archive/jdk
1
0
Fork 0
mirror of https://github.com/openjdk/jdk.git synced 2025-09-22 20:14:43 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

5016517: Replace plaintext passwords by hashed passwords for out-of-the-box JMX Agent

Browse source 
Reviewed-by: rriggs, dfuchs, mchung
This commit is contained in:
Harsha Wardhana B 2017-11-28 21:04:42 +05:30
parent 800d7ffc3e
commit 46f665881f
7 changed files with 992 additions and 88 deletions
Download patch file Download diff file Expand all files Collapse all files

84
src/java.management/share/classes/com/sun/jmx/remote/security/FileLoginModule.java
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 2004, 2008, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2004, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -22,22 +22,17 @@
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package com.sun.jmx.remote.security;
import com.sun.jmx.mbeanserver.GetPropertyAction;
import com.sun.jmx.mbeanserver.Util;
import java.io.BufferedInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FilePermission;
import java.io.IOException;
import java.security.AccessControlException;
import java.security.AccessController;
import java.util.Arrays;
import java.util.Hashtable;
import java.util.Map;
import java.util.Properties;
import javax.security.auth.*;
import javax.security.auth.callback.*;
@ -59,10 +54,7 @@ import com.sun.jmx.remote.util.EnvHelp;
* the access control file for JMX remote management or in a Java security
* policy.
*
* <p> The password file comprises a list of key-value pairs as specified in
* {@link Properties}. The key represents a user's name and the value is its
* associated cleartext password. By default, the following password file is
* used:
* By default, the following password file is used:
* <pre>
* ${java.home}/conf/management/jmxremote.password
* </pre>
@ -105,6 +97,11 @@ import com.sun.jmx.remote.util.EnvHelp;
* <dd> if <code>true</code>, this module clears the username and password
* stored in the module's shared state after both phases of authentication
* (login and commit) have completed.</dd>
*
* <dt> <code>hashPasswords</code> </dt>
* <dd> if <code>true</code>, this module replaces each clear text password
* with its hash, if present. </dd>
*
* </dl>
*/
public class FileLoginModule implements LoginModule {
@ -135,6 +132,7 @@ public class FileLoginModule implements LoginModule {
private boolean tryFirstPass = false;
private boolean storePass = false;
private boolean clearPass = false;
private boolean hashPasswords = false;
// Authentication status
private boolean succeeded = false;
@ -154,7 +152,7 @@ public class FileLoginModule implements LoginModule {
private String passwordFileDisplayName;
private boolean userSuppliedPasswordFile;
private boolean hasJavaHomePermission;
private Properties userCredentials;
private HashedPasswordManager hashPwdMgr;
/**
* Initialize this <code>LoginModule</code>.
@ -186,6 +184,8 @@ public class FileLoginModule implements LoginModule {
"true".equalsIgnoreCase((String)options.get("storePass"));
clearPass =
"true".equalsIgnoreCase((String)options.get("clearPass"));
hashPasswords
= "true".equalsIgnoreCase((String) options.get("hashPasswords"));
passwordFile = (String)options.get("passwordFile");
passwordFileDisplayName = passwordFile;
@ -221,17 +221,28 @@ public class FileLoginModule implements LoginModule {
public boolean login() throws LoginException {
try {
loadPasswordFile();
synchronized (this) {
if (hashPwdMgr == null) {
hashPwdMgr = new HashedPasswordManager(passwordFile, hashPasswords);
}
}
hashPwdMgr.loadPasswords();
} catch (IOException ioe) {
LoginException le = new LoginException(
"Error: unable to load the password file: " +
passwordFileDisplayName);
throw EnvHelp.initCause(le, ioe);
}
if (userCredentials == null) {
throw new LoginException
("Error: unable to locate the users' credentials.");
} catch (SecurityException e) {
if (userSuppliedPasswordFile || hasJavaHomePermission) {
throw e;
} else {
final FilePermission fp
= new FilePermission(passwordFileDisplayName, "read");
AccessControlException ace = new AccessControlException(
"access denied " + fp.toString());
ace.initCause(e);
throw ace;
}
}
if (logger.debugOn()) {
@ -437,12 +448,7 @@ public class FileLoginModule implements LoginModule {
// get the username and password
getUsernamePassword(usePasswdFromSharedState);
String localPassword;
// userCredentials is initialized in login()
if (((localPassword = userCredentials.getProperty(username)) == null) ||
(! localPassword.equals(new String(password)))) {
if (!hashPwdMgr.authenticate(username, password)) {
// username not found or passwords do not match
if (logger.debugOn()) {
logger.debug("login", "Invalid username or password");
@ -468,38 +474,6 @@ public class FileLoginModule implements LoginModule {
}
}
/*
* Read the password file.
*/
private void loadPasswordFile() throws IOException {
FileInputStream fis;
try {
fis = new FileInputStream(passwordFile);
} catch (SecurityException e) {
if (userSuppliedPasswordFile || hasJavaHomePermission) {
throw e;
} else {
final FilePermission fp =
new FilePermission(passwordFileDisplayName, "read");
AccessControlException ace = new AccessControlException(
"access denied " + fp.toString());
ace.setStackTrace(e.getStackTrace());
throw ace;
}
}
try {
final BufferedInputStream bis = new BufferedInputStream(fis);
try {
userCredentials = new Properties();
userCredentials.load(bis);
} finally {
bis.close();
}
} finally {
fis.close();
}
}
/**
* Get the username and password.
* This method does not return any value.

333
src/java.management/share/classes/com/sun/jmx/remote/security/HashedPasswordManager.java Normal file
View file

@ -0,0 +1,333 @@
/*
* Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package com.sun.jmx.remote.security;
import com.sun.jmx.remote.util.ClassLogger;
import java.io.*;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.channels.FileLock;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.atomic.AtomicBoolean;
/**
* HashedPasswordManager loads passwords from the password file and optionally
* hashes them.
* <p>
* <p>
* This class accepts Unicode UTF-8 encoded file
* <p>
* <p>
* Each entry in the password file contains a username followed by a password.
* Password can be in clear text or as a hash. Hashed passwords must follow the
* below format. hashedPassword = base64_encoded_64_byte_salt W
* base64_encoded_hash W hash_algorithm where, W = spaces,
* base64_encoded_64_byte_salt = 64 byte random salt, base64_encoded_hash =
* hash_algorithm(password + salt), hash_algorithm = Algorithm string as
* specified in
* <a href="{@docRoot}/../specs/security/standard-names.html#messagedigest-algorithms">
* </a>
* hash_algorithm is an optional field. If not specified, SHA3-512 will be
* assumed.
* <p>
* <p>
* If passwords are in clear, they will be over-written by their hash if hashing
* is requested by setting com.sun.management.jmxremote.password.toHashes
* property to true in the management.properties file and if the password file
* is writable and if the system security policy allows writing into the
* password file, if a security manager is configured
* <p>
* <p>
* In order to change the password for a role, replace the hashed password entry
* with a new clear text password or a new hashed password. If the new password
* is in clear, it will be replaced with its hash when a new login attempt is
* made.
* <p>
* <p>
* A given role should have at most one entry in this file. If a role has no
* entry, it has no access. If multiple entries are found for the same role
* name, then the last one will be used.
* <p>
* <p>
* <p>
* A user generated hashed password file can also be used instead of a
* clear-text password file. If generated by the user, hashed passwords must
* follow the format specified above.
*/
final public class HashedPasswordManager {
private static final class UserCredentials {
private final String userName;
private final String hashAlgorithm;
private final String b64Salt;
private final String b64Hash;
public UserCredentials(String userName, String hashAlgorithm, String b64Salt, String b64Hash) {
this.userName = userName;
this.hashAlgorithm = hashAlgorithm;
this.b64Salt = b64Salt;
this.b64Hash = b64Hash;
}
@Override
public String toString() {
return userName + " " + b64Salt + " " + b64Hash + " " + hashAlgorithm;
}
}
private static final String DefaultHashAlgorithm = "SHA3-512";
private static final int DefaultSaltLength = 64;
private final SecureRandom random = new SecureRandom();
private final Map<String, UserCredentials> userCredentialsMap = new HashMap<>();
private final String passwordFile;
private final boolean shouldHashPasswords;
private boolean isLogged = false;
private static final ClassLogger logger
= new ClassLogger("javax.management.remote.misc",
"HashedPasswordManager");
/**
* Creates a new password manager for the input password file
*
* @param filename UTF-8 encoded input file to read passwords from
* @param shouldHashPasswords Request for clear passwords to be hashed
*/
public HashedPasswordManager(String filename, boolean shouldHashPasswords) {
this.passwordFile = filename;
this.shouldHashPasswords = shouldHashPasswords;
}
private String[] getHash(String algorithm, String password) {
try {
byte[] salt = new byte[DefaultSaltLength];
random.nextBytes(salt);
MessageDigest digest = MessageDigest.getInstance(algorithm);
digest.reset();
digest.update(salt);
byte[] hash = digest.digest(password.getBytes(StandardCharsets.UTF_8));
String saltStr = Base64.getEncoder().encodeToString(salt);
String hashStr = Base64.getEncoder().encodeToString(hash);
return new String[]{saltStr, hashStr};
} catch (NoSuchAlgorithmException ex) {
if (logger.debugOn()) {
logger.debug("getHash", "Invalid algorithm : " + algorithm);
}
// We should never reach here as default Hash Algorithm
// must be always present
return new String[]{"", ""};
}
}
private String[] readPasswordFile() throws IOException {
synchronized (HashedPasswordManager.class) {
byte[] data;
File f = new File(passwordFile);
try (FileInputStream fin = new FileInputStream(f);
FileLock lock = fin.getChannel().lock(0L, Long.MAX_VALUE, true)) {
data = new byte[(int) f.length()];
int read = fin.read(data);
if (read != data.length) {
throw new IOException("Failed to read data from the password file");
}
lock.release();
}
String str = new String(data, StandardCharsets.UTF_8);
return str.split("\\r?\\n");
}
}
private void writePasswordFile(String input) throws IOException {
synchronized (HashedPasswordManager.class) {
try (FileOutputStream fout = new FileOutputStream(passwordFile);
OutputStreamWriter out = new OutputStreamWriter(fout, StandardCharsets.UTF_8);
FileLock lock = fout.getChannel().lock()) {
out.write(input);
lock.release();
}
}
}
/**
* Authenticate the supplied credentials against the one present in the file
*
* @param userName Input username
* @param inputPassword Input password
* @return true if authentication succeeds, false otherwise
*/
public synchronized boolean authenticate(String userName, char[] inputPassword) {
if (userCredentialsMap.containsKey(userName)) {
try {
UserCredentials us = userCredentialsMap.get(userName);
byte[] salt = Base64.getDecoder().decode(us.b64Salt);
byte[] targetHash = Base64.getDecoder().decode(us.b64Hash);
MessageDigest digest = MessageDigest.getInstance(us.hashAlgorithm);
digest.reset();
digest.update(salt);
ByteBuffer byteBuffer = Charset.forName("UTF-8").encode(CharBuffer.wrap(inputPassword));
byte[] passwordBytes = new byte[byteBuffer.limit()];
byteBuffer.get(passwordBytes);
byte[] hash = digest.digest(passwordBytes);
return Arrays.equals(hash, targetHash);
} catch (NoSuchAlgorithmException ex) {
if (logger.debugOn()) {
logger.debug("authenticate", "Unrecognized hash algorithm : "
+ userCredentialsMap.get(userName).hashAlgorithm
+ " - for user : " + userName);
}
return false;
}
} else {
if (logger.debugOn()) {
logger.debug("authenticate", "Unknown user : " + userName);
}
return false;
}
}
/**
* Load passwords from the password file.
* <p>
* <p>
* This method should be called for every login attempt to load new/changed
* credentials, if any.
* <p>
* <p>
* If hashing is requested, clear passwords will be over-written with their
* SHA3-512 hash
*
* @throws IOException If unable to access the file
* @throws SecurityException If read/write file permissions are not granted
*/
public synchronized void loadPasswords()
throws IOException, SecurityException {
SecurityManager security = System.getSecurityManager();
if (security != null) {
security.checkRead(passwordFile);
}
AtomicBoolean hasClearPasswords = new AtomicBoolean(false);
StringBuilder sbuf = new StringBuilder();
final String header = "# The passwords in this file are hashed.\n"
+ "# In order to change the password for a role, replace the hashed "
+ "password entry\n"
+ "# with a clear text password or a new hashed password. "
+ "If the new password is in clear,\n# it will be replaced with its "
+ "hash when a new login attempt is made.\n\n";
userCredentialsMap.clear();
Arrays.stream(readPasswordFile()).forEach(line -> {
if (line.trim().startsWith("#")) { // Ignore comments
sbuf.append(line).append("\n");
return;
}
String[] tokens = line.split("\\s+");
switch (tokens.length) {
case 2: {
// Password is in clear
String[] b64str = getHash(DefaultHashAlgorithm, tokens[1]);
UserCredentials us = new UserCredentials(tokens[0], DefaultHashAlgorithm, b64str[0], b64str[1]);
sbuf.append(us.userName).append(" ").append(us.b64Salt).
append(" ").append(us.b64Hash).append(" ").
append(us.hashAlgorithm).append("\n");
if (userCredentialsMap.get(tokens[0]) != null) {
if (logger.debugOn()) {
logger.debug("loadPasswords", "Ignoring entry for role : " + tokens[0]);
}
}
userCredentialsMap.put(tokens[0], us);
hasClearPasswords.set(true);
if (logger.debugOn()) {
logger.debug("loadPasswords",
"Found atleast one clear password");
}
break;
}
case 3:
case 4: {
// Passwords are hashed
UserCredentials us = new UserCredentials(tokens[0], (tokens.length == 4 ? tokens[3] : DefaultHashAlgorithm),
tokens[1], tokens[2]);
sbuf.append(line).append("\n");
if (userCredentialsMap.get(tokens[0]) != null) {
if (logger.debugOn()) {
logger.debug("loadPasswords", "Ignoring entry for role : " + tokens[0]);
}
}
userCredentialsMap.put(tokens[0], us);
break;
}
default:
sbuf.append(line).append("\n");
break;
}
});
if (!shouldHashPasswords && hasClearPasswords.get()) {
if (logger.debugOn()) {
logger.debug("loadPasswords",
"Passwords in " + passwordFile + " are in clear but are requested "
+ "not to be hashed !!!");
}
}
// Check if header needs to be inserted
if (sbuf.indexOf("# The passwords in this file are hashed") != 0) {
sbuf.insert(0, header);
}
// Even if we are unable to write hashed passwords to password file,
// passwords will be hashed in memory so that jvm heap dump should not
// give away clear passwords
if (shouldHashPasswords && hasClearPasswords.get()) {
if (new File(passwordFile).canWrite()) {
writePasswordFile(sbuf.toString());
if (logger.debugOn()) {
logger.debug("loadPasswords",
"Wrote hashed passwords to file : " + passwordFile);
}
} else if (logger.debugOn() && !isLogged) {
isLogged = true;
logger.debug("loadPasswords",
"Passwords in " + passwordFile + " are in clear and password file is read-only. "
+ "Passwords cannot be hashed !!!!");
}
}
}
}

16
src/java.management/share/classes/com/sun/jmx/remote/security/JMXPluggableAuthenticator.java
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 2004, 2008, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2004, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -34,8 +34,6 @@ import java.security.PrivilegedExceptionAction;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;
import javax.management.remote.JMXPrincipal;
import javax.management.remote.JMXAuthenticator;
import javax.security.auth.AuthPermission;
import javax.security.auth.Subject;
@ -91,10 +89,12 @@ public final class JMXPluggableAuthenticator implements JMXAuthenticator {
String loginConfigName = null;
String passwordFile = null;
String hashPasswords = null;
if (env != null) {
loginConfigName = (String) env.get(LOGIN_CONFIG_PROP);
passwordFile = (String) env.get(PASSWORD_FILE_PROP);
hashPasswords = (String) env.get(HASH_PASSWORDS);
}
try {
@ -114,6 +114,7 @@ public final class JMXPluggableAuthenticator implements JMXAuthenticator {
}
final String pf = passwordFile;
final String hashPass = hashPasswords;
try {
loginContext = AccessController.doPrivileged(
new PrivilegedExceptionAction<LoginContext>() {
@ -122,7 +123,7 @@ public final class JMXPluggableAuthenticator implements JMXAuthenticator {
LOGIN_CONFIG_NAME,
null,
new JMXCallbackHandler(),
new FileLoginConfig(pf));
new FileLoginConfig(pf, hashPass));
}
});
} catch (PrivilegedActionException pae) {
@ -250,6 +251,8 @@ public final class JMXPluggableAuthenticator implements JMXAuthenticator {
private static final String LOGIN_CONFIG_NAME = "JMXPluggableAuthenticator";
private static final String PASSWORD_FILE_PROP =
"jmx.remote.x.password.file";
private static final String HASH_PASSWORDS =
"jmx.remote.x.password.toHashes";
private static final ClassLogger logger =
new ClassLogger("javax.management.remote.misc", LOGIN_CONFIG_NAME);
@ -303,19 +306,22 @@ private static class FileLoginConfig extends Configuration {
// The option that identifies the password file to use
private static final String PASSWORD_FILE_OPTION = "passwordFile";
private static final String HASH_PASSWORDS = "hashPasswords";
/**
* Creates an instance of <code>FileLoginConfig</code>
*
* @param passwordFile A filepath that identifies the password file to use.
* If null then the default password file is used.
* @param hashPasswords Flag to indicate if the password file needs to be hashed
*/
public FileLoginConfig(String passwordFile) {
public FileLoginConfig(String passwordFile, String hashPasswords) {
Map<String, String> options;
if (passwordFile != null) {
options = new HashMap<String, String>(1);
options.put(PASSWORD_FILE_OPTION, passwordFile);
options.put(HASH_PASSWORDS, hashPasswords);
} else {
options = Collections.emptyMap();
}