From su...@apache.org
Subject knox git commit: KNOX-524 set default credential matcher and caching
Date Mon, 30 Mar 2015 14:58:04 GMT
Repository: knox
Updated Branches:
  refs/heads/master bc716d92a -> 5ee7942fb


KNOX-524 set default credential matcher and caching


Project: http://git-wip-us.apache.org/repos/asf/knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/5ee7942f
Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/5ee7942f
Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/5ee7942f

Branch: refs/heads/master
Commit: 5ee7942fb9629bb948eed69a0e9105eb25dbed58
Parents: bc716d9
Author: Sumit Gupta <sumit@apache.org>
Authored: Mon Mar 30 10:57:29 2015 -0400
Committer: Sumit Gupta <sumit@apache.org>
Committed: Mon Mar 30 10:57:29 2015 -0400

----------------------------------------------------------------------
 .../gateway/shirorealm/KnoxLdapRealm.java       | 35 ++++++++++++--------
 1 file changed, 21 insertions(+), 14 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/knox/blob/5ee7942f/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxLdapRealm.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxLdapRealm.java
b/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxLdapRealm.java
index 96f7752..c484bd3 100644
--- a/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxLdapRealm.java
+++ b/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxLdapRealm.java
@@ -42,11 +42,15 @@ import javax.naming.ldap.LdapName;
 import org.apache.hadoop.gateway.GatewayMessages;
 import org.apache.hadoop.gateway.i18n.messages.MessagesFactory;
 import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.authc.AuthenticationInfo;
 import org.apache.shiro.authc.AuthenticationToken;
-import org.apache.shiro.authc.UsernamePasswordToken;
+import org.apache.shiro.authc.SimpleAuthenticationInfo;
+import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
 import org.apache.shiro.authz.AuthorizationInfo;
 import org.apache.shiro.authz.SimpleAuthorizationInfo;
+import org.apache.shiro.cache.MemoryConstrainedCacheManager;
 import org.apache.shiro.crypto.hash.DefaultHashService;
+import org.apache.shiro.crypto.hash.Hash;
 import org.apache.shiro.crypto.hash.HashRequest;
 import org.apache.shiro.crypto.hash.HashService;
 import org.apache.shiro.realm.ldap.JndiLdapRealm;
@@ -116,11 +120,13 @@ public class KnoxLdapRealm extends JndiLdapRealm {
     private final static String  SUBJECT_USER_GROUPS = "subject.userGroups";
 
     private final static String  MEMBER_URL = "memberUrl";
-   
+
+    private static final String HASHING_ALGORITHM = "MD5";
+
     static {
-        SUBTREE_SCOPE.setSearchScope(SearchControls.SUBTREE_SCOPE);
-        ONELEVEL_SCOPE.setSearchScope(SearchControls.ONELEVEL_SCOPE);
-    }
+          SUBTREE_SCOPE.setSearchScope(SearchControls.SUBTREE_SCOPE);
+          ONELEVEL_SCOPE.setSearchScope(SearchControls.ONELEVEL_SCOPE);
+      }
 
  
     private String searchBase;
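Review bot: `HASHING_ALGORITHM = "MD5"` selects a fast digest for the value that the last hunk's createAuthenticationInfo stores in the authentication cache, and nothing in this commit sets a salt or an iteration count on either the DefaultHashService request or the HashedCredentialsMatcher, so the cache presumably ends up holding a single-round, unsalted MD5 of each user's password for as long as the entry lives. A heap dump or an attached debugger on the gateway process then exposes material that is cheap to brute-force offline; prefer `"SHA-256"` with an iteration count applied on both sides (`setHashIterations` on the matcher, `setIterations` on the HashRequest.Builder) and `setGeneratePublicSalt(true)` on the hash service so that `credentialsHash.getSalt()` is non-null — the same constant is consumed in the following two hunks. The static initializer at the end of this hunk was also re-indented to ten spaces, unlike the four-space indent used by the rest of the class; that is a whitespace-only change worth reverting.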
@@ -148,6 +154,12 @@ public class KnoxLdapRealm extends JndiLdapRealm {
     private HashService hashService = new DefaultHashService();
 
     public KnoxLdapRealm() {
+      HashedCredentialsMatcher credentialsMatcher = new HashedCredentialsMatcher(HASHING_ALGORITHM);
+      setCredentialsMatcher(credentialsMatcher);
+      setCacheManager(new MemoryConstrainedCacheManager());
+      setCachingEnabled(true);
+      setAuthenticationCachingEnabled(true);
+      setAuthorizationCachingEnabled(true);
     }
 
     /**
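Review bot: With `setAuthenticationCachingEnabled(true)` and the principal-keyed cache that AuthenticatingRealm uses by default (as far as the Shiro defaults go), a user's first successful login pins the hash returned by createAuthenticationInfo in memory, and later logins for that principal are verified against the cached hash rather than against LDAP. A password change, lockout or account removal in the directory is therefore not honoured until the entry is evicted, and MemoryConstrainedCacheManager evicts only under memory pressure (soft references) with no time-based expiry; the username+password cache key removed in the last hunk at least forced a miss whenever the password changed. If caching is to be on by default, pair it with a cache manager that supports a TTL, or document that deployments must configure one in shiro.ini and state the revocation delay. The constructor also calls overridable setters, which run before any subclass fields are initialised.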
@@ -560,14 +572,9 @@ public class KnoxLdapRealm extends JndiLdapRealm {
     }
 
     @Override
-    protected Object getAuthenticationCacheKey(AuthenticationToken token) {
-      if (token instanceof UsernamePasswordToken) {
-        HashRequest.Builder builder = new HashRequest.Builder();
-        StringBuilder key = new StringBuilder();
-        key.append(hashService.computeHash(builder.setSource(((UsernamePasswordToken) token).getUsername()).build()).toHex());
-        key.append(hashService.computeHash(builder.setSource(((UsernamePasswordToken) token).getPassword()).build()).toHex());
-        return key.toString();
-      }
-      return super.getAuthenticationCacheKey(token);
+    protected AuthenticationInfo createAuthenticationInfo(AuthenticationToken token, Object
ldapPrincipal, Object ldapCredentials, LdapContext ldapContext) throws NamingException {
+      HashRequest.Builder builder = new HashRequest.Builder();
+      Hash credentialsHash = hashService.computeHash(builder.setSource(token.getCredentials()).setAlgorithmName(HASHING_ALGORITHM).build());
+      return new SimpleAuthenticationInfo(token.getPrincipal(), credentialsHash.toHex(),
credentialsHash.getSalt(), getName());
     }
 }
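Review bot: `token.getCredentials()` is passed straight into `setSource`, and a token that carries no credentials (an empty or malformed login) presumably makes DefaultHashService.computeHash return null for the empty source, so `credentialsHash.toHex()` fails with a NullPointerException instead of a clean authentication failure; guard it first, e.g. `if (token.getCredentials() == null) { throw new AuthenticationException("no credentials supplied"); }` (org.apache.shiro.authc.AuthenticationException would need importing). The method ignores the ldapPrincipal and ldapCredentials it receives and builds the info from the token alone, so a short Javadoc saying that the stored credential is the hash of the token's password, later checked on cache hits by HashedCredentialsMatcher, would spare the next reader a trip into Shiro. The new signature is wrapped across two lines in this archive view, but the method body is complete within the hunk.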

