Fixes #12350 - LdapLoginModule support for Jetty Password obfuscation.

Now using Credential.getCredential() to mangle the bind password provided in the options.

Signed-off-by: Simone Bordet <simone.bordet@gmail.com>

jetty-core/jetty-security/src/main/java/org/eclipse/jetty/security/jaas/spi/LdapLoginModule.java

@@ -41,7 +41,6 @@
 
 import org.eclipse.jetty.security.UserPrincipal;
 import org.eclipse.jetty.security.jaas.callback.ObjectCallback;
-import org.eclipse.jetty.util.StringUtil;
 import org.eclipse.jetty.util.TypeUtil;
 import org.eclipse.jetty.util.security.Credential;
 import org.slf4j.Logger;
@@ -240,7 +239,7 @@ public JAASUser getUser(String username) throws Exception
 
     protected String doRFC2254Encoding(String inputString)
     {
-        StringBuffer buf = new StringBuffer(inputString.length());
+        StringBuilder buf = new StringBuilder(inputString.length());
         for (int i = 0; i < inputString.length(); i++)
         {
             char c = inputString.charAt(i);
@@ -279,11 +278,10 @@ protected String doRFC2254Encoding(String inputString)
     private Attributes getUserAttributes(String username) throws LoginException
     {
         SearchResult result = findUser(username);
-        Attributes attributes = result.getAttributes();
-        return attributes;
+        return result.getAttributes();
     }
 
-    private String getUserCredentials(Attributes attributes) throws LoginException
+    private String getUserCredentials(Attributes attributes)
     {
         String ldapCredential = null;
 
@@ -421,7 +419,7 @@ public boolean login() throws LoginException
                 return isAuthenticated();
             }
 
-            boolean authed = false;
+            boolean authed;
 
             if (_forceBindingLogin)
             {
@@ -514,7 +512,7 @@ public boolean bindingLogin(String username, Object password) throws LoginExcept
 
         Hashtable<Object, Object> environment = getEnvironment();
 
-        if (userDn == null || "".equals(userDn))
+        if (userDn == null || userDn.isEmpty())
         {
             throw new FailedLoginException("username may not be empty");
         }
@@ -533,10 +531,6 @@ public boolean bindingLogin(String username, Object password) throws LoginExcept
             setAuthenticated(true);
             return true;
         }
-        catch (AuthenticationException e)
-        {
-            throw new FailedLoginException(e.getMessage());
-        }
         catch (NamingException e)
         {
             throw new FailedLoginException(e.getMessage());
@@ -548,7 +542,7 @@ private SearchResult findUser(String username) throws LoginException
         String filter = "(&(objectClass={0})({1}={2}))";
 
         if (LOG.isDebugEnabled())
-            LOG.debug("Searching for user {} with filter: \'{}\' from base dn: {}", username, filter, _userBaseDn);
+            LOG.debug("Searching for user {} with filter: '{}' from base dn: {}", username, filter, _userBaseDn);
 
         Object[] filterArguments = new Object[]{
             _userObjectClass,
@@ -581,7 +575,7 @@ private SearchResult findUser(DirContext dirContext, String filter, Object[] fil
         if (!results.hasMoreElements())
             throw new FailedLoginException("User not found.");
 
-        SearchResult searchResult = (SearchResult)results.nextElement();
+        SearchResult searchResult = results.nextElement();
         if (results.hasMoreElements())
             throw new FailedLoginException("Search result contains ambiguous entries");
 
@@ -610,7 +604,8 @@ public void initialize(Subject subject,
         _port = Integer.parseInt((String)options.get("port"));
         _contextFactory = (String)options.get("contextFactory");
         _bindDn = (String)options.get("bindDn");
-        _bindPassword = (String)options.get("bindPassword");
+        String bindPassword = (String)options.get("bindPassword");
+        _bindPassword = bindPassword == null ? null : Credential.getCredential(bindPassword).toString();
         _authenticationMethod = (String)options.get("authenticationMethod");
 
         _userBaseDn = (String)options.get("userBaseDn");
@@ -731,13 +726,13 @@ public static String convertCredentialLdapToJetty(String encryptedPassword)
 
         if (encryptedPassword.toUpperCase(Locale.ENGLISH).startsWith("{MD5}"))
         {
-            String src = encryptedPassword.substring("{MD5}".length(), encryptedPassword.length());
+            String src = encryptedPassword.substring("{MD5}".length());
             return "MD5:" + base64ToHex(src);
         }
 
         if (encryptedPassword.toUpperCase(Locale.ENGLISH).startsWith("{CRYPT}"))
         {
-            return "CRYPT:" + encryptedPassword.substring("{CRYPT}".length(), encryptedPassword.length());
+            return "CRYPT:" + encryptedPassword.substring("{CRYPT}".length());
         }
 
         return encryptedPassword;
@@ -748,10 +743,4 @@ private static String base64ToHex(String src)
         byte[] bytes = Base64.getDecoder().decode(src);
         return TypeUtil.toString(bytes, 16);
     }
-
-    private static String hexToBase64(String src)
-    {
-        byte[] bytes = StringUtil.fromHexString(src);
-        return Base64.getEncoder().encodeToString(bytes);
-    }
 }

jetty-core/jetty-security/src/test/java/org/eclipse/jetty/security/jaas/JAASLdapLoginServiceTest.java

@@ -164,7 +164,7 @@ public AppConfigurationEntry[] getAppConfigurationEntry(String name)
             options.put("port", Integer.toString(ldapServer.getTransports()[0].getPort()));
             options.put("contextFactory", "com.sun.jndi.ldap.LdapCtxFactory");
             options.put("bindDn", "uid=admin,ou=system");
-            options.put("bindPassword", "secret");
+            options.put("bindPassword", "OBF:1yta1t331v8w1v9q1t331ytc");
             options.put("userBaseDn", "ou=people,dc=jetty,dc=org");
             options.put("roleBaseDn", "ou=groups,dc=jetty,dc=org");
             options.put("roleNameAttribute", "cn");