[DS-861] Begin to add password salting.

dspace-api/src/main/java/org/dspace/eperson/EPerson.java

@@ -10,6 +10,8 @@ package org.dspace.eperson;
 import java.sql.SQLException;
 import java.util.ArrayList;
 import java.util.List;
+import org.apache.commons.codec.DecoderException;
+import org.apache.commons.codec.binary.Hex;
 
 import org.apache.log4j.Logger;
 import org.dspace.authorize.AuthorizeException;
@@ -851,22 +853,23 @@ public class EPerson extends DSpaceObject
     }
 
     /**
-     * Set the EPerson's password
+     * Set the EPerson's password.
      * 
      * @param s
-     *            the new email
+     *            the new password.
      */
     public void setPassword(String s)
     {
-        // FIXME: encoding
+        PasswordHash hash = new PasswordHash(s);
-        String encoded = Utils.getMD5(s);
+        myRow.setColumn("password", Utils.toHex(hash.getHash()));
-
+        myRow.setColumn("salt", Utils.toHex(hash.getSalt()));
-        myRow.setColumn("password", encoded);
+        myRow.setColumn("digest_algorithm", hash.getAlgorithm());
         modified = true;
     }
 
     /**
-     * Set the EPerson's password hash
+     * Set the EPerson's password hash.
+     * FIXME include the salt and algorithm
      * 
      * @param s
      *          hash of the password
@@ -878,7 +881,9 @@ public class EPerson extends DSpaceObject
     }
 
     /**
-     * Return the EPerson's password hash
+     * Return the EPerson's password hash.
+     * FIXME return an actual PasswordHash
+     *
      * @return hash of the password
      */
     public String getPasswordHash()
@@ -895,9 +900,19 @@ public class EPerson extends DSpaceObject
      */
     public boolean checkPassword(String attempt)
     {
-        String encoded = Utils.getMD5(attempt);
+        PasswordHash myHash;
-
+        try
-        return (encoded.equals(myRow.getStringColumn("password")));
+        {
+            myHash = new PasswordHash(
+                    myRow.getStringColumn("digest_algorithm"),
+                    myRow.getStringColumn("salt"),
+                    myRow.getStringColumn("password"));
+        } catch (DecoderException ex)
+        {
+            log.error(ex.getMessage());
+            return false;
+        }
+        return myHash.matches(attempt);
     }
 
     /**

dspace/etc/h2/database_schema.sql

@@ -172,7 +172,9 @@ CREATE TABLE EPerson
 (
   eperson_id          INTEGER PRIMARY KEY,
   email               VARCHAR(64),
-  password            VARCHAR(64),
+  password            VARCHAR(128),
+  salt                VARCHAR(32),
+  digest_algorithm    VARCHAR(16),
   firstname           VARCHAR(64),
   lastname            VARCHAR(64),
   can_log_in          BOOL,

dspace/etc/oracle/database_schema.sql

@@ -126,7 +126,9 @@ CREATE TABLE EPerson
 (
   eperson_id          INTEGER PRIMARY KEY,
   email               VARCHAR2(64) UNIQUE,
-  password            VARCHAR2(64),
+  password            VARCHAR2(128),
+  salt                VARCHAR2(32),
+  digest_algorithm    VARCHAR2(16),
   firstname           VARCHAR2(64),
   lastname            VARCHAR2(64),
   can_log_in          NUMBER(1),

dspace/etc/postgres/database_schema.sql

@@ -163,7 +163,9 @@ CREATE TABLE EPerson
 (
   eperson_id          INTEGER PRIMARY KEY,
   email               VARCHAR(64) UNIQUE,
-  password            VARCHAR(64),
+  password            VARCHAR(128),
+  salt                VARCHAR(32),
+  digest_algorithm    VARCHAR(16),
   firstname           VARCHAR(64),
   lastname            VARCHAR(64),
   can_log_in          BOOL,