Author: JirkaM Date: 2010-02-17 19:28:15 +0100 (Wed, 17 Feb 2010) New Revision: 1767 Modified: trunk/server/elvysCommons/src/elvys/server/bl/user/UserBL.java trunk/server/elvysCommons/src/elvys/server/bl/user/UserBLImpl.java trunk/server/elvysCommons/src/elvys/server/bl/user/UserBLTest.java trunk/server/webServer2/JavaSource/cz/elvys/webServer/beans/user/UserEditBean.java trunk/server/webServer2/JavaSource/cz/elvys/webServer/beans/user/UserLoginBean.java trunk/server/webServer2/WebContent/login_body.xhtml Log: * add password salting modified src/elvys/server/bl/user/UserBL.java modified src/elvys/server/bl/user/UserBLImpl.java modified src/elvys/server/bl/user/UserBLTest.java modified JavaSource/cz/elvys/webServer/beans/user/UserEditBean.java modified JavaSource/cz/elvys/webServer/beans/user/UserLoginBean.java modified WebContent/login_body.xhtml Modified: trunk/server/elvysCommons/src/elvys/server/bl/user/UserBL.java =================================================================== --- trunk/server/elvysCommons/src/elvys/server/bl/user/UserBL.java 2010-02-17 18:00:56 UTC (rev 1766) +++ trunk/server/elvysCommons/src/elvys/server/bl/user/UserBL.java 2010-02-17 18:28:15 UTC (rev 1767) 
@@ -16,22 +16,48 @@ public static final int USER_LOGED_FAILURE = 1; - public List<User> getUserByUserNameAndPasswordMakeSession(String login, String pass) throws ExecuteException; - public List<User> getUserByUserNameAndPassword(String login, String pass, Session sess) throws ExecuteException; + public User getUserByUserNameMakeSession(String login) throws ExecuteException; + public User getUserByUserName(String login, Session sess) throws ExecuteException; + public void saveOrUpdateUser(User user); public List<User> loadAllUsers(int compID,String competency); + /** + * Method for delete user from db structure. + * + * @param user object of user for delete + */ public void deleteUser(User user); + /** + * Method for getting list of permitted companies for company with competency. + * @param compID company identifier + * @param competency level of competency + * @return list of companies + */ public List<Company> loadPermittedCompany(int compID,String competency); + /** + * Method for loading permitted role list. + * @return list of role + */ public List<Role> loadPermittedRolesList(); + + /** + * Method for compare pass with his salting form. + * @param pass + */ + public boolean comparePassword(String pass, String saltedPass); + /** + * Method for create salting form of password. + * @param pass + * @return pass in salt form + */ + public String getSaltPassword(String pass, String securedPart); + + public void saltPasswordForAllUsers(); - public void validateUser(); - - public void storeUser(); - } Modified: trunk/server/elvysCommons/src/elvys/server/bl/user/UserBLImpl.java =================================================================== --- trunk/server/elvysCommons/src/elvys/server/bl/user/UserBLImpl.java 2010-02-17 18:00:56 UTC (rev 1766) +++ trunk/server/elvysCommons/src/elvys/server/bl/user/UserBLImpl.java 2010-02-17 18:28:15 UTC (rev 1767) 
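Review bot: The new Javadoc on `comparePassword` and `getSaltPassword` documents neither the second parameter nor the stored format the two methods agree on, which is the contract UserLoginBean and UserEditBean now depend on. I would complete them with `@param saltedPass stored value: salt prefix followed by the digest of pass+salt`, `@return true when pass matches saltedPass`, and on getSaltPassword `@param securedPart existing salt to reuse, or null to generate a fresh one`. `saltPasswordForAllUsers()` is added with no Javadoc at all; it needs a sentence saying it is a one-shot migration of existing stored passwords that must not be run on already-salted data, since nothing in the interface conveys that.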
@@ -1,10 +1,13 @@ package elvys.server.bl.user; +import java.math.BigInteger; +import java.security.SecureRandom; import java.util.ArrayList; import java.util.LinkedList; import java.util.List; +import org.apache.commons.codec.digest.DigestUtils; import org.hibernate.Hibernate; import org.hibernate.HibernateException; import org.hibernate.Query; @@ -20,8 +23,8 @@ public class UserBLImpl implements UserBL { + private static final int PASSWORD_SALT_PART_LENGTH = 8; - private String getSalt() throws ExecuteException{ return null; } @@ -32,10 +35,10 @@ @Override - public List<User> getUserByUserNameAndPasswordMakeSession(String login, String pass) throws ExecuteException { + public User getUserByUserNameMakeSession(String login) throws ExecuteException { Session session = InitSessionFactory.getInstance().getCurrentSession(); Transaction tx = session.getTransaction(); - List<User> users = null; + User user = null; try { tx.begin(); } catch (Exception e) { @@ -43,7 +46,7 @@ } try { - users = getUserByUserNameAndPassword(login,pass,session); + user = getUserByUserName(login,session); tx.commit(); } catch (Exception e) { try { 
@@ -53,34 +56,24 @@ } throw new Error("User couldn't be obtained from DB",e); } - return users; + return user; } @Override - public List<User> getUserByUserNameAndPassword(String login, String pass, Session sess) throws ExecuteException { + public User getUserByUserName(String login, Session sess) throws ExecuteException { Query query = sess.createQuery("from User user " + "inner join fetch user.role " + "inner join fetch user.company " + - "where username=:usname and password=:psswd"); - query.setString("usname", login); - query.setString("psswd", pass); - - return query.list(); + "where username=:usname"); + query.setString("usname", login); + List<User> users = query.list(); + if(users.size() == 1){ + return users.get(0); + } + return null; } - @Override - public void storeUser() { - // TODO Auto-generated method stub - - } - - @Override - public void validateUser() { - // TODO Auto-generated method stub - - } - public void saveOrUpdateUser(User user){ // ADD validation of password if not updating Session sess = InitSessionFactory.getInstance().getCurrentSession(); 
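Review bot: `getUserByUserName` returns null both when no user matches and when more than one does, so the caller can no longer distinguish a duplicate username from an unknown one and the `TOO_MANY_USERS_FOUND` path in UserLoginBean becomes dead. The method already declares `throws ExecuteException`, so the duplicate case could raise it (its constructor is not visible here) or at least be logged, e.g. `if (users.size() > 1) { throw new ExecuteException(/* duplicate username */); }` before the `return null;`. `query.list()` is assigned to `List<User>` unchecked, which matches the pre-existing style of this class, so only a note. The `saveOrUpdateUser` body continues beyond the hunk.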
@@ -204,4 +197,56 @@ } return rolesList; } + + @Override + public String getSaltPassword(String pass, String securedPart) { + if(securedPart == null){ + SecureRandom random = new SecureRandom(); + securedPart = new BigInteger(100, random).toString().substring(0,PASSWORD_SALT_PART_LENGTH); + } + return securedPart+DigestUtils.md5Hex(pass+securedPart); + } + + @Override + public boolean comparePassword(String pass, String saltedPass) { + String securedPart = saltedPass.substring(0,PASSWORD_SALT_PART_LENGTH); + String newSaltPass = getSaltPassword(pass,securedPart); + if(saltedPass.equals(newSaltPass)){ + return true; + }else{ + return false; + } + } + + @Override + public void saltPasswordForAllUsers() { + Session sess = InitSessionFactory.getInstance().getCurrentSession(); + Transaction tx = sess.getTransaction(); + try { + tx.begin(); + } catch(HibernateException e) { + throw new Error("error occured when initializing hibernate session",e); + } + List<User> users = null; + try { + + Query query = null; + query = sess.createQuery("from User as user"); + + users = query.list(); + tx.commit(); + } catch (Exception e) { + tx.rollback(); + throw new Error("Unable to load all users.", e); + } + + for (User user: users) { + String password = getSaltPassword(user.getPassword(),null); + user.setPassword(password); + saveOrUpdateUser(user); + } + } + + + } Modified: trunk/server/elvysCommons/src/elvys/server/bl/user/UserBLTest.java =================================================================== --- trunk/server/elvysCommons/src/elvys/server/bl/user/UserBLTest.java 2010-02-17 18:00:56 UTC (rev 1766) +++ trunk/server/elvysCommons/src/elvys/server/bl/user/UserBLTest.java 2010-02-17 18:28:15 UTC (rev 1767) 
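Review bot: `getSaltPassword` derives the salt from the decimal rendering of a 100-bit number cut to 8 digits, which is under 27 bits of non-uniform salt (leading decimal digits are biased and `substring` would throw on a short rendering), and then applies a single `md5Hex`, a fast digest rather than a password hash. `comparePassword` calls `saltedPass.substring(0, 8)` with no null or length check, so a user whose stored password has not been migrated yet or is shorter than 8 characters turns a login attempt into a `StringIndexOutOfBoundsException`, and `String.equals` is not a constant-time comparison. The rewrite below keeps the stored `salt + digest` layout, takes the salt from raw `SecureRandom` bytes hex-encoded (needs `org.apache.commons.codec.binary.Hex` and `java.security.MessageDigest` imported), guards the prefix extraction and compares with `MessageDigest.isEqual`; replacing `md5Hex` with PBKDF2 (`SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1")` is in the JDK) should follow before many users are migrated, since the format changes again then. `saltPasswordForAllUsers` is not idempotent — a second run hashes the already-hashed values — and it commits the load transaction before the per-user `saveOrUpdateUser` calls, so a failure midway leaves a mix of migrated and plaintext rows with no way to tell them apart; a migration flag or a detectable stored-format marker would make it safe to re-run.
```java
    @Override
    public String getSaltPassword(String pass, String securedPart) {
        if (securedPart == null) {
            // PASSWORD_SALT_PART_LENGTH/2 random bytes, hex-encoded: the prefix is
            // always exactly PASSWORD_SALT_PART_LENGTH characters and uniformly random
            byte[] saltBytes = new byte[PASSWORD_SALT_PART_LENGTH / 2];
            new SecureRandom().nextBytes(saltBytes);
            securedPart = new String(Hex.encodeHex(saltBytes));
        }
        // TODO: md5Hex is a fast digest, not a password hash; move to PBKDF2
        // (javax.crypto.SecretKeyFactory, "PBKDF2WithHmacSHA1") before wide rollout
        return securedPart + DigestUtils.md5Hex(pass + securedPart);
    }

    @Override
    public boolean comparePassword(String pass, String saltedPass) {
        // a stored value that cannot carry a salt prefix is not in salted form
        // (e.g. not yet migrated) and must simply fail to match
        if (pass == null || saltedPass == null
                || saltedPass.length() <= PASSWORD_SALT_PART_LENGTH) {
            return false;
        }
        String securedPart = saltedPass.substring(0, PASSWORD_SALT_PART_LENGTH);
        String newSaltPass = getSaltPassword(pass, securedPart);
        // constant-time comparison so timing does not leak how many bytes matched
        return MessageDigest.isEqual(saltedPass.getBytes(), newSaltPass.getBytes());
    }

    // … unchanged: saltPasswordForAllUsers …
```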
@@ -31,10 +31,10 @@ @Test public void testAuthentizeUser() throws Exception { - List<User> list = ubl.getUserByUserNameAndPasswordMakeSession("11111", "pfsafjsfa"); + User list = ubl.getUserByUserNameMakeSession("11111"); - assertTrue(list.size() > 0); + assertTrue(list !=null); } Modified: trunk/server/webServer2/JavaSource/cz/elvys/webServer/beans/user/UserEditBean.java =================================================================== --- trunk/server/webServer2/JavaSource/cz/elvys/webServer/beans/user/UserEditBean.java 2010-02-17 18:00:56 UTC (rev 1766) +++ trunk/server/webServer2/JavaSource/cz/elvys/webServer/beans/user/UserEditBean.java 2010-02-17 18:28:15 UTC (rev 1767) @@ -100,7 +100,7 @@ /** * @return */ - public String prepareCreateUserForm() { + public String prepareCreateUserForm() { selectedUser = new User(); passwordAgain = null; selectedUser.setLocale("cs"); @@ -135,8 +135,11 @@ * @return */ public String saveUser() { + if (selectedUser.getPassword().equals(passwordAgain)) { // salt password + String password = userBL.getSaltPassword(selectedUser.getPassword(),null); + selectedUser.setPassword(password); // password and passwordAgain matched userBL.saveOrUpdateUser(selectedUser); Modified: trunk/server/webServer2/JavaSource/cz/elvys/webServer/beans/user/UserLoginBean.java =================================================================== --- trunk/server/webServer2/JavaSource/cz/elvys/webServer/beans/user/UserLoginBean.java 2010-02-17 18:00:56 UTC (rev 1766) +++ trunk/server/webServer2/JavaSource/cz/elvys/webServer/beans/user/UserLoginBean.java 2010-02-17 18:28:15 UTC (rev 1767) 
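Review bot: `testAuthentizeUser` now only checks that a DB lookup by username returns non-null, while the new pure methods `getSaltPassword` and `comparePassword` — the part of this commit that can be wrong without a database — get no test. Add e.g. `String s = ubl.getSaltPassword("secret", null); assertTrue(ubl.comparePassword("secret", s)); assertFalse(ubl.comparePassword("wrong", s));`, plus a case asserting that two calls with a null salt produce different values. The local is still named `list` although it now holds a single `User`; `user` would read better.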
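Review bot: `saveUser` re-salts `selectedUser.getPassword()` on every save in which the two password fields match, so if this form is also used to edit an existing user whose already-salted password is bound back unchanged, the stored value is hashed a second time and that user is locked out; the form binding is not visible in this hunk, so please confirm. Salting only when the password was actually entered (or when `selectedUser` is new, which `prepareCreateUserForm` above signals by constructing it) avoids that, e.g. `if (passwordEntered) { selectedUser.setPassword(userBL.getSaltPassword(selectedUser.getPassword(), null)); }` with `passwordEntered` derived from the form. `selectedUser.getPassword().equals(passwordAgain)` also throws if the password field is null rather than failing validation. `saveUser` continues beyond the hunk.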
@@ -36,6 +36,7 @@ private static final String LOGGED_IN = "User logged in: "; private static final String TOO_MANY_USERS_FOUND = "Too many users with same credentials found in DB: "; private static final String NOT_FOUND = "User not found in DB: "; + private static final String ERROR_WHILE_READING_USER = "Erro while reading user from DB."; public static enum Competency {SUPERADMIN, ADMIN, USER}; 
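Review bot: The new constant's value `"Erro while reading user from DB."` has a typo; `"Error while reading user from DB."`. It becomes the prefix of an error log line in `login`, so the misspelling would end up in log searches and alert rules.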
@@ -185,70 +186,67 @@ String ip = req.getRemoteAddr(); String host = req.getRemoteHost(); - List<User> users = null; - // password and username are filled, run authorization try { - users = userBL.getUserByUserNameAndPasswordMakeSession(formUsername, formPassword); + user = userBL.getUserByUserNameMakeSession(formUsername); } catch (ExecuteException e) { // TODO Auto-generated catch block - String message = CommonUtils.prepareErrorMessage(TOO_MANY_USERS_FOUND, "user", formUsername, "ip", ip, "host", host); + String message = CommonUtils.prepareErrorMessage(ERROR_WHILE_READING_USER, "user", formUsername, "ip", ip, "host", host); log.error(message); - } + } String whatToReturn = null; // check the result of search for user - if (users.size() == 1) { - whatToReturn = "success"; - user = users.get(0); - if (!user.isDisabled()) { - loggedIn = true; - if (users.get(0).getRole().getRole().equalsIgnoreCase("user")) { - competency = Competency.USER; - compStr = "user"; - } else if (users.get(0).getRole().getRole().equalsIgnoreCase( - "admin")) { - competency = Competency.ADMIN; - compStr = "admin"; - } else if (users.get(0).getRole().getRole().equalsIgnoreCase( - "superadmin")) { - competency = Competency.SUPERADMIN; - compStr = "superadmin"; - } else { - // unrecognized user's competency - whatToReturn = "failure"; - loggedIn = false; - ValidationMessageHolder holder = MessageUtils.prepareValidationMessageHolder( - "LoginForm:UsernameField", "login.bad"); - MessageUtils.processValidationMessage(holder); - } - if (loggedIn) { - this.locale = users.get(0).getLocale(); - this.companyID = users.get(0).getCompany().getId(); - this.companyName = users.get(0).getCompany().getName(); - this.company = users.get(0).getCompany(); - } - - // print log message about logged user - String message = CommonUtils.prepareErrorMessage(LOGGED_IN, "user", user.getUsername(), "company", user.getCompany().getName(), "ip", ip, "host", host); - log.info(message); - }else{ + if(user!=null){ + // 
user is selected, check password + if(!userBL.comparePassword(formPassword, user.getPassword())){ // user is disabled whatToReturn = "failure"; ValidationMessageHolder holder = MessageUtils.prepareValidationMessageHolder( "LoginForm:UsernameField", "login.bad"); MessageUtils.processValidationMessage(holder); - } - - } else if (users.size()>1) { - // too many users with same credentials found in DB - whatToReturn = "failure"; - ValidationMessageHolder holder = MessageUtils.prepareValidationMessageHolder( - "LoginForm:UsernameField", "login.bad"); - MessageUtils.processValidationMessage(holder); - String message = CommonUtils.prepareErrorMessage(TOO_MANY_USERS_FOUND, "user", formUsername, "count", users.size(), "ip", ip, "host", host); - log.error(message); + }else{ + + if (!user.isDisabled()) { + loggedIn = true; + if (user.getRole().getRole().equalsIgnoreCase("user")) { + competency = Competency.USER; + compStr = "user"; + } else if (user.getRole().getRole().equalsIgnoreCase( + "admin")) { + competency = Competency.ADMIN; + compStr = "admin"; + } else if (user.getRole().getRole().equalsIgnoreCase( + "superadmin")) { + competency = Competency.SUPERADMIN; + compStr = "superadmin"; + } else { + // unrecognized user's competency + whatToReturn = "failure"; + loggedIn = false; + ValidationMessageHolder holder = MessageUtils.prepareValidationMessageHolder( + "LoginForm:UsernameField", "login.bad"); + MessageUtils.processValidationMessage(holder); + } + if (loggedIn) { + this.locale = user.getLocale(); + this.companyID = user.getCompany().getId(); + this.companyName = user.getCompany().getName(); + this.company = user.getCompany(); + } + + // print log message about logged user + String message = CommonUtils.prepareErrorMessage(LOGGED_IN, "user", user.getUsername(), "company", user.getCompany().getName(), "ip", ip, "host", host); + log.info(message); + }else{ + // user is disabled + whatToReturn = "failure"; + ValidationMessageHolder holder = 
MessageUtils.prepareValidationMessageHolder( + "LoginForm:UsernameField", "login.bad"); + MessageUtils.processValidationMessage(holder); + } + } } else { // proper user hasn't been found in DB whatToReturn = "failure"; @@ -285,4 +283,14 @@ public void setCompany(Company company) { this.company = company; } + + /** + * Musi co nejdrive pryc, jenom na soleni hesel!! + * @TODO + * + */ + public String XXXsaltMethodXXX(){ + userBL.saltPasswordForAllUsers(); + return "logout"; + } } Modified: trunk/server/webServer2/WebContent/login_body.xhtml =================================================================== --- trunk/server/webServer2/WebContent/login_body.xhtml 2010-02-17 18:00:56 UTC (rev 1766) +++ trunk/server/webServer2/WebContent/login_body.xhtml 2010-02-17 18:28:15 UTC (rev 1767) @@ -41,10 +41,15 @@ </h:outputLabel> <h:inputSecret value="#{user.password}" id="PasswordField" styleClass="loginFormInputPass" /> </h:panelGrid> - <h:commandButton id="Login" action="#{user.login}" alt="${lbl['login.submit']}" styleClass="loginFormSubmitActive"/> - </h:panelGrid> + <h:commandButton id="Login" action="#{user.login}" alt="${lbl['login.submit']}" styleClass="loginFormSubmitActive"/> + </h:panelGrid> </h:form> <h:outputText value="${lbl['login.createdby']}" styleClass="loginFootnote" /> + <h:form> + <h:commandButton value="OSOLIT HESLA! STISKNI POUZE JEDNOUT PRED PRIHLASENIM!! POKUD DVAKRAT, PRESOLIS,POKUD VUBEC, CAJICKY NEPOUSTIME!!" + immediate="true" action="#{user.XXXsaltMethodXXX}" + rendered="true" /> + </h:form> </rich:panel> </f:view>
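Review bot: When `getUserByUserNameMakeSession` throws `ExecuteException`, the catch block only logs and execution falls through to `if(user!=null)` with whatever `user` held before — it is assigned without a local declaration, so presumably a bean field that may still carry the previous user of this session — instead of failing the login. Add `return "failure";` at the end of that catch block so a DB error never proceeds to the password check with stale state. The comment `// user is disabled` above the `comparePassword` branch is copied from the disabled branch and should read `// password does not match`. A rejected password is also no longer logged at all, whereas the old code logged every lookup outcome with ip and host; a `log.warn` with `formUsername`, `ip` and `host` (never the password) in that branch keeps brute-force attempts visible to monitoring. The `login` method continues beyond the hunk.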
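Review bot: `XXXsaltMethodXXX` runs `saltPasswordForAllUsers()` for whoever submits the new `<h:form>` in login_body.xhtml, i.e. any unauthenticated visitor of the login page, and the button label itself says a second run re-hashes every password — so any visitor can lock every user out by pressing it twice. A one-off data migration should not be wired to a public page; run it from an admin-only action or a standalone tool, and make `saltPasswordForAllUsers` refuse to run when the data is already salted. If it must stay for the rollout, at minimum refuse inside the method unless the current session is an administrator, e.g. `if (!loggedIn || competency != Competency.SUPERADMIN) { return "failure"; }` (both fields are set in `login` above), and drop `rendered="true"` on the button since that is the default and gates nothing. The Czech Javadoc (`Musi co nejdrive pryc, jenom na soleni hesel!!`, "must go away as soon as possible, only for salting passwords") says as much; a tracked removal in the same release would make sure it does.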