From 40fd8d7aa752ee2bf19e8859f8c19a58257171d1 Mon Sep 17 00:00:00 2001 From: Rob Winch Date: Sun, 22 Oct 2017 10:26:09 -0500 Subject: [PATCH] Remove ShaPasswordEncoder from core Issue: gh-4674 --- .../authentication/PasswordEncoderParser.java | 9 --- .../security/config/spring-security-5.0.rnc | 2 +- .../security/config/spring-security-5.0.xsd | 6 -- ...tionProviderBeanDefinitionParserTests.java | 17 ---- .../encoding/ShaPasswordEncoder.java | 63 --------------- .../dao/DaoAuthenticationProviderTests.java | 43 +++------- .../encoding/ShaPasswordEncoderTests.java | 79 ------------------- 7 files changed, 14 insertions(+), 205 deletions(-) delete mode 100644 core/src/main/java/org/springframework/security/authentication/encoding/ShaPasswordEncoder.java delete mode 100644 core/src/test/java/org/springframework/security/authentication/encoding/ShaPasswordEncoderTests.java diff --git a/config/src/main/java/org/springframework/security/config/authentication/PasswordEncoderParser.java b/config/src/main/java/org/springframework/security/config/authentication/PasswordEncoderParser.java index da63914cfc..77ad780dbe 100644 --- a/config/src/main/java/org/springframework/security/config/authentication/PasswordEncoderParser.java +++ b/config/src/main/java/org/springframework/security/config/authentication/PasswordEncoderParser.java @@ -30,7 +30,6 @@ import org.springframework.security.authentication.encoding.BaseDigestPasswordEn import org.springframework.security.authentication.encoding.LdapShaPasswordEncoder; import org.springframework.security.authentication.encoding.Md4PasswordEncoder; import org.springframework.security.authentication.encoding.PlaintextPasswordEncoder; -import org.springframework.security.authentication.encoding.ShaPasswordEncoder; import org.springframework.security.config.Elements; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.util.StringUtils; @@ -50,8 +49,6 @@ public class PasswordEncoderParser { static final String ATT_BASE_64 = "base64"; static final String OPT_HASH_BCRYPT = "bcrypt"; static final String OPT_HASH_PLAINTEXT = "plaintext"; - static final String OPT_HASH_SHA = "sha"; - static final String OPT_HASH_SHA256 = "sha-256"; static final String OPT_HASH_MD4 = "md4"; static final String OPT_HASH_LDAP_SHA = "{sha}"; static final String OPT_HASH_LDAP_SSHA = "{ssha}"; @@ -62,8 +59,6 @@ public class PasswordEncoderParser { ENCODER_CLASSES = new HashMap>(); ENCODER_CLASSES.put(OPT_HASH_PLAINTEXT, PlaintextPasswordEncoder.class); ENCODER_CLASSES.put(OPT_HASH_BCRYPT, BCryptPasswordEncoder.class); - ENCODER_CLASSES.put(OPT_HASH_SHA, ShaPasswordEncoder.class); - ENCODER_CLASSES.put(OPT_HASH_SHA256, ShaPasswordEncoder.class); ENCODER_CLASSES.put(OPT_HASH_MD4, Md4PasswordEncoder.class); ENCODER_CLASSES.put(OPT_HASH_LDAP_SHA, LdapShaPasswordEncoder.class); ENCODER_CLASSES.put(OPT_HASH_LDAP_SSHA, LdapShaPasswordEncoder.class); @@ -119,10 +114,6 @@ public class PasswordEncoderParser { BeanDefinitionBuilder beanBldr = BeanDefinitionBuilder .rootBeanDefinition(beanClass); - if (OPT_HASH_SHA256.equals(hash)) { - beanBldr.addConstructorArgValue(Integer.valueOf(256)); - } - if (useBase64) { if (BaseDigestPasswordEncoder.class.isAssignableFrom(beanClass)) { beanBldr.addPropertyValue("encodeHashAsBase64", "true"); diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-5.0.rnc b/config/src/main/resources/org/springframework/security/config/spring-security-5.0.rnc index 5a31059303..c0c3f67d04 100644 --- a/config/src/main/resources/org/springframework/security/config/spring-security-5.0.rnc +++ b/config/src/main/resources/org/springframework/security/config/spring-security-5.0.rnc @@ -7,7 +7,7 @@ start = http | ldap-server | authentication-provider | ldap-authentication-provi hash = ## Defines the hashing algorithm used on user passwords. Bcrypt is recommended. - attribute hash {"bcrypt" | "plaintext" | "sha" | "sha-256" | "md4" | "{sha}" | "{ssha}"} + attribute hash {"bcrypt" | "plaintext" | "md4" | "{sha}" | "{ssha}"} base64 = ## Whether a string should be base64 encoded attribute base64 {xsd:boolean} diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-5.0.xsd b/config/src/main/resources/org/springframework/security/config/spring-security-5.0.xsd index 4419de3aa6..d14438da4f 100644 --- a/config/src/main/resources/org/springframework/security/config/spring-security-5.0.xsd +++ b/config/src/main/resources/org/springframework/security/config/spring-security-5.0.xsd @@ -13,8 +13,6 @@ - - @@ -147,8 +145,6 @@ - - @@ -529,8 +525,6 @@ - - diff --git a/config/src/test/java/org/springframework/security/config/authentication/AuthenticationProviderBeanDefinitionParserTests.java b/config/src/test/java/org/springframework/security/config/authentication/AuthenticationProviderBeanDefinitionParserTests.java index 2a86f6dd6b..4af8ea3eaa 100644 --- a/config/src/test/java/org/springframework/security/config/authentication/AuthenticationProviderBeanDefinitionParserTests.java +++ b/config/src/test/java/org/springframework/security/config/authentication/AuthenticationProviderBeanDefinitionParserTests.java @@ -15,17 +15,13 @@ */ package org.springframework.security.config.authentication; -import static org.assertj.core.api.Assertions.*; - import org.springframework.security.authentication.AuthenticationProvider; import org.springframework.security.authentication.ProviderManager; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; import org.springframework.security.authentication.dao.ReflectionSaltSource; -import org.springframework.security.authentication.encoding.ShaPasswordEncoder; import org.springframework.security.config.BeanIds; import org.springframework.security.config.util.InMemoryXmlApplicationContext; import org.springframework.security.crypto.password.MessageDigestPasswordEncoder; -import org.springframework.security.util.FieldUtils; import org.springframework.beans.factory.parsing.BeanDefinitionParsingException; import org.springframework.context.support.AbstractXmlApplicationContext; @@ -132,19 +128,6 @@ public class AuthenticationProviderBeanDefinitionParserTests { getProvider().authenticate(bob); } - @Test - public void providerWithSha256PasswordEncoderIsSupported() throws Exception { - setContext(" " - + " " - + " " - + " " - + " " + " "); - - ShaPasswordEncoder encoder = (ShaPasswordEncoder) FieldUtils.getFieldValue( - getProvider(), "passwordEncoder"); - assertThat(encoder.getAlgorithm()).isEqualTo("SHA-256"); - } - @Test public void passwordIsBase64EncodedWhenBase64IsEnabled() throws Exception { appContext = new InMemoryXmlApplicationContext( diff --git a/core/src/main/java/org/springframework/security/authentication/encoding/ShaPasswordEncoder.java b/core/src/main/java/org/springframework/security/authentication/encoding/ShaPasswordEncoder.java deleted file mode 100644 index c4ddf73acc..0000000000 --- a/core/src/main/java/org/springframework/security/authentication/encoding/ShaPasswordEncoder.java +++ /dev/null @@ -1,63 +0,0 @@ -/* - * Copyright 2004, 2005, 2006 Acegi Technology Pty Limited - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.springframework.security.authentication.encoding; - -/** - *

- * SHA implementation of PasswordEncoder. - *

- *

- * If a null password is presented, it will be treated as an empty - * String ("") password. - *

- *

- * As SHA is a one-way hash, the salt can contain any characters. The default strength for - * the SHA encoding is SHA-1. If you wish to use higher strengths use the parametrised - * constructor. {@link #ShaPasswordEncoder(int strength)} - *

- *

- * The applicationContext example... - * - *

- * <bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.ShaPasswordEncoder">
- *     <constructor-arg value="256"/>
- * </bean>
- * 
- * - * @author Ray Krueger - * @author colin sampaleanu - * @author Ben Alex - */ -public class ShaPasswordEncoder extends MessageDigestPasswordEncoder { - - /** - * Initializes the ShaPasswordEncoder for SHA-1 strength - */ - public ShaPasswordEncoder() { - this(1); - } - - /** - * Initialize the ShaPasswordEncoder with a given SHA stength as supported by the JVM - * EX: ShaPasswordEncoder encoder = new ShaPasswordEncoder(256); - * initializes with SHA-256 - * - * @param strength EX: 1, 256, 384, 512 - */ - public ShaPasswordEncoder(int strength) { - super("SHA-" + strength); - } -} diff --git a/core/src/test/java/org/springframework/security/authentication/dao/DaoAuthenticationProviderTests.java b/core/src/test/java/org/springframework/security/authentication/dao/DaoAuthenticationProviderTests.java index fa878a7cab..6a8ff85880 100644 --- a/core/src/test/java/org/springframework/security/authentication/dao/DaoAuthenticationProviderTests.java +++ b/core/src/test/java/org/springframework/security/authentication/dao/DaoAuthenticationProviderTests.java @@ -40,7 +40,6 @@ import org.springframework.security.authentication.InternalAuthenticationService import org.springframework.security.authentication.LockedException; import org.springframework.security.authentication.TestingAuthenticationToken; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; -import org.springframework.security.authentication.encoding.ShaPasswordEncoder; import org.springframework.security.core.Authentication; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.authority.AuthorityUtils; @@ -348,33 +347,6 @@ public class DaoAuthenticationProviderTests { assertThat(result2.getCredentials()).isEqualTo(result.getCredentials()); } - @Test - public void testAuthenticatesWhenASaltIsUsed() { - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken( - "rod", "koala"); - - SystemWideSaltSource salt = new SystemWideSaltSource(); - salt.setSystemWideSalt("SYSTEM_SALT_VALUE"); - - DaoAuthenticationProvider provider = new DaoAuthenticationProvider(); - provider.setUserDetailsService(new MockAuthenticationDaoUserrodWithSalt()); - provider.setSaltSource(salt); - provider.setUserCache(new MockUserCache()); - - Authentication result = provider.authenticate(token); - - if (!(result instanceof UsernamePasswordAuthenticationToken)) { - fail("Should have returned instance of UsernamePasswordAuthenticationToken"); - } - - assertThat(result.getPrincipal().getClass()).isEqualTo(User.class); - - // We expect original credentials user submitted to be returned - assertThat(result.getCredentials()).isEqualTo("koala"); - assertThat(AuthorityUtils.authorityListToSet(result.getAuthorities())).contains( - "ROLE_ONE", "ROLE_TWO"); - } - @Test public void testAuthenticatesWithForcePrincipalAsString() { UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken( @@ -418,9 +390,9 @@ public class DaoAuthenticationProviderTests { @Test public void testGettersSetters() { DaoAuthenticationProvider provider = new DaoAuthenticationProvider(); - provider.setPasswordEncoder(new ShaPasswordEncoder()); + provider.setPasswordEncoder(new PWE()); assertThat(provider.getPasswordEncoder().getClass()).isEqualTo( - ShaPasswordEncoder.class); + PWE.class); provider.setSaltSource(new SystemWideSaltSource()); assertThat(provider.getSaltSource().getClass()).isEqualTo( @@ -435,6 +407,17 @@ public class DaoAuthenticationProviderTests { assertThat(provider.isForcePrincipalAsString()).isTrue(); } + static class PWE implements org.springframework.security.authentication.encoding.PasswordEncoder { + @Override public String encodePassword(String rawPass, Object salt) { + return null; + } + + @Override public boolean isPasswordValid(String encPass, String rawPass, + Object salt) { + return false; + } + } + @Test public void testGoesBackToAuthenticationDaoToObtainLatestPasswordIfCachedPasswordSeemsIncorrect() { UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken( diff --git a/core/src/test/java/org/springframework/security/authentication/encoding/ShaPasswordEncoderTests.java b/core/src/test/java/org/springframework/security/authentication/encoding/ShaPasswordEncoderTests.java deleted file mode 100644 index 6e5d329695..0000000000 --- a/core/src/test/java/org/springframework/security/authentication/encoding/ShaPasswordEncoderTests.java +++ /dev/null @@ -1,79 +0,0 @@ -/* - * Copyright 2004, 2005, 2006 Acegi Technology Pty Limited - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.springframework.security.authentication.encoding; - -import static org.assertj.core.api.Assertions.*; - -import org.junit.Test; -import org.springframework.security.authentication.encoding.ShaPasswordEncoder; - -/** - *

- * TestCase for ShaPasswordEncoder. - *

- * - * @author colin sampaleanu - * @author Ben Alex - * @author Ray Krueger - */ -public class ShaPasswordEncoderTests { - // ~ Methods - // ======================================================================================================== - - @Test - public void testBasicFunctionality() { - ShaPasswordEncoder pe = new ShaPasswordEncoder(); - String raw = "abc123"; - String badRaw = "abc321"; - String salt = "THIS_IS_A_SALT"; - String encoded = pe.encodePassword(raw, salt); - assertThat(pe.isPasswordValid(encoded, raw, salt)).isTrue(); - assertThat(pe.isPasswordValid(encoded, badRaw, salt)).isFalse(); - assertThat(encoded).isEqualTo("b2f50ffcbd3407fe9415c062d55f54731f340d32"); - - } - @Test - public void testBase64() throws Exception { - ShaPasswordEncoder pe = new ShaPasswordEncoder(); - pe.setEncodeHashAsBase64(true); - String raw = "abc123"; - String badRaw = "abc321"; - String salt = "THIS_IS_A_SALT"; - String encoded = pe.encodePassword(raw, salt); - assertThat(pe.isPasswordValid(encoded, raw, salt)).isTrue(); - assertThat(pe.isPasswordValid(encoded, badRaw, salt)).isFalse(); - assertThat(encoded.length() != 40).isTrue(); - } - @Test - public void test256() throws Exception { - ShaPasswordEncoder pe = new ShaPasswordEncoder(256); - String encoded = pe.encodePassword("abc123", null); - assertThat(encoded).isEqualTo("6ca13d52ca70c883e0f0bb101e425a89e8624de51db2d2392593af6a84118090"); - String encodedWithSalt = pe.encodePassword("abc123", "THIS_IS_A_SALT"); - assertThat(encodedWithSalt).isEqualTo("4b79b7de23eb23b78cc5ede227d532b8a51f89b2ec166f808af76b0dbedc47d7"); - } - @Test - public void testInvalidStrength() throws Exception { - try { - new ShaPasswordEncoder(666); - fail("IllegalArgumentException expected"); - } - catch (IllegalArgumentException e) { - // expected - } - } -}