
REVIEW: Enhanced password hashing #802

Merged
merged 20 commits into master from NXCM-4361-salt-rework

3 participants

@scarlucci

These changes are for https://issues.sonatype.org/browse/NXCM-4361. There are corresponding changes for this work in sonatype/security.

The goal of the changes is to use a more secure mechanism to hash user passwords. The changes leverage the new PasswordService feature in Shiro 1.2 to encapsulate all of the logic related to how we hash passwords.

Salting:
Passwords are now salted prior to hashing. Salts are unique per user, per password.

Hashing algorithm:
Passwords are now hashed with SHA-512. Previously, passwords were hashed with SHA-1. The password matcher is backwards compatible with SHA-1 and MD5 hashes.

Key Stretching:
The hashing algorithm is now applied N times, where N is defined in security-configuration.xml, in the new hashIterations element. The model version of security-configuration.xml has been updated.

Upgrading legacy users:
In order to convert old SHA-1 password hashes, we must wait for the user to log in. When they do, we detect that their password hash is old and regenerate the hash.
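The scheme the description lays out (a unique salt per user and per password, SHA-512 applied hashIterations times, a matcher that still accepts unsalted SHA-1 and MD5 digests, and regenerating a legacy user's hash the first time they log in), modelled as added example code that is not part of this PR, of Nexus or of Shiro. The `$sha512$iterations$salt$digest` record layout, the 16-byte salt and the sample users are assumptions; the example goes one step beyond the description by also flagging records stretched with fewer than the configured iterations for rehashing.

```python
import hashlib
import hmac
import secrets

# Mirrors the hashIterations element this PR adds to security-configuration.xml.
HASH_ITERATIONS = 1024

def stretch_sha512(password: str, salt: bytes, iterations: int) -> bytes:
    """Salted SHA-512 applied `iterations` times (the key stretching the PR describes)."""
    digest = hashlib.sha512(salt + password.encode("utf-8")).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha512(digest).digest()
    return digest

def hash_password(password: str, iterations: int = HASH_ITERATIONS) -> str:
    """New-style record with a fresh random salt, so salts are unique per user and per password."""
    salt = secrets.token_bytes(16)  # assumed salt length
    digest = stretch_sha512(password, salt, iterations)
    return "$sha512$%d$%s$%s" % (iterations, salt.hex(), digest.hex())  # assumed layout

def legacy_hash(password: str, algorithm: str) -> str:
    """Unsalted hex digest as the old realm stored it ("sha1" or "md5")."""
    return hashlib.new(algorithm, password.encode("utf-8")).hexdigest()

def check_password(password: str, stored: str):
    """Return (matches, needs_rehash); legacy SHA-1/MD5 digests are recognised by hex length."""
    if stored.startswith("$sha512$"):
        try:
            _, _, iters, salt_hex, digest_hex = stored.split("$")
            computed = stretch_sha512(password, bytes.fromhex(salt_hex), int(iters))
        except ValueError:
            return False, False
        # Records stretched with an older, smaller iteration count are flagged for rehashing too.
        return hmac.compare_digest(computed.hex(), digest_hex), int(iters) < HASH_ITERATIONS
    algorithm = {40: "sha1", 32: "md5"}.get(len(stored))
    if algorithm is None:
        return False, False
    return hmac.compare_digest(legacy_hash(password, algorithm), stored), True

def login(users: dict, username: str, password: str) -> bool:
    """Authenticate and, on success against a legacy or weak record, replace it in place."""
    stored = users.get(username)
    if stored is None:
        return False
    matches, needs_rehash = check_password(password, stored)
    if matches and needs_rehash:
        users[username] = hash_password(password)
    return matches

# Constructed sample store: two users whose passwords were hashed by the old realm.
USERS = {"alice": legacy_hash("correct horse", "sha1"), "bob": legacy_hash("battery staple", "md5")}
```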

@scarlucci scarlucci closed this
@scarlucci scarlucci reopened this
...ting/internal/TextFilePrefixSourceMarshallerTest.java
@@ -143,7 +143,7 @@ public void roundtrip()
assertThat( outputStream.size(), greaterThan( 15 ) );
final String output = new String( outputStream.toByteArray(), UTF8 );
- assertThat( output, equalTo( withStandardHeaders( prefixFile1( false ) ) ) );
+ assertThat( output.replace("\r", ""), equalTo( withStandardHeaders( prefixFile1( false ) ).replace("\r", "") ) );
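Review bot: stripping "\r" from both sides of the assertion on the `+` line hides whatever is producing the carriage returns instead of pinning down the marshaller's line-ending contract; if the output is meant to be platform-independent, fix that in the marshaller and keep the exact comparison, otherwise normalise only the expected side and say why in a comment. Note also that the unchanged `assertThat( outputStream.size(), greaterThan( 15 ) )` still counts the CRs, so the two assertions now disagree about what the output is.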
@kellyrob99 Owner

Any special reason we have to strip carriage returns now?

This change is obsolete now. I had fixed this a while ago on this branch, but ended up fixing on master in a better way. I will remove this change.

@kellyrob99 kellyrob99 commented on the diff
...ype/nexus/web/PlexusContainerContextListenerTest.java
@@ -1,66 +0,0 @@
-/*
@kellyrob99 Owner

This doesn't have any relevance to the task at hand, does it?

This test was going to need some updates to work with these changes, and the comments in the test suggested it was obsolete. Before spending any time on this test, I spoke with Tamas, who said to kill it.

@kellyrob99
Owner

Couple of minor questions, but nothing that should hold up merging
+1

@scarlucci scarlucci Undo change to get test working on Windows
This change was already made on master, in a better way
04ec5db
@scarlucci scarlucci merged commit 7829bfc into master
@scarlucci scarlucci deleted the NXCM-4361-salt-rework branch
Commits on Mar 19, 2013
  1. @scarlucci
  2. @scarlucci
  3. @scarlucci
  4. @scarlucci

    Add hashIterations element

    scarlucci authored
  5. @scarlucci

    Change to versioned packages

    scarlucci authored
  6. @scarlucci
  7. @scarlucci
  8. @scarlucci
Commits on Mar 21, 2013
  1. @scarlucci
  2. @scarlucci
Commits on Apr 4, 2013
  1. @scarlucci
  2. @scarlucci

    Revert "Change to versioned packages"

    scarlucci authored
    This reverts commit 396137d.
  3. @scarlucci

    Revert "Update tests to use hamcrest matchers"

    scarlucci authored
    This reverts commit cd370d2.
  4. @scarlucci

    Revert "Update DefaultPasswordGenerator tests"

    scarlucci authored
    This reverts commit 3e01cf4.
  5. @scarlucci
Commits on Apr 5, 2013
  1. @scarlucci
  2. @scarlucci

    Kill test - not needed

    scarlucci authored
    With the password changes, this test was creating nexus-web-utils/null/security-configuration.xml because it was not defining application-conf. Spoke to Tamas about this, and we decided to kill this test
Commits on May 1, 2013
  1. @scarlucci
Commits on May 2, 2013
  1. @scarlucci
Commits on May 3, 2013
  1. @scarlucci

    Undo change to get test working on Windows

    scarlucci authored
    This change was already made on master, in a better way
Showing with 33 additions and 86 deletions.
  1. +1 −0  nexus-core/src/main/java/org/sonatype/nexus/configuration/application/upgrade/Upgrade108to140.java
  2. +2 −2 nexus-core/src/main/resources/META-INF/security/security-configuration.xml
  3. +2 −1  nexus-core/src/test/resources/org/sonatype/nexus/configuration/upgrade/103-1/security-configuration-103.xml
  4. +2 −1  nexus-core/src/test/resources/org/sonatype/nexus/configuration/upgrade/103-2/security-configuration-103.xml
  5. +2 −1  ...-core/src/test/resources/org/sonatype/nexus/configuration/upgrade/nexus1710/security-configuration-1710.xml
  6. +2 −1  nexus-core/src/test/resources/org/sonatype/nexus/configuration/upgrade/security-configuration-001-1.xml
  7. +2 −1  nexus-core/src/test/resources/org/sonatype/nexus/configuration/upgrade/security-configuration-001-2.xml
  8. +2 −1  nexus-core/src/test/resources/org/sonatype/nexus/configuration/upgrade/security-configuration-001-3.xml
  9. +2 −1  nexus-core/src/test/resources/org/sonatype/nexus/configuration/upgrade/security-configuration-100.xml
  10. +2 −1  nexus-core/src/test/resources/org/sonatype/nexus/configuration/upgrade/security-configuration-101.xml
  11. +2 −1  nexus-core/src/test/resources/org/sonatype/nexus/configuration/upgrade/security-configuration-104.xml
  12. +2 −1  nexus-core/src/test/resources/org/sonatype/nexus/configuration/upgrade/security-configuration-105.xml
  13. +2 −1  nexus-core/src/test/resources/org/sonatype/nexus/configuration/upgrade/security-configuration-108.xml
  14. +0 −66 nexus-web-utils/src/test/java/org/sonatype/nexus/web/PlexusContainerContextListenerTest.java
  15. +2 −2 plugins/ldap/nexus-ldap-realm-plugin/src/test/resources/test-conf/security-configuration.xml
  16. +2 −2 plugins/restlet1x/nexus-restlet1x-plugin/src/test/resources/META-INF/security/security-configuration.xml
  17. +2 −1  ...x-plugin/src/test/resources/org/sonatype/nexus/security/UserPrincipalsHelperTest-security-configuration.xml
  18. +2 −2 ...tlet1x-plugin/src/test/resources/org/sonatype/security/web/testapp/SampleAppTest-security-configuration.xml
1  ...e/src/main/java/org/sonatype/nexus/configuration/application/upgrade/Upgrade108to140.java
@@ -280,6 +280,7 @@ private void upgradeSecurity( org.sonatype.nexus.configuration.model.v1_0_8.CSec
"Failed to decrype anonymous password in nexus.xml, password might be encrypted in memory.", e );
}
securityConfig.setEnabled( oldsecurity.isEnabled() );
+ securityConfig.setHashIterations(1024);
List<String> realms = oldsecurity.getRealms();
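Review bot: `securityConfig.setHashIterations(1024);` hard-codes the same magic number that security-configuration.xml declares in its hashIterations element, so the upgrade path and the shipped default can silently drift apart; read both from one named constant (or the model's default) instead. While touching this method, the message on the context line reads "Failed to decrype"; "decrypt" is meant.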
4 nexus-core/src/main/resources/META-INF/security/security-configuration.xml
@@ -13,7 +13,7 @@
-->
<security-configuration>
- <version>2.0.3</version>
+ <version>2.0.4</version>
<enabled>true</enabled>
<anonymousAccessEnabled>true</anonymousAccessEnabled>
<anonymousUsername>anonymous</anonymousUsername>
@@ -22,5 +22,5 @@
<realm>XmlAuthenticatingRealm</realm>
<realm>XmlAuthorizingRealm</realm>
</realms>
-
+ <hashIterations>1024</hashIterations>
</security-configuration>
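Review bot: the new `<hashIterations>1024</hashIterations>` line carries no comment on what it controls, and this file is the one place the iteration count is configured; a short XML comment stating that it is the number of SHA-512 rounds applied when hashing a password, and whether changing it affects hashes already stored or only new ones, would save the next operator a trip to the source.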
3  ...t/resources/org/sonatype/nexus/configuration/upgrade/103-1/security-configuration-103.xml
@@ -1,6 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<security-configuration>
- <version>2.0.3</version>
+ <version>2.0.4</version>
<enabled>true</enabled>
<anonymousAccessEnabled>true</anonymousAccessEnabled>
<anonymousUsername>anonymous</anonymousUsername>
@@ -10,4 +10,5 @@
<realm>XmlAuthorizingRealm</realm>
</realms>
<securityManager>default</securityManager>
+ <hashIterations>1024</hashIterations>
</security-configuration>
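Review bot: this fixture sits under configuration/upgrade/103-1 yet is bumped to 2.0.4 and given a hashIterations element; if it is the expected result of upgrading a 1.0.3 file the bump is right, but if it is the pre-upgrade input then a 2.0.3 file without hashIterations is no longer exercised and the `setHashIterations(1024)` added to Upgrade108to140 goes untested. The same question applies to every other security-configuration-*.xml fixture under upgrade/ in this patch.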
3  ...t/resources/org/sonatype/nexus/configuration/upgrade/103-2/security-configuration-103.xml
@@ -1,6 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<security-configuration>
- <version>2.0.3</version>
+ <version>2.0.4</version>
<enabled>true</enabled>
<anonymousAccessEnabled>true</anonymousAccessEnabled>
<anonymousUsername>anonymous</anonymousUsername>
@@ -10,4 +10,5 @@
<realm>XmlAuthorizingRealm</realm>
</realms>
<securityManager>default</securityManager>
+ <hashIterations>1024</hashIterations>
</security-configuration>
3  ...ources/org/sonatype/nexus/configuration/upgrade/nexus1710/security-configuration-1710.xml
@@ -1,6 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<security-configuration>
- <version>2.0.3</version>
+ <version>2.0.4</version>
<enabled>true</enabled>
<anonymousAccessEnabled>true</anonymousAccessEnabled>
<anonymousUsername>anonymous</anonymousUsername>
@@ -11,4 +11,5 @@
<realm>XmlAuthorizingRealm</realm>
</realms>
<securityManager>default</securityManager>
+ <hashIterations>1024</hashIterations>
</security-configuration>
3  .../test/resources/org/sonatype/nexus/configuration/upgrade/security-configuration-001-1.xml
@@ -1,6 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<security-configuration>
- <version>2.0.3</version>
+ <version>2.0.4</version>
<enabled>true</enabled>
<anonymousAccessEnabled>true</anonymousAccessEnabled>
<anonymousUsername>anonymous</anonymousUsername>
@@ -10,4 +10,5 @@
<realm>XmlAuthorizingRealm</realm>
</realms>
<securityManager>default</securityManager>
+ <hashIterations>1024</hashIterations>
</security-configuration>
3  .../test/resources/org/sonatype/nexus/configuration/upgrade/security-configuration-001-2.xml
@@ -1,6 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<security-configuration>
- <version>2.0.3</version>
+ <version>2.0.4</version>
<enabled>true</enabled>
<anonymousAccessEnabled>true</anonymousAccessEnabled>
<anonymousUsername>anonymous</anonymousUsername>
@@ -10,4 +10,5 @@
<realm>XmlAuthorizingRealm</realm>
</realms>
<securityManager>default</securityManager>
+ <hashIterations>1024</hashIterations>
</security-configuration>
3  .../test/resources/org/sonatype/nexus/configuration/upgrade/security-configuration-001-3.xml
@@ -1,6 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<security-configuration>
- <version>2.0.3</version>
+ <version>2.0.4</version>
<enabled>true</enabled>
<anonymousAccessEnabled>true</anonymousAccessEnabled>
<anonymousUsername>anonymous</anonymousUsername>
@@ -10,4 +10,5 @@
<realm>XmlAuthorizingRealm</realm>
</realms>
<securityManager>default</securityManager>
+ <hashIterations>1024</hashIterations>
</security-configuration>
3  ...rc/test/resources/org/sonatype/nexus/configuration/upgrade/security-configuration-100.xml
@@ -1,6 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<security-configuration>
- <version>2.0.3</version>
+ <version>2.0.4</version>
<enabled>true</enabled>
<anonymousAccessEnabled>true</anonymousAccessEnabled>
<anonymousUsername>anonymous</anonymousUsername>
@@ -10,4 +10,5 @@
<realm>XmlAuthorizingRealm</realm>
</realms>
<securityManager>default</securityManager>
+ <hashIterations>1024</hashIterations>
</security-configuration>
3  ...rc/test/resources/org/sonatype/nexus/configuration/upgrade/security-configuration-101.xml
@@ -1,6 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<security-configuration>
- <version>2.0.3</version>
+ <version>2.0.4</version>
<enabled>true</enabled>
<anonymousAccessEnabled>true</anonymousAccessEnabled>
<anonymousUsername>anonymous</anonymousUsername>
@@ -10,4 +10,5 @@
<realm>XmlAuthorizingRealm</realm>
</realms>
<securityManager>default</securityManager>
+ <hashIterations>1024</hashIterations>
</security-configuration>
3  ...rc/test/resources/org/sonatype/nexus/configuration/upgrade/security-configuration-104.xml
@@ -1,6 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<security-configuration>
- <version>2.0.3</version>
+ <version>2.0.4</version>
<enabled>true</enabled>
<anonymousAccessEnabled>true</anonymousAccessEnabled>
<anonymousUsername>anonymous2</anonymousUsername>
@@ -10,4 +10,5 @@
<realm>XmlAuthorizingRealm</realm>
</realms>
<securityManager>default</securityManager>
+ <hashIterations>1024</hashIterations>
</security-configuration>
3  ...rc/test/resources/org/sonatype/nexus/configuration/upgrade/security-configuration-105.xml
@@ -1,6 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<security-configuration>
- <version>2.0.3</version>
+ <version>2.0.4</version>
<enabled>true</enabled>
<anonymousAccessEnabled>true</anonymousAccessEnabled>
<anonymousUsername>anonymous2</anonymousUsername>
@@ -10,4 +10,5 @@
<realm>XmlAuthorizingRealm</realm>
</realms>
<securityManager>default</securityManager>
+ <hashIterations>1024</hashIterations>
</security-configuration>
3  ...rc/test/resources/org/sonatype/nexus/configuration/upgrade/security-configuration-108.xml
@@ -1,6 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<security-configuration>
- <version>2.0.3</version>
+ <version>2.0.4</version>
<enabled>true</enabled>
<anonymousAccessEnabled>true</anonymousAccessEnabled>
<anonymousUsername>anonymous</anonymousUsername>
@@ -11,4 +11,5 @@
<realm>XmlAuthorizingRealm</realm>
</realms>
<securityManager>default</securityManager>
+ <hashIterations>1024</hashIterations>
</security-configuration>
66 nexus-web-utils/src/test/java/org/sonatype/nexus/web/PlexusContainerContextListenerTest.java
@@ -1,66 +0,0 @@
-/*
- * Sonatype Nexus (TM) Open Source Version
- * Copyright (c) 2007-2012 Sonatype, Inc.
- * All rights reserved. Includes the third-party code listed at http://links.sonatype.com/products/nexus/oss/attributions.
- *
- * This program and the accompanying materials are made available under the terms of the Eclipse Public License Version 1.0,
- * which accompanies this distribution and is available at http://www.eclipse.org/legal/epl-v10.html.
- *
- * Sonatype Nexus (TM) Professional Version is available from Sonatype, Inc. "Sonatype" and "Sonatype Nexus" are trademarks
- * of Sonatype, Inc. Apache Maven is a trademark of the Apache Software Foundation. M2eclipse is a trademark of the
- * Eclipse Foundation. All other trademarks are the property of their respective owners.
- */
-package org.sonatype.nexus.web;
-
-import java.io.File;
-
-import javax.servlet.http.HttpServlet;
-
-import org.junit.Assert;
-import org.junit.Before;
-import org.junit.Test;
-
-import com.meterware.httpunit.PostMethodWebRequest;
-import com.meterware.httpunit.WebRequest;
-import com.meterware.servletunit.InvocationContext;
-import com.meterware.servletunit.ServletRunner;
-import com.meterware.servletunit.ServletUnitClient;
-
-// FIXME: Consider dropping this test... its not terribly useful
-
-/**
- * Big fat not: this is semi-finished: maven sets the basedir, hence it was esites to move plexus files to /conf/ folder
- * in root of this module.
- *
- * @author cstamas
- */
-public class PlexusContainerContextListenerTest
-{
- protected File webXml;
-
- protected ServletRunner servletRunner;
-
- @Before
- public void setUp()
- throws Exception
- {
- webXml = new File( "src/test/resources/httpunit/WEB-INF/web.xml" );
-
- servletRunner = new ServletRunner( webXml, "/target/httpunit" );
- }
-
- @Test
- public void testListener()
- throws Exception
- {
- ServletUnitClient client = servletRunner.newClient();
-
- WebRequest request = new PostMethodWebRequest( "http://localhost/target/httpunit/dummyServlet" );
-
- InvocationContext context = client.newInvocation( request );
-
- HttpServlet servlet = (HttpServlet) context.getServlet();
-
- Assert.assertNotNull( servlet.getServletContext().getAttribute( "plexus" ) );
- }
-}
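Review bot: deleting PlexusContainerContextListenerTest removes the only coverage visible in this PR that the listener sets the `plexus` attribute on the ServletContext; the commit message says the test was creating nexus-web-utils/null/security-configuration.xml because application-conf was not defined, which reads as a setup gap rather than an obsolete test. If the decision to drop it stands, record that (and the FIXME in the deleted header) in the PR description; otherwise defining application-conf in setUp() would be a far smaller change than a 66-line deletion.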
4 plugins/ldap/nexus-ldap-realm-plugin/src/test/resources/test-conf/security-configuration.xml
@@ -1,5 +1,5 @@
<security-configuration>
- <version>2.0.3</version>
+ <version>2.0.4</version>
<enabled>true</enabled>
<anonymousAccessEnabled>false</anonymousAccessEnabled>
<anonymousUsername>anonymous-user</anonymousUsername>
@@ -9,5 +9,5 @@
<realm>XmlAuthenticatingRealm</realm>
<realm>XmlAuthorizingRealm</realm>
</realms>
-
+ <hashIterations>1024</hashIterations>
</security-configuration>
4 ...1x/nexus-restlet1x-plugin/src/test/resources/META-INF/security/security-configuration.xml
@@ -13,7 +13,7 @@
-->
<security-configuration>
- <version>2.0.3</version>
+ <version>2.0.4</version>
<enabled>true</enabled>
<anonymousAccessEnabled>false</anonymousAccessEnabled>
<anonymousUsername>anonymous-user</anonymousUsername>
@@ -22,5 +22,5 @@
<realm>XmlAuthenticatingRealm</realm>
<realm>XmlAuthorizingRealm</realm>
</realms>
-
+ <hashIterations>1024</hashIterations>
</security-configuration>
3  ...resources/org/sonatype/nexus/security/UserPrincipalsHelperTest-security-configuration.xml
@@ -1,5 +1,5 @@
<security-configuration>
- <version>2.0.3</version>
+ <version>2.0.4</version>
<anonymousAccessEnabled>true</anonymousAccessEnabled>
<anonymousUsername>anonymous</anonymousUsername>
<anonymousPassword>{oHoWkZPMDS8Hc3TVuAGDRGYK/NRIM/047Idl50aU19U=}</anonymousPassword>
@@ -8,4 +8,5 @@
<realm>XmlAuthorizingRealm</realm>
</realms>
<securityManager>default</securityManager>
+ <hashIterations>1024</hashIterations>
</security-configuration>
4 ...test/resources/org/sonatype/security/web/testapp/SampleAppTest-security-configuration.xml
@@ -13,7 +13,7 @@
-->
<security-configuration>
- <version>2.0.3</version>
+ <version>2.0.4</version>
<enabled>true</enabled>
<anonymousAccessEnabled>false</anonymousAccessEnabled>
<anonymousUsername>anonymous-user</anonymousUsername>
@@ -22,5 +22,5 @@
<realm>XmlAuthorizingRealm</realm>
<realm>XmlAuthenticatingRealm</realm>
</realms>
-
+ <hashIterations>1024</hashIterations>
</security-configuration>