#398 update password handling logic

kfchu · kfchu · commit 1e21f1ef6983 · 2018-05-18T19:35:17.000+08:00
diff --git a/saturn-console-api/src/main/java/com/vip/saturn/job/console/controller/gui/AuthenticationController.java b/saturn-console-api/src/main/java/com/vip/saturn/job/console/controller/gui/AuthenticationController.java
@@ -32,7 +32,8 @@ public SuccessResponseEntity login(@RequestParam String username, @RequestParam
 
 		User user = authenticationService.authenticate(username, password);
 		if (user == null) {
-			throw new SaturnJobConsoleException("Invalid username or password");
+			throw new SaturnJobConsoleException(SaturnJobConsoleException.ERROR_CODE_AUTHN_FAIL,
+					"Invalid username or password");
 		}
 
 		request.getSession().setAttribute(SessionAttributeKeys.LOGIN_USER_NAME, user.getUserName());
diff --git a/saturn-console-api/src/main/java/com/vip/saturn/job/console/exception/SaturnJobConsoleException.java b/saturn-console-api/src/main/java/com/vip/saturn/job/console/exception/SaturnJobConsoleException.java
@@ -14,6 +14,8 @@ public class SaturnJobConsoleException extends Exception {
 
 	public static final int ERROR_CODE_INTERNAL_ERROR = 0;
 
+	public static final int ERROR_CODE_AUTHN_FAIL = 4;
+
 	private int errorCode = ERROR_CODE_INTERNAL_ERROR;
 
 	public SaturnJobConsoleException() {
diff --git a/saturn-console-api/src/main/java/com/vip/saturn/job/console/service/impl/AuthenticationServiceImpl.java b/saturn-console-api/src/main/java/com/vip/saturn/job/console/service/impl/AuthenticationServiceImpl.java
@@ -1,6 +1,5 @@
 package com.vip.saturn.job.console.service.impl;
 
-import com.vip.saturn.job.console.exception.SaturnJobConsoleException;
 import com.vip.saturn.job.console.mybatis.entity.User;
 import com.vip.saturn.job.console.mybatis.repository.UserRepository;
 import com.vip.saturn.job.console.service.AuthenticationService;
@@ -18,7 +17,7 @@ public class AuthenticationServiceImpl implements AuthenticationService {
 	private String hashMethod;
 
 	@Override
-	public User authenticate(String username, String password) throws SaturnJobConsoleException {
+	public User authenticate(String username, String password) {
 		if (StringUtils.isEmpty(password)) {
 			return null;
 		}
@@ -28,11 +27,7 @@ public User authenticate(String username, String password) throws SaturnJobConso
 			return null;
 		}
 
-		try {
-			return PasswordUtils.validate(password, user.getPassword(), hashMethod) ? user : null;
-		} catch (Exception e) {
-			throw new SaturnJobConsoleException(e);
-		}
+		return PasswordUtils.validate(password, user.getPassword(), hashMethod) ? user : null;
 	}
 
 	public void setHashMethod(String hashMethod) {
diff --git a/saturn-console-api/src/main/java/com/vip/saturn/job/console/utils/PasswordUtils.java b/saturn-console-api/src/main/java/com/vip/saturn/job/console/utils/PasswordUtils.java
@@ -1,6 +1,9 @@
 package com.vip.saturn.job.console.utils;
 
-import org.apache.commons.codec.binary.Base64;
+import org.apache.commons.codec.DecoderException;
+import org.apache.commons.codec.binary.Hex;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 import javax.crypto.SecretKey;
 import javax.crypto.SecretKeyFactory;
@@ -15,6 +18,8 @@ public class PasswordUtils {
 
 	public static final String HASH_METHOD_PBKDF2 = "PBKDF2WithHmacSHA1";
 
+	private static final Logger log = LoggerFactory.getLogger(PasswordUtils.class);
+
 	private static final int ITERATIONS = 10 * 1000;
 
 	private static final int SALT_LEN = 8;
@@ -31,7 +36,7 @@ public static String genPassword(String password, String hashMethod) throws Exce
 	}
 
 	public static String genPassword(String password, byte[] salt, String hashMethod) throws Exception {
-		return hash(password, salt, hashMethod) + "$" + Base64.encodeBase64String(salt);
+		return hash(password, salt, hashMethod) + "$" + Hex.encodeHexString(salt);
 	}
 
 	public static String hash(String password, byte[] salt, String hashMethod) throws NoSuchAlgorithmException, InvalidKeySpecException {
@@ -43,21 +48,31 @@ public static String hash(String password, byte[] salt, String hashMethod) throw
 		}
 
 		SecretKey key = secretKeyFactory.generateSecret(new PBEKeySpec(password.toCharArray(), salt, ITERATIONS, KEY_LEN));
-		return Base64.encodeBase64String(key.getEncoded());
+		return Hex.encodeHexString(key.getEncoded());
 	}
 
-	public static boolean validate(String password, String passwordInDB, String hashMethod) throws Exception {
+	public static boolean validate(String password, String passwordInDB, String hashMethod) {
 		if (PasswordUtils.HASH_METHOD_PLANTEXT.equals(hashMethod)) {
 			return password.equals(passwordInDB);
 		}
 
 		String[] saltAndPassword = passwordInDB.split("\\$");
 		if (saltAndPassword.length != 2) {
-			throw new IllegalArgumentException("Invalid password stored in DB");
+			log.debug("malformed password in db");
+			return false;
 		}
 
-		String hashOfRequestPassword = hash(password, Base64.decodeBase64(saltAndPassword[1]), hashMethod);
+		String hashOfRequestPassword = null;
+		try {
+			hashOfRequestPassword = hash(password, getSalt(saltAndPassword[1]), hashMethod);
+		} catch (Exception e) {
+			return false;
+		}
 		return hashOfRequestPassword.equals(new String(saltAndPassword[0]));
 	}
 
+	private static byte[] getSalt(String s) throws DecoderException {
+		return Hex.decodeHex(s.toCharArray());
+	}
+
 }
diff --git a/saturn-console-api/src/test/java/com/vip/saturn/job/console/utils/PasswordUtilsTest.java b/saturn-console-api/src/test/java/com/vip/saturn/job/console/utils/PasswordUtilsTest.java
@@ -12,27 +12,22 @@ public class PasswordUtilsTest {
 	@Test
 	public void testGenSaltedPassword() throws Exception {
 		String password = PasswordUtils.genPassword("password", "salt".getBytes(), "PBKDF2WithHmacSHA1");
-		assertEquals("osJkYYaChHS3VFkaVHwY8TLYjXRMFSZVpHAWGhoFITU=$c2FsdA==", password);
+		assertEquals("a2c2646186828474b754591a547c18f132d88d744c152655a470161a1a052135$73616c74", password);
 	}
 
 	@Test
 	public void testValidate() throws Exception {
-		assertTrue(PasswordUtils.validate("password", "osJkYYaChHS3VFkaVHwY8TLYjXRMFSZVpHAWGhoFITU=$c2FsdA==", "PBKDF2WithHmacSHA1"));
-		assertFalse(PasswordUtils.validate("password1", "osJkYYaChHS3VFkaVHwY8TLYjXRMFSZVpHAWGhoFITU=$c2FsdA==", "PBKDF2WithHmacSHA1"));
+		String passwordInDB = "a2c2646186828474b754591a547c18f132d88d744c152655a470161a1a052135$73616c74";
+
+		assertTrue(PasswordUtils.validate("password", passwordInDB, "PBKDF2WithHmacSHA1"));
+		assertFalse(PasswordUtils.validate("password1", passwordInDB, "PBKDF2WithHmacSHA1"));
 		assertTrue(PasswordUtils.validate("password", "password", "plaintext"));
 		assertFalse(PasswordUtils.validate("password1", "password", "plaintext"));
 	}
 
 	@Test
-	public void testValidateWherePasswordInDBisMalfomred() {
+	public void testValidateWherePasswordInDBisMalfomred() throws Exception {
 		int count = 0;
-		try {
-			PasswordUtils.validate("password", "password", "PBKDF2WithHmacSHA1");
-		} catch (Exception e) {
-			count++;
-			assertEquals("Invalid password stored in DB", e.getMessage());
-		}
-
-		assertEquals(1, count);
+		assertFalse(PasswordUtils.validate("password", "password", "PBKDF2WithHmacSHA1"));
 	}
 }

Original file line number	Diff line number	Diff line change
`@@ -32,7 +32,8 @@ public SuccessResponseEntity login(@RequestParam String username, @RequestParam`
`32`	`32`
`33`	`33`	`User user = authenticationService.authenticate(username, password);`
`34`	`34`	`if (user == null) {`
`35`		`- throw new SaturnJobConsoleException("Invalid username or password");`
	`35`	`+ throw new SaturnJobConsoleException(SaturnJobConsoleException.ERROR_CODE_AUTHN_FAIL,`
	`36`	`+ "Invalid username or password");`
`36`	`37`	`}`
`37`	`38`
`38`	`39`	`request.getSession().setAttribute(SessionAttributeKeys.LOGIN_USER_NAME, user.getUserName());`