This is an automated email from the ASF dual-hosted git repository.

solomax pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/openmeetings.git


The following commit(s) were added to refs/heads/master by this push:
     new 409f74a  [OPENMEETINGS-2593] rememberMe should be fixed
409f74a is described below

commit 409f74a85cadd20351d0c8e333d116446db27a12
Author: Maxim Solodovnik <solomax...@gmail.com>
AuthorDate: Sun Apr 4 23:12:01 2021 +0700

    [OPENMEETINGS-2593] rememberMe should be fixed
---
 .../apache/openmeetings/web/app/Application.java   |  6 +++--
 .../web/app/OmAuthenticationStrategy.java          | 28 +++++++++++++++++-----
 .../webapp/WEB-INF/classes/openmeetings.properties |  2 ++
 .../web/app/TestOmAuthenticationStrategy.java      |  2 +-
 4 files changed, 29 insertions(+), 9 deletions(-)

diff --git 
a/openmeetings-web/src/main/java/org/apache/openmeetings/web/app/Application.java
 
b/openmeetings-web/src/main/java/org/apache/openmeetings/web/app/Application.java
index c70725e..9c0849e 100644
--- 
a/openmeetings-web/src/main/java/org/apache/openmeetings/web/app/Application.java
+++ 
b/openmeetings-web/src/main/java/org/apache/openmeetings/web/app/Application.java
@@ -192,12 +192,14 @@ public class Application extends 
AuthenticatedWebApplication implements IApplica
        @Autowired
        private SipManager sipManager;
        @Value("${remember.me.encryption.key}")
-       private String encryptionKey;
+       private String rememberMeKey;
+       @Value("${remember.me.encryption.salt}")
+       private String rememberMeSalt;
 
        @Override
        protected void init() {
                setWicketApplicationName(super.getName());
-               getSecuritySettings().setAuthenticationStrategy(new 
OmAuthenticationStrategy(encryptionKey));
+               getSecuritySettings().setAuthenticationStrategy(new 
OmAuthenticationStrategy(rememberMeKey, rememberMeSalt));
                
getApplicationSettings().setAccessDeniedPage(AccessDeniedPage.class);
                
getApplicationSettings().setInternalErrorPage(InternalErrorPage.class);
                
getExceptionSettings().setUnexpectedExceptionDisplay(ExceptionSettings.SHOW_INTERNAL_ERROR_PAGE);
diff --git 
a/openmeetings-web/src/main/java/org/apache/openmeetings/web/app/OmAuthenticationStrategy.java
 
b/openmeetings-web/src/main/java/org/apache/openmeetings/web/app/OmAuthenticationStrategy.java
index 070f9ef..e4658dc 100644
--- 
a/openmeetings-web/src/main/java/org/apache/openmeetings/web/app/OmAuthenticationStrategy.java
+++ 
b/openmeetings-web/src/main/java/org/apache/openmeetings/web/app/OmAuthenticationStrategy.java
@@ -18,17 +18,25 @@
  */
 package org.apache.openmeetings.web.app;
 
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.PrintStream;
+import java.util.Arrays;
+
 import org.apache.openmeetings.db.entity.user.User.Type;
 import org.apache.wicket.authentication.strategy.DefaultAuthenticationStrategy;
 import org.apache.wicket.util.crypt.ICrypt;
 import org.apache.wicket.util.crypt.SunJceCrypt;
 import org.apache.wicket.util.string.Strings;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 public class OmAuthenticationStrategy extends DefaultAuthenticationStrategy {
+       private static final Logger log = 
LoggerFactory.getLogger(OmAuthenticationStrategy.class);
        private static final String COOKIE_KEY = "LoggedIn";
 
-       public OmAuthenticationStrategy(String encryptionKey) {
-               super(COOKIE_KEY, defaultCrypt(encryptionKey));
+       public OmAuthenticationStrategy(String encryptionKey, String salt) {
+               super(COOKIE_KEY, defaultCrypt(encryptionKey, salt));
        }
 
        /**
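Review bot: The new two-argument constructor `public OmAuthenticationStrategy(String encryptionKey, String salt)` has no Javadoc, and the contract of `salt` is not visible from the signature: it is a configuration string, not the cipher salt itself, and `defaultCrypt` below keeps only the first 8 bytes of it after appending a fixed suffix. A `null` salt is not rejected here either; it reaches `PrintStream.append`, which writes the text "null" into the derived salt rather than failing. Suggest a Javadoc block stating that `encryptionKey` is the password the rememberMe cookie cipher is keyed with, that `salt` is the configured secret whose first 8 bytes (after the fixed suffix) become the cipher salt so longer values gain nothing, and that both values must be identical on every instance that should accept each other's cookies.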
@@ -68,11 +76,19 @@ public class OmAuthenticationStrategy extends 
DefaultAuthenticationStrategy {
                }
        }
 
-       private static ICrypt defaultCrypt(String encryptionKey) {
-               byte[] salt = SunJceCrypt.randomSalt();
+       private static ICrypt defaultCrypt(String encryptionKey, String 
saltStr) {
+               SunJceCrypt crypt = null;
+               try (ByteArrayOutputStream baos = new ByteArrayOutputStream();
+                               PrintStream ps = new PrintStream(baos);)
+               {
+                       ps.append(saltStr).append("om_secret");
+                       byte[] salt = Arrays.copyOfRange(baos.toByteArray(), 0, 
8);
 
-               SunJceCrypt crypt = new SunJceCrypt(salt, 1000);
-               crypt.setKey(encryptionKey);
+                       crypt = new SunJceCrypt(salt, 1000);
+                       crypt.setKey(encryptionKey);
+               } catch (IOException e) {
+                       log.error("Enxpected error while creating crypt", e);
+               }
                return crypt;
        }
 }
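Review bot: The `catch (IOException e)` in the new `defaultCrypt` is not reachable from the `append` calls, because `PrintStream` never throws `IOException` (it records errors internally); the only possible source is the implicit `close()` of the try-with-resources, and on that path the method logs and returns `crypt == null`, which the constructor then hands to `super(COOKIE_KEY, …)` — presumably failing later with a far less informative NPE. The stream round-trip also encodes the salt with the platform default charset, so a non-ASCII `remember.me.encryption.salt` produces different salt bytes on differently configured JVMs, which is the kind of cross-instance mismatch this commit sets out to remove. Deriving the bytes straight from the string with an explicit charset drops the unreachable catch, the nullable return and the charset dependence while producing identical bytes for ASCII values (a `null` salt still contributes the text "null", as `append` did); `java.nio.charset.StandardCharsets` would need importing and the `java.io` imports added in the previous hunk become unused. The log message on the current error path also has a typo, `Enxpected`.

```java
private static ICrypt defaultCrypt(String encryptionKey, String saltStr) {
	// SunJceCrypt takes an 8-byte salt; the fixed suffix guarantees at least
	// 8 bytes even for an empty configured value, so copyOfRange never zero-pads.
	byte[] salt = Arrays.copyOfRange(
			(saltStr + "om_secret").getBytes(StandardCharsets.UTF_8), 0, 8);
	SunJceCrypt crypt = new SunJceCrypt(salt, 1000);
	crypt.setKey(encryptionKey);
	return crypt;
}
```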
diff --git 
a/openmeetings-web/src/main/webapp/WEB-INF/classes/openmeetings.properties 
b/openmeetings-web/src/main/webapp/WEB-INF/classes/openmeetings.properties
index b2aadca..54796a3 100644
--- a/openmeetings-web/src/main/webapp/WEB-INF/classes/openmeetings.properties
+++ b/openmeetings-web/src/main/webapp/WEB-INF/classes/openmeetings.properties
@@ -21,6 +21,8 @@ scrypt.cost=16384
 ## please ensure this one is unique, better to regenerate it from time to time
 ## can be generated for ex. here https://www.uuidtools.com
 remember.me.encryption.key=27574200-a56f-410a-b2c9-3aa3b4b9389a
+## some secret set of characters
+remember.me.encryption.salt=abrakadabra
 
 ################## Timeouts ##################
 #                      5000            == 5 sec
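Review bot: The comment added above `remember.me.encryption.salt=abrakadabra` ("some secret set of characters") does not tell an operator that the shipped value is a default every installation starts with, nor that `defaultCrypt` in OmAuthenticationStrategy uses only the first 8 bytes of it, so characters beyond that have no effect. The key above carries a "please ensure this one is unique" note; the salt deserves the same guidance. Suggest replacing the comment with `## secret used to derive the rememberMe cookie salt; only the first 8 characters are used` and `## please change this value for your installation, as for the key above`.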
diff --git 
a/openmeetings-web/src/test/java/org/apache/openmeetings/web/app/TestOmAuthenticationStrategy.java
 
b/openmeetings-web/src/test/java/org/apache/openmeetings/web/app/TestOmAuthenticationStrategy.java
index 59faea9..a055f3c 100644
--- 
a/openmeetings-web/src/test/java/org/apache/openmeetings/web/app/TestOmAuthenticationStrategy.java
+++ 
b/openmeetings-web/src/test/java/org/apache/openmeetings/web/app/TestOmAuthenticationStrategy.java
@@ -33,7 +33,7 @@ class TestOmAuthenticationStrategy extends 
AbstractWicketTester {
        @Test
        void test() {
                String encKey = randomUUID().toString();
-               OmAuthenticationStrategy s = new 
OmAuthenticationStrategy(encKey);
+               OmAuthenticationStrategy s = new 
OmAuthenticationStrategy(encKey, "test");
                s.save(null, null, User.Type.OAUTH, null);
                assertNull(s.load(), "Wasn't saved, should not be loaded");
 
