Changeset 5827


Timestamp:
Oct 26, 2011, 12:51:52 PM (10 years ago)
Author:
Nicklas Nordborg
Message:

References #1641: Use bcrypt for storing passwords instead of MD5

This is now implemented in the core and web client and seems to be working well. The update script has not yet been fixed, so upgrading will not work.

Location:
trunk
Files:
3 added
1 deleted
40 edited

  • trunk/doc/3rd-party-components.txt

    r5676 r5827  
    194194Jar files : mail-1.4.3.jar
    195195
     196
     197jBCrypt
     198-------
     199Package for safe encryption of passwords using the 'bcrypt' algorithm.
     200
     201More info : http://www.mindrot.org/projects/jBCrypt/
     202Version   : 0.3
     203License   : ISC/BSD licence (jbcrypt-license.txt)
     204Jar files : None. Distributed as source only. All code is in net/sf/basedb/util/bcrypt/BCrypt.java
    196205
    197206JSON.simple
  • trunk/doc/src/docbook/developer/migrate_2_3.xml

    r5802 r5827  
    239239        </para>
    240240      </listitem>
     241     
     242      <listitem>
     243        <para>
     244          Encrypting passwords before logging in is no longer supported. The
     245          <methodname>SessionControl.login()</methodname> has been changed to
     246          reflect this. While this may seem like a reduction in security it is not.
     247          The previously used scheme with MD5 hashes can be cracked by brute-force on
     248          a moderate computer today. If additional security is needed we recommend that
     249          BASE is installed with HTTPS access only. See <ulink
     250          url="http://base.thep.lu.se/ticket/1641">ticket #1641 (Use bcrypt for storing
     251          passwords instead of MD5)</ulink> for more information.
     252        </para>
     253      </listitem>
     254     
    241255    </itemizedlist>
    242256
  • trunk/doc/src/docbook/developer/plugins.xml

    r5822 r5827  
    35913591          </itemizedlist>
    35923592         
    3593           <note>
    3594             <para>
    3595             The <guilabel>Encrypt password</guilabel> option that is
    3596             available on the login page does not work with external
    3597             authentication. The simple reason is that the password is
    3598             encrypted with a one-way algorithm making it impossible to
    3599             call <methodname>Authenticator.authenticate()</methodname>.
    3600             </para>
    3601           </note>
    3602          
    36033593        </para>
    36043594      </sect3>
  • trunk/doc/src/docbook/developer/webservices.xml

    r5818 r5827  
    211211
    212212// Login
    213 session.login(login, password, null, false);
     213session.login(login, password, null);
    214214
    215215// Get all projects and print out name and ID
  • trunk/doc/src/docbook/user/webclient.xml

    r5817 r5827  
    6464          Logging in is simple, just enter your <guilabel>login</guilabel>
    6565          and <guilabel>password</guilabel> in the form on the front page
    66           and click the <guibutton>Login</guibutton> button. There is
    67           a checkbox which allows you to <guilabel>encrypt the password</guilabel>
    68           before it is sent to the BASE server. It is checked by default, and
    69           it is a good idea to leave it checked unless you have problems logging
    70           in. If you are sure you are entering the correct login and password,
    71           but still cannot log in, try unchecking the encryption option.
    72           If the checkbox is not visible, which happens if the server is
    73           using an external authentication server, the password is not encrypted.
     66          and click the <guibutton>Login</guibutton> button.
    7467        </para>
    7568      </sect2>
  • trunk/src/clients/jobagent/net/sf/basedb/clients/jobagent/Agent.java

    r5689 r5827  
    889889    {
    890890      log.info("Logging in as user: " + login);
    891       sc.login(login, password, "Job agent running on host " + getServerName(), false);
     891      sc.login(login, password, "Job agent running on host " + getServerName());
    892892    }
    893893    return sc;
  • trunk/src/clients/jobagent/net/sf/basedb/clients/jobagent/executors/ThreadJobExecutor.java

    r4512 r5827  
    174174      sc = Application.newSessionControl("net.sf.basedb.clients.jobagent",
    175175        SocketUtil.getLocalHost().toString(), null);
    176       sc.login(login, password, loginComment, false);
     176      sc.login(login, password, loginComment);
    177177      dc = sc.newDbControl();
    178178      Job job = Job.getById(dc, jobId);
  • trunk/src/core/net/sf/basedb/core/Install.java

    r5788 r5827  
    6868
    6969import net.sf.basedb.util.FileUtil;
    70 import net.sf.basedb.util.MD5;
    7170import net.sf.basedb.util.Values;
    7271import net.sf.basedb.util.XMLUtil;
     
    211210        "This is the root user account of BASE. It has full permission to everything.",
    212211        roleAdmin, quotaUnlimit, false, false);
    213       UserData jobAgentUser = createUser(null, "jobagent", "", "Job agent",
     212      UserData jobAgentUser = createUser(null, "jobagent", null, "Job agent",
    214213        "This user account is used by the job agents to login and execute jobs. You must "+
    215214        "activate it and set a password before it can be used.",
     
    218217      // Now that we have a root user let's create a session
    219218      sessionControl = Application.newSessionControl( null, null, null );
    220       sessionControl.login(rootLogin, rootPassword, "InitDBSessionId", false);
     219      sessionControl.login(rootLogin, rootPassword, "InitDBSessionId");
    221220 
    222221      progressStep++;
     
    12301229        if (systemId != null) user.setSystemId(systemId);
    12311230        user.setLogin(login);
    1232         user.getPassword().setMd5Password(MD5.getHashString(password));
     1231        if (password != null)
     1232        {
     1233          user.getPassword().setCryptedPassword(User.encryptPassword(password));
     1234        }
    12331235        user.setName(name);
    12341236        user.setDescription(description);
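Review bot: The new `if (password != null)` guard in `createUser` silently produces an account with no stored password, which is exactly what the job agent account now gets on the line above; the method's javadoc (outside this hunk) should state that contract so nobody later "fixes" it back to an empty string. A line such as `@param password The plain-text password, or null to create an account that cannot log in until a password is set` would do. This is consistent with the null check added to SessionControl.verifyUserInternal in the same changeset, but that dependency is worth naming here.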
  • trunk/src/core/net/sf/basedb/core/PluginSessionControl.java

    r5319 r5827  
    6464  */
    6565  @Override
    66   public synchronized void login(String login, String password, String comment, boolean encryptedPassword)
     66  public synchronized void login(String login, String password, String comment)
    6767    throws ItemNotFoundException, PermissionDeniedException, InvalidPasswordException, BaseException
    6868  {
  • trunk/src/core/net/sf/basedb/core/SessionControl.java

    r5822 r5827  
    2727import net.sf.basedb.core.data.PermissionTemplateData;
    2828import net.sf.basedb.core.data.UserData;
    29 import net.sf.basedb.core.data.PasswordData;
    3029import net.sf.basedb.core.data.SessionData;
    3130import net.sf.basedb.core.data.ClientData;
     
    4241import net.sf.basedb.core.data.ContextData;
    4342import net.sf.basedb.core.data.ContextIndex;
    44 import net.sf.basedb.util.MD5;
    4543import net.sf.basedb.util.Enumeration;
    4644
     
    126124  */
    127125  private LoginInfo loginInfo;
    128  
    129   /**
    130     The last generated challenge for password encryption.
    131   */
    132   private String lastChallenge;
    133126 
    134127  /**
     
    335328
    336329  /**
    337     Generate a new random string to be used for password encryption
    338     in the login method. Using encryption prevents that user passwords
    339     are sent in clear text between client and server (ie. web browser and
    340     web server).
    341     <p>
    342     The client application should use the challenge as follows:
    343     <ol>
    344     <li>Calculate the MD5 of the real UTF-8 encoded password
    345     <li>Concatenate this with the challenge with a colon inbetween:
    346       <code>MD5:challenge</code>
    347     <li>Calculate the MD5 of the concatenated string. This is the
    348       encrypted password, which should be sent to the login method.
    349     </ol>
    350     <p>
    351     Note! This is not intended as a replacement for SSL encrypted
    352     communication.
    353     <p>
    354     Note! Each call to this method generates a new random challenge.
    355    
    356     @return A challenge string used to encrypt the password
    357     @see #login(String, String, String, boolean)
    358   */
    359   public String getChallenge()
    360   {
    361     lastChallenge = Application.generateRandomId(16);
    362     return lastChallenge;
    363   }
    364  
    365   /**
    366     Get the last challenge generated.
    367   */
    368   private String getLastChallenge()
    369   {
    370     return lastChallenge;
    371   }
    372  
    373   /**
    374330    Log in to BASE. The method checks that the given login is valid,
    375331    the password is correct and that the user has USE permission for
     
    394350    @see #isLoggedIn()
    395351    @see #getLoggedInUserId()
    396   */
    397   public synchronized void login(String login, String password, String comment, boolean encryptedPassword)
     352    @since 3.0 (the option to use encrypted passwords has been removed)
     353  */
     354  public synchronized void login(String login, String password, String comment)
    398355    throws ItemNotFoundException, PermissionDeniedException,
    399356    InvalidPasswordException, BaseException
     
    421378      if (Application.isUsingInternalAuthentication() || login.equals(root.getLogin()))
    422379      {
    423         userData = verifyUserInternal(session, login, password, encryptedPassword);
     380        userData = verifyUserInternal(session, login, password);
    424381      }
    425382      else
    426383      {
    427         if (encryptedPassword)
    428         {
    429           throw new BaseException("Encrypted passwords are not supported when using external authentication");
    430         }
    431384        userData = verifyUserExternal(session, login, password);
    432385      }
     
    451404    internal authentication.
    452405  */
    453   private UserData verifyUserInternal(org.hibernate.Session session, String login, String password, boolean encryptedPassword)
     406  private UserData verifyUserInternal(org.hibernate.Session session, String login, String password)
    454407    throws ItemNotFoundException, InvalidPasswordException, AccountExpiredException, BaseException
    455408  {
     
    479432      throw new AccountExpiredException(login, expirationDate);
    480433    }
    481     PasswordData passwordData = userData.getPassword();
    482     String md5Password = passwordData.getMd5Password();
    483     if (encryptedPassword)
    484     {
    485       md5Password = MD5.getHashString(md5Password + ":" + getLastChallenge());
    486     }
    487     else
    488     {
    489       password = MD5.getHashString(password);
    490     }
    491     if (!md5Password.equals(password))
     434   
     435    // Check the password
     436    String cryptedPassword = userData.getPassword().getCryptedPassword();
     437    if (cryptedPassword == null || !User.checkPassword(password, cryptedPassword))
    492438    {
    493439      throw new InvalidPasswordException("User[login="+login+"]");
     
    525471      if (Config.getBoolean("auth.cachepasswords"))
    526472      {
    527         return verifyUserInternal(session, login, password, false);
     473        return verifyUserInternal(session, login, password);
    528474      }
    529475      throw new BaseException(ex);
     
    544490      userData.setLogin(info.login);
    545491      userData.setName(info.name == null ? info.login : info.name);
    546       userData.getPassword().setMd5Password("");
    547492      userData.setQuota(HibernateUtil.loadData(session, QuotaData.class, SystemItems.getId(Quota.DEFAULT)));
    548493      User.addDefultRolesAndGroups(session, userData);
     
    550495    if (Config.getBoolean("auth.cachepasswords"))
    551496    {
    552       userData.getPassword().setMd5Password(MD5.getHashString(password));
     497      userData.getPassword().setCryptedPassword(User.encryptPassword(password));
    553498      int daysToCache = Config.getInt("auth.daystocache", 0);
    554499      userData.setExpirationDate(daysToCache > 0 ? new Date(System.currentTimeMillis()+daysToCache*24L*3600L*1000L) : null);
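Review bot: In `verifyUserInternal` the new check `cryptedPassword == null || !User.checkPassword(password, cryptedPassword)` assumes the stored value is a well-formed bcrypt string; `BCrypt.checkpw` does not return false for anything else but throws an unchecked exception (IllegalArgumentException for a non-bcrypt value), so until the update script converts the old `md5password` rows a legacy account would fail with a server error instead of the documented `InvalidPasswordException`. Wrapping the call, `catch (IllegalArgumentException ex) { throw new InvalidPasswordException("User[login="+login+"]"); }`, keeps the contract the javadoc promises. The null branch also returns without doing any bcrypt work, so accounts with no stored password (such as the job agent account created by Install.java) answer measurably faster than accounts with one; a dummy `checkPassword` call on that path would remove the difference if that matters here. The body of `verifyUserInternal` continues outside the hunk.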
  • trunk/src/core/net/sf/basedb/core/Update.java

    r5803 r5827  
    131131      // Test root user account
    132132      SessionControl sc = Application.newSessionControl(null, null, null);
    133       sc.login(rootLogin, rootPassword, null, false);
     133      sc.login(rootLogin, rootPassword, null);
    134134      if (sc.getLoggedInUserId() != SystemItems.getId(User.ROOT))
    135135      {
     
    251251      // Test root user account
    252252      SessionControl sc = Application.newSessionControl(null, null, null);
    253       sc.login(rootLogin, rootPassword, null, false);
     253      sc.login(rootLogin, rootPassword, null);
    254254      if (sc.getLoggedInUserId() != SystemItems.getId(User.ROOT))
    255255      {
     
    385385      // Test root user account
    386386      SessionControl sc = Application.newSessionControl(null, null, null);
    387       sc.login(rootLogin, rootPassword, null, false);
     387      sc.login(rootLogin, rootPassword, null);
    388388      if (sc.getLoggedInUserId() != SystemItems.getId(User.ROOT))
    389389      {
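--- a/trunk/src/core/net/sf/basedb/core/User.java
+++ b/trunk/src/core/net/sf/basedb/core/User.java
@@ -34,5 +34,6 @@
 import net.sf.basedb.core.hibernate.TypeWrapper;
 import net.sf.basedb.util.MD5;
+import net.sf.basedb.util.bcrypt.BCrypt;
 import net.sf.basedb.core.query.Restriction;
 import net.sf.basedb.core.query.Restrictions;
@@ -48,4 +49,5 @@
 import java.util.Set;
 import java.util.Collections;
+
 
 /**
@@ -252,4 +254,29 @@
   }
  
+  /**
+    Encrypt the plain-text password. The password is ecnrypted
+    by first calculating the MD5 of the password and then
+    using bcrypt with a random salt on the MD5.
+   
+    @param password The plain-text password
+  */
+  static String encryptPassword(String password)
+  {
+    String md5 = MD5.getHashString(password);
+    return BCrypt.hashpw(md5, BCrypt.gensalt());
+  }
+ 
+  /**
+    Check the plain-text password against the crypted password.
+    @param password The plain-text password
+    @param cryptedPassword The crypted password
+    @return
+  */
+  static boolean checkPassword(String password, String cryptedPassword)
+  {
+    String md5 = MD5.getHashString(password);
+    return BCrypt.checkpw(md5, cryptedPassword);
+  }
+ 
   User(UserData userData)
   {
@@ -434,25 +461,5 @@
     checkPermission(Permission.RESTRICTED_WRITE);
     if (password == null) throw new InvalidUseOfNullException("password");
-    getData().getPassword().setMd5Password(MD5.getHashString(password));
-  }
-
-  /**
-    Set the encrypted password from BASE 1. This method is only intended
-    to be used from the migration application, and will throw a
-    {@link PermissionDeniedException} unless the logged in user is the root and
-    the user account is a newly created account.
-    @param md5Password The MD5 password from a BASE 1 installation
-    @throws PermissionDeniedException If it is not a new user or
-      root isn't logged in
-    @throws BaseException If there is some other kind of error.
-  */
-  public void setBase1Password(String md5Password)
-    throws PermissionDeniedException, BaseException
-  {
-    if (isInDatabase() || (SystemItems.getId(User.ROOT) != getSessionControl().getLoggedInUserId()))
-    {
-      throw new PermissionDeniedException(Permission.WRITE, "Password[login="+getLogin()+"]");
-    }
-    getData().getPassword().setMd5Password(md5Password);
+    getData().getPassword().setCryptedPassword(encryptPassword(password));
   }
 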
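Review bot: `encryptPassword` calls `BCrypt.gensalt()` with no argument, so the work factor is whatever the bundled jBCrypt defaults to and cannot be raised later without editing this method; a named constant passed to `BCrypt.gensalt(int)`, e.g. `private static final int BCRYPT_LOG_ROUNDS = 10;` and `return BCrypt.hashpw(md5, BCrypt.gensalt(BCRYPT_LOG_ROUNDS));`, makes the cost visible and tunable. The javadoc of `checkPassword` has an empty `@return`; `@return TRUE if the password matches the crypted password, FALSE otherwise` completes it, and "ecnrypted" in the `encryptPassword` doc is a typo. Neither comment says why the password is MD5-hashed before bcrypt; a sentence such as `The MD5 step gives bcrypt a fixed-length hexadecimal input` would help the next reader, if that is indeed the reason. It is also worth documenting that `BCrypt.checkpw` rejects a stored value that is not a bcrypt string with an unchecked exception rather than returning false, since callers may still meet legacy MD5 rows until the update script is done.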
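--- a/trunk/src/core/net/sf/basedb/core/data/PasswordData.java
+++ b/trunk/src/core/net/sf/basedb/core/data/PasswordData.java
@@ -22,4 +22,6 @@
 package net.sf.basedb.core.data;
 
+import net.sf.basedb.core.User;
+
 /**
   This class holds the password for a user. It has a one-to-one
@@ -40,18 +42,24 @@
   {}
 
-  private String md5Password;
+  private String cryptedPassword;
   /**
-    Get the MD5 encrypted password. It is always returned as a string
-    with 32 hexadecimal characters.
-    @hibernate.property column="`md5password`" type="string" length="32" not-null="true"
+    Get the crypted password.
+    @hibernate.property column="`crypted_password`" type="string" length="255" not-null="false"
+    @since 3.0
   */
-  public String getMd5Password()
+  public String getCryptedPassword()
   {
-    return md5Password;
+    return cryptedPassword;
   }
-  public void setMd5Password(String md5Password)
+  /**
+    Set the encrypted password. The password should be encrypted with
+    {@link User#encryptPassword(String)}.
+    @since 3.0
+  */
+  public void setCryptedPassword(String cryptedPassword)
   {
-    this.md5Password = md5Password;
+    this.cryptedPassword = cryptedPassword;
   }
+
  
   private UserData user;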
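Review bot: The new `{@link User#encryptPassword(String)}` in the `setCryptedPassword` javadoc points at a package-private method of `net.sf.basedb.core`, which javadoc cannot link from `net.sf.basedb.core.data`, and the only reason for the new `import net.sf.basedb.core.User;` is that comment; dropping the import and writing the reference as `{@code User.encryptPassword(String)}` avoids a data-layer dependency on the core layer. The getter javadoc `Get the crypted password.` could also say what the value is, e.g. `Returns the bcrypt hash string produced by User.encryptPassword(), or null if the account has no password`, which is what the `not-null="false"` mapping and the null check in SessionControl imply.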
  • trunk/src/install/net/sf/basedb/install/Webclient.java

    r5661 r5827  
    9393    Application.start(false);
    9494    SessionControl sc = Application.newSessionControl(null, null, null);
    95     sc.login(login, password, "Installing web client", false);
     95    sc.login(login, password, "Installing web client");
    9696   
    9797    DbControl dc = sc.newDbControl();
  • trunk/src/test/TestClient.java

    r5340 r5827  
    204204      Client c = Client.getById(dc, id);
    205205      SessionControl sc = Application.newSessionControl(c.getExternalId(), null, null);
    206       sc.login(TestUtil.getLogin(), TestUtil.getPassword(), "Running test program", false);
     206      sc.login(TestUtil.getLogin(), TestUtil.getPassword(), "Running test program");
    207207      sc.logout();
    208208      write("--Login/logout OK");
  • trunk/src/test/TestSessionControl.java

    r4889 r5827  
    4040    test_get_session_control(TestUtil.getLocalIp(), false);
    4141    test_get_session_control("unknown.ip.address", true);
    42     test_login_encrypted_password();
    4342    test_user_default_setting("test.default", "This is the users default setting");
    4443    test_user_client_setting("test.client", "This is the users client setting");
     
    7877        ok = false;
    7978      }
    80     }
    81   }
    82  
    83   static void test_login_encrypted_password()
    84   {
    85     try
    86     {
    87       TestUtil.logout();
    88       TestUtil.loginEncrypted();
    89       write("--Login with encrypted password OK");
    90     }
    91     catch (Throwable ex)
    92     {
    93       write("--Login with encrypted password FAILED");
    94       ex.printStackTrace();
    95       ok = false;
    9679    }
    9780  }
  • trunk/src/test/TestUser.java

    r5690 r5827  
    4747    int id2 = test_create(true);
    4848    int id = test_create(false);
    49     int base1Id = test_create_base1_user();
    5049    test_load(id);
    5150    test_list(-1);
     
    9190    // Standard test: Delete
    9291    TestTag.test_delete(tag_id);
    93     test_delete(base1Id);
    9492    test_delete(id);
    9593    test_delete(id2);
     
    140138  }
    141139
    142   static int test_create_base1_user()
    143   {
    144     if (TestUtil.getSessionControl().getLoggedInUserId() != SystemItems.getId(User.ROOT)) return 0;
    145     int id = 0;
    146     DbControl dc = null;
    147     try
    148     {
    149       dc = TestUtil.getDbControl();
    150       String login = "base1user"+Application.generateRandomId(4);
    151       User u = User.getNew(dc, login, "password");
    152       u.setName("Base 1 user");
    153       u.setDescription("Added at "+new Date());
    154       dc.saveItem(u);
    155       u.setBase1Password("63a9f0ea7bb98050796b649e85481845");
    156       dc.commit();
    157       id = u.getId();
    158       write_item(0, u);
    159       write("--Create BASE 1 user OK");
    160     }
    161     catch (Throwable ex)
    162     {
    163       write("--Create BASE 1 user FAILED");
    164       ex.printStackTrace();
    165       ok = false;
    166     }
    167     finally
    168     {
    169       if (dc != null) dc.close();
    170     }
    171     return id;
    172   }
    173  
    174140  static void test_load(int id)
    175141  {
  • trunk/src/test/TestUtil.java

    r5689 r5827  
    2828import net.sf.basedb.core.Permission;
    2929import net.sf.basedb.core.Version;
    30 import net.sf.basedb.util.MD5;
    3130
    3231import java.io.File;
     
    183182    throws BaseException
    184183  {
    185     login(login, password, false);
    186   }
    187  
    188   public static void loginEncrypted()
    189   {
    190     String encrypted = MD5.getHashString(MD5.getHashString(password) + ":" + sc.getChallenge());
    191     login(login, encrypted, true);
    192   }
    193  
    194   public static void login(String login, String password, boolean encrypted)
    195     throws BaseException
    196   {
    197     sc.login(login, password, "Running test program", encrypted);
     184    login(login, password);
     185  }
     186 
     187  public static void login(String login, String password)
     188    throws BaseException
     189  {
     190    sc.login(login, password, "Running test program");
    198191  }
    199192
  • trunk/src/test/TestWebservices.java

    r5748 r5827  
    530530      write("--Using url: " + url);
    531531      client = new SessionClient(url, null, TestUtil.getClient());
    532       client.login(TestUtil.getLogin(), TestUtil.getPassword(), "Test webservices", false);
     532      client.login(TestUtil.getLogin(), TestUtil.getPassword(), "Test webservices");
    533533          write("--Create/login session OK: ID=" + client.getId());
    534534    }
  • trunk/src/test/net/sf/basedb/test/TestUtil.java

    r5146 r5827  
    162162    Login to BASE.
    163163  */
    164   public static void login(String login, String password, boolean encrypted)
     164  public static void login(String login, String password)
    165165  {
    166166    write("--Logging in as: " + login + "\n");
    167     getSessionControl().login(login, password, "Running test program", encrypted);
     167    getSessionControl().login(login, password, "Running test program");
    168168  }
    169169
  • trunk/src/test/net/sf/basedb/test/merge/MergeTest.java

    r5060 r5827  
    9595    try
    9696    {
    97       TestUtil.login("root", "root", false);
     97      TestUtil.login("root", "root");
    9898     
    9999      // Reporters
  • trunk/src/test/net/sf/basedb/test/performance/ExportTest.java

    r4806 r5827  
    6565    try
    6666    {
    67       TestUtil.login(user, password, false);
     67      TestUtil.login(user, password);
    6868
    6969      // Configuration options
  • trunk/src/test/net/sf/basedb/test/performance/FilterTest.java

    r4806 r5827  
    6363    try
    6464    {
    65       TestUtil.login(user, password, false);
     65      TestUtil.login(user, password);
    6666     
    6767      // Configuration options
  • trunk/src/test/net/sf/basedb/test/performance/LowessTest.java

    r4806 r5827  
    6666    try
    6767    {
    68       TestUtil.login(user, password, false);
     68      TestUtil.login(user, password);
    6969
    7070      // Configuration options
  • trunk/src/test/net/sf/basedb/test/performance/PrepareTest.java

    r5630 r5827  
    8282    try
    8383    {
    84       TestUtil.login(user, password, false);
     84      TestUtil.login(user, password);
    8585      dc = TestUtil.getDbControl();
    8686
     
    181181    try
    182182    {
    183       TestUtil.login(user, password, false);
     183      TestUtil.login(user, password);
    184184
    185185      List<BasicItem> itemsToRemove = new ArrayList<BasicItem>();
  • trunk/src/test/net/sf/basedb/test/performance/RawDataTest.java

    r5060 r5827  
    6464    try
    6565    {
    66       TestUtil.login(user, password, false);
     66      TestUtil.login(user, password);
    6767
    6868      // Create raw bioassays
  • trunk/src/test/net/sf/basedb/test/performance/RootTest.java

    r4806 r5827  
    6767    try
    6868    {
    69       TestUtil.login(user, password, false);
     69      TestUtil.login(user, password);
    7070
    7171      dc = TestUtil.getDbControl();
  • trunk/src/test/net/sf/basedb/test/roles/AdminTest.java

    r5788 r5827  
    8686    try
    8787    {
    88       TestUtil.login("admin", "admin", false);
     88      TestUtil.login("admin", "admin");
    8989      dc = TestUtil.getDbControl();
    9090      Group g = createGroup(dc);
  • trunk/src/test/net/sf/basedb/test/roles/GuestTest.java

    r4514 r5827  
    4949    try
    5050    {
    51       TestUtil.login("guest", "guest", false);
     51      TestUtil.login("guest", "guest");
    5252      // Activate project
    5353      dc = TestUtil.getDbControl();
  • trunk/src/test/net/sf/basedb/test/roles/PowerUserTest.java

    r5813 r5827  
    105105    try
    106106    {
    107       TestUtil.login("power", "power", false);
     107      TestUtil.login("power", "power");
    108108     
    109109      // Project
  • trunk/src/test/net/sf/basedb/test/roles/RootTest.java

    r5778 r5827  
    5656    try
    5757    {
    58       TestUtil.login("root", "root", false);
     58      TestUtil.login("root", "root");
    5959      dc = TestUtil.getDbControl();
    6060      User admin = createAdmin(dc);
  • trunk/src/test/net/sf/basedb/test/roles/UserTest.java

    r5788 r5827  
    9797    try
    9898    {
    99       TestUtil.login("user", "user", false);
     99      TestUtil.login("user", "user");
    100100      PluginDefinition bioSourceBatchImporter = null;
    101101      PluginDefinition sampleBatchImporter = null;
  • trunk/src/webservices/client/java/net/sf/basedb/ws/client/SessionClient.java

    r4513 r5827  
    9090 
    9191  /**
    92     Calling the getChallenge method.
    93       @return Gets a random string to use with password encryption.
    94       @throws AxisFault If communication with web service fails.
    95    */
    96   public String getChallenge()
    97     throws AxisFault
    98   {
    99     return invokeBlocking("getChallenge", String.class, ID);
    100   }
    101  
    102   /**
    10392    Login to BASE
    10493      @param login Login name on BASE server
    10594      @param password Password on BASE server
    10695      @param comment A comment to put on the session
    107       @param encrypted If the password should be encrypted when logging in.
    10896      @throws AxisFault If something goes wrong when calling the login service
     97      @since 3.0
    10998   */
    110   public void login(String login, String password, String comment, boolean encrypted)
     99  public void login(String login, String password, String comment)
    111100    throws AxisFault
    112101  {
    113     invokeBlocking("login", ID, login, password, comment, encrypted);
     102    invokeBlocking("login", ID, login, password, comment);
    114103  }
    115104 
  • trunk/src/webservices/server/net/sf/basedb/ws/server/SessionService.java

    r4513 r5827  
    5454
    5555  /**
    56     Service for net.sf.basedb.core.SessionControl#getChallenge()
    57       @param ID
    58       @return String A radom string
    59    */
    60   public String getChallenge(String ID)
    61   {
    62     SessionControl sc = getSessionControl(ID);
    63     return sc.getChallenge();
    64   }
    65  
    66   /**
    6756    Service to login to BASE
    6857      @param ID Id of a session control
     
    7059      @param password Password for the login above.
    7160      @param comment Comment to be used with the new session
    72       @param encrypted If encrypted password should be used or not.
    7361      @return The Session ID
     62      @since 3.0
    7463   */
    75   public String login(String ID, String login, String password, String comment, boolean encrypted)
     64  public String login(String ID, String login, String password, String comment)
    7665  {
    7766    SessionControl sc = getSessionControl(ID);
    78     sc.login(login, password, comment, encrypted);
     67    sc.login(login, password, comment);
    7968    return ID;
    8069  }
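Review bot: `login(String ID, String login, String password, String comment)` now receives the plain-text password in the SOAP request, since the challenge mechanism removed with `getChallenge` was the only alternative, but the javadoc does not say so; `@param password Password for the login above. It is sent as plain text, so the service should only be exposed over HTTPS.` states the requirement the migration guide makes elsewhere in this changeset. The same remark applies to the client-side `login` in SessionClient.java in this changeset.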
  • trunk/www/exception/not_logged_in.jsp

    r5812 r5827  
    5252%>
    5353<base:page type="default" menu="exception" title="Not logged in">
    54 <base:head scripts="md5.js,exception.js" styles="login.css">
     54<base:head scripts="exception.js" styles="login.css">
    5555  <script language="JavaScript">
    5656  // hide menubar and resize if it is a popup window
     
    6969      frm.login.value = topWindow.lastLogin;
    7070      Main.show('timeout');
    71     }
    72     if (frm.encrypt && topWindow.encrypt != undefined)
    73     {
    74       frm.encrypt.checked = topWindow.encrypt;
    7571    }
    7672    if (frm.login.value == '')
     
    109105  {
    110106    var frm = document.forms['login'];
    111     if (frm.encrypt && frm.encrypt.checked)
    112     {
    113       var password = frm.password.value;
    114       var md5password = hex_md5(password);
    115       md5password = hex_md5(md5password + ':<%=sc.getChallenge()%>');
    116       frm.encrypted_password.value = md5password;
    117       frm.password.value = '';
    118     }
    119107    Main.openPopup('', 'Login', 300, 200);
    120108    frm.submit();
     
    127115      <input type="hidden" name="ID" value="<%=ID%>">
    128116      <input type="hidden" name="redirect" value="<%=redirect%>">
    129       <input type="hidden" name="encrypted_password" value="">
    130117     
    131118      <table class="loginform" width="100%" border="0" align="center">
     
    159146            <td><base:button onclick="mainPage();" title="Cancel" /></td>
    160147          </tr>
    161           <%
    162           if (Application.isUsingInternalAuthentication())
    163           {
    164             %>
    165             <tr>
    166               <td class="prompt"><label for="encryptPassword">Encrypt password</label></td>
    167               <td>
    168                 <input type="checkbox" name="encrypt" id="encryptPassword" checked value="1"><br>
    169               </td>
    170             </tr>
    171             <%
    172           }
    173           %>
    174148          <tr>
    175149            <td colspan="4">
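--- a/trunk/www/login.jsp
+++ b/trunk/www/login.jsp
@@ -55,10 +55,9 @@
   if ("Login".equals(cmd) || cmd == null)
   {
-    boolean encrypted = Values.getBoolean(request.getParameter("encrypt"));
-    String password = encrypted ? request.getParameter("encrypted_password") : request.getParameter("password");
+    String password = request.getParameter("password");
     try
     {
       if (sc.isLoggedIn()) sc.logout();
-      sc.login(login, password, null, encrypted);
+      sc.login(login, password, null);
     }
     catch (LoginException ex)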
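Review bot: `String password = request.getParameter("password");` now hands the user's clear-text password to `sc.login(login, password, null)`, and nothing in this handler ties that to a protected transport; the commit description defers that to the HTTPS deployment recommendation, so the assumption should at least be stated in the code, e.g. `// Clear-text credential: transport protection is delegated to HTTPS at deployment` above the `try`. If a hard guarantee is wanted, `request.isSecure()` could be checked before calling `sc.login`, though whether that fits installations behind a TLS-terminating proxy is a deployment question not visible here. The `catch (LoginException ex)` block continues outside the hunk; if it logs request details, the `password` parameter must be excluded from what is logged. Whether `sc.login` tolerates a missing parameter (null `password`) is not visible in this hunk. The forms in main.jsp and switch.jsp in this changeset post the same clear-text `password` field, so the same note applies there.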
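--- a/trunk/www/main.jsp
+++ b/trunk/www/main.jsp
@@ -66,5 +66,5 @@
   %>
   <base:page type="default" title="">
-  <base:head scripts="md5.js" styles="login.css">
+  <base:head styles="login.css">
     <script language="JavaScript" type="text/javascript">
     // Set foucs on the login form
@@ -80,5 +80,4 @@
       frm = document.forms['login'];
       if (frm.login.value == '' && window.parent.lastLogin) frm.login.value = window.parent.lastLogin;
-      if (frm.encrypt && window.parent.encrypt != undefined) frm.encrypt.checked = window.parent.encrypt;
       if (frm.login.value == '')
       {
@@ -95,17 +94,4 @@
       var frm = document.forms['login'];
       window.parent.lastLogin = frm.login.value;
-     
-      if (frm.encrypt)
-      {
-        window.parent.encrypt = frm.encrypt.checked;
-        if (frm.encrypt.checked)
-        {
-          var password = frm.password.value;
-          var md5password = hex_md5(password);
-          md5password = hex_md5(md5password + ':<%=sc.getChallenge()%>');
-          frm.encrypted_password.value = md5password;
-          frm.password.value = '';
-        }
-      }
       return true;
     }
@@ -154,5 +140,4 @@
           <input type="hidden" name="ID" value="<%=ID%>">
           <input type="hidden" name="nextpage" value="<%=root%>my_base/user/index.jsp">
-          <input type="hidden" name="encrypted_password" value="">
          
           <div id="loginForm" <%=denyLogin ? "style=\"display:none;\"" : ""%>>
@@ -174,17 +159,4 @@
               onclick="doLogin();" title="Login" tooltip="<%=HTML.encodeTags(broadcastTitle)%>" /></td>
           </tr>
-          <%
-          if (Application.isUsingInternalAuthentication())
-          {
-            %>
-            <tr>
-              <td class="prompt"><label for="encrypt">Encrypt password</label></td>
-              <td>
-                <input type="checkbox" name="encrypt" id="encrypt" <%=false ? "" : "checked"%> value="1"><br>
-              </td>
-            </tr>
-            <%
-          }
-          %>
           <tr>
             <td colspan="3">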
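--- a/trunk/www/switch.jsp
+++ b/trunk/www/switch.jsp
@@ -49,5 +49,5 @@
   %>
   <base:page type="popup" title="Switch user">
-  <base:head scripts="md5.js" styles="login.css">
+  <base:head styles="login.css">
     <script language="JavaScript" type="text/javascript">
     // Set foucs on the login form
@@ -77,17 +77,4 @@
       var frm = document.forms['login'];
       window.opener.parent.lastLogin = frm.login.value;
-     
-      if (frm.encrypt)
-      {
-        window.opener.parent.encrypt = frm.encrypt.checked;
-        if (frm.encrypt.checked)
-        {
-          var password = frm.password.value;
-          var md5password = hex_md5(password);
-          md5password = hex_md5(md5password + ':<%=sc.getChallenge()%>');
-          frm.encrypted_password.value = md5password;
-          frm.password.value = '';
-        }
-      }
       return true;
     }
@@ -114,5 +101,4 @@
     <input type="hidden" name="again" value="1">
     <input type="hidden" name="redirect" value="">
-    <input type="hidden" name="encrypted_password" value="">
  
     <h3 class="docked">Switch user <base:help helpid="switchuser" /></h3>
@@ -142,17 +128,4 @@
         </td>
       </tr>
-      <%
-      if (Application.isUsingInternalAuthentication())
-      {
-        %>
-        <tr>
-          <td class="prompt"><label for="encrypt">Encrypt password</label></td>
-          <td>
-            <input type="checkbox" name="encrypt" id="encrypt" checked value="1">
-          </td>
-        </tr>
-        <%
-      }
-      %>
       <tr>
         <td class="prompt"><label for="remainOnPage">Remain on this page</label></td>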