This is an automated email from the ASF dual-hosted git repository. snoopdave pushed a commit to branch ROL-2137 in repository https://gitbox.apache.org/repos/asf/roller.git
commit 344677ce9de7f26526a76ff84524e82f59e1bde0 Author: [email protected] <[email protected]> AuthorDate: Sat May 11 17:13:20 2019 -0400 [ROL-2137] if you're going to enable remember me then you must set a unqiue key. And not the well known springRocks that was the default. --- .../RollerRememberMeAuthenticationProvider.java | 44 ++++++++++++++++++++++ .../ui/core/security/RollerRememberMeServices.java | 20 +++++++++- .../roller/weblogger/config/roller.properties | 6 ++- app/src/main/webapp/WEB-INF/security.xml | 2 +- 4 files changed, 68 insertions(+), 4 deletions(-) diff --git a/app/src/main/java/org/apache/roller/weblogger/ui/core/security/RollerRememberMeAuthenticationProvider.java b/app/src/main/java/org/apache/roller/weblogger/ui/core/security/RollerRememberMeAuthenticationProvider.java new file mode 100644 index 0000000..d805c58 --- /dev/null +++ b/app/src/main/java/org/apache/roller/weblogger/ui/core/security/RollerRememberMeAuthenticationProvider.java @@ -0,0 +1,44 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. The ASF licenses this file to You + * under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. For additional information regarding + * copyright in this work, please see the NOTICE file in the top level + * directory of this distribution. + */ + +package org.apache.roller.weblogger.ui.core.security; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.apache.roller.weblogger.config.WebloggerConfig; +import org.springframework.security.authentication.RememberMeAuthenticationProvider; + + +public class RollerRememberMeAuthenticationProvider extends RememberMeAuthenticationProvider { + private static final Log log = LogFactory.getLog(RollerRememberMeServices.class); + + + public RollerRememberMeAuthenticationProvider(String ignored) { + + String key = WebloggerConfig.getProperty("rememberme.key", "springRocks"); + + if ("springRocks".equals(key)) { + throw new RuntimeException( + "If remember-me is to be enabled, rememberme.key must be specified in the roller " + + "properties file. Make sure it is a secret and make sure it is NOT be springRocks"); + } + setKey(key); + } +} + + diff --git a/app/src/main/java/org/apache/roller/weblogger/ui/core/security/RollerRememberMeServices.java b/app/src/main/java/org/apache/roller/weblogger/ui/core/security/RollerRememberMeServices.java index 5aa7d51..72cfee4 100644 --- a/app/src/main/java/org/apache/roller/weblogger/ui/core/security/RollerRememberMeServices.java +++ b/app/src/main/java/org/apache/roller/weblogger/ui/core/security/RollerRememberMeServices.java @@ -1,3 +1,21 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. The ASF licenses this file to You + * under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. For additional information regarding + * copyright in this work, please see the NOTICE file in the top level + * directory of this distribution. + */ + package org.apache.roller.weblogger.ui.core.security; import org.apache.commons.logging.Log; @@ -13,7 +31,7 @@ import java.security.NoSuchAlgorithmException; public class RollerRememberMeServices extends TokenBasedRememberMeServices { - private static final Log log = LogFactory.getLog(CustomUserRegistry.class); + private static final Log log = LogFactory.getLog(RollerRememberMeServices.class); public RollerRememberMeServices() { diff --git a/app/src/main/resources/org/apache/roller/weblogger/config/roller.properties b/app/src/main/resources/org/apache/roller/weblogger/config/roller.properties index 785a893..125520c 100644 --- a/app/src/main/resources/org/apache/roller/weblogger/config/roller.properties +++ b/app/src/main/resources/org/apache/roller/weblogger/config/roller.properties @@ -604,8 +604,10 @@ config.expandedProperties=uploads.dir,search.index.dir,mediafiles.storage.dir # True to enable history in Atom feeds with next/prev links site.newsfeeds.history.enabled=false -# Some folks consider remember-me type functionality to be a security -rememberme.enabled=true +# Some folks consider remember-me type functionality to be a security risk +# If you enable remember me you MUST define a unique secret key that is not 'springRocks' +rememberme.enabled=false +rememberme.key= # You might want to disable GZIP if your app server already supports it compression.gzipResponse.enabled=true diff --git a/app/src/main/webapp/WEB-INF/security.xml b/app/src/main/webapp/WEB-INF/security.xml index 33f80a2..1e20338 100644 --- a/app/src/main/webapp/WEB-INF/security.xml +++ b/app/src/main/webapp/WEB-INF/security.xml @@ -83,7 +83,7 @@ </beans:bean> <beans:bean id="rememberMeAuthenticationProvider" - class="org.springframework.security.authentication.RememberMeAuthenticationProvider"> + class="org.apache.roller.weblogger.ui.core.security.RollerRememberMeAuthenticationProvider"> <beans:property name="key" value="springRocks"/> </beans:bean>
