Changeset 5827

Timestamp:

Oct 26, 2011, 12:51:52 PM (11 years ago)

Author:

Nicklas Nordborg

Message:

References #1641: Use bcrypt for storing passwords instead of MD5

This is now implemented in the core and web client and seems to be working good. The update script has not yet been fixed so upgrading will not work.

Location:

trunk

Files:

• doc/3rd-party-components.txt (modified) (1 diff)
• doc/licenses/jbcrypt-license.txt (added)
• doc/src/docbook/developer/migrate_2_3.xml (modified) (1 diff)
• doc/src/docbook/developer/plugins.xml (modified) (1 diff)
• doc/src/docbook/developer/webservices.xml (modified) (1 diff)
• doc/src/docbook/figures/uml/datalayer.authentication.png (modified) (previous)
• doc/src/docbook/user/webclient.xml (modified) (1 diff)
• doc/src/uml/baseuml.mdzip (modified) (previous)
• doc/uml (deleted)
• src/clients/jobagent/net/sf/basedb/clients/jobagent/Agent.java (modified) (1 diff)
• src/clients/jobagent/net/sf/basedb/clients/jobagent/executors/ThreadJobExecutor.java (modified) (1 diff)
• src/core/net/sf/basedb/core/Install.java (modified) (4 diffs)
• src/core/net/sf/basedb/core/PluginSessionControl.java (modified) (1 diff)
• src/core/net/sf/basedb/core/SessionControl.java (modified) (11 diffs)
• src/core/net/sf/basedb/core/Update.java (modified) (3 diffs)
• src/core/net/sf/basedb/core/User.java (modified) (4 diffs)
• src/core/net/sf/basedb/core/data/PasswordData.java (modified) (2 diffs)
• src/core/net/sf/basedb/util/bcrypt (added)
• src/core/net/sf/basedb/util/bcrypt/BCrypt.java (added)
• src/install/net/sf/basedb/install/Webclient.java (modified) (1 diff)
• src/test/TestClient.java (modified) (1 diff)
• src/test/TestSessionControl.java (modified) (2 diffs)
• src/test/TestUser.java (modified) (3 diffs)
• src/test/TestUtil.java (modified) (2 diffs)
• src/test/TestWebservices.java (modified) (1 diff)
• src/test/net/sf/basedb/test/TestUtil.java (modified) (1 diff)
• src/test/net/sf/basedb/test/merge/MergeTest.java (modified) (1 diff)
• src/test/net/sf/basedb/test/performance/ExportTest.java (modified) (1 diff)
• src/test/net/sf/basedb/test/performance/FilterTest.java (modified) (1 diff)
• src/test/net/sf/basedb/test/performance/LowessTest.java (modified) (1 diff)
• src/test/net/sf/basedb/test/performance/PrepareTest.java (modified) (2 diffs)
• src/test/net/sf/basedb/test/performance/RawDataTest.java (modified) (1 diff)
• src/test/net/sf/basedb/test/performance/RootTest.java (modified) (1 diff)
• src/test/net/sf/basedb/test/roles/AdminTest.java (modified) (1 diff)
• src/test/net/sf/basedb/test/roles/GuestTest.java (modified) (1 diff)
• src/test/net/sf/basedb/test/roles/PowerUserTest.java (modified) (1 diff)
• src/test/net/sf/basedb/test/roles/RootTest.java (modified) (1 diff)
• src/test/net/sf/basedb/test/roles/UserTest.java (modified) (1 diff)
• src/webservices/client/java/net/sf/basedb/ws/client/SessionClient.java (modified) (1 diff)
• src/webservices/server/net/sf/basedb/ws/server/SessionService.java (modified) (2 diffs)
• www/exception/not_logged_in.jsp (modified) (5 diffs)
• www/login.jsp (modified) (1 diff)
• www/main.jsp (modified) (5 diffs)
• www/switch.jsp (modified) (4 diffs)

trunk/doc/3rd-party-components.txt

@@ -194 +194 @@
 Jar files : mail-1.4.3.jar
 
+
+jBCrypt
+-------
+Package for safe encryption of passwords using the 'bcrypt' algorithm.
+
+More info : http://www.mindrot.org/projects/jBCrypt/
+Version   : 0.3
+License   : ISC/BSD licence (jbcrypt-license.txt)
+Jar files : None. Distributed as source only. All code is in net/sf/basedb/util/bcrypt/BCrypt.java
 
 JSON.simple 

trunk/doc/src/docbook/developer/migrate_2_3.xml

@@ -239 +239 @@
         </para>
       </listitem>
+      
+      <listitem>
+        <para>
+          Encrypting passwords before logging in is no longer supported. The
+          <methodname>SessionControl.login()</methodname> has been changed to
+          reflect this. While this may seem like a reduction in security it is not.
+          The previously used scheme with MD5 hashes can be cracked by brute-force on 
+          a moderate computer today. If additional security is needed we recommend that
+          BASE is installed with HTTPS access only. See <ulink 
+          url="http://base.thep.lu.se/ticket/1641">ticket #1641 (Use bcrypt for storing 
+          passwords instead of MD5)</ulink> for more information.
+        </para>
+      </listitem>
+      
     </itemizedlist>
 

trunk/doc/src/docbook/developer/plugins.xml

@@ -3591 +3591 @@
           </itemizedlist>
           
-          <note>
-            <para>
-            The <guilabel>Encrypt password</guilabel> option that is
-            available on the login page does not work with external 
-            authentication. The simple reason is that the password is
-            encrypted with a one-way algorithm making it impossible to
-            call <methodname>Authenticator.authenticate()</methodname>.
-            </para>
-          </note>
-          
         </para>
       </sect3>

trunk/doc/src/docbook/developer/webservices.xml

@@ -211 +211 @@
 
 // Login
-session.login(login, password, null, false);
+session.login(login, password, null);
 
 // Get all projects and print out name and ID

trunk/doc/src/docbook/user/webclient.xml

@@ -64 +64 @@
           Logging in is simple, just enter your <guilabel>login</guilabel> 
           and <guilabel>password</guilabel> in the form on the front page
-          and click the <guibutton>Login</guibutton> button. There is
-          a checkbox which allows you to <guilabel>encrypt the password</guilabel>
-          before it is sent to the BASE server. It is checked by default, and
-          it is a good idea to leave it checked unless you have problems logging
-          in. If you are sure you are entering the correct login and password,
-          but still cannot log in, try unchecking the encryption option.
-          If the checkbox is not visible, which happens if the server is
-          using an external authentication server, the password is not encrypted.
+          and click the <guibutton>Login</guibutton> button.
         </para>
       </sect2>

trunk/src/clients/jobagent/net/sf/basedb/clients/jobagent/Agent.java

@@ -889 +889 @@
     {
       log.info("Logging in as user: " + login);
-      sc.login(login, password, "Job agent running on host " + getServerName(), false);
+      sc.login(login, password, "Job agent running on host " + getServerName());
     }
     return sc;

trunk/src/clients/jobagent/net/sf/basedb/clients/jobagent/executors/ThreadJobExecutor.java

@@ -174 +174 @@
       sc = Application.newSessionControl("net.sf.basedb.clients.jobagent", 
         SocketUtil.getLocalHost().toString(), null);
-      sc.login(login, password, loginComment, false);
+      sc.login(login, password, loginComment);
       dc = sc.newDbControl();
       Job job = Job.getById(dc, jobId);

trunk/src/core/net/sf/basedb/core/Install.java

@@ -68 +68 @@
 
 import net.sf.basedb.util.FileUtil;
-import net.sf.basedb.util.MD5;
 import net.sf.basedb.util.Values;
 import net.sf.basedb.util.XMLUtil;
@@ -211 +210 @@
         "This is the root user account of BASE. It has full permission to everything.", 
         roleAdmin, quotaUnlimit, false, false);
-      UserData jobAgentUser = createUser(null, "jobagent", "", "Job agent", 
+      UserData jobAgentUser = createUser(null, "jobagent", null, "Job agent", 
         "This user account is used by the job agents to login and execute jobs. You must "+
         "activate it and set a password before it can be used.",
@@ -218 +217 @@
       // Now that we have a root user let's create a session 
       sessionControl = Application.newSessionControl( null, null, null );
-      sessionControl.login(rootLogin, rootPassword, "InitDBSessionId", false);
+      sessionControl.login(rootLogin, rootPassword, "InitDBSessionId");
   
       progressStep++;
@@ -1230 +1229 @@
         if (systemId != null) user.setSystemId(systemId);
         user.setLogin(login);
-        user.getPassword().setMd5Password(MD5.getHashString(password));
+        if (password != null)
+        {
+          user.getPassword().setCryptedPassword(User.encryptPassword(password));
+        }
         user.setName(name);
         user.setDescription(description);

trunk/src/core/net/sf/basedb/core/PluginSessionControl.java

@@ -64 +64 @@
   */
   @Override
-  public synchronized void login(String login, String password, String comment, boolean encryptedPassword) 
+  public synchronized void login(String login, String password, String comment) 
     throws ItemNotFoundException, PermissionDeniedException, InvalidPasswordException, BaseException
   {

trunk/src/core/net/sf/basedb/core/SessionControl.java

@@ -27 +27 @@
 import net.sf.basedb.core.data.PermissionTemplateData;
 import net.sf.basedb.core.data.UserData;
-import net.sf.basedb.core.data.PasswordData;
 import net.sf.basedb.core.data.SessionData;
 import net.sf.basedb.core.data.ClientData;
@@ -42 +41 @@
 import net.sf.basedb.core.data.ContextData;
 import net.sf.basedb.core.data.ContextIndex;
-import net.sf.basedb.util.MD5;
 import net.sf.basedb.util.Enumeration;
 
@@ -126 +124 @@
   */
   private LoginInfo loginInfo;
-  
-  /**
-    The last generated challenge for password encryption.
-  */
-  private String lastChallenge;
   
   /**
@@ -335 +328 @@
 
   /**
-    Generate a new random string to be used for password encryption
-    in the login method. Using encryption prevents that user passwords
-    are sent in clear text between client and server (ie. web browser and
-    web server).
-    <p>
-    The client application should use the challenge as follows:
-    <ol>
-    <li>Calculate the MD5 of the real UTF-8 encoded password
-    <li>Concatenate this with the challenge with a colon inbetween:
-      <code>MD5:challenge</code>
-    <li>Calculate the MD5 of the concatenated string. This is the
-      encrypted password, which should be sent to the login method.
-    </ol>
-    <p>
-    Note! This is not intended as a replacement for SSL encrypted
-    communication.
-    <p>
-    Note! Each call to this method generates a new random challenge.
-    
-    @return A challenge string used to encrypt the password
-    @see #login(String, String, String, boolean)
-  */
-  public String getChallenge()
-  {
-    lastChallenge = Application.generateRandomId(16);
-    return lastChallenge;
-  }
-  
-  /**
-    Get the last challenge generated.
-  */
-  private String getLastChallenge()
-  {
-    return lastChallenge;
-  }
-  
-  /**
     Log in to BASE. The method checks that the given login is valid, 
     the password is correct and that the user has USE permission for
@@ -394 +350 @@
     @see #isLoggedIn()
     @see #getLoggedInUserId()
-  */
-  public synchronized void login(String login, String password, String comment, boolean encryptedPassword)
+    @since 3.0 (the option to use encrypted passwords has been removed)
+  */
+  public synchronized void login(String login, String password, String comment)
     throws ItemNotFoundException, PermissionDeniedException,
     InvalidPasswordException, BaseException
@@ -421 +378 @@
       if (Application.isUsingInternalAuthentication() || login.equals(root.getLogin()))
       {
-        userData = verifyUserInternal(session, login, password, encryptedPassword);
+        userData = verifyUserInternal(session, login, password);
       }
       else
       {
-        if (encryptedPassword) 
-        {
-          throw new BaseException("Encrypted passwords are not supported when using external authentication");
-        }
         userData = verifyUserExternal(session, login, password);
       }
@@ -451 +404 @@
     internal authentication.
   */
-  private UserData verifyUserInternal(org.hibernate.Session session, String login, String password, boolean encryptedPassword)
+  private UserData verifyUserInternal(org.hibernate.Session session, String login, String password)
     throws ItemNotFoundException, InvalidPasswordException, AccountExpiredException, BaseException
   {
@@ -479 +432 @@
       throw new AccountExpiredException(login, expirationDate);
     }
-    PasswordData passwordData = userData.getPassword();
-    String md5Password = passwordData.getMd5Password();
-    if (encryptedPassword)
-    {
-      md5Password = MD5.getHashString(md5Password + ":" + getLastChallenge());
-    }
-    else
-    {
-      password = MD5.getHashString(password);
-    }
-    if (!md5Password.equals(password))
+    
+    // Check the password
+    String cryptedPassword = userData.getPassword().getCryptedPassword();
+    if (cryptedPassword == null || !User.checkPassword(password, cryptedPassword))
     {
       throw new InvalidPasswordException("User[login="+login+"]");
@@ -525 +471 @@
       if (Config.getBoolean("auth.cachepasswords"))
       {
-        return verifyUserInternal(session, login, password, false);
+        return verifyUserInternal(session, login, password);
       }
       throw new BaseException(ex);
@@ -544 +490 @@
       userData.setLogin(info.login);
       userData.setName(info.name == null ? info.login : info.name);
-      userData.getPassword().setMd5Password("");
       userData.setQuota(HibernateUtil.loadData(session, QuotaData.class, SystemItems.getId(Quota.DEFAULT)));
       User.addDefultRolesAndGroups(session, userData);
@@ -550 +495 @@
     if (Config.getBoolean("auth.cachepasswords"))
     {
-      userData.getPassword().setMd5Password(MD5.getHashString(password));
+      userData.getPassword().setCryptedPassword(User.encryptPassword(password));
       int daysToCache = Config.getInt("auth.daystocache", 0);
       userData.setExpirationDate(daysToCache > 0 ? new Date(System.currentTimeMillis()+daysToCache*24L*3600L*1000L) : null);

trunk/src/core/net/sf/basedb/core/Update.java

@@ -131 +131 @@
       // Test root user account
       SessionControl sc = Application.newSessionControl(null, null, null);
-      sc.login(rootLogin, rootPassword, null, false);
+      sc.login(rootLogin, rootPassword, null);
       if (sc.getLoggedInUserId() != SystemItems.getId(User.ROOT))
       {
@@ -251 +251 @@
       // Test root user account
       SessionControl sc = Application.newSessionControl(null, null, null);
-      sc.login(rootLogin, rootPassword, null, false);
+      sc.login(rootLogin, rootPassword, null);
       if (sc.getLoggedInUserId() != SystemItems.getId(User.ROOT))
       {
@@ -385 +385 @@
       // Test root user account
       SessionControl sc = Application.newSessionControl(null, null, null);
-      sc.login(rootLogin, rootPassword, null, false);
+      sc.login(rootLogin, rootPassword, null);
       if (sc.getLoggedInUserId() != SystemItems.getId(User.ROOT))
       {

trunk/src/core/net/sf/basedb/core/User.java

@@ -34 +34 @@
 import net.sf.basedb.core.hibernate.TypeWrapper;
 import net.sf.basedb.util.MD5;
+import net.sf.basedb.util.bcrypt.BCrypt;
 import net.sf.basedb.core.query.Restriction;
 import net.sf.basedb.core.query.Restrictions;
@@ -48 +49 @@
 import java.util.Set;
 import java.util.Collections;
+
 
 /**
@@ -252 +254 @@
   }
   
+  /**
+    Encrypt the plain-text password. The password is ecnrypted
+    by first calculating the MD5 of the password and then
+    using bcrypt with a random salt on the MD5.
+    
+    @param password The plain-text password
+  */
+  static String encryptPassword(String password)
+  {
+    String md5 = MD5.getHashString(password);
+    return BCrypt.hashpw(md5, BCrypt.gensalt());
+  }
+  
+  /**
+    Check the plain-text password against the crypted password.
+    @param password The plain-text password
+    @param cryptedPassword The crypted password
+    @return
+  */
+  static boolean checkPassword(String password, String cryptedPassword)
+  {
+    String md5 = MD5.getHashString(password);
+    return BCrypt.checkpw(md5, cryptedPassword);
+  }
+  
   User(UserData userData)
   {
@@ -434 +461 @@
     checkPermission(Permission.RESTRICTED_WRITE);
     if (password == null) throw new InvalidUseOfNullException("password");
-    getData().getPassword().setMd5Password(MD5.getHashString(password));
-  }
-
-  /**
-    Set the encrypted password from BASE 1. This method is only intended
-    to be used from the migration application, and will throw a
-    {@link PermissionDeniedException} unless the logged in user is the root and
-    the user account is a newly created account.
-    @param md5Password The MD5 password from a BASE 1 installation
-    @throws PermissionDeniedException If it is not a new user or 
-      root isn't logged in
-    @throws BaseException If there is some other kind of error. 
-  */
-  public void setBase1Password(String md5Password)
-    throws PermissionDeniedException, BaseException
-  {
-    if (isInDatabase() || (SystemItems.getId(User.ROOT) != getSessionControl().getLoggedInUserId()))
-    {
-      throw new PermissionDeniedException(Permission.WRITE, "Password[login="+getLogin()+"]");
-    }
-    getData().getPassword().setMd5Password(md5Password);
+    getData().getPassword().setCryptedPassword(encryptPassword(password));
   }
 

trunk/src/core/net/sf/basedb/core/data/PasswordData.java

@@ -22 +22 @@
 package net.sf.basedb.core.data;
 
+import net.sf.basedb.core.User;
+
 /**
   This class holds the password for a user. It has a one-to-one
@@ -40 +42 @@
   {}
 
-  private String md5Password;
+  private String cryptedPassword;
   /**
-    Get the MD5 encrypted password. It is always returned as a string
-    with 32 hexadecimal characters.
-    @hibernate.property column="`md5password`" type="string" length="32" not-null="true"
+    Get the crypted password.
+    @hibernate.property column="`crypted_password`" type="string" length="255" not-null="false"
+    @since 3.0
   */
-  public String getMd5Password()
+  public String getCryptedPassword()
   {
-    return md5Password;
+    return cryptedPassword;
   }
-  public void setMd5Password(String md5Password)
+  /**
+    Set the encrypted password. The password should be encrypted with
+    {@link User#encryptPassword(String)}.
+    @since 3.0
+  */
+  public void setCryptedPassword(String cryptedPassword)
   {
-    this.md5Password = md5Password;
+    this.cryptedPassword = cryptedPassword;
   }
+
   
   private UserData user;

trunk/src/install/net/sf/basedb/install/Webclient.java

@@ -93 +93 @@
     Application.start(false);
     SessionControl sc = Application.newSessionControl(null, null, null);
-    sc.login(login, password, "Installing web client", false);
+    sc.login(login, password, "Installing web client");
     
     DbControl dc = sc.newDbControl();

trunk/src/test/TestClient.java

@@ -204 +204 @@
       Client c = Client.getById(dc, id);
       SessionControl sc = Application.newSessionControl(c.getExternalId(), null, null);
-      sc.login(TestUtil.getLogin(), TestUtil.getPassword(), "Running test program", false);
+      sc.login(TestUtil.getLogin(), TestUtil.getPassword(), "Running test program");
       sc.logout();
       write("--Login/logout OK");

trunk/src/test/TestSessionControl.java

@@ -40 +40 @@
     test_get_session_control(TestUtil.getLocalIp(), false);
     test_get_session_control("unknown.ip.address", true);
-    test_login_encrypted_password();
     test_user_default_setting("test.default", "This is the users default setting");
     test_user_client_setting("test.client", "This is the users client setting");
@@ -78 +77 @@
         ok = false;
       }
-    }
-  }
-  
-  static void test_login_encrypted_password()
-  {
-    try
-    {
-      TestUtil.logout();
-      TestUtil.loginEncrypted();
-      write("--Login with encrypted password OK");
-    }
-    catch (Throwable ex)
-    {
-      write("--Login with encrypted password FAILED");
-      ex.printStackTrace();
-      ok = false;
     }
   }

trunk/src/test/TestUser.java

@@ -47 +47 @@
     int id2 = test_create(true);
     int id = test_create(false);
-    int base1Id = test_create_base1_user();
     test_load(id);
     test_list(-1);
@@ -91 +90 @@
     // Standard test: Delete
     TestTag.test_delete(tag_id);
-    test_delete(base1Id);
     test_delete(id);
     test_delete(id2);
@@ -140 +138 @@
   }
 
-  static int test_create_base1_user()
-  {
-    if (TestUtil.getSessionControl().getLoggedInUserId() != SystemItems.getId(User.ROOT)) return 0;
-    int id = 0;
-    DbControl dc = null;
-    try
-    {
-      dc = TestUtil.getDbControl();
-      String login = "base1user"+Application.generateRandomId(4);
-      User u = User.getNew(dc, login, "password");
-      u.setName("Base 1 user");
-      u.setDescription("Added at "+new Date());
-      dc.saveItem(u);
-      u.setBase1Password("63a9f0ea7bb98050796b649e85481845");
-      dc.commit();
-      id = u.getId();
-      write_item(0, u);
-      write("--Create BASE 1 user OK");
-    }
-    catch (Throwable ex)
-    {
-      write("--Create BASE 1 user FAILED");
-      ex.printStackTrace();
-      ok = false;
-    }
-    finally
-    {
-      if (dc != null) dc.close();
-    }
-    return id;
-  }
-  
   static void test_load(int id)
   {

trunk/src/test/TestUtil.java

@@ -28 +28 @@
 import net.sf.basedb.core.Permission;
 import net.sf.basedb.core.Version;
-import net.sf.basedb.util.MD5;
 
 import java.io.File;
@@ -183 +182 @@
     throws BaseException
   {
-    login(login, password, false);
-  }
-  
-  public static void loginEncrypted()
-  {
-    String encrypted = MD5.getHashString(MD5.getHashString(password) + ":" + sc.getChallenge());
-    login(login, encrypted, true);
-  }
-  
-  public static void login(String login, String password, boolean encrypted)
-    throws BaseException
-  {
-    sc.login(login, password, "Running test program", encrypted);
+    login(login, password);
+  }
+  
+  public static void login(String login, String password)
+    throws BaseException
+  {
+    sc.login(login, password, "Running test program");
   }
 

trunk/src/test/TestWebservices.java

@@ -530 +530 @@
       write("--Using url: " + url);
       client = new SessionClient(url, null, TestUtil.getClient());
-      client.login(TestUtil.getLogin(), TestUtil.getPassword(), "Test webservices", false);
+      client.login(TestUtil.getLogin(), TestUtil.getPassword(), "Test webservices");
           write("--Create/login session OK: ID=" + client.getId());
     }

trunk/src/test/net/sf/basedb/test/TestUtil.java

@@ -162 +162 @@
     Login to BASE.
   */
-  public static void login(String login, String password, boolean encrypted)
+  public static void login(String login, String password)
   {
     write("--Logging in as: " + login + "\n");
-    getSessionControl().login(login, password, "Running test program", encrypted);
+    getSessionControl().login(login, password, "Running test program");
   }
 

trunk/src/test/net/sf/basedb/test/merge/MergeTest.java

@@ -95 +95 @@
     try
     {
-      TestUtil.login("root", "root", false);
+      TestUtil.login("root", "root");
       
       // Reporters

trunk/src/test/net/sf/basedb/test/performance/ExportTest.java

@@ -65 +65 @@
     try
     {
-      TestUtil.login(user, password, false);
+      TestUtil.login(user, password);
 
       // Configuration options

trunk/src/test/net/sf/basedb/test/performance/FilterTest.java

@@ -63 +63 @@
     try
     {
-      TestUtil.login(user, password, false);
+      TestUtil.login(user, password);
       
       // Configuration options

trunk/src/test/net/sf/basedb/test/performance/LowessTest.java

@@ -66 +66 @@
     try
     {
-      TestUtil.login(user, password, false);
+      TestUtil.login(user, password);
 
       // Configuration options

trunk/src/test/net/sf/basedb/test/performance/PrepareTest.java

@@ -82 +82 @@
     try
     {
-      TestUtil.login(user, password, false);
+      TestUtil.login(user, password);
       dc = TestUtil.getDbControl();
 
@@ -181 +181 @@
     try
     {
-      TestUtil.login(user, password, false);
+      TestUtil.login(user, password);
 
       List<BasicItem> itemsToRemove = new ArrayList<BasicItem>();

trunk/src/test/net/sf/basedb/test/performance/RawDataTest.java

@@ -64 +64 @@
     try
     {
-      TestUtil.login(user, password, false);
+      TestUtil.login(user, password);
 
       // Create raw bioassays

trunk/src/test/net/sf/basedb/test/performance/RootTest.java

@@ -67 +67 @@
     try
     {
-      TestUtil.login(user, password, false);
+      TestUtil.login(user, password);
 
       dc = TestUtil.getDbControl();

trunk/src/test/net/sf/basedb/test/roles/AdminTest.java

@@ -86 +86 @@
     try
     {
-      TestUtil.login("admin", "admin", false);
+      TestUtil.login("admin", "admin");
       dc = TestUtil.getDbControl();
       Group g = createGroup(dc);

trunk/src/test/net/sf/basedb/test/roles/GuestTest.java

@@ -49 +49 @@
     try
     {
-      TestUtil.login("guest", "guest", false);
+      TestUtil.login("guest", "guest");
       // Activate project
       dc = TestUtil.getDbControl();

trunk/src/test/net/sf/basedb/test/roles/PowerUserTest.java

@@ -105 +105 @@
     try
     {
-      TestUtil.login("power", "power", false);
+      TestUtil.login("power", "power");
       
       // Project

trunk/src/test/net/sf/basedb/test/roles/RootTest.java

@@ -56 +56 @@
     try
     {
-      TestUtil.login("root", "root", false);
+      TestUtil.login("root", "root");
       dc = TestUtil.getDbControl();
       User admin = createAdmin(dc);

trunk/src/test/net/sf/basedb/test/roles/UserTest.java

@@ -97 +97 @@
     try
     {
-      TestUtil.login("user", "user", false);
+      TestUtil.login("user", "user");
       PluginDefinition bioSourceBatchImporter = null;
       PluginDefinition sampleBatchImporter = null;

trunk/src/webservices/client/java/net/sf/basedb/ws/client/SessionClient.java

@@ -90 +90 @@
   
   /**
-    Calling the getChallenge method.
-      @return Gets a random string to use with password encryption.
-      @throws AxisFault If communication with web service fails.
-   */
-  public String getChallenge()
-    throws AxisFault
-  {
-    return invokeBlocking("getChallenge", String.class, ID);
-  }
-  
-  /**
     Login to BASE 
       @param login Login name on BASE server
       @param password Password on BASE server
       @param comment A comment to put on the session
-      @param encrypted If the password should be encrypted when logging in.
       @throws AxisFault If something goes wrong when calling the login service
+      @since 3.0
    */
-  public void login(String login, String password, String comment, boolean encrypted)
+  public void login(String login, String password, String comment)
     throws AxisFault
   {
-    invokeBlocking("login", ID, login, password, comment, encrypted);
+    invokeBlocking("login", ID, login, password, comment);
   }
   

trunk/src/webservices/server/net/sf/basedb/ws/server/SessionService.java

@@ -54 +54 @@
 
   /**
-    Service for net.sf.basedb.core.SessionControl#getChallenge()
-      @param ID
-      @return String A radom string
-   */
-  public String getChallenge(String ID)
-  {
-    SessionControl sc = getSessionControl(ID);
-    return sc.getChallenge();
-  }
-  
-  /**
     Service to login to BASE
       @param ID Id of a session control
@@ -70 +59 @@
       @param password Password for the login above.
       @param comment Comment to be used with the new session
-      @param encrypted If encrypted password should be used or not.
       @return The Session ID
+      @since 3.0
    */
-  public String login(String ID, String login, String password, String comment, boolean encrypted)
+  public String login(String ID, String login, String password, String comment)
   {
     SessionControl sc = getSessionControl(ID);
-    sc.login(login, password, comment, encrypted);
+    sc.login(login, password, comment);
     return ID;
   }

trunk/www/exception/not_logged_in.jsp

@@ -52 +52 @@
 %>
 <base:page type="default" menu="exception" title="Not logged in">
-<base:head scripts="md5.js,exception.js" styles="login.css">
+<base:head scripts="exception.js" styles="login.css">
   <script language="JavaScript">
   // hide menubar and resize if it is a popup window
@@ -69 +69 @@
       frm.login.value = topWindow.lastLogin;
       Main.show('timeout');
-    }
-    if (frm.encrypt && topWindow.encrypt != undefined)
-    {
-      frm.encrypt.checked = topWindow.encrypt;
     }
     if (frm.login.value == '')
@@ -109 +105 @@
   {
     var frm = document.forms['login'];
-    if (frm.encrypt && frm.encrypt.checked)
-    {
-      var password = frm.password.value;
-      var md5password = hex_md5(password);
-      md5password = hex_md5(md5password + ':<%=sc.getChallenge()%>');
-      frm.encrypted_password.value = md5password;
-      frm.password.value = '';
-    }
     Main.openPopup('', 'Login', 300, 200);
     frm.submit();
@@ -127 +115 @@
       <input type="hidden" name="ID" value="<%=ID%>">
       <input type="hidden" name="redirect" value="<%=redirect%>">
-      <input type="hidden" name="encrypted_password" value="">
       
       <table class="loginform" width="100%" border="0" align="center">
@@ -159 +146 @@
             <td><base:button onclick="mainPage();" title="Cancel" /></td>
           </tr>
-          <%
-          if (Application.isUsingInternalAuthentication())
-          {
-            %>
-            <tr>
-              <td class="prompt"><label for="encryptPassword">Encrypt password</label></td>
-              <td>
-                <input type="checkbox" name="encrypt" id="encryptPassword" checked value="1"><br>
-              </td>
-            </tr>
-            <%
-          }
-          %>
           <tr>
             <td colspan="4">

trunk/www/login.jsp

@@ -55 +55 @@
   if ("Login".equals(cmd) || cmd == null)
   {
-    boolean encrypted = Values.getBoolean(request.getParameter("encrypt"));
-    String password = encrypted ? request.getParameter("encrypted_password") : request.getParameter("password");
+    String password = request.getParameter("password");
     try
     {
       if (sc.isLoggedIn()) sc.logout();
-      sc.login(login, password, null, encrypted);
+      sc.login(login, password, null);
     }
     catch (LoginException ex)

trunk/www/main.jsp

@@ -66 +66 @@
   %>
   <base:page type="default" title="">
-  <base:head scripts="md5.js" styles="login.css">
+  <base:head styles="login.css">
     <script language="JavaScript" type="text/javascript">
     // Set foucs on the login form
@@ -80 +80 @@
       frm = document.forms['login'];
       if (frm.login.value == '' && window.parent.lastLogin) frm.login.value = window.parent.lastLogin;
-      if (frm.encrypt && window.parent.encrypt != undefined) frm.encrypt.checked = window.parent.encrypt;
       if (frm.login.value == '')
       {
@@ -95 +94 @@
       var frm = document.forms['login'];
       window.parent.lastLogin = frm.login.value;
-      
-      if (frm.encrypt)
-      {
-        window.parent.encrypt = frm.encrypt.checked;
-        if (frm.encrypt.checked)
-        {
-          var password = frm.password.value;
-          var md5password = hex_md5(password);
-          md5password = hex_md5(md5password + ':<%=sc.getChallenge()%>');
-          frm.encrypted_password.value = md5password;
-          frm.password.value = '';
-        }
-      }
       return true;
     }
@@ -154 +140 @@
           <input type="hidden" name="ID" value="<%=ID%>">
           <input type="hidden" name="nextpage" value="<%=root%>my_base/user/index.jsp">
-          <input type="hidden" name="encrypted_password" value="">
           
           <div id="loginForm" <%=denyLogin ? "style=\"display:none;\"" : ""%>>
@@ -174 +159 @@
               onclick="doLogin();" title="Login" tooltip="<%=HTML.encodeTags(broadcastTitle)%>" /></td>
           </tr>
-          <%
-          if (Application.isUsingInternalAuthentication())
-          {
-            %>
-            <tr>
-              <td class="prompt"><label for="encrypt">Encrypt password</label></td>
-              <td>
-                <input type="checkbox" name="encrypt" id="encrypt" <%=false ? "" : "checked"%> value="1"><br>
-              </td>
-            </tr>
-            <%
-          }
-          %>
           <tr>
             <td colspan="3">

trunk/www/switch.jsp

@@ -49 +49 @@
   %>
   <base:page type="popup" title="Switch user">
-  <base:head scripts="md5.js" styles="login.css">
+  <base:head styles="login.css">
     <script language="JavaScript" type="text/javascript">
     // Set foucs on the login form
@@ -77 +77 @@
       var frm = document.forms['login'];
       window.opener.parent.lastLogin = frm.login.value;
-      
-      if (frm.encrypt)
-      {
-        window.opener.parent.encrypt = frm.encrypt.checked;
-        if (frm.encrypt.checked)
-        {
-          var password = frm.password.value;
-          var md5password = hex_md5(password);
-          md5password = hex_md5(md5password + ':<%=sc.getChallenge()%>');
-          frm.encrypted_password.value = md5password;
-          frm.password.value = '';
-        }
-      }
       return true;
     }
@@ -114 +101 @@
     <input type="hidden" name="again" value="1">
     <input type="hidden" name="redirect" value="">
-    <input type="hidden" name="encrypted_password" value="">
   
     <h3 class="docked">Switch user <base:help helpid="switchuser" /></h3>
@@ -142 +128 @@
         </td>
       </tr>
-      <%
-      if (Application.isUsingInternalAuthentication())
-      {
-        %>
-        <tr>
-          <td class="prompt"><label for="encrypt">Encrypt password</label></td>
-          <td>
-            <input type="checkbox" name="encrypt" id="encrypt" checked value="1">
-          </td>
-        </tr>
-        <%
-      }
-      %>
       <tr>
         <td class="prompt"><label for="remainOnPage">Remain on this page</label></td>