authorShireesh Anjal <shireesh@gluster.com>2011-08-01 17:41:24 +0530
committerShireesh Anjal <shireesh@gluster.com>2011-08-01 17:41:24 +0530
commit0445a80450a557a6e6f6ac84577ff11067938594 (patch)
tree5d8b820ece31bed556b4bc5e1655bf7a06a27e6b /src
parente81ef45c14f35f876177df0dc556c893592a24d0 (diff)
Introduced salt while securing user passwords
Diffstat (limited to 'src')
-rw-r--r--src/com.gluster.storage.management.gateway/src/com/gluster/storage/management/gateway/filters/AuditFilter.java11
-rw-r--r--src/com.gluster.storage.management.gateway/src/com/gluster/storage/management/gateway/resources/v1_0/DiscoveredServersResource.java5
-rw-r--r--src/com.gluster.storage.management.gateway/src/com/gluster/storage/management/gateway/resources/v1_0/UsersResource.java33
-rw-r--r--src/com.gluster.storage.management.gateway/src/com/gluster/storage/management/gateway/tasks/InitServerTask.java13
-rw-r--r--src/com.gluster.storage.management.gateway/src/spring/gluster-server-security.xml8
5 files changed, 61 insertions, 9 deletions
diff --git a/src/com.gluster.storage.management.gateway/src/com/gluster/storage/management/gateway/filters/AuditFilter.java b/src/com.gluster.storage.management.gateway/src/com/gluster/storage/management/gateway/filters/AuditFilter.java
index 31810123..705bab79 100644
--- a/src/com.gluster.storage.management.gateway/src/com/gluster/storage/management/gateway/filters/AuditFilter.java
+++ b/src/com.gluster.storage.management.gateway/src/com/gluster/storage/management/gateway/filters/AuditFilter.java
@@ -3,6 +3,10 @@
*/
package com.gluster.storage.management.gateway.filters;
+import java.util.Date;
+
+import org.apache.log4j.Logger;
+
import com.sun.jersey.spi.container.ContainerRequest;
import com.sun.jersey.spi.container.ContainerRequestFilter;
import com.sun.jersey.spi.container.ContainerResponse;
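Review bot: `import java.util.Date;` is added at the top of this hunk, but none of the three hunks of this file use it; unless a use exists outside the shown lines, it should be dropped so the import block stays clean (Error Prone and most IDEs will flag it). The only new name the later hunks need is the log4j `Logger` import below it.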
@@ -13,7 +17,8 @@ import com.sun.jersey.spi.container.ResourceFilter;
* Resource filter for maintaining audit trail of resource access
*/
public class AuditFilter implements ResourceFilter, ContainerRequestFilter, ContainerResponseFilter {
-
+ private static final Logger logger = Logger.getLogger(AuditFilter.class);
+
@Override
public ContainerRequestFilter getRequestFilter() {
return this;
@@ -26,13 +31,13 @@ public class AuditFilter implements ResourceFilter, ContainerRequestFilter, Cont
@Override
public ContainerRequest filter(ContainerRequest req) {
- System.out.println("REQUEST: [" + req.getMethod() + "][" + req.getPath() + "]");
+ logger.info("REQUEST: [" + req.getMethod() + "][" + req.getPath() + "]");
return req;
}
@Override
public ContainerResponse filter(ContainerRequest req, ContainerResponse response) {
- System.out.println("RESPONSE: [" + req.getMethod() + "][" + req.getPath() + "]");
+ logger.info("RESPONSE: [" + req.getMethod() + "][" + req.getPath() + "]");
return response;
}
}
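Review bot: The audit entries written in both filter methods record only the HTTP method and path, so the trail cannot show whether a request succeeded or who issued it; the response filter has the outcome in hand and should include it, e.g. `logger.info("RESPONSE: [" + req.getMethod() + "][" + req.getPath() + "][" + response.getStatus() + "]");`. Adding the caller would make the trail usable for incident review as well, but whether `req.getUserPrincipal()` is populated at this point depends on the filter order relative to the Spring Security chain, which this diff does not show. Log4j 1.x has no parameterized logging, so the string concatenation itself is fine.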
diff --git a/src/com.gluster.storage.management.gateway/src/com/gluster/storage/management/gateway/resources/v1_0/DiscoveredServersResource.java b/src/com.gluster.storage.management.gateway/src/com/gluster/storage/management/gateway/resources/v1_0/DiscoveredServersResource.java
index 2d07bd24..5a038670 100644
--- a/src/com.gluster.storage.management.gateway/src/com/gluster/storage/management/gateway/resources/v1_0/DiscoveredServersResource.java
+++ b/src/com.gluster.storage.management.gateway/src/com/gluster/storage/management/gateway/resources/v1_0/DiscoveredServersResource.java
@@ -33,6 +33,7 @@ import javax.ws.rs.QueryParam;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
+import org.apache.log4j.Logger;
import org.springframework.stereotype.Component;
import com.gluster.storage.management.core.model.Server;
@@ -55,6 +56,8 @@ public class DiscoveredServersResource extends AbstractResource {
private List<String> discoveredServerNames = new ArrayList<String>();
+ private static final Logger logger = Logger.getLogger(DiscoveredServersResource.class);
+
public List<String> getDiscoveredServerNames() {
return discoveredServerNames;
}
@@ -104,7 +107,7 @@ public class DiscoveredServersResource extends AbstractResource {
try {
discoveredServers.add(getDiscoveredServer(serverName));
} catch(Exception e) {
- // TODO: Log the exception
+ logger.warn("Could not fetch details of discovered server [ " + serverName + "]", e);
// continue with next discovered server
}
}
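Review bot: The new warn message has uneven bracket spacing, `"[ " + serverName + "]"`, which makes the value harder to grep for and is inconsistent with the `[value]` style used in UsersResource; change it to `logger.warn("Could not fetch details of discovered server [" + serverName + "]", e);`. Passing `e` as the throwable is the right call, since the stack trace is what distinguishes a transport failure from a parsing one. The loop and method enclosing this catch start before the hunk.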
diff --git a/src/com.gluster.storage.management.gateway/src/com/gluster/storage/management/gateway/resources/v1_0/UsersResource.java b/src/com.gluster.storage.management.gateway/src/com/gluster/storage/management/gateway/resources/v1_0/UsersResource.java
index 4b2701f2..d67a024e 100644
--- a/src/com.gluster.storage.management.gateway/src/com/gluster/storage/management/gateway/resources/v1_0/UsersResource.java
+++ b/src/com.gluster.storage.management.gateway/src/com/gluster/storage/management/gateway/resources/v1_0/UsersResource.java
@@ -32,11 +32,17 @@ import javax.ws.rs.core.Response;
import org.apache.log4j.Logger;
import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.authentication.dao.SaltSource;
import org.springframework.security.authentication.encoding.PasswordEncoder;
+import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.JdbcUserDetailsManager;
import org.springframework.stereotype.Component;
+import com.gluster.storage.management.core.exceptions.GlusterRuntimeException;
+import com.gluster.storage.management.core.exceptions.GlusterValidationException;
import com.gluster.storage.management.core.model.Status;
import com.sun.jersey.spi.resource.Singleton;
@@ -50,6 +56,12 @@ public class UsersResource extends AbstractResource {
@Autowired
private PasswordEncoder passwordEncoder;
+ @Autowired
+ private SaltSource saltSource;
+
+ @Autowired
+ private UserDetailsService userDetailsService;
+
private static final Logger logger = Logger.getLogger(UsersResource.class);
@Path("{" + PATH_PARAM_USER + "}")
@@ -77,14 +89,29 @@ public class UsersResource extends AbstractResource {
@Path("{" + PATH_PARAM_USER + "}")
@PUT
- public Response changePassword(@FormParam("oldpassword") String oldPassword,
+ public Response changePassword(@PathParam("user") String username, @FormParam("oldpassword") String oldPassword,
@FormParam("newpassword") String newPassword) {
try {
- jdbcUserService.changePassword(oldPassword, passwordEncoder.encodePassword(newPassword, null));
+ Authentication auth = SecurityContextHolder.getContext().getAuthentication();
+ String loggedInUser = ((UserDetails)auth.getPrincipal()).getUsername();
+ if(!loggedInUser.equals(username)) {
+ // Temporary check as we currently have only one user.
+ throw new GlusterValidationException("User [" + loggedInUser
+ + "] is not allowed to change password of user [" + username + "]!");
+ }
+
+ String correctOldPassword = auth.getCredentials().toString();
+ if(!oldPassword.equals(correctOldPassword)) {
+ throw new GlusterValidationException("Invalid old password!");
+ }
+
+ UserDetails user = userDetailsService.loadUserByUsername(username);
+ String encodedNewPassword = passwordEncoder.encodePassword(newPassword, saltSource.getSalt(user));
+ jdbcUserService.changePassword(oldPassword, encodedNewPassword);
} catch (Exception ex) {
String errMsg = "Could not change password. Error: [" + ex.getMessage() + "]";
logger.error(errMsg, ex);
- return errorResponse(errMsg);
+ throw new GlusterRuntimeException(errMsg);
}
return noContentResponse();
}
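Review bot: `newPassword` reaches `passwordEncoder.encodePassword` without any check, so a missing or blank form field is stored as the user's password, and `@PathParam("user")` on the new signature hard-codes the name that `@Path` takes from `PATH_PARAM_USER`, so a rename of the constant would silently leave `username` null. The catch-all at the bottom also re-wraps the two new GlusterValidationException throws (wrong user, wrong old password) as GlusterRuntimeException and logs them at error level, so a client gets the same failure as for a database fault and an ordinary typo fills the error log. Reading the old password back from `auth.getCredentials()` presumably works with HTTP Basic here, but it relies on the authentication provider not erasing credentials after authentication; if that option is enabled, `toString()` throws NullPointerException into the same catch. The rewritten entry and exit of the method are below; the checks and salted encoding in between are unchanged.
```java
public Response changePassword(@PathParam(PATH_PARAM_USER) String username, @FormParam("oldpassword") String oldPassword,
        @FormParam("newpassword") String newPassword) {
    if (oldPassword == null || newPassword == null || newPassword.trim().isEmpty()) {
        throw new GlusterValidationException("Old and new password must be provided!");
    }
    try {
        // … unchanged: logged-in user check, old password check, salted encoding, changePassword call …
    } catch (GlusterValidationException ex) {
        // validation failures keep their type and are not server faults, so they are not logged as errors
        throw ex;
    } catch (Exception ex) {
        // … unchanged: log and rethrow as GlusterRuntimeException …
    }
    return noContentResponse();
}
```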
diff --git a/src/com.gluster.storage.management.gateway/src/com/gluster/storage/management/gateway/tasks/InitServerTask.java b/src/com.gluster.storage.management.gateway/src/com/gluster/storage/management/gateway/tasks/InitServerTask.java
index 6d525785..b29f271f 100644
--- a/src/com.gluster.storage.management.gateway/src/com/gluster/storage/management/gateway/tasks/InitServerTask.java
+++ b/src/com.gluster.storage.management.gateway/src/com/gluster/storage/management/gateway/tasks/InitServerTask.java
@@ -35,7 +35,10 @@ import org.apache.derby.tools.ij;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.jdbc.core.RowCallbackHandler;
import org.springframework.jdbc.core.support.JdbcDaoSupport;
+import org.springframework.security.authentication.dao.SaltSource;
import org.springframework.security.authentication.encoding.PasswordEncoder;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.UserDetailsService;
import com.gluster.storage.management.core.constants.CoreConstants;
import com.gluster.storage.management.core.exceptions.GlusterRuntimeException;
@@ -48,6 +51,12 @@ import com.gluster.storage.management.gateway.data.PersistenceDao;
public class InitServerTask extends JdbcDaoSupport {
@Autowired
private PasswordEncoder passwordEncoder;
+
+ @Autowired
+ private SaltSource saltSource;
+
+ @Autowired
+ private UserDetailsService userDetailsService;
@Autowired
private String appVersion;
@@ -66,7 +75,9 @@ public class InitServerTask extends JdbcDaoSupport {
public void processRow(ResultSet rs) throws SQLException {
String username = rs.getString(1);
String password = rs.getString(2);
- String encodedPassword = passwordEncoder.encodePassword(password, null);
+ UserDetails user = userDetailsService.loadUserByUsername(username);
+
+ String encodedPassword = passwordEncoder.encodePassword(password, saltSource.getSalt(user));
getJdbcTemplate().update("update users set password = ? where username = ?", encodedPassword, username);
logger.debug("Updating password for username: " + username);
}
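Review bot: The debug line `logger.debug("Updating password for username: " + username);` now runs after the update and after a second database round trip, so it no longer describes what is about to happen; move it above the new `loadUserByUsername` call. That call exists only to hand the salt source a UserDetails, and it makes the migration depend on the user-details query succeeding for every row — a JDBC-backed user-details service typically throws UsernameNotFoundException for a user without authorities, which would abort the whole callback mid-migration; either catch that per row or record the precondition in a comment such as `// every row must be loadable through the user-details service, which supplies the salt`. The RowCallbackHandler this method belongs to starts before the hunk.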
diff --git a/src/com.gluster.storage.management.gateway/src/spring/gluster-server-security.xml b/src/com.gluster.storage.management.gateway/src/spring/gluster-server-security.xml
index abcd8c05..91df8cc9 100644
--- a/src/com.gluster.storage.management.gateway/src/spring/gluster-server-security.xml
+++ b/src/com.gluster.storage.management.gateway/src/spring/gluster-server-security.xml
@@ -23,6 +23,10 @@
<http-basic />
</http>
+ <beans:bean class="org.springframework.security.authentication.dao.ReflectionSaltSource" id="saltSource">
+ <beans:property name="userPropertyToUse" value="username" />
+ </beans:bean>
+
<beans:bean
class="org.springframework.security.authentication.encoding.ShaPasswordEncoder"
id="passwordEncoder" />
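Review bot: The salt configured here is the user's own username, which is public and fixed, so it only stops one precomputed table from being reused across accounts; it adds no secret or random material, and the encoder it feeds (`ShaPasswordEncoder`, defined just below) is a single fast digest. That is a reasonable stopgap, but it deserves a comment in the file so nobody reads "salted" as "strong", e.g. `<!-- Salt is the (public) username: it only blocks shared rainbow tables; move to a per-user random salt or a slow hash when the Spring Security version in use provides one -->`. Which encoders are available depends on the Spring Security version this build targets, which the diff does not show.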
@@ -30,7 +34,9 @@
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="jdbcUserService">
<!-- Passwords are SHA encrypted -->
- <password-encoder hash="sha" />
+ <password-encoder ref="passwordEncoder" hash="sha">
+ <salt-source ref="saltSource" />
+ </password-encoder>
</authentication-provider>
</authentication-manager>
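Review bot: The context comment `<!-- Passwords are SHA encrypted -->` is now misleading twice over: the values are hashed, not encrypted, and they are salted by the new `salt-source`; update it to `<!-- Passwords are stored as salted SHA hashes; the salt comes from the saltSource bean -->`. With `ref="passwordEncoder"` pointing at the explicit `ShaPasswordEncoder` bean, the `hash="sha"` attribute on the same element is redundant and, should the two ever diverge, ambiguous about which wins; keep only `ref`. InitServerTask and UsersResource must hash with exactly this encoder and salt source for logins to keep working, which the commit achieves by autowiring both beans by type.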