java.lang.Object
  org.apache.derby.impl.jdbc.authentication.AuthenticationServiceBase

All Known Subclasses:
  org.apache.derby.impl.jdbc.authentication.JNDIAuthenticationService,
  org.apache.derby.impl.jdbc.authentication.SpecificAuthenticationServiceImpl,
  org.apache.derby.impl.jdbc.authentication.NoneAuthenticationServiceImpl,
  org.apache.derby.impl.jdbc.authentication.BasicAuthenticationServiceImpl

abstract public class AuthenticationServiceBase implements AuthenticationService, ModuleControl, ModuleSupportable, PropertySetCallback

This is the authentication service base class.

There can be 1 authentication service for the whole Cloudscape system and/or 1 authentication service per database. In the near future, we intend to allow multiple authentication services per system and/or per database.

It should be extended by the specialized authentication services.

IMPORTANT NOTE:
--------------
User passwords are encrypted using the SHA-1 message digest algorithm if they are stored in the database; they are not encrypted if they were defined at the system level.
SHA-1 is a single (one-way) hash digest and is considered very secure (160 bits).

Author: Francois
Method Summary

  public Serviceable apply(String key, Serializable value, Dictionary p)
  public boolean authenticate(String databaseName, Properties userInfo)
      Authenticate a user inside JBMS. This is an overloaded method.
  public void boot(boolean create, Properties properties)
      Start this module.
  protected String encryptPassword(String plainTxtUserPassword)
      Encrypts a clear user password using a single-hash algorithm such as SHA-1 (SHA equivalent; it is a 160-bit digest). The digest is returned as a String object.
  public String getDatabaseProperty(String key)
  public String getProperty(String key)
      Returns a property if it was set at the database or system level.
  public String getSystemProperty(String key)
  public void init(boolean dbOnly, Dictionary p)
  public Serializable map(String key, Serializable value, Dictionary p)
  final protected boolean requireAuthentication(Properties properties)
  protected void setAuthenticationService(UserAuthenticator aScheme)
  public void stop()
  protected String substitutePassword(String userName, String password, Properties info, boolean databaseUser)
      Strong Password Substitution (USRSSBPWD).
  public boolean validate(String key, Serializable value, Dictionary p)
Field Detail

  final public static String AuthenticationTrace
      Trace flag to trace authentication operations.

  final public static String ID_PATTERN_NEW_SCHEME
      Pattern that is prefixed to the stored password in the new authentication scheme.

  final public static int MAGICLEN_NEWENCRYPT_SCHEME
      Length of the encrypted password in the new authentication scheme. See Beetle4601.

  final protected static int SECMEC_USRSSBPWD
      Userid with strong password substitute DRDA security mechanism.
Constructor Detail

  public AuthenticationServiceBase()

Method Detail

  protected String encryptPassword(String plainTxtUserPassword)
      Encrypts a clear user password using a single-hash algorithm such as SHA-1 (SHA equivalent; it is a 160-bit digest). The digest is returned as a String object.
      Parameters: plainTxtUserPassword - plain text user password
      Returns: encrypted user password (digest) as a String object

  public String getProperty(String key)
      Returns a property if it was set at the database or system level. Treated as a SERVICE property by default.
      Returns: a property string value

  final protected boolean requireAuthentication(Properties properties)

  protected String substitutePassword(String userName, String password, Properties info, boolean databaseUser)
      Strong Password Substitution (USRSSBPWD).
      This method generates a password substitute to authenticate a client that is using a DRDA security mechanism such as SECMEC_USRSSBPWD.
      Depending on how the user is defined in Derby and whether BUILTIN is used, the stored password can be in clear text (system level) or encrypted (hashed, *not decryptable*) (database level). If the user has authenticated at the network level via SECMEC_USRSSBPWD, it means we are presented with a password substitute and we need to generate a substitute password from the stored one to compare with the one passed in.
      NOTE: A lot of this logic could be shared with the DRDA decryption and client encryption managers. This will be done _once_ code sharing along with its rules are defined between the Derby engine, client and network code (PENDING).
      The substitution algorithm works as follows:
          PW_TOKEN = SHA-1(PW, ID)
      The password (PW) and user name (ID) can be of any length greater than or equal to 1 byte.
      The client generates a 20-byte password substitute (PW_SUB) as follows:
          PW_SUB = SHA-1(PW_TOKEN, RDr, RDs, ID, PWSEQs)
      with RDs as the random client seed and RDr as the server one.
      See PWDSSB - Strong Password Substitution Security Mechanism (DRDA Vol. 3, p. 650).
      Returns: a substituted password
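The two hashing steps documented above (the one-way digest behind encryptPassword and the USRSSBPWD substitution behind substitutePassword) written out end to end, as an added example that is not Derby's own code. It assumes UTF-8 string encoding, concatenation of each SHA-1(...) input list in the order shown, an all-zero 8-byte PWSEQs, 8-byte seeds, and a placeholder "hashed:" marker in place of Derby's ID_PATTERN_NEW_SCHEME value; for a database-level user it assumes the store holds PW_TOKEN itself, which is a simplification rather than Derby's real storage layout. Both the client derivation and the server-side comparison are shown, for a system-level (clear-text) and a database-level (one-way) stored password:

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

/*
 * Added example, not Derby's code. Assumptions not taken from the page: UTF-8
 * encoding, inputs of each SHA-1(...) concatenated in listed order, PWSEQs of
 * eight zero bytes, 8-byte seeds, and a placeholder marker prefix.
 */
public final class PasswordSubstitutionExample {

    // Placeholder marker for a hashed stored password (constructed, not Derby's pattern).
    static final String HASHED_PREFIX = "hashed:";

    // SHA-1 over the concatenation of all parts; yields the 20-byte (160-bit) digest.
    static byte[] sha1(byte[]... parts) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-1");
            for (byte[] p : parts) {
                md.update(p);
            }
            return md.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-1 unavailable", e);
        }
    }

    static byte[] utf8(String s) {
        return s.getBytes(StandardCharsets.UTF_8);
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    // encryptPassword(): unsalted, one-way digest of the password, returned as a string.
    static String encryptPassword(String plainTxtUserPassword) {
        return HASHED_PREFIX + hex(sha1(utf8(plainTxtUserPassword)));
    }

    // PW_TOKEN = SHA-1(PW, ID)
    static byte[] passwordToken(String password, String userId) {
        return sha1(utf8(password), utf8(userId));
    }

    // PW_SUB = SHA-1(PW_TOKEN, RDr, RDs, ID, PWSEQs); RDr is the server seed, RDs the client seed.
    static byte[] passwordSubstitute(byte[] pwToken, byte[] rdr, byte[] rds, String userId) {
        byte[] pwSeqs = new byte[8]; // assumed all-zero sequence field
        return sha1(pwToken, rdr, rds, utf8(userId), pwSeqs);
    }

    // Server-side check. For a system-level user the store holds the clear-text
    // password, so PW_TOKEN is recomputed; for a database-level user the store
    // holds a one-way value, assumed here to be PW_TOKEN itself.
    static boolean verifySubstitute(String userId, byte[] stored, boolean databaseUser,
                                    byte[] rdr, byte[] rds, byte[] presentedPwSub) {
        byte[] pwToken = databaseUser
                ? stored
                : passwordToken(new String(stored, StandardCharsets.UTF_8), userId);
        byte[] expected = passwordSubstitute(pwToken, rdr, rds, userId);
        return MessageDigest.isEqual(expected, presentedPwSub); // constant-time compare
    }

    public static void main(String[] args) {
        String id = "alice";         // constructed sample user
        String pw = "correct horse"; // constructed sample password
        SecureRandom random = new SecureRandom();
        byte[] rdr = new byte[8];
        byte[] rds = new byte[8];
        random.nextBytes(rdr);
        random.nextBytes(rds);

        // Client: derive PW_SUB; the clear-text password never goes on the wire.
        byte[] pwSub = passwordSubstitute(passwordToken(pw, id), rdr, rds, id);

        // Server, system-level user: clear-text password on file.
        boolean okSystem = verifySubstitute(id, utf8(pw), false, rdr, rds, pwSub);

        // Server, database-level user: only the one-way token on file.
        boolean okDatabase = verifySubstitute(id, passwordToken(pw, id), true, rdr, rds, pwSub);

        // A different server seed must reject the same PW_SUB: the seeds bind it to one exchange.
        byte[] otherRdr = new byte[8];
        random.nextBytes(otherRdr);
        boolean staleRejected = !verifySubstitute(id, utf8(pw), false, otherRdr, rds, pwSub);

        System.out.println("encryptPassword -> " + encryptPassword(pw));
        System.out.println("PW_SUB is " + pwSub.length + " bytes");
        System.out.println("system-level ok=" + okSystem + " database-level ok=" + okDatabase
                + " stale seed rejected=" + staleRejected);
    }
}
```

Run it with `java PasswordSubstitutionExample.java` on Java 11 or later. Two points worth checking in any deployment of this scheme: the server rebuilds PW_SUB from whatever one-way value it has on file, so for this mechanism that stored value is as sensitive as the password itself and the store needs the same protection; and because encryptPassword digests the password alone with a fast, unsalted SHA-1, two users with the same password produce the same stored digest, which is something to monitor for when auditing a BUILTIN user table.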