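/**
 * $RCSfile$
 * $Revision$
 * $Date$
 *
 * Copyright (C) 2004 Jive Software. All rights reserved.
 *
 * This software is published under the terms of the GNU Public License (GPL),
 * a copy of which is included in this distribution.
 */

package org.jivesoftware.messenger.auth;

import org.jivesoftware.database.DbConnectionManager;
import org.jivesoftware.util.Log;
import org.jivesoftware.messenger.user.UserNotFoundException;
import org.jivesoftware.stringprep.Stringprep;
import org.jivesoftware.stringprep.StringprepException;

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

/**
 * Default AuthProvider implementation. It authenticates against the <tt>jiveUser</tt>
 * database table and supports plain text and digest authentication.
 *
 * Both authentication paths load the stored password for the (nodeprep'd) username
 * and perform the comparison in Java, in constant time with respect to the
 * compared contents. The plain path deliberately does <em>not</em> ask the
 * database to match the password (<tt>WHERE password=?</tt>): on databases with a
 * case-insensitive or space-padding collation on that column such a query accepts
 * passwords that differ from the stored one.
 *
 * Security caveat: digest authentication recomputes
 * {@link AuthFactory#createDigest(String, String)} over the value read from the
 * <tt>password</tt> column, so that column must hold exactly the value the client
 * digests, i.e. the plain password. Hashing passwords at rest would require
 * dropping digest support (see {@link #isDigestSupported()}).
 *
 * Because each call to authenticate() makes a database connection, the
 * results of authentication should be cached whenever possible.
 *
 * @author Matt Tucker
 */
public class DefaultAuthProvider implements AuthProvider {

    /** Loads the stored password for a username; the username is bound as a parameter. */
    private static final String SELECT_PASSWORD =
            "SELECT password FROM jiveUser WHERE username=?";

    /**
     * Authenticates a user with a plain text password.
     *
     * @param username the username to check (normalized with nodeprep before use).
     * @param password the plain text password supplied by the client.
     * @throws UnauthorizedException if either argument is null, the username is not
     *      a legal nodeprep'd string, the user does not exist, the stored password is
     *      NULL, the supplied password does not exactly match the stored one, or a
     *      database error occurred (the error is logged, not exposed).
     */
    public void authenticate(String username, String password) throws UnauthorizedException {
        if (username == null || password == null) {
            throw new UnauthorizedException();
        }
        username = prepUsername(username);
        String stored = loadStoredPassword(username);
        // No row and a NULL password column are both treated as "no match";
        // the comparison is exact (case- and whitespace-sensitive) regardless of
        // the database's column collation.
        if (stored == null || !constantTimeEquals(password, stored, false)) {
            throw new UnauthorizedException();
        }
        // Got this far, so the user must be authorized.
    }

    /**
     * Authenticates a user with a digest of a token and the password.
     *
     * @param username the username to check (normalized with nodeprep before use).
     * @param token the token the client was given to digest together with its password.
     * @param digest the digest supplied by the client, compared case-insensitively
     *      (hex digests may arrive in either case).
     * @throws UnauthorizedException if any argument is null, the username is not a
     *      legal nodeprep'd string, the user does not exist, the stored password is
     *      NULL, the digest does not match, or a database error occurred.
     */
    public void authenticate(String username, String token, String digest)
            throws UnauthorizedException {
        if (username == null || token == null || digest == null) {
            throw new UnauthorizedException();
        }
        username = prepUsername(username);
        String stored = loadStoredPassword(username);
        // NOTE(review): an unknown user is rejected before any digest is computed, so
        // the response time differs slightly from a wrong-password attempt. Computing a
        // dummy digest here would close that gap; left as is because it is not known
        // from this file what inputs createDigest() accepts.
        if (stored == null) {
            throw new UnauthorizedException();
        }
        String anticipatedDigest = AuthFactory.createDigest(token, stored);
        if (anticipatedDigest == null || !constantTimeEquals(digest, anticipatedDigest, true)) {
            throw new UnauthorizedException();
        }
        // Got this far, so the user must be authorized.
    }

    public boolean isPlainSupported() {
        return true;
    }

    public boolean isDigestSupported() {
        return true;
    }

    /**
     * Applies the nodeprep stringprep profile to a username so that lookups use the
     * same canonical form the rest of the system uses.
     *
     * @param username the raw username (non-null).
     * @return the nodeprep'd username.
     * @throws UnauthorizedException if the username is not a legal node identifier.
     */
    private static String prepUsername(String username) throws UnauthorizedException {
        try {
            return Stringprep.nodeprep(username);
        }
        catch (StringprepException se) {
            throw new UnauthorizedException("Illegal username: " + se.getMessage());
        }
    }

    /**
     * Reads the stored password for a username from the <tt>jiveUser</tt> table.
     *
     * @param username the nodeprep'd username.
     * @return the stored password, or null if there is no such user or the column is NULL.
     * @throws UnauthorizedException if a database error occurs; the error is logged
     *      and deliberately not propagated to the caller.
     */
    private static String loadStoredPassword(String username) throws UnauthorizedException {
        Connection con = null;
        PreparedStatement pstmt = null;
        ResultSet rs = null;
        try {
            con = DbConnectionManager.getConnection();
            pstmt = con.prepareStatement(SELECT_PASSWORD);
            pstmt.setString(1, username);
            rs = pstmt.executeQuery();
            if (!rs.next()) {
                return null;
            }
            return rs.getString(1);
        }
        catch (SQLException e) {
            Log.error("Exception in DbAuthProvider", e);
            throw new UnauthorizedException();
        }
        finally {
            // The result set is closed on every exit path, including the
            // "no user" and error paths, so nothing leaks back to the pool.
            closeQuietly(rs, pstmt, con);
        }
    }

    /**
     * Closes the JDBC resources that are non-null, each independently so that a
     * failure closing one does not prevent closing the others. Errors are logged only.
     */
    private static void closeQuietly(ResultSet rs, PreparedStatement pstmt, Connection con) {
        try {
            if (rs != null) {
                rs.close();
            }
        }
        catch (Exception e) {
            Log.error(e);
        }
        try {
            if (pstmt != null) {
                pstmt.close();
            }
        }
        catch (Exception e) {
            Log.error(e);
        }
        try {
            if (con != null) {
                con.close();
            }
        }
        catch (Exception e) {
            Log.error(e);
        }
    }

    /**
     * Compares two strings without short-circuiting on the first differing character,
     * so that the time taken does not reveal how much of a password or digest was
     * correct. The loop always runs over the longer of the two lengths.
     *
     * @param a the value supplied by the client.
     * @param b the expected value.
     * @param ignoreCase if true, characters are matched the way
     *      {@link String#equalsIgnoreCase(String)} matches them.
     * @return true if the strings are equal (under the chosen case rule); false if
     *      either is null.
     */
    private static boolean constantTimeEquals(String a, String b, boolean ignoreCase) {
        if (a == null || b == null) {
            return false;
        }
        int lenA = a.length();
        int lenB = b.length();
        int diff = lenA ^ lenB;
        int len = Math.max(lenA, lenB);
        for (int i = 0; i < len; i++) {
            char x = i < lenA ? a.charAt(i) : '\0';
            char y = i < lenB ? b.charAt(i) : '\0';
            if (ignoreCase) {
                x = foldCase(x);
                y = foldCase(y);
            }
            diff |= x ^ y;
        }
        return diff == 0;
    }

    /**
     * Case-folds one character exactly as String.equalsIgnoreCase does (upper-case
     * first, then lower-case), so digests in either hex case compare equal.
     */
    private static char foldCase(char c) {
        return Character.toLowerCase(Character.toUpperCase(c));
    }
}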