From cohei...@apache.org
Subject syncope git commit: Log a warning if the default anonymousKey is being used
Date Thu, 29 Jun 2017 10:04:40 GMT
Repository: syncope
Updated Branches:
  refs/heads/master c50ee3176 -> 3ceb8b597


Log a warning if the default anonymousKey is being used


Project: http://git-wip-us.apache.org/repos/asf/syncope/repo
Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/3ceb8b59
Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/3ceb8b59
Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/3ceb8b59

Branch: refs/heads/master
Commit: 3ceb8b597b203d5e5b7fe96c55487e3df5641cb5
Parents: c50ee31
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Thu Jun 29 10:40:39 2017 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Thu Jun 29 11:04:36 2017 +0100

----------------------------------------------------------------------
 .../src/test/resources/provisioningTest.xml           |  1 +
 .../spring/security/DefaultCredentialChecker.java     | 14 +++++++++++++-
 .../UsernamePasswordAuthenticationProvider.java       |  1 +
 core/spring/src/main/resources/securityContext.xml    |  1 +
 4 files changed, 16 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/syncope/blob/3ceb8b59/core/provisioning-java/src/test/resources/provisioningTest.xml
----------------------------------------------------------------------
diff --git a/core/provisioning-java/src/test/resources/provisioningTest.xml b/core/provisioning-java/src/test/resources/provisioningTest.xml
index 53fb6d9..e3c1dd2 100644
--- a/core/provisioning-java/src/test/resources/provisioningTest.xml
+++ b/core/provisioning-java/src/test/resources/provisioningTest.xml
@@ -59,6 +59,7 @@ under the License.
   <bean id="credentialChecker" class="org.apache.syncope.core.spring.security.DefaultCredentialChecker">
       <constructor-arg value="${jwsKey}" index="0"/>
       <constructor-arg value="${adminPassword}" index="1"/>
+      <constructor-arg value="${anonymousKey}" index="2"/>
   </bean>
   
 </beans>

http://git-wip-us.apache.org/repos/asf/syncope/blob/3ceb8b59/core/spring/src/main/java/org/apache/syncope/core/spring/security/DefaultCredentialChecker.java
----------------------------------------------------------------------
diff --git a/core/spring/src/main/java/org/apache/syncope/core/spring/security/DefaultCredentialChecker.java
b/core/spring/src/main/java/org/apache/syncope/core/spring/security/DefaultCredentialChecker.java
index a75b39e..a63c588 100644
--- a/core/spring/src/main/java/org/apache/syncope/core/spring/security/DefaultCredentialChecker.java
+++ b/core/spring/src/main/java/org/apache/syncope/core/spring/security/DefaultCredentialChecker.java
@@ -32,13 +32,18 @@ public class DefaultCredentialChecker {
 
     private static final String DEFAULT_ADMIN_PASSWORD = "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8";
 
+    private static final String DEFAULT_ANON_KEY = "anonymousKey";
+
     private final boolean defaultAdminPasswordInUse;
 
     private final boolean defaultJwsKeyInUse;
 
-    public DefaultCredentialChecker(final String jwsKey, final String adminPassword) {
+    private final boolean defaultAnonymousKeyInUse;
+
+    public DefaultCredentialChecker(final String jwsKey, final String adminPassword, final
String anonymousKey) {
         defaultJwsKeyInUse = DEFAULT_JWS_KEY.equals(jwsKey);
         defaultAdminPasswordInUse = DEFAULT_ADMIN_PASSWORD.equals(adminPassword);
+        defaultAnonymousKeyInUse = DEFAULT_ANON_KEY.equals(anonymousKey);
     }
 
     public void checkIsDefaultJWSKeyInUse() {
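Review bot: The assignment `defaultAnonymousKeyInUse = DEFAULT_ANON_KEY.equals(anonymousKey);` only flags a key that is literally the shipped placeholder, so an unset property that resolves to an empty string, or a null passed by a programmatic caller, is at least as weak yet never reported. Consider `defaultAnonymousKeyInUse = anonymousKey == null || anonymousKey.isEmpty() || DEFAULT_ANON_KEY.equals(anonymousKey);`; the two existing checks on the lines above probably have the same gap, but the commit leaves them unchanged. The `final String anonymousKey` parameter appears split across two lines here, which looks like mail wrapping rather than the source layout. The hunk ends at the `checkIsDefaultJWSKeyInUse` signature, so that method's body is outside view.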
@@ -55,4 +60,11 @@ public class DefaultCredentialChecker {
         }
     }
 
+    public void checkIsDefaultAnonymousKeyInUse() {
+        if (defaultAnonymousKeyInUse) {
+            LOG.warn("The default anonymousKey property is being used. "
+                    + "This must be changed to avoid a security breach!");
+        }
+    }
+
 }
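Review bot: `checkIsDefaultAnonymousKeyInUse` has no Javadoc, and because the field it reads is fixed at construction, a caller that invokes it per request (as the provider change in this commit does) will emit the identical warning on every call. A short doc comment would make that contract explicit, e.g. `/** Logs a warning when the anonymousKey property still holds its shipped default. Cheap and idempotent, but emits on every call. */`. If the existing `checkIsDefaultJWSKeyInUse` above has the same shape, a one-shot guard (an `AtomicBoolean` per check) would keep the warning visible without repeating it on each authentication; that method's body is not visible in this hunk.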

http://git-wip-us.apache.org/repos/asf/syncope/blob/3ceb8b59/core/spring/src/main/java/org/apache/syncope/core/spring/security/UsernamePasswordAuthenticationProvider.java
----------------------------------------------------------------------
diff --git a/core/spring/src/main/java/org/apache/syncope/core/spring/security/UsernamePasswordAuthenticationProvider.java
b/core/spring/src/main/java/org/apache/syncope/core/spring/security/UsernamePasswordAuthenticationProvider.java
index 2a5430e..da11553 100644
--- a/core/spring/src/main/java/org/apache/syncope/core/spring/security/UsernamePasswordAuthenticationProvider.java
+++ b/core/spring/src/main/java/org/apache/syncope/core/spring/security/UsernamePasswordAuthenticationProvider.java
@@ -98,6 +98,7 @@ public class UsernamePasswordAuthenticationProvider implements AuthenticationPro
 
         if (anonymousUser.equals(authentication.getName())) {
             username[0] = anonymousUser;
+            credentialChecker.checkIsDefaultAnonymousKeyInUse();
             authenticated = authentication.getCredentials().toString().equals(anonymousKey);
         } else if (adminUser.equals(authentication.getName())) {
             username[0] = adminUser;
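Review bot: The new `credentialChecker.checkIsDefaultAnonymousKeyInUse();` call runs before `authenticated` is computed on the following line, so the warning is logged for any request that merely presents the anonymous username, whether or not its credential matches; an unauthenticated client can thus trigger the warning at will and fill the log. Moving the call after the comparison and guarding it, `if (authenticated) { credentialChecker.checkIsDefaultAnonymousKeyInUse(); }`, ties the signal to an actual successful use of the default key. Separately, the adjacent `getCredentials().toString().equals(anonymousKey)` comparison is not constant-time and would throw if `getCredentials()` returns null; both predate this change. The enclosing method starts and ends outside the hunk.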

http://git-wip-us.apache.org/repos/asf/syncope/blob/3ceb8b59/core/spring/src/main/resources/securityContext.xml
----------------------------------------------------------------------
diff --git a/core/spring/src/main/resources/securityContext.xml b/core/spring/src/main/resources/securityContext.xml
index 85a44a4..6fd3cbc 100644
--- a/core/spring/src/main/resources/securityContext.xml
+++ b/core/spring/src/main/resources/securityContext.xml
@@ -52,6 +52,7 @@ under the License.
   <bean id="credentialChecker" class="org.apache.syncope.core.spring.security.DefaultCredentialChecker">
     <constructor-arg value="${jwsKey}" index="0"/>
     <constructor-arg value="${adminPassword}" index="1"/>
+    <constructor-arg value="${anonymousKey}" index="2"/>
   </bean>
 
   <bean id="syncopeJWTSSOProviderDelegate" class="org.apache.cxf.rs.security.jose.jws.HmacJwsSignatureVerifier">

