Author: stillalex
Date: Wed Jun  6 11:20:14 2018
New Revision: 1833010

URL: http://svn.apache.org/viewvc?rev=1833010&view=rev
Log:
OAK-7506 Prevent user enumeration by exploiting time delay vulnerability


Modified:
    
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserAuthentication.java

Modified: 
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserAuthentication.java
URL: 
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserAuthentication.java?rev=1833010&r1=1833009&r2=1833010&view=diff
==============================================================================
--- 
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserAuthentication.java
 (original)
+++ 
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserAuthentication.java
 Wed Jun  6 11:20:14 2018
@@ -16,6 +16,8 @@
  */
 package org.apache.jackrabbit.oak.security.user;
 
+import java.io.UnsupportedEncodingException;
+import java.security.NoSuchAlgorithmException;
 import java.security.Principal;
 import java.util.Collections;
 import java.util.concurrent.TimeUnit;
@@ -103,6 +105,13 @@ class UserAuthentication implements Auth
             UserManager userManager = config.getUserManager(root, 
NamePathMapper.DEFAULT);
             Authorizable authorizable = userManager.getAuthorizable(loginId);
             if (authorizable == null) {
+                // best effort prevent user enumeration timing attacks
+                try {
+                    String hash = PasswordUtil.buildPasswordHash("oak");
+                    PasswordUtil.isSame(hash, "oak");
+                } catch (NoSuchAlgorithmException | 
UnsupportedEncodingException e) {
+                    // ignore
+                }
                 return false;
             }
 
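Review bot: The dummy `PasswordUtil.buildPasswordHash("oak")` in the `authorizable == null` branch uses PasswordUtil's default algorithm and iteration count, while the comparison on the real path takes both from the stored hash, so a repository configured with a non-default iteration count or algorithm still leaves a measurable difference between the two branches; building the dummy with the configured parameters, e.g. `String hash = PasswordUtil.buildPasswordHash("oak", config.getParameters());` (if that overload and `config.getParameters()` are reachable here — please confirm), would keep the cost aligned. The added comment should say why the work must mirror the real path, e.g. `// best effort: spend the same hashing cost as the password check below so a missing user cannot be told apart by response time`. The swallowed exception is reasonable for a best-effort measure, but naming the variable `ignored` or logging at debug level would preserve diagnosability if the hash algorithm is ever unavailable. The enclosing method begins and ends outside this hunk, so whether the successful path performs additional work after `isSame` is not visible here.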

