This is an automated email from the ASF dual-hosted git repository. solomax pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/openmeetings.git
The following commit(s) were added to refs/heads/master by this push:
new 409f74a [OPENMEETINGS-2593] rememberMe should be fixed
409f74a is described below

commit 409f74a85cadd20351d0c8e333d116446db27a12
Author: Maxim Solodovnik <solomax...@gmail.com>
AuthorDate: Sun Apr 4 23:12:01 2021 +0700

[OPENMEETINGS-2593] rememberMe should be fixed
---
 .../apache/openmeetings/web/app/Application.java | 6 +++--
 .../web/app/OmAuthenticationStrategy.java | 28 +++++++++++++++++-----
 .../webapp/WEB-INF/classes/openmeetings.properties | 2 ++
 .../web/app/TestOmAuthenticationStrategy.java | 2 +-
 4 files changed, 29 insertions(+), 9 deletions(-)

diff --git a/openmeetings-web/src/main/java/org/apache/openmeetings/web/app/Application.java b/openmeetings-web/src/main/java/org/apache/openmeetings/web/app/Application.java
index c70725e..9c0849e 100644
--- a/openmeetings-web/src/main/java/org/apache/openmeetings/web/app/Application.java
+++ b/openmeetings-web/src/main/java/org/apache/openmeetings/web/app/Application.java
@@ -192,12 +192,14 @@ public class Application extends AuthenticatedWebApplication implements IApplica
 @Autowired
 private SipManager sipManager;
 @Value("${remember.me.encryption.key}")
- private String encryptionKey;
+ private String rememberMeKey;
+ @Value("${remember.me.encryption.salt}")
+ private String rememberMeSalt;
 
 @Override
 protected void init() {
 setWicketApplicationName(super.getName());
- getSecuritySettings().setAuthenticationStrategy(new OmAuthenticationStrategy(encryptionKey));
+ getSecuritySettings().setAuthenticationStrategy(new OmAuthenticationStrategy(rememberMeKey, rememberMeSalt));
 getApplicationSettings().setAccessDeniedPage(AccessDeniedPage.class);
 getApplicationSettings().setInternalErrorPage(InternalErrorPage.class);
 getExceptionSettings().setUnexpectedExceptionDisplay(ExceptionSettings.SHOW_INTERNAL_ERROR_PAGE);
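Review bot: The new `@Value("${remember.me.encryption.salt}")` on `rememberMeSalt` has no fallback, so an installation that carries over an older `openmeetings.properties` without the new key will, if this goes through Spring placeholder resolution like the existing `remember.me.encryption.key` field, fail to start rather than fall back to the previous behaviour. Failing fast is the right outcome for a value the cookie cipher depends on, but it should be stated next to the field, e.g. `// no default on purpose: a missing salt must abort startup, not silently weaken remember-me cookies`. A second comment on the pair would help operators: both values have to be identical on every node and stable across restarts, otherwise remember-me cookies issued earlier are expected to stop decrypting.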
diff --git a/openmeetings-web/src/main/java/org/apache/openmeetings/web/app/OmAuthenticationStrategy.java b/openmeetings-web/src/main/java/org/apache/openmeetings/web/app/OmAuthenticationStrategy.java
index 070f9ef..e4658dc 100644
--- a/openmeetings-web/src/main/java/org/apache/openmeetings/web/app/OmAuthenticationStrategy.java
+++ b/openmeetings-web/src/main/java/org/apache/openmeetings/web/app/OmAuthenticationStrategy.java
@@ -18,17 +18,25 @@
 */
 package org.apache.openmeetings.web.app;
 
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.PrintStream;
+import java.util.Arrays;
+
 import org.apache.openmeetings.db.entity.user.User.Type;
 import org.apache.wicket.authentication.strategy.DefaultAuthenticationStrategy;
 import org.apache.wicket.util.crypt.ICrypt;
 import org.apache.wicket.util.crypt.SunJceCrypt;
 import org.apache.wicket.util.string.Strings;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 public class OmAuthenticationStrategy extends DefaultAuthenticationStrategy {
+ private static final Logger log = LoggerFactory.getLogger(OmAuthenticationStrategy.class);
 private static final String COOKIE_KEY = "LoggedIn";
 
- public OmAuthenticationStrategy(String encryptionKey) {
- super(COOKIE_KEY, defaultCrypt(encryptionKey));
+ public OmAuthenticationStrategy(String encryptionKey, String salt) {
+ super(COOKIE_KEY, defaultCrypt(encryptionKey, salt));
 }
 
 /**
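Review bot: The widened public constructor `OmAuthenticationStrategy(String encryptionKey, String salt)` carries no Javadoc, and its contract is no longer obvious now that the salt comes from configuration instead of `SunJceCrypt.randomSalt()`: both arguments feed the cipher protecting the `LoggedIn` cookie, so they must be kept secret and must not change between restarts or differ between nodes, or cookies issued earlier are expected to become unreadable. Suggest a Javadoc with `@param encryptionKey secret used to derive the cipher key for the {@code LoggedIn} remember-me cookie` and `@param salt secret, deployment-constant string mixed into that derivation; changing either value invalidates outstanding remember-me cookies`. The four new `java.io`/`java.util` imports exist only to serve the string-to-bytes construction in `defaultCrypt` in the next hunk; if that helper is simplified, `ByteArrayOutputStream`, `IOException` and `PrintStream` become unused.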
@@ -68,11 +76,19 @@ public class OmAuthenticationStrategy extends DefaultAuthenticationStrategy {
 }
 }
 
- private static ICrypt defaultCrypt(String encryptionKey) {
- byte[] salt = SunJceCrypt.randomSalt();
+ private static ICrypt defaultCrypt(String encryptionKey, String saltStr) {
+ SunJceCrypt crypt = null;
+ try (ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ PrintStream ps = new PrintStream(baos);)
+ {
+ ps.append(saltStr).append("om_secret");
+ byte[] salt = Arrays.copyOfRange(baos.toByteArray(), 0, 8);
 
- SunJceCrypt crypt = new SunJceCrypt(salt, 1000);
- crypt.setKey(encryptionKey);
+ crypt = new SunJceCrypt(salt, 1000);
+ crypt.setKey(encryptionKey);
+ } catch (IOException e) {
+ log.error("Enxpected error while creating crypt", e);
+ }
 return crypt;
 }
 }
diff --git a/openmeetings-web/src/main/webapp/WEB-INF/classes/openmeetings.properties b/openmeetings-web/src/main/webapp/WEB-INF/classes/openmeetings.properties
index b2aadca..54796a3 100644
--- a/openmeetings-web/src/main/webapp/WEB-INF/classes/openmeetings.properties
+++ b/openmeetings-web/src/main/webapp/WEB-INF/classes/openmeetings.properties
@@ -21,6 +21,8 @@ scrypt.cost=16384
 ## please ensure this one is unique, better to regenerate it from time to time
 ## can be generated for ex. here https://www.uuidtools.com
 remember.me.encryption.key=27574200-a56f-410a-b2c9-3aa3b4b9389a
+## some secret set of characters
+remember.me.encryption.salt=abrakadabra
 
 ################## Timeouts ##################
 # 5000 == 5 sec
diff --git a/openmeetings-web/src/test/java/org/apache/openmeetings/web/app/TestOmAuthenticationStrategy.java b/openmeetings-web/src/test/java/org/apache/openmeetings/web/app/TestOmAuthenticationStrategy.java
index 59faea9..a055f3c 100644
--- a/openmeetings-web/src/test/java/org/apache/openmeetings/web/app/TestOmAuthenticationStrategy.java
+++ b/openmeetings-web/src/test/java/org/apache/openmeetings/web/app/TestOmAuthenticationStrategy.java
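Review bot: `Arrays.copyOfRange(baos.toByteArray(), 0, 8)` keeps only the first 8 bytes of `saltStr + "om_secret"`, so for any configured salt of 8 or more characters the `"om_secret"` suffix never contributes and everything after the eighth configured character is silently discarded; hashing the whole string and taking 8 bytes of the digest lets every character count while still handing `SunJceCrypt` the fixed-size salt the `0, 8` range suggests it needs. Routing the string through `PrintStream` also encodes it in the platform default charset, so a non-ASCII salt yields different bytes on differently configured JVMs, and the `IOException` handler returns a `null` crypt that `DefaultAuthenticationStrategy` will dereference later (the message also reads `Enxpected`); `getBytes(StandardCharsets.UTF_8)` makes the bytes deterministic and removes that path entirely. Since the removed line used `SunJceCrypt.randomSalt()` on every start, no cookie in the wild survives this commit anyway, so changing the derivation now costs nothing. With the rewrite below the `ByteArrayOutputStream`, `PrintStream` and `IOException` imports added in the previous hunk become unused, and `java.security.MessageDigest`, `java.security.NoSuchAlgorithmException` and `java.nio.charset.StandardCharsets` are needed instead.
```java
private static ICrypt defaultCrypt(String encryptionKey, String saltStr) {
	try {
		// Hash the whole configured value so every character contributes to the salt,
		// then take the fixed 8 bytes the PBE scheme behind SunJceCrypt expects.
		byte[] digest = MessageDigest.getInstance("SHA-256")
				.digest((saltStr + "om_secret").getBytes(StandardCharsets.UTF_8));
		SunJceCrypt crypt = new SunJceCrypt(Arrays.copyOf(digest, 8), 1000);
		crypt.setKey(encryptionKey);
		return crypt;
	} catch (NoSuchAlgorithmException e) {
		// SHA-256 is a mandatory JCE algorithm; a missing one is a broken runtime, not something to log and continue from
		throw new IllegalStateException("Unable to create remember-me crypt", e);
	}
}
```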
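Review bot: `remember.me.encryption.salt=abrakadabra` ships a fixed, publicly visible default, and unlike the key two lines above it carries no instruction to change it, so an installation left on both shipped values derives its remember-me cookie cipher entirely from strings that are readable in the repository. Mirror the wording already used for the key, e.g. `## please ensure this one is unique as well and keep it secret; changing it is expected to invalidate all existing remember-me cookies`. Having startup refuse the shipped default, as it could for the key, would make the guidance enforceable, but that belongs in the Java side rather than this file.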
@@ -33,7 +33,7 @@ class TestOmAuthenticationStrategy extends AbstractWicketTester {
 @Test
 void test() {
 String encKey = randomUUID().toString();
- OmAuthenticationStrategy s = new OmAuthenticationStrategy(encKey);
+ OmAuthenticationStrategy s = new OmAuthenticationStrategy(encKey, "test");
 s.save(null, null, User.Type.OAUTH, null);
 assertNull(s.load(), "Wasn't saved, should not be loaded");