http://issues.apache.org/bugzilla/show_bug.cgi?id=32938

Summary: SSHA passwords in JNDIRealm
Product: Tomcat 5
Version: 5.5.4
Platform: All
OS/Version: All
Status: NEW
Keywords: PatchAvailable
Severity: enhancement
Priority: P2
Component: Catalina
AssignedTo: tomcat-dev@jakarta.apache.org
ReportedBy: [EMAIL PROTECTED]

Current implementation of JNDIRealm does not support "Salted" SHA passwords. So, if the password was set by iPlanet Admin server - it can't be verified by JNDIRealm. Here is the patch to make it work.

*** orig/catalina/src/share/org/apache/catalina/realm/JNDIRealm.java Tue Jan 4 11:34:07 2005 --- jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/JNDIRealm.java Tue Jan 4 11:16:54 2005 *************** import javax.naming.directory.SearchCont *** 43,48 **** --- 43,50 ---- import javax.naming.directory.SearchResult; import org.apache.catalina.LifecycleException; import org.apache.catalina.util.Base64; + import org.apache.tomcat.util.buf.ByteChunk; + import org.apache.tomcat.util.buf.CharChunk; /** *************** public class JNDIRealm extends RealmBase *** 1191,1196 **** --- 1193,1231 ---- new String(Base64.encode(md.digest())); validated = password.equals(digestedPassword); } + } else if (password.startsWith("{SSHA}")) { + /* sync since super.digest() does this same thing */ + synchronized (this) { + password = password.substring(6); + + md.reset(); + md.update(credentials.getBytes()); + //Decode stored password. + ByteChunk pwbc = new ByteChunk(password.length()); + try { + pwbc.append(password.getBytes(), 0, password.length()); + } catch (java.io.IOException e) { + e.printStackTrace(); //Hopefully will never happen. + } + CharChunk decoded = new CharChunk(); + Base64.decode(pwbc, decoded); + char[] pwarray = decoded.getBuffer(); + // Split decoded password into hash and salt. 
+ final int saltpos = 20; + byte[] hash = new byte[saltpos]; + for (int i=0; i< hash.length; i++) + hash[i] = (byte)pwarray[i]; + + byte[] salt = new byte[pwarray.length - saltpos]; + for (int i=0; i< salt.length; i++) + salt[i] = (byte)pwarray[i+saltpos]; + + md.update(salt); + + byte[] dp = md.digest(); + + validated = java.util.Arrays.equals(dp, hash); + } } else { // Hex hashes should be compared case-insensitive validated = (digest(credentials).equalsIgnoreCase(password)); *************** public class JNDIRealm extends RealmBase *** 1202,1208 **** } - /** * Check credentials by binding to the directory as the user * --- 1237,1242 ----
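
Review bot: In the {SSHA} branch, the split of the decoded value into hash and salt has no length check. If the stored value decodes to fewer than 20 bytes, hash[i] = (byte)pwarray[i] runs past the array or new byte[pwarray.length - saltpos] gets a negative size, so a malformed password attribute in the directory surfaces as an unchecked exception during authentication instead of a failed login. Compare the decoded length against saltpos first and leave validated false when it is too short. The salt length is also taken from pwarray.length, and pwarray is whatever decoded.getBuffer() returns; if that backing array is larger than the number of decoded characters, the trailing chars are hashed as salt and a correct password is rejected, so bound both loops by decoded.getLength(). Two smaller points: credentials.getBytes() and password.getBytes() depend on the platform default charset, and the IOException from pwbc.append is only printed with e.printStackTrace() before the code carries on with an empty chunk; log it and fail validation there instead.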
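
Review bot: The hunk at line 1202 only deletes the blank line in front of the Javadoc comment for the bind-based credential check, which is unrelated to SSHA support. Drop it so the patch touches nothing but the new branch and its two imports.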