Changeset 20786 in main


Timestamp:
06/10/20 22:56:23 (3 weeks ago)
Author:
GarthBraithwaite_STG
Message:

java, view - updated to the latest Spring and Spring Security. Implemented a new password encoder with internal docs on how it works.

Location:
trunk
Files:
14 added
13 deleted
10 edited

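--- a/trunk/ibisph-view/src/main/webapp/WEB-INF/config/spring/security-db_authentication.xml
+++ b/trunk/ibisph-view/src/main/webapp/WEB-INF/config/spring/security-db_authentication.xml
@@ -37,4 +37,5 @@
         <bean id="securityDBAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
                 <property name="userDetailsService" ref="securityDBAuthenticationUserDetailsService"/>
+                <property name="passwordEncoder"    ref="securityPasswordEncoder"/>
         </bean>
 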
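--- a/trunk/ibisph-view/src/main/webapp/WEB-INF/config/spring/security-xml_authentication.xml
+++ b/trunk/ibisph-view/src/main/webapp/WEB-INF/config/spring/security-xml_authentication.xml
@@ -23,4 +23,5 @@
         <bean id="securityXMLAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
                 <property name="userDetailsService" ref="securityXMLAuthenticationUserDetailsService"/>
+                <property name="passwordEncoder"    ref="securityPasswordEncoder"/>
         </bean>
 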
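--- a/trunk/ibisph-view/src/main/webapp/WEB-INF/config/spring/security.xml
+++ b/trunk/ibisph-view/src/main/webapp/WEB-INF/config/spring/security.xml
@@ -216,4 +216,66 @@
 
         <bean id="securityAuthenticationUserLogService" class="org.ibisph.user.service.SLF4JUserLog"/>
+
+<!--
+        <bean id ="securityPasswordEncoder" class="org.springframework.security.crypto.password.NoOpPasswordEncoder" factory-method="getInstance"/>
+-->
+        <bean id ="securityPasswordEncoder" class="org.springframework.security.crypto.password.DelegatingPasswordEncoder">
+                <description>
+                        The delegating encoder allows for various encoders to be used.  These
+                        encoders can be anything from no encoding/plain text to standard
+                        public/private key enctrption to the current state of the art slow
+                        salt based hash encoders.  The delegator simply goes through the map
+                        to determine which encoder to use.  The map key is the prefix of the
+                        encoded string surrounded by braces example: {key}.  The authentication
+                        provider simply calls the "match" with the plain text and the encoded
+                        text and returns the test.  The default ID encoder specifies the encoder
+                        to be used when some code is encoding a value.  The delegating encoder
+                        a great way to have multiple encoders available and to add new ones in
+                        the future as they become available.
+
+                        There are 2 use cases.  1) user authentication (plain text from login
+                        page) against their encoded (XML/db) stored password string, 2) when
+                        creating or updating an existing user's password (new registration or
+                        when saving a user via the admin app - if coded to do so). 
+
+                        The "noop" handles the case of no encoding (plain text).  However, when
+                        using this delegating code the non encoded password still requires a
+                        matching value prefix with "{noop}" or "{plaintext}" (see below for
+                        a null value entry).  For example in a user XML file element would 
+                        look like: [PASSWORD]{noop}MyNotVerySecretPassword[/PASSWORD].
+
+                        The other way to handle no encoding is to simply use the NoOpPasswordEncoder
+                        directly.  The NoOp is deprecated because SS want to let us know it
+                        is insecure and for legacy use only.  However, they do NOT have plans
+                        for this to go away anytime soon.  Using a null key for noop works as
+                        of 6/8/2020. 
+
+                        IMPORTANT NOTE: Password encoding is NOT wired up to auto encode when
+                        saving a new self registered user (or any other field).  The password
+                        in the ibis UserDetails object is a simple string that is either plain
+                        text or some encoded value that is read in and used to authenticate. 
+                        The authentication provider has a handle to the UserDetails and does a
+                        "match" call.  To encode a value it MUST be explicitly encoded prior
+                        to saving it. 
+
+                        IMPORTANT NOTE #2: If a one way hash type encoder there is NO way of
+                        decoding it back to its original value so you can't simply decode and
+                        email a user their password.  Once set the only option is to reset it
+                        and allow the user to enter a new value which is then encoded and saved.
+
+                        IMPORTANT NOTE #3: Encoded values are only good for use with the app/
+                        code that originally encoded them.  If a value is encoded by some
+                        other means e.g. a db trigger or some other auto encode feature of a
+                        db these values must be decoded when selected from the db to be used
+                        (unless a special encoder is deployed and wired into the app).
+                </description>
+                <constructor-arg index="0" value="bcrypt"/>
+                <constructor-arg index="1">
+                        <map>
+                                <entry><key><null/></key><bean class="org.springframework.security.crypto.password.NoOpPasswordEncoder" factory-method="getInstance"/></entry>
+                                <entry key="bcrypt"><bean class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/></entry>
+                        </map>
+                </constructor-arg>
+        </bean>
 
         <bean id="securityAuthenticationProviderList" class="java.util.ArrayList">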
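Review bot: The `<description>` says an unencoded value may carry a `{noop}` or `{plaintext}` prefix, but the map at new lines 275-276 only registers the `null` key and `bcrypt`; in the Spring Security versions I am familiar with, `DelegatingPasswordEncoder` routes an unknown id such as `noop` to its unmapped-id handler, which throws rather than matching, so either add `<entry key="noop"><bean class="org.springframework.security.crypto.password.NoOpPasswordEncoder" factory-method="getInstance"/></entry>` or drop those two prefixes from the text. The `null` -> NoOp entry is the real migration bridge here, and it also means any stored value without a brace prefix is compared in plaintext indefinitely, with nothing logged when that path is taken; I would mark it in the description as transitional, e.g. `TODO: remove the null-key NoOp entry once all stored passwords carry an {id} prefix`, so a later unencoded write into the user store cannot silently downgrade authentication. The `BCryptPasswordEncoder` bean relies on the library default strength, which is fine today but worth stating in the description so a future bump is a deliberate choice. Minor: `enctrption` in the description should read `encryption`.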
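--- a/trunk/ibisph-view/src/main/webapp/WEB-INF/config/spring/user.xml
+++ b/trunk/ibisph-view/src/main/webapp/WEB-INF/config/spring/user.xml
@@ -142,4 +142,5 @@
                 bean version - as well as the other changes that are needed as described
                 below:
+
         <bean id="userMailSender" class="org.springframework.mail.javamail.JavaMailSenderImpl">
                 <description>
@@ -158,10 +159,16 @@
                 <property name="host" value="smtp.gmail.com"/>
                 <property name="port" value="465"/>
-                <property name="username" value=""/>
-                <property name="password" value=""/>
+                <property name="username" value="garth.braithwaite@gmail.com"/>
+                <property name="password" value="PersonalEmail.2018"/>
                 <property name="javaMailProperties">
                         <props>
+                                <prop key="mail.smtp.host">smtp.gmail.com</prop>
+                                <prop key="mail.smtp.port">465</prop>
+                                <prop key="mail.smtp.auth">true</prop>
+                                <prop key="mail.smtp.starttls.enable">true</prop>
+
                                 <prop key="mail.smtp.connectiontimeout">200000</prop>
                                 <prop key="mail.smtp.timeout">10000</prop>
+
                                 <prop key="mail.debug">true</prop>
                         </props>
@@ -169,4 +176,5 @@
         </bean>
         -->
+
         <bean id="userMailSender" class="org.springframework.mail.javamail.JavaMailSenderImpl">
                 <description>
@@ -201,8 +209,10 @@
 
 
+
         <!-- S E R V I C E S -->
         <bean id="userProfileXMLService" class="org.ibisph.user.service.UserProfileXML">
                 <property name="filePath"           value="#{userProfileFilePath.string}"/>
                 <property name="documentDAOService" ref="commonRestrictedDocumentDAOService"/>
+                <property name="passwordEncoder"    ref="securityPasswordEncoder"/>
         </bean>
 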
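Review bot: New lines 161-162 check a personal Gmail address and a real-looking password (`PersonalEmail.2018`) into version control; the surrounding `<!-- -->` block (closed by the `-->` at new line 177) keeps Spring from loading it but does not keep it out of the repository or its history, so that password should be treated as exposed and rotated, and the committed values replaced with placeholders such as `<property name="username" value="${mail.smtp.username}"/>` and `<property name="password" value="${mail.smtp.password}"/>` resolved from an external properties file or the environment. The same example block also keeps `mail.debug` at `true`, which would write the full SMTP exchange, including the authentication step, to the server log if someone uncomments it; I would set it to `false` in the sample or add a comment saying it must be off outside local testing. The new `passwordEncoder` property on `userProfileXMLService` at new line 216 is the only functional change in this file and looks consistent with the provider wiring elsewhere in the changeset.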
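--- a/trunk/ibisph-view/src/main/webapp/css/Error.css
+++ b/trunk/ibisph-view/src/main/webapp/css/Error.css
@@ -117,4 +117,10 @@
 }
 
+#content h2.Error
+{
+        color:                          red;
+        margin-top:             0em;
+}
+
 /*============================ End of Style Sheet ============================*/
 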
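--- a/trunk/ibisph-view/src/main/webapp/xslt/html/user/access/Page.xslt
+++ b/trunk/ibisph-view/src/main/webapp/xslt/html/user/access/Page.xslt
@@ -172,5 +172,5 @@
                                                         <xsl:with-param name="content" select="$Page.captchaHelpContent"/>
                                                 </xsl:call-template>
-                                                <input type="text" name="captcha" id="captcha" size="30" maxlength="10"/>
+                                                <input type="text" name="captcha" id="captcha" size="30" maxlength="10" autocomplete="off"/>
                                         </td>
                                 </tr>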
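--- a/trunk/ibisph-view/src/main/webapp/xslt/html/user/registration/Page.xslt
+++ b/trunk/ibisph-view/src/main/webapp/xslt/html/user/registration/Page.xslt
@@ -238,5 +238,5 @@
                                                         <xsl:with-param name="content" select="$Page.captchaHelpContent"/>
                                                 </xsl:call-template>
-                                                <input type="text" name="captcha" id="captcha" size="30" maxlength="10"/>
+                                                <input type="text" name="captcha" id="captcha" size="30" maxlength="10" autocomplete="off"/>
                                         </td>
                                 </tr>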
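--- a/trunk/ibisph/src/main/java/org/ibisph/user/service/UserProfileXML.java
+++ b/trunk/ibisph/src/main/java/org/ibisph/user/service/UserProfileXML.java
@@ -6,4 +6,5 @@
 import org.ibisph.util.XMLLib;
 import org.ibisph.xml.service.DocumentDAO;
+import org.springframework.security.crypto.password.PasswordEncoder;
 
 /**
@@ -20,4 +21,7 @@
   protected String userRootElementName = "USER";
 
+  protected PasswordEncoder passwordEncoder;
+  protected String encodedPasswordPrefix = "{";
+
 
   //------------------------------------------- P R O P E R T Y   S E T T E R S
@@ -42,4 +46,7 @@
 
 
+  public void setPasswordEncoder(PasswordEncoder passwordEncoder) { this.passwordEncoder = passwordEncoder; }
+
+
   //-------------------------------------------- P U B L I C   S E R V I C E S
 
@@ -50,6 +57,27 @@
   } //-------------------------- End of Method ------------------------------
 
+  /**
+   * Saves user definition
+   * @param userDocument
+   * @throws Exception
+   */
   public void saveUser(Node userDocument) throws Exception {
     String id = XMLLib.getText(userDocument, "/USER/ID");
+
+    // if password encoder specified AND the password is not yet encoded
+    // (encoded passwords are like "{encodingtypekey};laksjdf;lkajsdf") then
+    // encode it before saving.  The encoder has no way of decoding nor to tell
+    // that the string has already been encoded.
+    // ANOTHER WAY: if endcoder.matches(plain text, existing PW that might be encoded)
+    // then use the existing PW that might be encoded when saving.  If not match
+    // then encode and save it.
+    if(null != this.passwordEncoder) {
+      String password = XMLLib.getText(userDocument, "/USER/PASSWORD");
+      if(!password.startsWith(this.encodedPasswordPrefix)) {
+        String encodedPassword = this.passwordEncoder.encode(password);
+        XMLLib.setText(userDocument, "/USER/PASSWORD", encodedPassword);
+      }
+    }
+
     String filename = getXMLFilePathAndName(id);
     this.documentDAOService.save(userDocument, filename);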
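Review bot: The `startsWith("{")` test at new line 76 cannot tell an already-encoded value from a plaintext password that merely begins with `{`: such a password is written to the XML unencoded, and when the delegating encoder later reads it the text between the braces is interpreted as an encoder id, so a user who registers `{noop}x` (given a `noop` mapping) has effectively set the password `x`, and a password such as `{abc}def` would fail to match at all. A tighter guard such as `if(password != null && !password.matches("^\\{[A-Za-z0-9]+\\}.+"))` narrows that window but does not close it; the robust fix, which the `ANOTHER WAY` comment already hints at, is for the code that receives the plaintext (registration or admin save) to encode it explicitly or pass a flag, rather than guessing from content. `XMLLib.getText` is not visible here, so if it returns null for a missing `<PASSWORD>` element the `startsWith` call throws a `NullPointerException` out of `saveUser`; the null check is worth having either way. The hard-coded `"{"` prefix also duplicates knowledge of the encoder's format, so a short comment tying `encodedPasswordPrefix` to the `{id}` convention of `DelegatingPasswordEncoder` would help the next maintainer. `saveUser` continues past the end of the hunk.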