against MD5");
194 /* ------------------------------------------------------------ */
195 public static String digest(String password)
200 synchronized (__md5Lock)
206 __md = MessageDigest.getInstance("MD5");
216 __md.update(password.getBytes(StandardCharsets.ISO_8859_1));
217 digest = __md.digest();
220 return __TYPE + TypeUtil.toString(digest, 16);