This is an automated email from the ASF dual-hosted git repository.

mbien pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/roller.git

commit 2d5bc971cab183df5ee0d1b1ffecc3946a1e9f2c
Author: Michael Bien <[email protected]>
AuthorDate: Sun Aug 22 03:44:19 2021 +0200

    RememberMeService should use a better hash function.
---
 .../weblogger/ui/core/security/RollerRememberMeServices.java      | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git 
a/app/src/main/java/org/apache/roller/weblogger/ui/core/security/RollerRememberMeServices.java
 
b/app/src/main/java/org/apache/roller/weblogger/ui/core/security/RollerRememberMeServices.java
index af1afc2..2566a43 100644
--- 
a/app/src/main/java/org/apache/roller/weblogger/ui/core/security/RollerRememberMeServices.java
+++ 
b/app/src/main/java/org/apache/roller/weblogger/ui/core/security/RollerRememberMeServices.java
@@ -31,8 +31,8 @@ import java.security.NoSuchAlgorithmException;
 
 
 public class RollerRememberMeServices extends TokenBasedRememberMeServices {
-    private static final Log log = 
LogFactory.getLog(RollerRememberMeServices.class);
 
+    private static final Log log = 
LogFactory.getLog(RollerRememberMeServices.class);
 
     public RollerRememberMeServices(UserDetailsService userDetailsService) {
         
@@ -51,7 +51,7 @@ public class RollerRememberMeServices extends 
TokenBasedRememberMeServices {
 
     /**
      * Calculates the digital signature to be put in the cookie. Default value 
is
-     * MD5 ("username:tokenExpiryTime:password:key")
+     * SHA-512 ("username:tokenExpiryTime:password:key")
      *
      * If LDAP is enabled then a configurable dummy password is used in the 
calculation.
      */
@@ -70,9 +70,9 @@ public class RollerRememberMeServices extends 
TokenBasedRememberMeServices {
         String data = username + ":" + tokenExpiryTime + ":" + password + ":" 
+ getKey();
         MessageDigest digest;
         try {
-            digest = MessageDigest.getInstance("MD5");
+            digest = MessageDigest.getInstance("SHA-512");
         } catch (NoSuchAlgorithmException e) {
-            throw new IllegalStateException("No MD5 algorithm available!");
+            throw new IllegalStateException("Required by Spec.", e);
         }
 
         return new String(Hex.encode(digest.digest(data.getBytes())));
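Review bot: `data.getBytes()` on the last line of the hunk still encodes with the platform default charset, so the signature for a username or password containing non-ASCII characters depends on the JVM's `file.encoding` and can differ between nodes or after a JDK change; `digest.digest(data.getBytes(StandardCharsets.UTF_8))` (with `import java.nio.charset.StandardCharsets;`) pins it. Moving from MD5 to SHA-512 strengthens the digest but keeps a bare hash over a `:`-joined concatenation in which `getKey()` is the only secret; the conventional construction for a cookie signature is a keyed MAC (`Mac.getInstance("HmacSHA256")` initialised with the key), which would also avoid any ambiguity when a field itself contains `:` — worth a follow-up rather than widening this commit. The new message `"Required by Spec."` drops the information the old one carried; `throw new IllegalStateException("SHA-512 MessageDigest not available", e);` keeps the cause and says what failed. Because the algorithm changes, remember-me cookies issued by the previous build will presumably fail verification and users will be re-prompted to log in, which is acceptable but worth a line in the commit message or release notes. The enclosing method begins before the hunk, and the comparison of this value against the cookie's signature is outside it.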
