[elvystrac] r1767 - * add password salting

  • From: elvys@xxxxxxxxxxxxxxxxxxxxxx
  • To: elvystrac@xxxxxxxxxxxxx
  • Date: Wed, 17 Feb 2010 19:28:15 +0100

Author: JirkaM
Date: 2010-02-17 19:28:15 +0100 (Wed, 17 Feb 2010)
New Revision: 1767

Modified:
   trunk/server/elvysCommons/src/elvys/server/bl/user/UserBL.java
   trunk/server/elvysCommons/src/elvys/server/bl/user/UserBLImpl.java
   trunk/server/elvysCommons/src/elvys/server/bl/user/UserBLTest.java
   
trunk/server/webServer2/JavaSource/cz/elvys/webServer/beans/user/UserEditBean.java
   
trunk/server/webServer2/JavaSource/cz/elvys/webServer/beans/user/UserLoginBean.java
   trunk/server/webServer2/WebContent/login_body.xhtml
Log:
* add password salting
modified   src/elvys/server/bl/user/UserBL.java
modified   src/elvys/server/bl/user/UserBLImpl.java
modified   src/elvys/server/bl/user/UserBLTest.java
modified   JavaSource/cz/elvys/webServer/beans/user/UserEditBean.java
modified   JavaSource/cz/elvys/webServer/beans/user/UserLoginBean.java
modified   WebContent/login_body.xhtml


Modified: trunk/server/elvysCommons/src/elvys/server/bl/user/UserBL.java
===================================================================
--- trunk/server/elvysCommons/src/elvys/server/bl/user/UserBL.java      
2010-02-17 18:00:56 UTC (rev 1766)
+++ trunk/server/elvysCommons/src/elvys/server/bl/user/UserBL.java      
2010-02-17 18:28:15 UTC (rev 1767)
@@ -16,22 +16,48 @@
        
        public static final int USER_LOGED_FAILURE = 1;
                
-       public List<User> getUserByUserNameAndPasswordMakeSession(String login, 
String pass) throws ExecuteException;   
-       public List<User> getUserByUserNameAndPassword(String login, String 
pass, Session sess) throws ExecuteException;
        
+       public User getUserByUserNameMakeSession(String login) throws 
ExecuteException; 
+       public User getUserByUserName(String login, Session sess) throws 
ExecuteException;
+       
        public void saveOrUpdateUser(User user);
        
        public List<User> loadAllUsers(int compID,String competency);
        
+       /**
+        * Method for delete user from db structure.
+        * 
+        * @param user object of user for delete
+        */
        public void deleteUser(User user);
        
+       /**
+        * Method for getting list of permitted companies for company with 
competency.
+        * @param compID company identifier
+        * @param competency level of competency
+        * @return list of companies
+        */
        public List<Company> loadPermittedCompany(int compID,String competency);
        
+       /**
+        * Method for loading permitted role list.
+        * @return list of role
+        */
        public List<Role> loadPermittedRolesList();
+               
+       /**
+        * Method for compare pass with his salting form.
+        * @param pass
+        */
+       public boolean comparePassword(String pass, String saltedPass);
        
+       /**
+        * Method for create salting form of password.
+        * @param pass
+        * @return pass in salt form
+        */
+       public String getSaltPassword(String pass, String securedPart);
+               
+       public void saltPasswordForAllUsers();
        
-       public void validateUser();
-       
-       public void storeUser();
-       
 }
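Review bot: The new interface methods lack the documentation a caller needs: `comparePassword` has no `@return`, neither Javadoc says that the string returned by `getSaltPassword` is what must be stored and later handed back as `saltedPass`, and `saltPasswordForAllUsers` has no Javadoc at all even though it is a one-shot, non-repeatable migration (the login_body.xhtml change in this commit warns that running it twice double-salts). Suggested: on `comparePassword`, `@return true when pass, salted with the salt embedded in saltedPass, reproduces saltedPass`; on `getSaltPassword`, `@param securedPart existing salt to reuse, or null to generate a fresh random one`; on `saltPasswordForAllUsers`, a one-line note that it rewrites every user's password column in place and must run exactly once against plaintext passwords. `getUserByUserName` replaces the credential-checking lookup and no longer authenticates anything, so a `@return the user with this username, or null when none` would make clear that callers must call `comparePassword` themselves.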

Modified: trunk/server/elvysCommons/src/elvys/server/bl/user/UserBLImpl.java
===================================================================
--- trunk/server/elvysCommons/src/elvys/server/bl/user/UserBLImpl.java  
2010-02-17 18:00:56 UTC (rev 1766)
+++ trunk/server/elvysCommons/src/elvys/server/bl/user/UserBLImpl.java  
2010-02-17 18:28:15 UTC (rev 1767)
@@ -1,10 +1,13 @@
 package elvys.server.bl.user;
 
 
+import java.math.BigInteger;
+import java.security.SecureRandom;
 import java.util.ArrayList;
 import java.util.LinkedList;
 import java.util.List;
 
+import org.apache.commons.codec.digest.DigestUtils;
 import org.hibernate.Hibernate;
 import org.hibernate.HibernateException;
 import org.hibernate.Query;
@@ -20,8 +23,8 @@
 
 public class UserBLImpl implements UserBL {
 
+       private static final int PASSWORD_SALT_PART_LENGTH = 8;
        
-       
        private String getSalt() throws ExecuteException{
                return null;
        }
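Review bot: The `getSalt()` stub kept in this hunk still returns null and is now bypassed by the new `getSaltPassword`, which generates its salt inline, so the class has two salt sources of which one is dead; either delete the stub or make it the single place salts come from, next to `PASSWORD_SALT_PART_LENGTH`. The constant itself would read better with a comment stating what it counts, e.g. `// number of leading characters of the stored value that hold the salt`, since the digest that follows it is a different length.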
@@ -32,10 +35,10 @@
 
        
        @Override
-       public List<User> getUserByUserNameAndPasswordMakeSession(String login, 
String pass) throws ExecuteException {
+       public User getUserByUserNameMakeSession(String login) throws 
ExecuteException {
                Session session = 
InitSessionFactory.getInstance().getCurrentSession();
                Transaction tx = session.getTransaction();
-               List<User> users = null;
+               User user = null;
                try {
                        tx.begin();
                } catch (Exception e) {
@@ -43,7 +46,7 @@
                }
                
                try {
-                       users = 
getUserByUserNameAndPassword(login,pass,session);
+                       user = getUserByUserName(login,session);
                        tx.commit();
                } catch (Exception e) {
                        try {                           
@@ -53,34 +56,24 @@
                        }
                        throw new Error("User couldn't be obtained from DB",e);
                }
-               return users;
+               return user;
        }
        
        
        @Override
-       public List<User> getUserByUserNameAndPassword(String login, String 
pass, Session sess) throws ExecuteException {
+       public User getUserByUserName(String login, Session sess) throws 
ExecuteException {
                Query query = sess.createQuery("from User user " +
                                "inner join fetch user.role " +
                                "inner join fetch user.company " +
-                               "where username=:usname and password=:psswd");
-               query.setString("usname", login);
-               query.setString("psswd", pass);
-               
-               return query.list();
+                               "where username=:usname");
+               query.setString("usname", login);               
+               List<User> users = query.list();
+               if(users.size() == 1){
+                       return users.get(0); 
+               }               
+               return null; 
        }
        
-       @Override
-       public void storeUser() {
-               // TODO Auto-generated method stub
-               
-       }
-       
-       @Override
-       public void validateUser() {
-               // TODO Auto-generated method stub
-               
-       }
-       
        public void saveOrUpdateUser(User user){
                // ADD validation of password if not updating
                Session sess = 
InitSessionFactory.getInstance().getCurrentSession();
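Review bot: `getUserByUserName` returns null both when no row matches and when more than one does, so the duplicate-username case that the login bean used to log as TOO_MANY_USERS_FOUND becomes indistinguishable from "not found" and silently locks both accounts out. The method already declares `ExecuteException`; raising it for the duplicate case (`if (users.size() > 1) throw new ExecuteException(...)`, assuming the class has a message constructor) keeps the diagnostic, and `return users.isEmpty() ? null : users.get(0);` covers the rest. `query.list()` is a raw `List` assigned to `List<User>` here, which carries an unchecked-conversion warning the old code avoided by returning the raw result directly.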
@@ -204,4 +197,56 @@
                }
                return rolesList;
        }
+       
+       @Override
+       public String getSaltPassword(String pass, String securedPart) {
+               if(securedPart == null){
+                       SecureRandom random = new SecureRandom();
+                       securedPart = new BigInteger(100, 
random).toString().substring(0,PASSWORD_SALT_PART_LENGTH);
+               }
+               return securedPart+DigestUtils.md5Hex(pass+securedPart);        
        
+       }
+       
+       @Override
+       public boolean comparePassword(String pass, String saltedPass) {
+               String securedPart = 
saltedPass.substring(0,PASSWORD_SALT_PART_LENGTH);
+               String newSaltPass = getSaltPassword(pass,securedPart);
+               if(saltedPass.equals(newSaltPass)){
+                       return true;
+               }else{
+                       return false;
+               }
+       }
+       
+       @Override
+       public void saltPasswordForAllUsers() {
+               Session sess = 
InitSessionFactory.getInstance().getCurrentSession();
+               Transaction tx = sess.getTransaction();
+               try {
+                       tx.begin();
+               } catch(HibernateException e) {
+                       throw new Error("error occured when initializing 
hibernate session",e);
+               }
+               List<User> users = null;
+               try {
+                       
+                       Query query = null;
+                       query = sess.createQuery("from User as user");
+
+                       users = query.list();
+                       tx.commit();
+               } catch (Exception e) {
+                       tx.rollback();
+                       throw new Error("Unable to load all users.", e);
+               }
+               
+               for (User user: users) {
+                       String password = 
getSaltPassword(user.getPassword(),null);
+                       user.setPassword(password);
+                       saveOrUpdateUser(user);
+               }               
+       }
+       
+       
+       
 }
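Review bot: The salt built in `getSaltPassword` is weak and can even throw: `new BigInteger(100, random).toString()` is a decimal string, so its first eight characters carry under 27 bits of entropy, and `substring(0, PASSWORD_SALT_PART_LENGTH)` throws `StringIndexOutOfBoundsException` on the (rare) value with fewer than eight digits. Drawing `PASSWORD_SALT_PART_LENGTH / 2` random bytes and hex-encoding them (`org.apache.commons.codec.binary.Hex`, from the commons-codec library already imported for `DigestUtils`) fixes both and keeps the stored layout — salt prefix, then digest — so the rest of the code is untouched; raising the constant (in the earlier hunk) to 16 would give a 64-bit salt. A single MD5 round over `pass+securedPart` is also cheap to brute-force offline; `javax.crypto.SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1")` is in the JDK and could replace `DigestUtils.md5Hex` with an iterated hash without a new dependency, and `MessageDigest.isEqual` on the byte arrays would replace the early-exit `String.equals` in `comparePassword`. `comparePassword` must further reject a null or too-short `saltedPass` instead of throwing, since any row not yet rewritten by `saltPasswordForAllUsers` would otherwise turn a login attempt into a server error. Finally `saltPasswordForAllUsers` cannot tell a plaintext column from an already salted one, so a second run double-hashes every account — it needs a run-once guard outside this class.
```java
@Override
public String getSaltPassword(String pass, String securedPart) {
        if (securedPart == null) {
                // PASSWORD_SALT_PART_LENGTH hex characters == PASSWORD_SALT_PART_LENGTH / 2 random bytes
                byte[] salt = new byte[PASSWORD_SALT_PART_LENGTH / 2];
                new SecureRandom().nextBytes(salt);
                securedPart = new String(Hex.encodeHex(salt));
        }
        // … unchanged: return securedPart + digest of pass+securedPart (md5Hex itself should be replaced, see note) …
}

@Override
public boolean comparePassword(String pass, String saltedPass) {
        // a row that was never migrated (null/short value) must fail the check, not throw during login
        if (saltedPass == null || saltedPass.length() < PASSWORD_SALT_PART_LENGTH) {
                return false;
        }
        // … unchanged: re-hash with the embedded salt and compare …
}
```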

Modified: trunk/server/elvysCommons/src/elvys/server/bl/user/UserBLTest.java
===================================================================
--- trunk/server/elvysCommons/src/elvys/server/bl/user/UserBLTest.java  
2010-02-17 18:00:56 UTC (rev 1766)
+++ trunk/server/elvysCommons/src/elvys/server/bl/user/UserBLTest.java  
2010-02-17 18:28:15 UTC (rev 1767)
@@ -31,10 +31,10 @@
        
        @Test
        public void testAuthentizeUser() throws Exception {
-               List<User> list = 
ubl.getUserByUserNameAndPasswordMakeSession("11111", "pfsafjsfa");
+               User list = ubl.getUserByUserNameMakeSession("11111");
                
                
-               assertTrue(list.size() > 0);
+               assertTrue(list !=null);
        }
        
        
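Review bot: The rewritten `testAuthentizeUser` now only checks that user "11111" exists; nothing in the test class exercises the new hashing, so a change to the stored format or a salt bug would go unnoticed. Add a round-trip test beside it: `String stored = ubl.getSaltPassword("secret", null); assertTrue(ubl.comparePassword("secret", stored)); assertFalse(ubl.comparePassword("wrong", stored));`. The local named `list` now holds a single `User`; renaming it `user` and asserting `assertNotNull(user)` would read better than `list !=null`.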

Modified: 
trunk/server/webServer2/JavaSource/cz/elvys/webServer/beans/user/UserEditBean.java
===================================================================
--- 
trunk/server/webServer2/JavaSource/cz/elvys/webServer/beans/user/UserEditBean.java
  2010-02-17 18:00:56 UTC (rev 1766)
+++ 
trunk/server/webServer2/JavaSource/cz/elvys/webServer/beans/user/UserEditBean.java
  2010-02-17 18:28:15 UTC (rev 1767)
@@ -100,7 +100,7 @@
        /**
         * @return
         */
-       public String prepareCreateUserForm() {
+       public String prepareCreateUserForm() {                         
                selectedUser = new User();
                passwordAgain = null;
                selectedUser.setLocale("cs");
@@ -135,8 +135,11 @@
         * @return
         */
        public String saveUser() {
+               
                if (selectedUser.getPassword().equals(passwordAgain)) {
                        // salt password
+                       String password = 
userBL.getSaltPassword(selectedUser.getPassword(),null);
+                       selectedUser.setPassword(password);
                        
                        // password and passwordAgain matched
                        userBL.saveOrUpdateUser(selectedUser);
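Review bot: `saveUser` hashes `selectedUser.getPassword()` on every save, but nothing in the hunk distinguishes creating a user from editing one, and the comment `// ADD validation of password if not updating` in UserBLImpl.saveOrUpdateUser suggests the same method serves updates. If an edit form round-trips the stored (already salted) value back into `selectedUser.password`, this would salt it a second time and lock the user out — worth confirming against the edit path, which lies outside this hunk. One guard that is correct either way is to hash only when the form supplied a new plaintext, e.g. `if (passwordAgain != null && !passwordAgain.isEmpty())` around the salting, and to blank `passwordAgain` afterwards so it is not re-submitted. The method continues past the end of the hunk.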

Modified: 
trunk/server/webServer2/JavaSource/cz/elvys/webServer/beans/user/UserLoginBean.java
===================================================================
--- 
trunk/server/webServer2/JavaSource/cz/elvys/webServer/beans/user/UserLoginBean.java
 2010-02-17 18:00:56 UTC (rev 1766)
+++ 
trunk/server/webServer2/JavaSource/cz/elvys/webServer/beans/user/UserLoginBean.java
 2010-02-17 18:28:15 UTC (rev 1767)
@@ -36,6 +36,7 @@
        private static final String LOGGED_IN = "User logged in: ";
        private static final String TOO_MANY_USERS_FOUND = "Too many users with 
same credentials found in DB: ";
        private static final String NOT_FOUND = "User not found in DB: ";       
        
+       private static final String ERROR_WHILE_READING_USER = "Erro while 
reading user from DB.";
        
        public static enum Competency {SUPERADMIN, ADMIN, USER};
        
@@ -185,70 +186,67 @@
                String ip = req.getRemoteAddr();
                String host = req.getRemoteHost();
                
-               List<User> users = null;
-               
                // password and username are filled, run authorization
                try {
-                       users = 
userBL.getUserByUserNameAndPasswordMakeSession(formUsername, formPassword);
+                       user = 
userBL.getUserByUserNameMakeSession(formUsername);
                } catch (ExecuteException e) {
                        // TODO Auto-generated catch block
-                       String message = 
CommonUtils.prepareErrorMessage(TOO_MANY_USERS_FOUND, "user", formUsername, 
"ip", ip, "host", host);
+                       String message = 
CommonUtils.prepareErrorMessage(ERROR_WHILE_READING_USER, "user", formUsername, 
"ip", ip, "host", host);
                        log.error(message);
-               }
+               }                               
                
                
                String whatToReturn = null;
                // check the result of search for user
-               if (users.size() == 1) {
-                       whatToReturn = "success";
-                       user = users.get(0);
-                       if (!user.isDisabled()) {
-                               loggedIn = true;
-                               if 
(users.get(0).getRole().getRole().equalsIgnoreCase("user")) {
-                                       competency = Competency.USER;
-                                       compStr = "user";
-                               } else if 
(users.get(0).getRole().getRole().equalsIgnoreCase(
-                                               "admin")) {
-                                       competency = Competency.ADMIN;
-                                       compStr = "admin";
-                               } else if 
(users.get(0).getRole().getRole().equalsIgnoreCase(
-                                               "superadmin")) {
-                                       competency = Competency.SUPERADMIN;
-                                       compStr = "superadmin";
-                               } else {
-                                       // unrecognized user's competency
-                                       whatToReturn = "failure";
-                                       loggedIn = false;
-                                       ValidationMessageHolder holder = 
MessageUtils.prepareValidationMessageHolder(
-                                               "LoginForm:UsernameField", 
"login.bad");
-                                       
MessageUtils.processValidationMessage(holder);
-                               }
-                               if (loggedIn) {
-                                       this.locale = users.get(0).getLocale();
-                                       this.companyID = 
users.get(0).getCompany().getId();
-                                       this.companyName = 
users.get(0).getCompany().getName();
-                                       this.company = 
users.get(0).getCompany();
-                               }
-                               
-                               // print log message about logged user
-                               String message = 
CommonUtils.prepareErrorMessage(LOGGED_IN, "user", user.getUsername(), 
"company", user.getCompany().getName(), "ip", ip, "host", host);
-                               log.info(message);
-                       }else{
+               if(user!=null){
+                       // user is selected, check password
+                       if(!userBL.comparePassword(formPassword, 
user.getPassword())){
                                // user is disabled
                                whatToReturn = "failure";
                                ValidationMessageHolder holder = 
MessageUtils.prepareValidationMessageHolder(
                                        "LoginForm:UsernameField", "login.bad");
                                MessageUtils.processValidationMessage(holder);
-                       }                       
-
-               } else if (users.size()>1) {
-                       // too many users with same credentials found in DB
-                       whatToReturn = "failure";
-                       ValidationMessageHolder holder = 
MessageUtils.prepareValidationMessageHolder(
-                               "LoginForm:UsernameField", "login.bad");
-                       MessageUtils.processValidationMessage(holder);
-                       String message = 
CommonUtils.prepareErrorMessage(TOO_MANY_USERS_FOUND, "user", formUsername, 
"count", users.size(), "ip", ip, "host", host);
-                       log.error(message);
+                       }else{
+                       
+                               if (!user.isDisabled()) {
+                                       loggedIn = true;
+                                       if 
(user.getRole().getRole().equalsIgnoreCase("user")) {
+                                               competency = Competency.USER;
+                                               compStr = "user";
+                                       } else if 
(user.getRole().getRole().equalsIgnoreCase(
+                                                       "admin")) {
+                                               competency = Competency.ADMIN;
+                                               compStr = "admin";
+                                       } else if 
(user.getRole().getRole().equalsIgnoreCase(
+                                                       "superadmin")) {
+                                               competency = 
Competency.SUPERADMIN;
+                                               compStr = "superadmin";
+                                       } else {
+                                               // unrecognized user's 
competency
+                                               whatToReturn = "failure";
+                                               loggedIn = false;
+                                               ValidationMessageHolder holder 
= MessageUtils.prepareValidationMessageHolder(
+                                                       
"LoginForm:UsernameField", "login.bad");
+                                               
MessageUtils.processValidationMessage(holder);
+                                       }
+                                       if (loggedIn) {
+                                               this.locale = user.getLocale();
+                                               this.companyID = 
user.getCompany().getId();
+                                               this.companyName = 
user.getCompany().getName();
+                                               this.company = 
user.getCompany();
+                                       }
+                                       
+                                       // print log message about logged user
+                                       String message = 
CommonUtils.prepareErrorMessage(LOGGED_IN, "user", user.getUsername(), 
"company", user.getCompany().getName(), "ip", ip, "host", host);
+                                       log.info(message);
+                               }else{
+                                       // user is disabled
+                                       whatToReturn = "failure";
+                                       ValidationMessageHolder holder = 
MessageUtils.prepareValidationMessageHolder(
+                                               "LoginForm:UsernameField", 
"login.bad");
+                                       
MessageUtils.processValidationMessage(holder);
+                               }                       
+                       }
                } else {
                        // proper user hasn't been found in DB
                        whatToReturn = "failure";
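Review bot: A wrong password is handled silently: the branch after `if(!userBL.comparePassword(formPassword, user.getPassword()))` only sets the JSF message, whereas the removed duplicate-credentials branch logged its failure with ip and host, so brute-force attempts against a valid username leave no trace in the log. Add a log line there, e.g. `log.warn(CommonUtils.prepareErrorMessage(BAD_PASSWORD, "user", formUsername, "ip", ip, "host", host));` with a `BAD_PASSWORD` constant next to `NOT_FOUND`. The comment `// user is disabled` on that branch is now wrong — it belongs to the else branch further down; change it to `// password does not match`. `user` is a field and stays assigned to the found User after a failed check, or keeps a stale value when `ExecuteException` is caught; resetting it (`user = null;`) before the lookup keeps the bean's state consistent with `loggedIn`. The login method starts and ends outside this hunk.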
@@ -285,4 +283,14 @@
        public void setCompany(Company company) {
                this.company = company;
        }
+       
+       /**
+        * Musi co nejdrive pryc, jenom na soleni hesel!!
+        * @TODO
+        * 
+        */
+       public String XXXsaltMethodXXX(){
+               userBL.saltPasswordForAllUsers();
+               return "logout";
+       }
 }
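Review bot: `XXXsaltMethodXXX()` runs `saltPasswordForAllUsers()` with no authorization check, and login_body.xhtml in this commit binds it to a button on the login page, so any anonymous visitor can re-hash every stored password; because the migration re-hashes whatever is in the column, a second click turns all hashes into hashes-of-hashes and locks every account out. The Czech comment already says it must go as soon as possible — it should not reach a deployed server at all; run the one-off migration from a script or an admin-only action guarded by `loggedIn && competency == Competency.SUPERADMIN`, and make it refuse to run twice (for example a flag persisted in the DB). If it must stay temporarily, at least translate the comment (`// One-off migration: salts all stored passwords; remove as soon as it has run!`) so non-Czech readers see the warning.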

Modified: trunk/server/webServer2/WebContent/login_body.xhtml
===================================================================
--- trunk/server/webServer2/WebContent/login_body.xhtml 2010-02-17 18:00:56 UTC 
(rev 1766)
+++ trunk/server/webServer2/WebContent/login_body.xhtml 2010-02-17 18:28:15 UTC 
(rev 1767)
@@ -41,10 +41,15 @@
                                </h:outputLabel>
                                <h:inputSecret value="#{user.password}" 
id="PasswordField" styleClass="loginFormInputPass" />
                        </h:panelGrid>
-                       <h:commandButton id="Login" action="#{user.login}" 
alt="${lbl['login.submit']}" styleClass="loginFormSubmitActive"/>
-               </h:panelGrid>
+                       <h:commandButton id="Login" action="#{user.login}" 
alt="${lbl['login.submit']}" styleClass="loginFormSubmitActive"/>               
             
+               </h:panelGrid>          
        </h:form>       
        <h:outputText value="${lbl['login.createdby']}" 
styleClass="loginFootnote" />
+       <h:form>
+       <h:commandButton value="OSOLIT HESLA! STISKNI POUZE JEDNOUT PRED 
PRIHLASENIM!! POKUD DVAKRAT, PRESOLIS,POKUD VUBEC, CAJICKY NEPOUSTIME!!"
+                                       immediate="true" 
action="#{user.XXXsaltMethodXXX}"
+                                       rendered="true" />
+       </h:form>
        </rich:panel>
 </f:view>
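Review bot: The added `<h:form>` renders the mass re-hash button unconditionally (`rendered="true"`) on the login page, i.e. to unauthenticated visitors, with only the Czech label text warning that pressing it twice destroys the passwords. A label is not a control: drop the form before this reaches a deployed server, or at minimum bind `rendered` to a superadmin flag on the bean and add a confirmation (`onclick="return confirm('...')"`) so a stray click cannot re-salt everything. The enclosing `rich:panel` and `f:view` open outside this hunk.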
 

