diff --git a/scm-plugins/scm-legacy-plugin/src/main/java/sonia/scm/legacy/LegacyRealm.java b/scm-plugins/scm-legacy-plugin/src/main/java/sonia/scm/legacy/LegacyRealm.java
index 3fb3dc4e03..1130b8feea 100644
--- a/scm-plugins/scm-legacy-plugin/src/main/java/sonia/scm/legacy/LegacyRealm.java
+++ b/scm-plugins/scm-legacy-plugin/src/main/java/sonia/scm/legacy/LegacyRealm.java
@@ -34,6 +34,7 @@ package sonia.scm.legacy;
 //~--- non-JDK imports --------------------------------------------------------
 import com.google.common.annotations.VisibleForTesting;
+import com.google.common.base.CharMatcher;
 import com.google.common.base.Preconditions;
 import org.apache.shiro.authc.AuthenticationException;
@@ -44,6 +45,9 @@ import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
 import org.apache.shiro.crypto.hash.Sha1Hash;
 import org.apache.shiro.realm.AuthenticatingRealm;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
 import sonia.scm.group.GroupDAO;
 import sonia.scm.plugin.Extension;
 import sonia.scm.security.DAORealmHelper;
@@ -69,6 +73,19 @@ public class LegacyRealm extends AuthenticatingRealm
 @VisibleForTesting
 static final String REALM = "LegacyRealm";
+ /** Field description */
+ //J-
+ private static final CharMatcher HEX_MATCHER = CharMatcher.inRange('0', '9')
+ .or(CharMatcher.inRange('a', 'f'))
+ .or(CharMatcher.inRange('A', 'F'));
+ //J+
+
+ /**
+ * the logger for LegacyRealm
+ */
+ private static final Logger logger =
+ LoggerFactory.getLogger(LegacyRealm.class);
+
 //~--- constructors ---------------------------------------------------------
 /**
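Review bot: `/** Field description */` on HEX_MATCHER in the third hunk is a placeholder that says nothing about why only hex characters are accepted, although this matcher is what decides which stored credentials the realm will try to authenticate at all. A real sentence would help the next maintainer, e.g. `/** Matches a plain hex-encoded hash; credentials in any other format are not authenticated by this realm. */`. The `//J-`/`//J+` markers suggest a formatter is in use, so the placeholder was probably generated rather than written; the first two hunks on this line only add imports and need nothing.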
@@ -112,15 +129,37 @@ public class LegacyRealm extends AuthenticatingRealm
 Preconditions.checkArgument(token instanceof UsernamePasswordToken,
 "unsupported token");
- AuthenticationInfo info = null;
- char[] password = ((UsernamePasswordToken) token).getPassword();
+ return returnOnHexCredentials(helper.getAuthenticationInfo(token));
+ }
- if ((password != null) && (password[0] != '$'))
+ private AuthenticationInfo returnOnHexCredentials(AuthenticationInfo info)
+ {
+ AuthenticationInfo result = null;
+
+ if (info != null)
 {
- info = helper.getAuthenticationInfo(token);
+ Object credentials = info.getCredentials();
+
+ if (credentials instanceof String)
+ {
+ String password = (String) credentials;
+
+ if (HEX_MATCHER.matchesAllOf(password))
+ {
+ result = info;
+ }
+ else
+ {
+ logger.debug("hash contains non hex chars");
+ }
+ }
+ else
+ {
+ logger.debug("non string crendentials found");
+ }
 }
- return info;
+ return result;
 }
 //~--- fields ---------------------------------------------------------------
diff --git a/scm-plugins/scm-legacy-plugin/src/test/java/sonia/scm/legacy/LegacyRealmTest.java b/scm-plugins/scm-legacy-plugin/src/test/java/sonia/scm/legacy/LegacyRealmTest.java
index 08ed92e3e0..fd967dcad5 100644
--- a/scm-plugins/scm-legacy-plugin/src/test/java/sonia/scm/legacy/LegacyRealmTest.java
+++ b/scm-plugins/scm-legacy-plugin/src/test/java/sonia/scm/legacy/LegacyRealmTest.java
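Review bot: `HEX_MATCHER.matchesAllOf(password)` is true for an empty string, so an empty stored credential passes the hex filter in returnOnHexCredentials and the outcome is then left to the configured credentials matcher (set up outside this hunk); if the intent is to accept only a hex-encoded hash, say so explicitly with `if (!password.isEmpty() && HEX_MATCHER.matchesAllOf(password))`, or check the digest length if the matcher is known to be SHA-1. The debug message `"non string crendentials found"` has a typo, `credentials`. The new private method has no Javadoc although the file documents every other member; a one-liner such as `/** Returns info only when its stored credentials are a plain hex string, otherwise null. */` would do. The local `password` holds the stored hash from `info.getCredentials()`, not the submitted password, so `storedHash` would read more accurately. doGetAuthenticationInfo's signature lies before the hunk.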
@@ -100,11 +100,28 @@ public class LegacyRealmTest
 @Test
 public void testDoGetAuthenticationInfoWithNewPasswords()
 {
+ User user = UserTestData.createTrillian();
+ user.setPassword(NEW_PASSWORD);
+ when(userDAO.get("tricia")).thenReturn(user);
+
 AuthenticationToken token = new UsernamePasswordToken("tricia", NEW_PASSWORD);
 assertNull(realm.doGetAuthenticationInfo(token));
 }
+
+/**
+ * Method description
+ *
+ */
+ @Test
+ public void testDoGetAuthenticationInfoWithNullPassword()
+ {
+ when(userDAO.get("tricia")).thenReturn(UserTestData.createTrillian());
+ AuthenticationToken token = new UsernamePasswordToken("tricia", "secret");
+
+ assertNull(realm.doGetAuthenticationInfo(token));
+ }
 /**
 * Method description
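Review bot: `testDoGetAuthenticationInfoWithNullPassword` relies on `UserTestData.createTrillian()` (defined outside this hunk) returning a user with no password; if that fixture ever sets a non-hex password the test keeps passing for a different reason than its name states. Making the expectation explicit, `User user = UserTestData.createTrillian(); user.setPassword(null); when(userDAO.get("tricia")).thenReturn(user);`, keeps the case self-contained and mirrors the setup added to testDoGetAuthenticationInfoWithNewPasswords. The added Javadoc `Method description` is a placeholder; `/** A user without a stored password must not be authenticated by the legacy realm. */` would say what is being checked. The `/**` of that comment also sits at column 0 while the method it documents is indented.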