directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alex Karasulu <akaras...@apache.org>
Subject Re: svn commit: r1095083 - in /directory/apacheds/trunk: core-api/ core-api/src/main/java/org/apache/directory/server/core/ppolicy/ core/src/main/java/org/apache/directory/server/core/authn/
Date Tue, 19 Apr 2011 14:02:29 GMT
Please revert putting this into the core-api: this functionality should be
loaded when needed as an extra rather than a core function of the server.
Plus the dependency on the extras OSGi bundle should not be formed it will
create several classloader issues.

We should move forward with OSGi in the server to make these optional
features loadable.

Thanks,
Alex

On Tue, Apr 19, 2011 at 4:33 PM, <kayyagari@apache.org> wrote:

> Author: kayyagari
> Date: Tue Apr 19 13:33:54 2011
> New Revision: 1095083
>
> URL: http://svn.apache.org/viewvc?rev=1095083&view=rev
> Log:
> o created an interface for validating password quality and added an
> implementation
> o updated the authenticator and policy config to use the validator
> o added dependency on shared-ldap-extras-codec (required to resolve
> PasswordPolicyErrorEnum)
>
> Added:
>
>  directory/apacheds/trunk/core-api/src/main/java/org/apache/directory/server/core/ppolicy/DefaultPasswordValidator.java
>
>  directory/apacheds/trunk/core-api/src/main/java/org/apache/directory/server/core/ppolicy/PasswordValidator.java
> Modified:
>    directory/apacheds/trunk/core-api/pom.xml
>
>  directory/apacheds/trunk/core-api/src/main/java/org/apache/directory/server/core/ppolicy/PasswordPolicyConfiguration.java
>
>  directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authn/AuthenticationInterceptor.java
>
> Modified: directory/apacheds/trunk/core-api/pom.xml
> URL:
> http://svn.apache.org/viewvc/directory/apacheds/trunk/core-api/pom.xml?rev=1095083&r1=1095082&r2=1095083&view=diff
>
> ==============================================================================
> --- directory/apacheds/trunk/core-api/pom.xml (original)
> +++ directory/apacheds/trunk/core-api/pom.xml Tue Apr 19 13:33:54 2011
> @@ -117,6 +117,12 @@
>        <groupId>net.sf.ehcache</groupId>
>        <artifactId>ehcache-core</artifactId>
>    </dependency>
> +
> +    <dependency>
> +      <groupId>org.apache.directory.shared</groupId>
> +      <artifactId>shared-ldap-extras-codec</artifactId>
> +      <scope>provided</scope>
> +    </dependency>
>
>   </dependencies>
>
>
> Added:
> directory/apacheds/trunk/core-api/src/main/java/org/apache/directory/server/core/ppolicy/DefaultPasswordValidator.java
> URL:
> http://svn.apache.org/viewvc/directory/apacheds/trunk/core-api/src/main/java/org/apache/directory/server/core/ppolicy/DefaultPasswordValidator.java?rev=1095083&view=auto
>
> ==============================================================================
> ---
> directory/apacheds/trunk/core-api/src/main/java/org/apache/directory/server/core/ppolicy/DefaultPasswordValidator.java
> (added)
> +++
> directory/apacheds/trunk/core-api/src/main/java/org/apache/directory/server/core/ppolicy/DefaultPasswordValidator.java
> Tue Apr 19 13:33:54 2011
> @@ -0,0 +1,88 @@
> +/*
> + *   Licensed to the Apache Software Foundation (ASF) under one
> + *   or more contributor license agreements.  See the NOTICE file
> + *   distributed with this work for additional information
> + *   regarding copyright ownership.  The ASF licenses this file
> + *   to you under the Apache License, Version 2.0 (the
> + *   "License"); you may not use this file except in compliance
> + *   with the License.  You may obtain a copy of the License at
> + *
> + *     http://www.apache.org/licenses/LICENSE-2.0
> + *
> + *   Unless required by applicable law or agreed to in writing,
> + *   software distributed under the License is distributed on an
> + *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
> + *   KIND, either express or implied.  See the License for the
> + *   specific language governing permissions and limitations
> + *   under the License.
> + *
> + */
> +
> +package org.apache.directory.server.core.ppolicy;
> +
> +
> +import static
> org.apache.directory.shared.ldap.extras.controls.ppolicy.PasswordPolicyErrorEnum.INSUFFICIENT_PASSWORD_QUALITY;
> +
> +
> +/**
> + * The default password validator.
> + *
> + * @author <a href="mailto:dev@directory.apache.org">Apache Directory
> Project</a>
> + */
> +public class DefaultPasswordValidator implements PasswordValidator
> +{
> +
> +    /** the default validator's instance */
> +    public final static DefaultPasswordValidator INSTANCE = new
> DefaultPasswordValidator();
> +
> +
> +    /**
> +     * Creates a new instance of DefaultPasswordValidator.
> +     */
> +    public DefaultPasswordValidator()
> +    {
> +    }
> +
> +
> +    /**
> +     * {@inheritDoc}
> +     */
> +    public void validate( String password, String entryRdnVal ) throws
> PasswordPolicyException
> +    {
> +        checkUsernameSubstring( password, entryRdnVal );
> +        //TODO add more checks
> +    }
> +
> +
> +    /**
> +     * The password does not contain three letter (or more) tokens from
> the user's account name.
> +     *
> +     * If the account name is less than three characters long, this check
> is not performed
> +     * because the rate at which passwords would be rejected is too high.
> For each token that is
> +     * three or more characters long, that token is searched for in the
> password; if it is present,
> +     * the password change is rejected. For example, the name "First M.
> Last" would be split into
> +     * three tokens: "First", "M", and "Last". Because the second token is
> only one character long,
> +     * it would be ignored. Therefore, this user could not have a password
> that included either
> +     * "first" or "last" as a substring anywhere in the password. All of
> these checks are
> +     * case-insensitive.
> +     */
> +    private void checkUsernameSubstring( String password, String username
> ) throws PasswordPolicyException
> +    {
> +        if ( username == null || username.trim().length() == 0 )
> +        {
> +            return;
> +        }
> +
> +        String[] tokens = username.split( "[^a-zA-Z]" );
> +
> +        for ( int ii = 0; ii < tokens.length; ii++ )
> +        {
> +            if ( password.matches( "(?i).*" + tokens[ii] + ".*" ) )
> +            {
> +                throw new PasswordPolicyException( "Password shouldn't
> contain parts of the username",
> +                    INSUFFICIENT_PASSWORD_QUALITY );
> +            }
> +        }
> +    }
> +
> +}
>
> Modified:
> directory/apacheds/trunk/core-api/src/main/java/org/apache/directory/server/core/ppolicy/PasswordPolicyConfiguration.java
> URL:
> http://svn.apache.org/viewvc/directory/apacheds/trunk/core-api/src/main/java/org/apache/directory/server/core/ppolicy/PasswordPolicyConfiguration.java?rev=1095083&r1=1095082&r2=1095083&view=diff
>
> ==============================================================================
> ---
> directory/apacheds/trunk/core-api/src/main/java/org/apache/directory/server/core/ppolicy/PasswordPolicyConfiguration.java
> (original)
> +++
> directory/apacheds/trunk/core-api/src/main/java/org/apache/directory/server/core/ppolicy/PasswordPolicyConfiguration.java
> Tue Apr 19 13:33:54 2011
> @@ -151,6 +151,9 @@ public class PasswordPolicyConfiguration
>      */
>     private int pwdMaxIdle = 0;
>
> +    /** validator used for checking the quality of password */
> +    //TODO to be injected from config
> +    private PasswordValidator pwdValidator =
> DefaultPasswordValidator.INSTANCE;
>
>     public String getPwdAttribute()
>     {
> @@ -393,6 +396,24 @@ public class PasswordPolicyConfiguration
>
>
>     /**
> +     * @return the pwdValidator
> +     */
> +    public PasswordValidator getPwdValidator()
> +    {
> +        return pwdValidator;
> +    }
> +
> +
> +    /**
> +     * @param pwdValidator the pwdValidator to set
> +     */
> +    public void setPwdValidator( PasswordValidator pwdValidator )
> +    {
> +        this.pwdValidator = pwdValidator;
> +    }
> +
> +
> +    /**
>      * validates the policy configuration and throws a LdapException if
> there are any errors
>      *
>      * @throws LdapException if there are any errors in the configuration
>
> Added:
> directory/apacheds/trunk/core-api/src/main/java/org/apache/directory/server/core/ppolicy/PasswordValidator.java
> URL:
> http://svn.apache.org/viewvc/directory/apacheds/trunk/core-api/src/main/java/org/apache/directory/server/core/ppolicy/PasswordValidator.java?rev=1095083&view=auto
>
> ==============================================================================
> ---
> directory/apacheds/trunk/core-api/src/main/java/org/apache/directory/server/core/ppolicy/PasswordValidator.java
> (added)
> +++
> directory/apacheds/trunk/core-api/src/main/java/org/apache/directory/server/core/ppolicy/PasswordValidator.java
> Tue Apr 19 13:33:54 2011
> @@ -0,0 +1,41 @@
> +/*
> + *   Licensed to the Apache Software Foundation (ASF) under one
> + *   or more contributor license agreements.  See the NOTICE file
> + *   distributed with this work for additional information
> + *   regarding copyright ownership.  The ASF licenses this file
> + *   to you under the Apache License, Version 2.0 (the
> + *   "License"); you may not use this file except in compliance
> + *   with the License.  You may obtain a copy of the License at
> + *
> + *     http://www.apache.org/licenses/LICENSE-2.0
> + *
> + *   Unless required by applicable law or agreed to in writing,
> + *   software distributed under the License is distributed on an
> + *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
> + *   KIND, either express or implied.  See the License for the
> + *   specific language governing permissions and limitations
> + *   under the License.
> + *
> + */
> +
> +package org.apache.directory.server.core.ppolicy;
> +
> +/**
> + * An interface for implementing password quality verifiers.
> + *
> + * @author <a href="mailto:dev@directory.apache.org">Apache Directory
> Project</a>
> + */
> +public interface PasswordValidator
> +{
> +    /**
> +     * checks if the given password meets the required quality
> contraints.<br>
> +     * <p>Note: the length based validations are already done before
> calling this method<br>
> +     *
> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
> +     *       so the implementor should concentrate on the content
> checking.</p>
> +     *
> +     * @param password the password value
> +     * @param entryRdnVal the value of entry's RDN(typically this is the
> username) e.x 'admin' if the entry's DN is {uid/cn/etc..}=admin,ou=system
> +     * @throws PasswordPolicyException if the password doesn't meet the
> quality contraints
> +     */
> +    void validate( String password, String entryRdnVal ) throws
> PasswordPolicyException;
> +}
>
> Modified:
> directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authn/AuthenticationInterceptor.java
> URL:
> http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authn/AuthenticationInterceptor.java?rev=1095083&r1=1095082&r2=1095083&view=diff
>
> ==============================================================================
> ---
> directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authn/AuthenticationInterceptor.java
> (original)
> +++
> directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authn/AuthenticationInterceptor.java
> Tue Apr 19 13:33:54 2011
> @@ -95,7 +95,6 @@ import org.apache.directory.shared.ldap.
>  import org.apache.directory.shared.ldap.model.entry.Entry;
>  import org.apache.directory.shared.ldap.model.entry.Modification;
>  import org.apache.directory.shared.ldap.model.entry.ModificationOperation;
> -import org.apache.directory.shared.ldap.model.entry.StringValue;
>  import org.apache.directory.shared.ldap.model.entry.Value;
>  import
> org.apache.directory.shared.ldap.model.exception.LdapAuthenticationException;
>  import org.apache.directory.shared.ldap.model.exception.LdapException;
> @@ -357,14 +356,9 @@ public class AuthenticationInterceptor e
>
>             BinaryValue userPassword = ( BinaryValue ) entry.get(
> SchemaConstants.USER_PASSWORD_AT ).get();
>
> -            if ( entry.get( SchemaConstants.CN_AT ) != null )
> -            {
> -                StringValue attr = ( StringValue ) entry.get(
> SchemaConstants.CN_AT ).get();
> -                username = attr.getString();
> -            }
> -
>             try
>             {
> +                username =
> entry.getDn().getRdn().getUpValue().getString();
>                 check( username, userPassword.getValue(), policyConfig );
>             }
>             catch ( PasswordPolicyException e )
> @@ -588,16 +582,11 @@ public class AuthenticationInterceptor e
>             byte[] newPassword = null;
>             if ( ( pwdModDetails != null ) )
>             {
> -                String userName = null;
> -                if ( entry.get( SchemaConstants.CN_AT ) != null )
> -                {
> -                    StringValue attr = ( StringValue ) entry.get(
> SchemaConstants.CN_AT ).get();
> -                    userName = attr.getString();
> -                }
> -
>                 newPassword = pwdModDetails.getNewPwd();
> +
>                 try
>                 {
> +                    String userName =
> entry.getDn().getRdn().getUpValue().getString();
>                     check( userName, newPassword, policyConfig );
>                 }
>                 catch ( PasswordPolicyException e )
> @@ -1191,9 +1180,11 @@ public class AuthenticationInterceptor e
>         }
>
>         String strPassword = Strings.utf8ToString(password);
> +
> +        // perform the length validation
>         validatePasswordLength( strPassword, policyConfig );
> -        checkUsernameSubstring( username, strPassword, policyConfig );
> -        //        checkPasswordChars( strPassword );
> +
> +        policyConfig.getPwdValidator().validate( strPassword, username );
>     }
>
>
> @@ -1227,38 +1218,6 @@ public class AuthenticationInterceptor e
>     }
>
>
> -    /**
> -     * The password does not contain three letter (or more) tokens from
> the user's account name.
> -     *
> -     * If the account name is less than three characters long, this check
> is not performed
> -     * because the rate at which passwords would be rejected is too high.
> For each token that is
> -     * three or more characters long, that token is searched for in the
> password; if it is present,
> -     * the password change is rejected. For example, the name "First M.
> Last" would be split into
> -     * three tokens: "First", "M", and "Last". Because the second token is
> only one character long,
> -     * it would be ignored. Therefore, this user could not have a password
> that included either
> -     * "first" or "last" as a substring anywhere in the password. All of
> these checks are
> -     * case-insensitive.
> -     */
> -    private void checkUsernameSubstring( String username, String password,
> PasswordPolicyConfiguration policyConfig ) throws PasswordPolicyException
> -    {
> -        if ( username == null || username.trim().length() == 0 )
> -        {
> -            return;
> -        }
> -
> -        String[] tokens = username.split( "[^a-zA-Z]" );
> -
> -        for ( int ii = 0; ii < tokens.length; ii++ )
> -        {
> -            if ( password.matches( "(?i).*" + tokens[ii] + ".*" ) )
> -            {
> -                throw new PasswordPolicyException( "Password shouldn't
> contain parts of the username",
> -                    INSUFFICIENT_PASSWORD_QUALITY );
> -            }
> -        }
> -    }
> -
> -
>     private int getPwdTimeBeforeExpiry( Entry userEntry,
> PasswordPolicyConfiguration policyConfig ) throws LdapException
>     {
>         if ( policyConfig.getPwdMaxAge() == 0 )
>
>
>

Mime
View raw message