//
// we expect to find a data dictionary
//
DataDictionary dd = (DataDictionary) Monitor.getServiceModule( this, DataDictionary.MODULE );
UserDescriptor userDescriptor = dd.getUser( userName );
if ( userDescriptor == null )
{
//
// Before returning, we pretend to evaluate the password.
// This helps prevent blackhats from discovering legal usernames
// by measuring how long password evaluation takes. For more context,
// see the 2012-02-22 comment on DERBY-5539.
//
PasswordHasher hasher = dd.makePasswordHasher( getDatabaseProperties() );
hasher.hashPasswordIntoString( userName, userPassword ).toCharArray();
return false;
}
PasswordHasher hasher = new PasswordHasher( userDescriptor.getHashingScheme() );
char[] candidatePassword = hasher.hashPasswordIntoString( userName, userPassword ).toCharArray();
char[] actualPassword = userDescriptor.getAndZeroPassword();
try {
if ( (candidatePassword == null) || (actualPassword == null)) { return false; }
if ( candidatePassword.length != actualPassword.length ) { return false; }
for ( int i = 0; i < candidatePassword.length; i++ )
{
if ( candidatePassword[ i ] != actualPassword[ i ] ) { return false; }
}
} finally
{
if ( candidatePassword != null ) { Arrays.fill( candidatePassword, (char) 0 ); }
if ( actualPassword != null ) { Arrays.fill( actualPassword, (char) 0 ); }
}
//
// Password is good. Check whether the password has expired or will expire soon.
//
if ( _passwordLifetimeMillis > 0 )
{
long passwordAge = System.currentTimeMillis() - userDescriptor.getLastModified().getTime();
long remainingLifetime = _passwordLifetimeMillis - passwordAge;
//
// Oops, the password has expired. Fail the authentication. Say nothing more
// so that we give password crackers as little information as possible.