* + Password is set as a system property. * + The password is prompted for and read from standard input * + A program is run to get the password. ** Passwords that begin with EXEC: are interpreted as a command, whose * output is read. *
* Passwords that begin with OBF: are de obfuscated. * Passwords can be obfuscated by run org.mortbay.util.Password as a * main class. Obfuscated password are required if a system needs * to recover the full password (eg. so that it may be passed to another * system). They are not secure, but prevent casual observation. *
* Passwords that begin with CHK: are password checksums. The real
* password cannot be retrieved, but comparisons can be made to other
* passwords. A password checksum can be generated by running
* org.mortbay.util.Password as a main class. Checksum passwords are
* a secure way to stor passwords that only need to be checked rather
* than recovered.
*
* Passwords that begin with CRYPT: are oneway encrypted with
* UnixCrypt. The real password cannot be retrieved, but comparisons
* can be made to other passwords. A Crype can be generated by running
* org.mortbay.util.UnixCrypt as a main class, passing password and
* then the username. Checksum passwords are a secure(ish) way to
* store passwords that only need to be checked rather
* than recovered. Note that it is not strong security - specially if
* simple passwords are used.
*
* @version $Id: Password.java,v 1.1 2001/09/02 01:13:08 gregwilkins Exp $
* @author Greg Wilkins (gregw)
*/
public class Password
{
private String _pw;
private char[] _pwc;
private String _cs;
/* ------------------------------------------------------------ */
public Password()
{}
/* ------------------------------------------------------------ */
/** Constructor.
* @param realm
*/
public Password(String realm)
{
this(realm,"",null);
}
/* ------------------------------------------------------------ */
/** Constructor.
* @param realm
*/
public Password(String realm,String passwd)
{
setPassword(realm,passwd);
}
/* ------------------------------------------------------------ */
/** Constructor.
* Attempts to get the password from a system property using
* the realm name as a property key. If no password is found,
* the default is used. If the default is not set then stdin
* is prompted for the password. Then if no password is
* entered, the promptDft is used.
* @param realm The realm name
* @param dft Default password, if none set in the realm
* @param promptDft Default password, if prompt fails
*/
public Password(String realm,String dft,String promptDft)
{
String passwd=System.getProperty(realm,dft);
if (passwd==null || passwd.length()==0)
{
try
{
System.out.print(realm+
((promptDft!=null && promptDft.length()>0)
?" [dft]":"")+" : ");
System.out.flush();
byte[] buf = new byte[512];
int len=System.in.read(buf);
passwd=new String(buf,0,len).trim();
}
catch(IOException e)
{
Code.warning(e);
}
if (passwd==null || passwd.length()==0)
passwd=promptDft;
}
setPassword(realm,passwd);
}
/* ------------------------------------------------------------ */
/**
* @param password
*/
private void setPassword(String realm,String password)
{
_pw=password;
// expand password
while (_pw!=null && _pw.startsWith("EXEC:"))
_pw=expand(realm,_pw.substring(5).trim());
while (_pw!=null && _pw.startsWith("OBF:"))
_pw=deobfuscate(_pw);
if (_pw.startsWith("CHK:"))
{
_cs=_pw;
_pw=null;
_pwc=null;
}
else if (_pw.startsWith("CRYPT:"))
{
_cs=_pw;
_pw=null;
_pwc=null;
}
else
{
_pwc = _pw.toCharArray();
_cs=checksum(_pw);
}
}
/* ------------------------------------------------------------ */
/* Evaluate exec password
* @param realm
* @param pass
* @return
*/
private String expand(String realm, String pass)
{
Process process=null;
try{
process = Runtime.getRuntime().exec(pass);
OutputStream out = process.getOutputStream();
out.write((realm+"\n").getBytes());
out.flush();
InputStream in = process.getInputStream();
byte[] buf = new byte[512];
int len=in.read(buf);
pass=new String(buf,0,len).trim();
}
catch(Exception e)
{
Code.warning(e);
}
finally
{
if (process!=null)
process.destroy();
}
System.err.println("PW="+pass);
return pass;
}
/* ------------------------------------------------------------ */
public String toString()
{
return _pw==null?_cs:_pw;
}
/* ------------------------------------------------------------ */
public String toStarString()
{
if (_pw==null)
return null;
return "********************************************************************************".substring(0,_pw.length());
}
/* ------------------------------------------------------------ */
public char[] getCharArray()
{
if (_pwc==null)
return null;
return _pwc;
}
/* ------------------------------------------------------------ */
public String getChecksum()
{
return _cs;
}
/* ------------------------------------------------------------ */
public boolean check(String passwd)
{
Password pw=new Password("password",passwd);
if (_pw!=null && pw._pw!=null)
return _pw.equals(pw._pw);
if (_cs.startsWith("CRYPT:"))
return _cs.endsWith(UnixCrypt.crypt(passwd,_cs.substring("CRYPT:".length())));
return getChecksum().equals(pw.getChecksum());
}
/* ------------------------------------------------------------ */
public boolean equals(Object o)
{
Password pw=null;
if (o instanceof Password)
{
pw=(Password)o;
if (_pw!=null)
return _pw.equals(pw._pw);
if (_cs!=null && pw._pw==null)
return _cs.equals(pw._cs);
}
return false;
}
/* ------------------------------------------------------------ */
/** Zero the password.
* The checksum is not effected, so comparisons may be made on
* zeroed passwords.
*/
public void zero()
{
_pw=null;
if (_pwc!=null)
java.util.Arrays.fill(_pwc,'\0');
_pwc=null;
}
/* ------------------------------------------------------------ */
public static String obfuscate(String s)
{
StringBuffer buf = new StringBuffer();
byte[] b = s.getBytes();
synchronized(buf)
{
buf.append("OBF:");
for (int i=0;i