Poco::OSP::Auth

namespace Data

Overview

Classes: AuthParams

Functions: AuthAdminServiceImpl

Classes

struct AuthParams


Functions

AuthAdminServiceImpl

AuthAdminServiceImpl(
    const Poco::Util::AbstractConfiguration & properties,
    Poco::Logger & logger,
    const AuthParams & authParams,
    const LDAPParams & ldapParams
);

Creates the AuthAdminServiceImpl using the given authentication and LDAP parameters.

Note: if ldapParams.uri is empty, LDAP authentication will be disabled.

See the Poco::Data::Session class for more information on connector names and connection strings.

Variables

Ptr

class OSPAuthData_API AuthAdminServiceImpl: public AbstractLDAPAuthAdminService
{
public:
    typedef Poco::AutoPtr<AuthAdminServiceImpl> Ptr;

This class implements the AuthAdminService using a SQL database accessed via the POCO Data library, and optionally LDAP for password verification and permissions.

Upon successful authentication of a user, the class will cache the permissions for the user so that further permission checks are very quick.

This implementation supports multiple variants/versions of storing password hashes.

  • Version 1 is the original mechanism, using MD5 with a global salt. This is no longer considered secure and should no longer be used.
  • Version 2 uses PBKDF2 with HMAC-SHA1 and a per-user random salt.
  • Version 3 uses PBKDF2 with HMAC-SHA1 and a per-user random salt, with an additional MD5 hashing step applied to the password; this allows the implementation of secure challenge-response authentication mechanisms such as SCRAM-SHA1.

Version 3 is recommended for new deployments. Stored passwords using a lower version than the one configured will automatically be upgraded as soon as a user successfully authenticates.
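The following Python example is added here to illustrate the difference between the Version 1 and Version 2 schemes described above and the upgrade-on-successful-login behaviour; it is not POCO's own code. The record layout, the global salt value, the iteration count and the helper names are assumptions made for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed values: a real deployment configures its own global salt and iteration count.
GLOBAL_SALT = "example-global-salt"
ITERATIONS = 10000

@dataclass
class StoredPassword:
    version: int      # 1 or 2, as the $version attribute reports
    salt: str         # Version 1: the global salt; Version 2: per-user salt as hex digits
    iterations: int   # PBKDF2 iterations (not used for Version 1)
    hash: str         # hex digest, as the $hash attribute returns for Versions 1 and 2

def hash_v1(password: str) -> StoredPassword:
    # Version 1 (assumed layout: MD5 over global salt + password). Every user shares the
    # salt, so equal passwords give equal hashes and one precomputed table covers all users.
    digest = hashlib.md5((GLOBAL_SALT + password).encode("utf-8")).hexdigest()
    return StoredPassword(version=1, salt=GLOBAL_SALT, iterations=1, hash=digest)

def hash_v2(password: str, salt: bytes = b"") -> StoredPassword:
    # Version 2: PBKDF2-HMAC-SHA1 with a fresh random 16-byte salt for each user.
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, ITERATIONS)
    return StoredPassword(version=2, salt=salt.hex(), iterations=ITERATIONS, hash=dk.hex())

def verify(stored: StoredPassword, password: str) -> bool:
    if stored.version == 1:
        candidate = hash_v1(password).hash
    elif stored.version == 2:
        candidate = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                                        bytes.fromhex(stored.salt), stored.iterations).hex()
    else:
        return False  # unknown version: fail closed
    # Constant-time comparison avoids leaking how many leading digits matched.
    return hmac.compare_digest(candidate, stored.hash)

def authenticate(stored: StoredPassword, password: str, configured_version: int = 2):
    """Return (ok, record). On success, a record stored at a lower version than the
    configured one is re-hashed, since this is the moment the plaintext is available."""
    if not verify(stored, password):
        return False, stored
    if stored.version < configured_version:
        stored = hash_v2(password)
    return True, stored
```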

Note that the getUserAttribute() method of this implementation supports the following special attributes:

  • $salt: Returns the salt used for hashing the given user's password. For Version 1, this will be the configured global salt string. For Version 2, this will be a string consisting entirely of hexadecimal digits. For Version 3, this will be a string containing binary data.
  • $iterations: Returns the number of PBKDF2 iterations used for hashing the given user's password.
  • $hash: Returns the password hash stored for the given user. For Versions 1 and 2, this will be a string consisting entirely of hexadecimal digits. For Version 3, this will be a string containing binary data.
  • $version: Returns the version of the hash used for the given user.