diff --git a/src/main/java/es/uvigo/esei/daa/LoginFilter.java b/src/main/java/es/uvigo/esei/daa/LoginFilter.java
index f6fa8c601ca5130c1f4e9f0a792d69e3239bec81..1ca1ad27982e60ea36ecb3b783c32a63f3b11b93 100644
--- a/src/main/java/es/uvigo/esei/daa/LoginFilter.java
+++ b/src/main/java/es/uvigo/esei/daa/LoginFilter.java
@@ -38,6 +38,8 @@ public class LoginFilter implements Filter {
} else {
redirectToIndex(httpRequest, httpResponse);
}
+ } catch (IllegalArgumentException iae) {
+ httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
} catch (DAOException e) {
httpResponse.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
}
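Review bot: The new `catch (IllegalArgumentException iae)` covers the whole try body, not just the token parsing, so any IllegalArgumentException thrown by other code in that block (the try itself starts outside this hunk) is now reported to the client as 403 instead of surfacing as a 500, which hides programming errors behind an authorization response. If the intent is only "malformed token cookie", either throw and catch a dedicated exception type from checkToken or narrow the try so that the catch wraps only the checkToken call. At minimum add a comment stating the intent, e.g. `// checkToken throws IllegalArgumentException when the token cookie cannot be parsed`.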
@@ -101,7 +103,8 @@ public class LoginFilter implements Filter {
}
}
- private boolean checkToken(HttpServletRequest request) throws DAOException {
+ private boolean checkToken(HttpServletRequest request)
+ throws DAOException, IllegalArgumentException {
final Cookie[] cookies = request.getCookies();
if (cookies != null) {
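Review bot: Listing `IllegalArgumentException` in the `throws` clause of checkToken has no effect for an unchecked exception and is not idiomatic; the same declaration is added to `UsersDAO.checkToken` in the later hunk of this commit. The contract belongs in Javadoc instead, e.g. `@throws IllegalArgumentException if the token cookie is present but cannot be parsed`, and the `throws` clause can keep only `DAOException`. The body of checkToken continues outside this hunk.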
diff --git a/src/main/java/es/uvigo/esei/daa/dao/UsersDAO.java b/src/main/java/es/uvigo/esei/daa/dao/UsersDAO.java
index 66ef5c2495b9ac8b75a8b588b5cfcd61a0a9f177..6d4cfe211e96b2fb81e1ee75f8f1ffcecc547c3b 100644
--- a/src/main/java/es/uvigo/esei/daa/dao/UsersDAO.java
+++ b/src/main/java/es/uvigo/esei/daa/dao/UsersDAO.java
@@ -5,12 +5,11 @@ import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
+import org.apache.commons.codec.binary.Base64;
import org.apache.commons.codec.digest.DigestUtils;
public class UsersDAO extends DAO {
public String checkLogin(String login, String password) throws DAOException {
- final String shaPassword = DigestUtils.sha256Hex(password);
-
try (final Connection conn = this.getConnection()) {
final String query = "SELECT password FROM users WHERE login=?";
@@ -20,9 +19,10 @@ public class UsersDAO extends DAO {
try (ResultSet result = statement.executeQuery()) {
if (result.next()) {
final String dbPassword = result.getString("password");
+ final String shaPassword = DigestUtils.sha256Hex(password);
if (shaPassword.equals(dbPassword)) {
- return DigestUtils.sha256Hex(login + dbPassword);
+ return new String(Base64.encodeBase64((login + ":" + password).getBytes()));
} else {
return null;
}
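Review bot: The value returned on the new line `return new String(Base64.encodeBase64((login + ":" + password).getBytes()));` is the user's plaintext password, reversibly encoded, and it becomes the `token` cookie that the client stores and re-sends on every request; the replaced line returned a digest. Base64 is not a protection, so anyone who can read the cookie (browser storage, access logs, an unencrypted hop, script access if the cookie is not HttpOnly) obtains the password itself, and the token cannot be revoked without changing the password; the consuming side in the checkToken hunk of this file re-derives and re-checks the password on every request. A safer design keeps the token opaque: generate it with `SecureRandom`, store it server-side keyed to the login with an expiry, and have checkToken look the token up rather than decode it. Independently, `getBytes()` without a charset depends on the platform default; use `getBytes(StandardCharsets.UTF_8)` so the token round-trips the same way on every deployment.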
@@ -36,16 +36,31 @@ public class UsersDAO extends DAO {
}
}
- public String checkToken(String token) throws DAOException {
+ public String checkToken(String token)
+ throws DAOException, IllegalArgumentException {
+ final String decodedToken = new String(Base64.decodeBase64(token.getBytes()));
+ final int colonIndex = decodedToken.indexOf(':');
+
+ if (colonIndex < 0 || colonIndex == decodedToken.length()-1) {
+ throw new IllegalArgumentException("Invalid token");
+ }
+
+ final String login = decodedToken.substring(0, decodedToken.indexOf(':'));
+ final String password = DigestUtils.sha256Hex(
+ decodedToken.substring(decodedToken.indexOf(':') + 1)
+ );
+
try (final Connection conn = this.getConnection()) {
- final String query = "SELECT login FROM users WHERE sha2(concat(login, password), 256)=?";
+ final String query = "SELECT password FROM users WHERE login=?";
try (PreparedStatement statement = conn.prepareStatement(query)) {
- statement.setString(1, token);
+ statement.setString(1, login);
try (ResultSet result = statement.executeQuery()) {
if (result.next()) {
- return result.getString("login");
+ final String dbPassword = result.getString("password");
+
+ return password.equals(dbPassword) ? login : null;
} else {
return null;
}
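Review bot: The validation in the new checkToken body is weaker than it looks: `colonIndex` is computed but the two `substring` calls recompute `indexOf(':')`, the check `colonIndex < 0 || colonIndex == decodedToken.length()-1` rejects an empty password but accepts an empty login (`colonIndex == 0`), and `Base64.decodeBase64` in commons-codec does not reject malformed input, so arbitrary cookie bytes reach `new String(byte[])` under the platform charset before the only explicit check runs. Reusing `colonIndex`, rejecting index 0, and decoding with an explicit `StandardCharsets.UTF_8` (which needs an import) makes the parse deterministic across platforms and the error path complete; the lookup and comparison further down the hunk are unchanged.
```java
public String checkToken(String token)
        throws DAOException, IllegalArgumentException {
    final String decodedToken = new String(Base64.decodeBase64(token), StandardCharsets.UTF_8);
    final int colonIndex = decodedToken.indexOf(':');

    // reject a missing separator, an empty login and an empty password
    if (colonIndex <= 0 || colonIndex == decodedToken.length() - 1) {
        throw new IllegalArgumentException("Invalid token");
    }

    final String login = decodedToken.substring(0, colonIndex);
    final String password = DigestUtils.sha256Hex(decodedToken.substring(colonIndex + 1));

    // … unchanged: lookup by login and comparison against the stored hash …
```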
diff --git a/src/test/java/es/uvigo/esei/daa/web/PeopleWebTest.java b/src/test/java/es/uvigo/esei/daa/web/PeopleWebTest.java
index b89924f2aa7306cdea565a9124877795b764faea..bac7492fe909e8c85c004f96736f3f66fefc0cfe 100644
--- a/src/test/java/es/uvigo/esei/daa/web/PeopleWebTest.java
+++ b/src/test/java/es/uvigo/esei/daa/web/PeopleWebTest.java
@@ -38,10 +38,7 @@ public class PeopleWebTest {
driver.get(baseUrl);
driver.manage().addCookie(
- new Cookie(
- "token",
- "25d35467c91f0f8bbcc9a4f22bb359170643ccfdf38851599a03a8ffc0756666"
- )
+ new Cookie("token", "bXJqYXRvOm1yamF0bw==")
);
// Driver will wait DEFAULT_WAIT_TIME if it doesn't find and element.
driver.manage().timeouts().implicitlyWait(DEFAULT_WAIT_TIME, TimeUnit.SECONDS);
diff --git a/src/test/webapp/rest/people/add.html b/src/test/webapp/rest/people/add.html
index 184475edd6166e70b27cfb6b0fea90240aa627db..c0f7b7df36c086b33d5cd3d060db6152f17887ba 100644
--- a/src/test/webapp/rest/people/add.html
+++ b/src/test/webapp/rest/people/add.html
@@ -34,7 +34,7 @@
type |
name=value |
- token=25d35467c91f0f8bbcc9a4f22bb359170643ccfdf38851599a03a8ffc0756666 |
+ token=bXJqYXRvOm1yamF0bw== |
click |
diff --git a/src/test/webapp/rest/people/addNoName.html b/src/test/webapp/rest/people/addNoName.html
index e20f6f6874156a3bee2b065e8fdc6096c336c4b3..04db2e9b02a105d248647e90b47ee2941f1e00ed 100644
--- a/src/test/webapp/rest/people/addNoName.html
+++ b/src/test/webapp/rest/people/addNoName.html
@@ -34,7 +34,7 @@
type |
name=value |
- token=25d35467c91f0f8bbcc9a4f22bb359170643ccfdf38851599a03a8ffc0756666 |
+ token=bXJqYXRvOm1yamF0bw== |
click |
diff --git a/src/test/webapp/rest/people/addNoSurname.html b/src/test/webapp/rest/people/addNoSurname.html
index 909988cbd194397305c6997397e7423874a4c250..6b7ebbf457f46d0d2729fde6e24854bd71b0fbcc 100644
--- a/src/test/webapp/rest/people/addNoSurname.html
+++ b/src/test/webapp/rest/people/addNoSurname.html
@@ -34,7 +34,7 @@
type |
name=value |
- token=25d35467c91f0f8bbcc9a4f22bb359170643ccfdf38851599a03a8ffc0756666 |
+ token=bXJqYXRvOm1yamF0bw== |
click |
diff --git a/src/test/webapp/rest/people/delete.html b/src/test/webapp/rest/people/delete.html
index 4e3fe0a94f928edfe31515bfb3ea2a96a48d83cf..7c1a242b86336b296ec9932772a4709c89b561ea 100644
--- a/src/test/webapp/rest/people/delete.html
+++ b/src/test/webapp/rest/people/delete.html
@@ -34,7 +34,7 @@
type |
name=value |
- token=25d35467c91f0f8bbcc9a4f22bb359170643ccfdf38851599a03a8ffc0756666 |
+ token=bXJqYXRvOm1yamF0bw== |
click |
diff --git a/src/test/webapp/rest/people/deleteInvalidId.html b/src/test/webapp/rest/people/deleteInvalidId.html
index 0c9fa0d8033d1d83a7bb5fa294ec204d8a673003..8d84af44137d53cb60eede774fbc650abf35c1f6 100644
--- a/src/test/webapp/rest/people/deleteInvalidId.html
+++ b/src/test/webapp/rest/people/deleteInvalidId.html
@@ -34,7 +34,7 @@
type |
name=value |
- token=25d35467c91f0f8bbcc9a4f22bb359170643ccfdf38851599a03a8ffc0756666 |
+ token=bXJqYXRvOm1yamF0bw== |
click |
diff --git a/src/test/webapp/rest/people/get.html b/src/test/webapp/rest/people/get.html
index 0e5980f47f2bc2963bb0bbd6309c7c469e5cf0af..30f59e5d9748fa97f4c955125f54d0fda99a2d68 100644
--- a/src/test/webapp/rest/people/get.html
+++ b/src/test/webapp/rest/people/get.html
@@ -34,7 +34,7 @@
type |
name=value |
- token=25d35467c91f0f8bbcc9a4f22bb359170643ccfdf38851599a03a8ffc0756666 |
+ token=bXJqYXRvOm1yamF0bw== |
click |
diff --git a/src/test/webapp/rest/people/list.html b/src/test/webapp/rest/people/list.html
index 0e5980f47f2bc2963bb0bbd6309c7c469e5cf0af..30f59e5d9748fa97f4c955125f54d0fda99a2d68 100644
--- a/src/test/webapp/rest/people/list.html
+++ b/src/test/webapp/rest/people/list.html
@@ -34,7 +34,7 @@
type |
name=value |
- token=25d35467c91f0f8bbcc9a4f22bb359170643ccfdf38851599a03a8ffc0756666 |
+ token=bXJqYXRvOm1yamF0bw== |
click |
diff --git a/src/test/webapp/rest/people/modify.html b/src/test/webapp/rest/people/modify.html
index bd1990cefa87d146d11eaebd4cb5d813f0337098..0adc9f2a68a806af53478c1e425f7814d7812497 100644
--- a/src/test/webapp/rest/people/modify.html
+++ b/src/test/webapp/rest/people/modify.html
@@ -34,7 +34,7 @@
type |
name=value |
- token=25d35467c91f0f8bbcc9a4f22bb359170643ccfdf38851599a03a8ffc0756666 |
+ token=bXJqYXRvOm1yamF0bw== |
click |
diff --git a/src/test/webapp/rest/people/modifyInvalidId.html b/src/test/webapp/rest/people/modifyInvalidId.html
index 41632c4f3600e2054b96348ce43b4e2f9c91d1cc..3f9d78c28d04964bce35fde1623916c4c1f3655a 100644
--- a/src/test/webapp/rest/people/modifyInvalidId.html
+++ b/src/test/webapp/rest/people/modifyInvalidId.html
@@ -34,7 +34,7 @@
type |
name=value |
- token=25d35467c91f0f8bbcc9a4f22bb359170643ccfdf38851599a03a8ffc0756666 |
+ token=bXJqYXRvOm1yamF0bw== |
click |
diff --git a/src/test/webapp/rest/people/modifyNoId.html b/src/test/webapp/rest/people/modifyNoId.html
index 843ae7211563e8e02c9c637a672160d3b472a965..ed0f3bbb0db98543dd3aae94f5d4100f4ac612ec 100644
--- a/src/test/webapp/rest/people/modifyNoId.html
+++ b/src/test/webapp/rest/people/modifyNoId.html
@@ -34,7 +34,7 @@
type |
name=value |
- token=25d35467c91f0f8bbcc9a4f22bb359170643ccfdf38851599a03a8ffc0756666 |
+ token=bXJqYXRvOm1yamF0bw== |
click |
diff --git a/src/test/webapp/rest/people/modifyNoName.html b/src/test/webapp/rest/people/modifyNoName.html
index ca43e00ca89920cac048138b31d3f3616d329eae..c29cf81617684baf34bd828194075ec07260d55e 100644
--- a/src/test/webapp/rest/people/modifyNoName.html
+++ b/src/test/webapp/rest/people/modifyNoName.html
@@ -34,7 +34,7 @@
type |
name=value |
- token=25d35467c91f0f8bbcc9a4f22bb359170643ccfdf38851599a03a8ffc0756666 |
+ token=bXJqYXRvOm1yamF0bw== |
click |
diff --git a/src/test/webapp/rest/people/modifyNoSurname.html b/src/test/webapp/rest/people/modifyNoSurname.html
index 25caa0f6e96d68173754310f9ad1bb7548fb790c..fa2f859971853cf66f6827191ca94bf03ace29b7 100644
--- a/src/test/webapp/rest/people/modifyNoSurname.html
+++ b/src/test/webapp/rest/people/modifyNoSurname.html
@@ -34,7 +34,7 @@
type |
name=value |
- token=25d35467c91f0f8bbcc9a4f22bb359170643ccfdf38851599a03a8ffc0756666 |
+ token=bXJqYXRvOm1yamF0bw== |
click |
diff --git a/src/test/webapp/web/people/add.html b/src/test/webapp/web/people/add.html
index 7ea2c1e592eb41aa4bab87a8c5db11fc79ce646f..13d4ad63479307e6b37542ee2678fa1c2bdb7bde 100644
--- a/src/test/webapp/web/people/add.html
+++ b/src/test/webapp/web/people/add.html
@@ -13,7 +13,7 @@
createCookie |
- token=25d35467c91f0f8bbcc9a4f22bb359170643ccfdf38851599a03a8ffc0756666 |
+ token=bXJqYXRvOm1yamF0bw== |
|
diff --git a/src/test/webapp/web/people/delete.html b/src/test/webapp/web/people/delete.html
index 7155a2f4c9b34ffb718a60c9a8c5d8b4bb605c06..d73f24795fac92ee915f93ccebc5e7a240d04a60 100644
--- a/src/test/webapp/web/people/delete.html
+++ b/src/test/webapp/web/people/delete.html
@@ -13,7 +13,7 @@
createCookie |
- token=25d35467c91f0f8bbcc9a4f22bb359170643ccfdf38851599a03a8ffc0756666 |
+ token=bXJqYXRvOm1yamF0bw== |
|
diff --git a/src/test/webapp/web/people/edit.html b/src/test/webapp/web/people/edit.html
index b513e2664dec52e8fbcd1e04c979af6bccdb5ebb..30688fbe039ee31600c88882d8d086abbfcd0e9c 100644
--- a/src/test/webapp/web/people/edit.html
+++ b/src/test/webapp/web/people/edit.html
@@ -13,7 +13,7 @@
createCookie |
- token=25d35467c91f0f8bbcc9a4f22bb359170643ccfdf38851599a03a8ffc0756666 |
+ token=bXJqYXRvOm1yamF0bw== |
|
diff --git a/src/test/webapp/web/people/list.html b/src/test/webapp/web/people/list.html
index 8845d962345fecc27a503863205829cc2516b38c..a6b2ac41a9d402ec5e8a93d8b40242ce5c6b073b 100644
--- a/src/test/webapp/web/people/list.html
+++ b/src/test/webapp/web/people/list.html
@@ -13,7 +13,7 @@
createCookie |
- token=25d35467c91f0f8bbcc9a4f22bb359170643ccfdf38851599a03a8ffc0756666 |
+ token=bXJqYXRvOm1yamF0bw== |
|