From cf184b2c808afc3680625c550b4c3f74c60214cd Mon Sep 17 00:00:00 2001
From: michada
Date: Wed, 19 Feb 2014 01:07:22 +0100
Subject: [PATCH] Login method modification.

New login method based in HTTP's Basic Authentication used. This new method eliminates the need of the database supporting the SHA256 algorithm and facilitates the future use of Basic Authentication. Tests were updated to use the new token encoding.
---
 .../java/es/uvigo/esei/daa/LoginFilter.java | 5 +++-
 .../java/es/uvigo/esei/daa/dao/UsersDAO.java | 29 ++++++++++++++-----
 .../es/uvigo/esei/daa/web/PeopleWebTest.java | 5 +---
 src/test/webapp/rest/people/add.html | 2 +-
 src/test/webapp/rest/people/addNoName.html | 2 +-
 src/test/webapp/rest/people/addNoSurname.html | 2 +-
 src/test/webapp/rest/people/delete.html | 2 +-
 .../webapp/rest/people/deleteInvalidId.html | 2 +-
 src/test/webapp/rest/people/get.html | 2 +-
 src/test/webapp/rest/people/list.html | 2 +-
 src/test/webapp/rest/people/modify.html | 2 +-
 .../webapp/rest/people/modifyInvalidId.html | 2 +-
 src/test/webapp/rest/people/modifyNoId.html | 2 +-
 src/test/webapp/rest/people/modifyNoName.html | 2 +-
 .../webapp/rest/people/modifyNoSurname.html | 2 +-
 src/test/webapp/web/people/add.html | 2 +-
 src/test/webapp/web/people/delete.html | 2 +-
 src/test/webapp/web/people/edit.html | 2 +-
 src/test/webapp/web/people/list.html | 2 +-
 19 files changed, 43 insertions(+), 28 deletions(-)

diff --git a/src/main/java/es/uvigo/esei/daa/LoginFilter.java b/src/main/java/es/uvigo/esei/daa/LoginFilter.java
index f6fa8c6..1ca1ad2 100644
--- a/src/main/java/es/uvigo/esei/daa/LoginFilter.java
+++ b/src/main/java/es/uvigo/esei/daa/LoginFilter.java
@@ -38,6 +38,8 @@ public class LoginFilter implements Filter {
 } else {
 redirectToIndex(httpRequest, httpResponse);
 }
+ } catch (IllegalArgumentException iae) {
+ httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
 } catch (DAOException e) {
 httpResponse.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
 }
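Review bot: The new `catch (IllegalArgumentException iae)` answers 403 for a malformed token cookie, while a token that decodes fine but matches no user goes through `redirectToIndex`; a tampered cookie should get the same treatment as a missing or unknown one, so consider having `checkToken` return `false` for the malformed case instead of surfacing a distinct status code that lets a client tell "malformed" from "rejected" apart. The enclosing `try` begins before this hunk, so any `IllegalArgumentException` thrown by other code inside it is now also reclassified as 403 rather than propagating; at minimum the catch should log `iae` so genuine programming errors are not silently turned into a client error.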
@@ -101,7 +103,8 @@ public class LoginFilter implements Filter {
 }
 }
- private boolean checkToken(HttpServletRequest request) throws DAOException {
+ private boolean checkToken(HttpServletRequest request)
+ throws DAOException, IllegalArgumentException {
 final Cookie[] cookies = request.getCookies();
 if (cookies != null) {
diff --git a/src/main/java/es/uvigo/esei/daa/dao/UsersDAO.java b/src/main/java/es/uvigo/esei/daa/dao/UsersDAO.java
index 66ef5c2..6d4cfe2 100644
--- a/src/main/java/es/uvigo/esei/daa/dao/UsersDAO.java
+++ b/src/main/java/es/uvigo/esei/daa/dao/UsersDAO.java
@@ -5,12 +5,11 @@ import java.sql.PreparedStatement;
 import java.sql.ResultSet;
 import java.sql.SQLException;
+import org.apache.commons.codec.binary.Base64;
 import org.apache.commons.codec.digest.DigestUtils;
 public class UsersDAO extends DAO {
 public String checkLogin(String login, String password) throws DAOException {
- final String shaPassword = DigestUtils.sha256Hex(password);
-
 try (final Connection conn = this.getConnection()) {
 final String query = "SELECT password FROM users WHERE login=?";
@@ -20,9 +19,10 @@ public class UsersDAO extends DAO {
 try (ResultSet result = statement.executeQuery()) {
 if (result.next()) {
 final String dbPassword = result.getString("password");
+ final String shaPassword = DigestUtils.sha256Hex(password);
 if (shaPassword.equals(dbPassword)) {
- return DigestUtils.sha256Hex(login + dbPassword);
+ return new String(Base64.encodeBase64((login + ":" + password).getBytes()));
 } else {
 return null;
 }
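Review bot: Declaring `IllegalArgumentException` in the `throws` clause of `checkToken` is redundant for an unchecked exception and reads like a checked contract callers must handle; document it with Javadoc instead, e.g. `@throws IllegalArgumentException if the token cookie is not a well-formed Base64 login:password pair`. The same applies to `UsersDAO.checkToken` in the next file of this patch. The method body continues outside the hunk.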
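Review bot: The returned token is built with `getBytes()` and the platform default charset, so the cookie value depends on the JVM's `file.encoding` for any non-ASCII password and will not match what a browser puts in a real `Authorization: Basic` header; use `(login + ":" + password).getBytes(StandardCharsets.UTF_8)` here and decode with the same charset in `checkToken`. Because the token now embeds the plaintext password, the cookie is the credential itself: wherever it is created (outside this hunk) it should be marked `HttpOnly` and `Secure`, it must never be written to logs, and it cannot be expired or revoked without changing the password — worth a comment on the `return` line so the next maintainer does not treat it as an opaque session id. A login containing `':'` would also be split at the wrong position by `checkToken`, since Basic credentials reserve the colon as separator; reject such logins either here (`if (login.indexOf(':') >= 0) return null;`) or at account creation.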
@@ -36,16 +36,31 @@ public class UsersDAO extends DAO {
 }
 }
- public String checkToken(String token) throws DAOException {
+ public String checkToken(String token)
+ throws DAOException, IllegalArgumentException {
+ final String decodedToken = new String(Base64.decodeBase64(token.getBytes()));
+ final int colonIndex = decodedToken.indexOf(':');
+
+ if (colonIndex < 0 || colonIndex == decodedToken.length()-1) {
+ throw new IllegalArgumentException("Invalid token");
+ }
+
+ final String login = decodedToken.substring(0, decodedToken.indexOf(':'));
+ final String password = DigestUtils.sha256Hex(
+ decodedToken.substring(decodedToken.indexOf(':') + 1)
+ );
+
 try (final Connection conn = this.getConnection()) {
- final String query = "SELECT login FROM users WHERE sha2(concat(login, password), 256)=?";
+ final String query = "SELECT password FROM users WHERE login=?";
 try (PreparedStatement statement = conn.prepareStatement(query)) {
- statement.setString(1, token);
+ statement.setString(1, login);
 try (ResultSet result = statement.executeQuery()) {
 if (result.next()) {
- return result.getString("login");
+ final String dbPassword = result.getString("password");
+
+ return password.equals(dbPassword) ? login : null;
 } else {
 return null;
 }
diff --git a/src/test/java/es/uvigo/esei/daa/web/PeopleWebTest.java b/src/test/java/es/uvigo/esei/daa/web/PeopleWebTest.java
index b89924f..bac7492 100644
--- a/src/test/java/es/uvigo/esei/daa/web/PeopleWebTest.java
+++ b/src/test/java/es/uvigo/esei/daa/web/PeopleWebTest.java
@@ -38,10 +38,7 @@ public class PeopleWebTest {
 driver.get(baseUrl);
 driver.manage().addCookie(
- new Cookie(
- "token",
- "25d35467c91f0f8bbcc9a4f22bb359170643ccfdf38851599a03a8ffc0756666"
- )
+ new Cookie("token", "bXJqYXRvOm1yamF0bw==")
 );
 // Driver will wait DEFAULT_WAIT_TIME if it doesn't find and element.
 driver.manage().timeouts().implicitlyWait(DEFAULT_WAIT_TIME, TimeUnit.SECONDS);
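Review bot: `checkToken` decodes the cookie through the platform default charset (`new String(Base64.decodeBase64(token.getBytes()))`), compares the stored and computed digests with a non-constant-time `String.equals`, and re-scans for the colon twice although `colonIndex` was already computed; the rewrite below addresses the three together. Decoding the Base64 text as ASCII and the payload as UTF-8 matches what an `Authorization: Basic` header carries, and `MessageDigest.isEqual` removes the timing dependence of the hex comparison, with the `dbPassword != null` guard keeping the existing "NULL column means no match" behaviour. Note that `Base64.decodeBase64` silently skips characters outside the alphabet rather than failing, so the `"Invalid token"` check is the only validation a malformed cookie receives, and if the filter can pass a `null` cookie value the `token.getBytes()` call throws `NullPointerException` before that check is reached. The rewrite needs `java.nio.charset.StandardCharsets` and `java.security.MessageDigest` imported in UsersDAO; the method's try blocks close outside the hunk.
```java
public String checkToken(String token)
        throws DAOException, IllegalArgumentException {
    final String decodedToken = new String(
        Base64.decodeBase64(token.getBytes(StandardCharsets.US_ASCII)),
        StandardCharsets.UTF_8
    );
    final int colonIndex = decodedToken.indexOf(':');

    if (colonIndex < 0 || colonIndex == decodedToken.length()-1) {
        throw new IllegalArgumentException("Invalid token");
    }

    final String login = decodedToken.substring(0, colonIndex);
    final String password = DigestUtils.sha256Hex(decodedToken.substring(colonIndex + 1));

    // … unchanged: connection, prepared statement and executeQuery …
                    final String dbPassword = result.getString("password");

                    // constant-time compare of the two hex digests
                    return dbPassword != null && MessageDigest.isEqual(
                        password.getBytes(StandardCharsets.US_ASCII),
                        dbPassword.getBytes(StandardCharsets.US_ASCII)
                    ) ? login : null;
```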
diff --git a/src/test/webapp/rest/people/add.html b/src/test/webapp/rest/people/add.html
index 184475e..c0f7b7d 100644
--- a/src/test/webapp/rest/people/add.html
+++ b/src/test/webapp/rest/people/add.html
@@ -34,7 +34,7 @@
 type
 name=value
- token=25d35467c91f0f8bbcc9a4f22bb359170643ccfdf38851599a03a8ffc0756666
+ token=bXJqYXRvOm1yamF0bw==
 click
diff --git a/src/test/webapp/rest/people/addNoName.html b/src/test/webapp/rest/people/addNoName.html
index e20f6f6..04db2e9 100644
--- a/src/test/webapp/rest/people/addNoName.html
+++ b/src/test/webapp/rest/people/addNoName.html
@@ -34,7 +34,7 @@
 type
 name=value
- token=25d35467c91f0f8bbcc9a4f22bb359170643ccfdf38851599a03a8ffc0756666
+ token=bXJqYXRvOm1yamF0bw==
 click
diff --git a/src/test/webapp/rest/people/addNoSurname.html b/src/test/webapp/rest/people/addNoSurname.html
index 909988c..6b7ebbf 100644
--- a/src/test/webapp/rest/people/addNoSurname.html
+++ b/src/test/webapp/rest/people/addNoSurname.html
@@ -34,7 +34,7 @@
 type
 name=value
- token=25d35467c91f0f8bbcc9a4f22bb359170643ccfdf38851599a03a8ffc0756666
+ token=bXJqYXRvOm1yamF0bw==
 click
diff --git a/src/test/webapp/rest/people/delete.html b/src/test/webapp/rest/people/delete.html
index 4e3fe0a..7c1a242 100644
--- a/src/test/webapp/rest/people/delete.html
+++ b/src/test/webapp/rest/people/delete.html
@@ -34,7 +34,7 @@
 type
 name=value
- token=25d35467c91f0f8bbcc9a4f22bb359170643ccfdf38851599a03a8ffc0756666
+ token=bXJqYXRvOm1yamF0bw==
 click
diff --git a/src/test/webapp/rest/people/deleteInvalidId.html b/src/test/webapp/rest/people/deleteInvalidId.html
index 0c9fa0d..8d84af4 100644
--- a/src/test/webapp/rest/people/deleteInvalidId.html
+++ b/src/test/webapp/rest/people/deleteInvalidId.html
@@ -34,7 +34,7 @@
 type
 name=value
- token=25d35467c91f0f8bbcc9a4f22bb359170643ccfdf38851599a03a8ffc0756666
+ token=bXJqYXRvOm1yamF0bw==
 click
diff --git a/src/test/webapp/rest/people/get.html b/src/test/webapp/rest/people/get.html
index 0e5980f..30f59e5 100644
--- a/src/test/webapp/rest/people/get.html
+++ b/src/test/webapp/rest/people/get.html
@@ -34,7 +34,7 @@
 type
 name=value
- token=25d35467c91f0f8bbcc9a4f22bb359170643ccfdf38851599a03a8ffc0756666
+ token=bXJqYXRvOm1yamF0bw==
 click
diff --git a/src/test/webapp/rest/people/list.html b/src/test/webapp/rest/people/list.html
index 0e5980f..30f59e5 100644
--- a/src/test/webapp/rest/people/list.html
+++ b/src/test/webapp/rest/people/list.html
@@ -34,7 +34,7 @@
 type
 name=value
- token=25d35467c91f0f8bbcc9a4f22bb359170643ccfdf38851599a03a8ffc0756666
+ token=bXJqYXRvOm1yamF0bw==
 click
diff --git a/src/test/webapp/rest/people/modify.html b/src/test/webapp/rest/people/modify.html
index bd1990c..0adc9f2 100644
--- a/src/test/webapp/rest/people/modify.html
+++ b/src/test/webapp/rest/people/modify.html
@@ -34,7 +34,7 @@
 type
 name=value
- token=25d35467c91f0f8bbcc9a4f22bb359170643ccfdf38851599a03a8ffc0756666
+ token=bXJqYXRvOm1yamF0bw==
 click
diff --git a/src/test/webapp/rest/people/modifyInvalidId.html b/src/test/webapp/rest/people/modifyInvalidId.html
index 41632c4..3f9d78c 100644
--- a/src/test/webapp/rest/people/modifyInvalidId.html
+++ b/src/test/webapp/rest/people/modifyInvalidId.html
@@ -34,7 +34,7 @@
 type
 name=value
- token=25d35467c91f0f8bbcc9a4f22bb359170643ccfdf38851599a03a8ffc0756666
+ token=bXJqYXRvOm1yamF0bw==
 click
diff --git a/src/test/webapp/rest/people/modifyNoId.html b/src/test/webapp/rest/people/modifyNoId.html
index 843ae72..ed0f3bb 100644
--- a/src/test/webapp/rest/people/modifyNoId.html
+++ b/src/test/webapp/rest/people/modifyNoId.html
@@ -34,7 +34,7 @@
 type
 name=value
- token=25d35467c91f0f8bbcc9a4f22bb359170643ccfdf38851599a03a8ffc0756666
+ token=bXJqYXRvOm1yamF0bw==
 click
diff --git a/src/test/webapp/rest/people/modifyNoName.html b/src/test/webapp/rest/people/modifyNoName.html
index ca43e00..c29cf81 100644
--- a/src/test/webapp/rest/people/modifyNoName.html
+++ b/src/test/webapp/rest/people/modifyNoName.html
@@ -34,7 +34,7 @@
 type
 name=value
- token=25d35467c91f0f8bbcc9a4f22bb359170643ccfdf38851599a03a8ffc0756666
+ token=bXJqYXRvOm1yamF0bw==
 click
diff --git a/src/test/webapp/rest/people/modifyNoSurname.html b/src/test/webapp/rest/people/modifyNoSurname.html
index 25caa0f..fa2f859 100644
--- a/src/test/webapp/rest/people/modifyNoSurname.html
+++ b/src/test/webapp/rest/people/modifyNoSurname.html
@@ -34,7 +34,7 @@
 type
 name=value
- token=25d35467c91f0f8bbcc9a4f22bb359170643ccfdf38851599a03a8ffc0756666
+ token=bXJqYXRvOm1yamF0bw==
 click
diff --git a/src/test/webapp/web/people/add.html b/src/test/webapp/web/people/add.html
index 7ea2c1e..13d4ad6 100644
--- a/src/test/webapp/web/people/add.html
+++ b/src/test/webapp/web/people/add.html
@@ -13,7 +13,7 @@
 createCookie
- token=25d35467c91f0f8bbcc9a4f22bb359170643ccfdf38851599a03a8ffc0756666
+ token=bXJqYXRvOm1yamF0bw==
diff --git a/src/test/webapp/web/people/delete.html b/src/test/webapp/web/people/delete.html
index 7155a2f..d73f247 100644
--- a/src/test/webapp/web/people/delete.html
+++ b/src/test/webapp/web/people/delete.html
@@ -13,7 +13,7 @@
 createCookie
- token=25d35467c91f0f8bbcc9a4f22bb359170643ccfdf38851599a03a8ffc0756666
+ token=bXJqYXRvOm1yamF0bw==
diff --git a/src/test/webapp/web/people/edit.html b/src/test/webapp/web/people/edit.html
index b513e26..30688fb 100644
--- a/src/test/webapp/web/people/edit.html
+++ b/src/test/webapp/web/people/edit.html
@@ -13,7 +13,7 @@
 createCookie
- token=25d35467c91f0f8bbcc9a4f22bb359170643ccfdf38851599a03a8ffc0756666
+ token=bXJqYXRvOm1yamF0bw==
diff --git a/src/test/webapp/web/people/list.html b/src/test/webapp/web/people/list.html
index 8845d96..a6b2ac4 100644
--- a/src/test/webapp/web/people/list.html
+++ b/src/test/webapp/web/people/list.html
@@ -13,7 +13,7 @@
 createCookie
- token=25d35467c91f0f8bbcc9a4f22bb359170643ccfdf38851599a03a8ffc0756666
+ token=bXJqYXRvOm1yamF0bw==
--
2.18.1