Package org.opends.server.extensions

Class SHA1PasswordStorageScheme

  • public final class SHA1PasswordStorageScheme
extends PasswordStorageScheme<C>
    This class defines a Directory Server password storage scheme based on the SHA-1 algorithm defined in FIPS 180-1. This is a one-way digest algorithm so there is no way to retrieve the original clear-text version of the password from the hashed value (although this means that it is not suitable for things that need the clear-text password like DIGEST-MD5). This implementation does not perform any salting, which means that it is more vulnerable to dictionary attacks than salted variants.

    • Constructor Detail

      • SHA1PasswordStorageScheme

        public SHA1PasswordStorageScheme()

    • Method Detail

      • initializePasswordStorageScheme

        public void initializePasswordStorageScheme​(C configuration,
                                            ServerContext serverContext)
                                     throws InitializationException
        Description copied from class: PasswordStorageScheme
        Initializes this password storage scheme handler based on the information in the provided configuration entry. It should also register itself with the Directory Server for the particular storage scheme that it will manage.
        Specified by:
        initializePasswordStorageScheme in class PasswordStorageScheme<C extends PasswordStorageSchemeCfg>
        Parameters:
        configuration - The configuration entry that contains the information to use to initialize this password storage scheme handler.
        serverContext - The server context
        Throws:
        InitializationException - If a problem occurs during initialization that is not related to the server configuration.

      • passwordMatches

        public boolean passwordMatches​(ByteSequence plaintextPassword,
                               ByteSequence storedPassword)
        Description copied from class: PasswordStorageScheme
        Indicates whether the provided plaintext password included in a bind request matches the given stored value. The provided stored value should not include the scheme name in curly braces.
        Specified by:
        passwordMatches in class PasswordStorageScheme<C extends PasswordStorageSchemeCfg>
        Parameters:
        plaintextPassword - The plaintext password provided by the user as part of a simple bind attempt.
        storedPassword - The stored password to compare against the provided plaintext password.
        Returns:
        true if the provided plaintext password matches the provided stored password, or false if not.

      • isStorageSchemeSecure

        public boolean isStorageSchemeSecure()
        Description copied from class: PasswordStorageScheme
        Indicates whether this password storage scheme should be considered "secure". If the encoding used for this scheme does not obscure the value at all, or if it uses a method that is trivial to reverse (e.g., base64), then it should not be considered secure.

        This may be used to determine whether a password may be included in a set of search results, including the possibility of overriding access controls in the case that access controls would allow the password to be returned but the password is considered too insecure to reveal.
        Specified by:
        isStorageSchemeSecure in class PasswordStorageScheme<C extends PasswordStorageSchemeCfg>
        Returns:
        false if it may be trivial to discover the original plain-text password from the encoded form, or true if the scheme offers sufficient protection that revealing the encoded password will not easily reveal the corresponding plain-text value.