public class FileBasedAuthenticator extends AbstractAuthenticator
Many organizations will want to create their own implementation of the methods provided in the
Authenticator
interface backed by their own user repository as this reference implementation
is not very scalable. This reference implementation captures information about users in a simple text file
format that contains user information separated by the pipe "|" character.
Here's an example of a single line from the users.txt file:
account id | account name | hashed password | roles | lockout | status | old password hashes | last hostname | last change | last login | last failed | expiration | failed --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 1203123710837 | mitch | 44k/NAzQUlrCq9musTGGkcMNmdzEGJ8w8qZTLzpxLuQ= | admin,user | unlocked | enabled | u10dW4vTo3ZkoM5xP+blayWCz7KdPKyKUojOn9GJobg= | 192.168.1.255 | 1187201000926 | 1187200991568 | 1187200605330 | 2187200605330 | 1
Authenticator
,
hashPassword(String password, String accountName)
,
GitHub Issue #233: Weak password storageUSER
Modifier and Type | Method and Description |
---|---|
void |
changePassword(User user,
String currentPassword,
String newPassword,
String newPassword2)
Changes the password for the specified user.
|
User |
createUser(String accountName,
String password1,
String password2)
Creates a new User with the information provided.
|
String |
generateStrongPassword()
Generate a strong password.
|
String |
generateStrongPassword(User user,
String oldPassword)
Generate strong password that takes into account the user's information and old password.
|
static Authenticator |
getInstance() |
User |
getUser(long accountId)
Returns the User matching the provided accountId.
|
User |
getUser(String accountName)
Returns the User matching the provided accountName.
|
Set |
getUserNames()
Gets a collection containing all the existing user names.
|
String |
hashPassword(String password,
String accountName)
Returns a string representation of the hashed password, using the
accountName as the salt.
|
protected void |
loadUsersIfNecessary()
Load users if they haven't been loaded in a while.
|
protected void |
loadUsersImmediately() |
static void |
main(String[] args)
Fail safe main program to add or update an account in an emergency.
|
void |
removeUser(String accountName)
Removes the account of the specified accountName.
|
void |
saveUsers()
Saves the user database to the file system.
|
protected void |
saveUsers(PrintWriter writer)
Save users.
|
void |
verifyAccountNameStrength(String newAccountName)
Ensures that the account name passes site-specific complexity requirements, like minimum length.
|
boolean |
verifyPassword(User user,
String password)
Verify that the supplied password matches the password for this user.
|
void |
verifyPasswordStrength(String oldPassword,
String newPassword,
User user)
Ensures that the password meets site-specific complexity requirements, like length or number
of character sets.
|
clearCurrent, exists, getCurrentUser, getUserFromRememberToken, getUserFromSession, login, login, logout, setCurrentUser
public static Authenticator getInstance()
public static void main(String[] args) throws Exception
java -Dorg.owasp.esapi.resources="/path/resources" -classpath esapi.jar org.owasp.esapi.Authenticator alice password admin
args
- the arguments (username, password, role)Exception
- the exceptionpublic User createUser(String accountName, String password1, String password2) throws AuthenticationException
WARNING: The implementation of this method as defined in the
default reference implementation class, FileBasedAuthenticator
,
uses a password hash algorthim that is known to be weak. You are advised
to replace the default reference implementation class with your own custom
implementation that uses a stronger password hashing algorithm.
See class comments in * FileBasedAuthenticator
for further details.
accountName
- the account name of the new userpassword1
- the password of the new userpassword2
- the password of the new user. This field is to encourage user interface designers to include two password fields in their forms.AuthenticationException
- if user creation fails due to any of the qualifications listed in this method's descriptionpublic String generateStrongPassword()
public void changePassword(User user, String currentPassword, String newPassword, String newPassword2) throws AuthenticationException
user
- the user to change the password forcurrentPassword
- the current password for the specified usernewPassword
- the new password to usenewPassword2
- a verification copy of the new passwordAuthenticationException
- if any errors occurpublic boolean verifyPassword(User user, String password)
hashPassword(password, accountName)
method in this class, however see WARNING
the hashPassword
method.
This method is typically used for "reauthentication" for the most sensitive functions, such as transactions, changing email address, and changing other account information.
user
- the user who requires verificationpassword
- the hashed user-supplied passwordAuthenticator.hashPassword(String password, String accountName)
public String generateStrongPassword(User user, String oldPassword)
user
- the user whose information to use when generating passwordoldPassword
- the old password to use when verifying strength of new password. The new password may be checked for fragments of oldPassword.public User getUser(long accountId)
accountId
- the account idpublic User getUser(String accountName)
accountName
- the account namepublic Set getUserNames()
public String hashPassword(String password, String accountName) throws EncryptionException
WARNING: The implementation of this method as defined in the
default reference implementation class, FileBasedAuthenticator
,
is know to be extremely weak. The reference implementation class was
meant to be an example implementation and generally should be avoided
and replaced with your own implementation. See class comments in
FileBasedAuthenticator
for further details.
WARNING: There are several weaknesses in this method:
accountName
parameter is
used as the salt.Encryptor.MasterSalt
, meaning that if that property is changed,
all previously stored passwords become invalid and need to be reset.password
- the password to hashaccountName
- the account name to use as the saltEncryptionException
FileBasedAuthenticator,
the default reference implementation of this interface.
protected void loadUsersIfNecessary()
protected void loadUsersImmediately()
public void removeUser(String accountName) throws AuthenticationException
accountName
- the account name to removeAuthenticationException
- the authentication exception if user does not existpublic void saveUsers() throws AuthenticationException
AuthenticationException
- if the user file could not be writtenprotected void saveUsers(PrintWriter writer) throws AuthenticationCredentialsException
writer
- the print writer to use for savingAuthenticationCredentialsException
public void verifyAccountNameStrength(String newAccountName) throws AuthenticationException
newAccountName
- AuthenticationException
- if account name does not meet complexity requirementspublic void verifyPasswordStrength(String oldPassword, String newPassword, User user) throws AuthenticationException
oldPassword
- the old passwordnewPassword
- the new passworduser
- the userAuthenticationException
- if newPassword is too similar to oldPassword or if newPassword does not meet complexity requirementsCopyright © 2021 The Open Web Application Security Project (OWASP). All rights reserved.