Eclipse Community Forums
Forum Search:

Search      Help    Register    Login    Home
Home » Eclipse Projects » scout » DataSourceSecurityFilter and RAP Client
DataSourceSecurityFilter and RAP Client [message #1608187] Mon, 09 February 2015 10:39 Go to next message
Peter Pfeifer is currently offline Peter PfeiferFriend
Messages: 191
Registered: November 2014
Senior Member

Hello,

I tried to configure the DataSourceSecurityFilter in the RAP configi.ini and added the mysql driver to dependencies of the *-rap-dev.product.

org.eclipse.scout.rt.server.commons.servletfilter.security.DataSourceSecurityFilter#active=true
org.eclipse.scout.rt.server.commons.servletfilter.security.DataSourceSecurityFilter#realm=bbk Development
org.eclipse.scout.rt.server.commons.servletfilter.security.DataSourceSecurityFilter#jdbcDriverName=com.mysql.jdbc.Driver
org.eclipse.scout.rt.server.commons.servletfilter.security.DataSourceSecurityFilter#jdbcMappingName=jdbc:mysql://127.0.0.1:3306/BFZ 
org.eclipse.scout.rt.server.commons.servletfilter.security.DataSourceSecurityFilter#jdbcUsername=admin
org.eclipse.scout.rt.server.commons.servletfilter.security.DataSourceSecurityFilter#jdbcPassword=changeme
org.eclipse.scout.rt.server.commons.servletfilter.security.DataSourceSecurityFilter#selectUserPass=SELECT LOWER(username), id, countyid, seclevel FROM Users WHERE LOWER(username)=? AND PASSWORD=?


When starting the rap client i get the following exception:

HTTP ERROR: 500

Problem accessing /web. Reason:

    javax.servlet.ServletException: com.mysql.jdbc.Driver cannot be found by org.eclipse.scout.rt.server.commons_4.3.0.20150112-1427
Powered by Jetty://


What am I missing?

Thanks,

Peter
Re: DataSourceSecurityFilter and RAP Client [message #1608302 is a reply to message #1608187] Mon, 09 February 2015 12:18 Go to previous messageGo to next message
Jeremie Bresson is currently offline Jeremie BressonFriend
Messages: 1243
Registered: October 2011
Senior Member
Does your product file contain com.bsiag.scout.rt.server.jdbc.mysql5117 in the plugin list? ("Dependencies" Tab in the Product File Editor).

Is it started (when you launch the application)? No resolve product error at the startup.
Re: DataSourceSecurityFilter and RAP Client [message #1608314 is a reply to message #1608302] Mon, 09 February 2015 12:26 Go to previous messageGo to next message
Peter Pfeifer is currently offline Peter PfeiferFriend
Messages: 191
Registered: November 2014
Senior Member

Jeremie Bresson wrote on Mon, 09 February 2015 12:18
Does your product file contain com.bsiag.scout.rt.server.jdbc.mysql5117 in the plugin list? ("Dependencies" Tab in the Product File Editor).

Is it started (when you launch the application)? No resolve product error at the startup.


Yes teh product file contains the mysql bundle... RAP Server is starting without any problems.

The error above shows up when accessing the webapp... I tried to add the mysql bundle to the rap project plugin xml too. But then the RAP server refuses to startup at all...

Peter
Re: DataSourceSecurityFilter and RAP Client [message #1608795 is a reply to message #1608314] Mon, 09 February 2015 19:21 Go to previous messageGo to next message
Jeremie Bresson is currently offline Jeremie BressonFriend
Messages: 1243
Registered: October 2011
Senior Member
Somebody has reported to us a problem he got with a scout-client with the RAP-UI (this is a RAP server) and the scout-server. They were using a derby database (like in the tutorial). If used in the embedded mode, only one connection is allowed. This is a limitation preventing this setup to work well.

With MySql it should not be a problem.

I will try to test this case.
Re: DataSourceSecurityFilter and RAP Client [message #1614499 is a reply to message #1608795] Fri, 13 February 2015 09:32 Go to previous messageGo to next message
Peter Pfeifer is currently offline Peter PfeiferFriend
Messages: 191
Registered: November 2014
Senior Member

Hello Jeremie,

Jeremie Bresson wrote on Mon, 09 February 2015 19:21

I will try to test this case.


sorry for bothering you. But do you have any idea what I can do to fix this. Or better: which eclipse/scout bundles need to have the dependeny on the "com.bsiag.scout.rt.server.jdbc.mysql5117"?

I added the dependency to:


  • at.bfzgruenbach.bbk.server: manifest.mf, bbk-rap.dev.product
  • at.bfzgruenbach.bbk.target: bbk-target
  • at.bfzgruenbach.bbk.ui.rap: bbk-rap-dev.product


When starting i get the follwoing log entries for "bbk-rap-dev.product":
com.mysql.jdbc.Driver cannot be found by org.eclipse.scout.rt.server.commons_4.3.0.20150112-1427
!STACK 0
java.lang.ClassNotFoundException: com.mysql.jdbc.Driver cannot be found by org.eclipse.scout.rt.server.commons_4.3.0.20150112-1427
	at org.eclipse.osgi.internal.loader.BundleLoader.findClassInternal(BundleLoader.java:439)
	at org.eclipse.osgi.internal.loader.BundleLoader.findClass(BundleLoader.java:352)
	at org.eclipse.osgi.internal.loader.BundleLoader.findClass(BundleLoader.java:344)
	at org.eclipse.osgi.internal.loader.ModuleClassLoader.loadClass(ModuleClassLoader.java:160)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
	at java.lang.Class.forName0(Native Method)
	at java.lang.Class.forName(Class.java:191)
	at org.eclipse.scout.rt.server.commons.servletfilter.security.DataSourceSecurityFilter.createJdbcDirectConnection(DataSourceSecurityFilter.java:224)
	at org.eclipse.scout.rt.server.commons.servletfilter.security.DataSourceSecurityFilter.isValidUser(DataSourceSecurityFilter.java:164)
	at org.eclipse.scout.rt.server.commons.servletfilter.security.DataSourceSecurityFilter.negotiate(DataSourceSecurityFilter.java:126)
	at org.eclipse.scout.rt.server.commons.servletfilter.security.AbstractChainableSecurityFilter.doFilter(AbstractChainableSecurityFilter.java:120)
	at org.eclipse.scout.rt.server.commons.internal.FilterChainImpl.doFilter(FilterChainImpl.java:41)
	at org.eclipse.scout.rt.server.commons.servletfilter.security.AbstractChainableSecurityFilter.doFilter(AbstractChainableSecurityFilter.java:106)
	at org.eclipse.scout.rt.server.commons.internal.FilterChainImpl.doFilter(FilterChainImpl.java:41)
	at org.eclipse.scout.rt.server.commons.servletfilter.security.AbstractChainableSecurityFilter.doFilter(AbstractChainableSecurityFilter.java:106)
	at org.eclipse.scout.rt.server.commons.internal.FilterChainImpl.doFilter(FilterChainImpl.java:41)
	at org.eclipse.scout.rt.ui.rap.servletfilter.LogoutFilter.doFilter(LogoutFilter.java:83)
	at org.eclipse.scout.rt.server.commons.internal.FilterChainImpl.doFilter(FilterChainImpl.java:41)
	at org.eclipse.scout.rt.server.commons.servletfilter.ServletFilterDelegate.delegateServiceMethod(ServletFilterDelegate.java:60)
	at org.eclipse.scout.rt.ui.rap.internal.servletfilter.DelegateFilter.doFilter(DelegateFilter.java:48)
	at org.eclipse.equinox.http.registry.internal.FilterManager$FilterWrapper.doFilter(FilterManager.java:173)
	at org.eclipse.equinox.http.servlet.internal.HttpServiceRuntimeImpl$LegacyFilterFactory$LegacyFilter.doFilter(HttpServiceRuntimeImpl.java:1142)
	at org.eclipse.equinox.http.servlet.internal.registration.FilterRegistration.doFilter(FilterRegistration.java:110)
	at org.eclipse.equinox.http.servlet.internal.servlet.FilterChainImpl.doFilter(FilterChainImpl.java:45)
	at org.eclipse.equinox.http.servlet.internal.servlet.ResponseStateHandler.processRequest(ResponseStateHandler.java:70)
	at org.eclipse.equinox.http.servlet.internal.HttpServiceRuntimeImpl.doDispatch(HttpServiceRuntimeImpl.java:487)
	at org.eclipse.equinox.http.servlet.internal.HttpServiceRuntimeImpl.doDispatch(HttpServiceRuntimeImpl.java:442)
	at org.eclipse.equinox.http.servlet.internal.HttpServiceRuntimeImpl.doDispatch(HttpServiceRuntimeImpl.java:228)
	at org.eclipse.equinox.http.servlet.internal.servlet.ProxyServlet.processAlias(ProxyServlet.java:87)
	at org.eclipse.equinox.http.servlet.internal.servlet.ProxyServlet.service(ProxyServlet.java:66)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
	at org.eclipse.equinox.http.jetty.internal.HttpServerManager$InternalHttpServiceServlet.service(HttpServerManager.java:337)
	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:800)
	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:587)
	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:221)
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1125)
	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1059)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
	at org.eclipse.jetty.server.Server.handle(Server.java:497)
	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:310)
	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:248)
	at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:540)
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:620)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:540)
	at java.lang.Thread.run(Thread.java:745)
2015-02-13 10:29:51.447:WARN:oejs.ServletHandler:qtp564473555-20: 
javax.servlet.ServletException: com.mysql.jdbc.Driver cannot be found by org.eclipse.scout.rt.server.commons_4.3.0.20150112-1427
	at org.eclipse.scout.rt.server.commons.servletfilter.security.DataSourceSecurityFilter.isValidUser(DataSourceSecurityFilter.java:171)
	at org.eclipse.scout.rt.server.commons.servletfilter.security.DataSourceSecurityFilter.negotiate(DataSourceSecurityFilter.java:126)
	at org.eclipse.scout.rt.server.commons.servletfilter.security.AbstractChainableSecurityFilter.doFilter(AbstractChainableSecurityFilter.java:120)
	at org.eclipse.scout.rt.server.commons.internal.FilterChainImpl.doFilter(FilterChainImpl.java:41)
	at org.eclipse.scout.rt.server.commons.servletfilter.security.AbstractChainableSecurityFilter.doFilter(AbstractChainableSecurityFilter.java:106)
	at org.eclipse.scout.rt.server.commons.internal.FilterChainImpl.doFilter(FilterChainImpl.java:41)
	at org.eclipse.scout.rt.server.commons.servletfilter.security.AbstractChainableSecurityFilter.doFilter(AbstractChainableSecurityFilter.java:106)
	at org.eclipse.scout.rt.server.commons.internal.FilterChainImpl.doFilter(FilterChainImpl.java:41)
	at org.eclipse.scout.rt.ui.rap.servletfilter.LogoutFilter.doFilter(LogoutFilter.java:83)
	at org.eclipse.scout.rt.server.commons.internal.FilterChainImpl.doFilter(FilterChainImpl.java:41)
	at org.eclipse.scout.rt.server.commons.servletfilter.ServletFilterDelegate.delegateServiceMethod(ServletFilterDelegate.java:60)
	at org.eclipse.scout.rt.ui.rap.internal.servletfilter.DelegateFilter.doFilter(DelegateFilter.java:48)
	at org.eclipse.equinox.http.registry.internal.FilterManager$FilterWrapper.doFilter(FilterManager.java:173)
	at org.eclipse.equinox.http.servlet.internal.HttpServiceRuntimeImpl$LegacyFilterFactory$LegacyFilter.doFilter(HttpServiceRuntimeImpl.java:1142)
	at org.eclipse.equinox.http.servlet.internal.registration.FilterRegistration.doFilter(FilterRegistration.java:110)
	at org.eclipse.equinox.http.servlet.internal.servlet.FilterChainImpl.doFilter(FilterChainImpl.java:45)
	at org.eclipse.equinox.http.servlet.internal.servlet.ResponseStateHandler.processRequest(ResponseStateHandler.java:70)
	at org.eclipse.equinox.http.servlet.internal.HttpServiceRuntimeImpl.doDispatch(HttpServiceRuntimeImpl.java:487)
	at org.eclipse.equinox.http.servlet.internal.HttpServiceRuntimeImpl.doDispatch(HttpServiceRuntimeImpl.java:442)
	at org.eclipse.equinox.http.servlet.internal.HttpServiceRuntimeImpl.doDispatch(HttpServiceRuntimeImpl.java:228)
	at org.eclipse.equinox.http.servlet.internal.servlet.ProxyServlet.processAlias(ProxyServlet.java:87)
	at org.eclipse.equinox.http.servlet.internal.servlet.ProxyServlet.service(ProxyServlet.java:66)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
	at org.eclipse.equinox.http.jetty.internal.HttpServerManager$InternalHttpServiceServlet.service(HttpServerManager.java:337)
	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:800)
	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:587)
	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:221)
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1125)
	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1059)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
	at org.eclipse.jetty.server.Server.handle(Server.java:497)
	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:310)
	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:248)
	at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:540)
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:620)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:540)
	at java.lang.Thread.run(Thread.java:745)


Isn't the mysql driver included in the com.bsiag.scout.rt.server.jdbc.mysql5117 bundle?

Thanks Peter
Re: DataSourceSecurityFilter and RAP Client [message #1614864 is a reply to message #1614499] Fri, 13 February 2015 14:51 Go to previous messageGo to next message
Jeremie Bresson is currently offline Jeremie BressonFriend
Messages: 1243
Registered: October 2011
Senior Member
Ok I took some time on your problem.

Peter Pfeifer wrote on Fri, 13 February 2015 10:32
Isn't the mysql driver included in the com.bsiag.scout.rt.server.jdbc.mysql5117 bundle


You can find out by doing CTRL+SHIFT+T and search for "com.mysql.jdbc.Driver".
The Editor show nothing but a "Source not found" error.
If you have clicked "Link with Editor" button (the one with the 2 yellow arrows) in the Package Explorer, you will find out where the class is.
=> com.mysql.jdbc_5117.fragment

You can add this fragment to the list ("Dependencies" Tab in the Product File Editor).

Peter Pfeifer wrote on Mon, 09 February 2015 13:26
I tried to add the mysql bundle to the rap project plugin xml too. But then the RAP server refuses to startup at all...


If you do so, you will have a product validation problem (the dependencies declared in the MANIFEST.MF are not all fulfilled).

(I assume you have added the mysql bundle com.bsiag.scout.rt.server.jdbc.mysql5117 to the rap-dev product xml file. You can not add dependency to plugin.xml)

When you validate your product, you have a "missing requirement con" error, because com.bsiag.scout.rt.server.jdbc.mysql5117 has a dependency to:
* Package: com.mysql.jdbc [1]
* Bundle: org.eclipse.scout.rt.server [2]

You can fulfill the requirement [1] by adding the fragment " com.mysql.jdbc_5117.fragment " into the list. But you cannot fulfill requirement [2] because you do not have the server code in your rap project (it is the Scout client).

At the end if you look what is in the com.bsiag.scout.rt.server.jdbc.mysql5117 bundle you will notice that this is not necessary (You have for example AbstractMySqlSqlService that is not necessary).

On the dependency topic, I recommend you my forum post where I tried to explain target-platform, target-definition, product file...

----

If you look at DataSourceSecurityFilter.negotiate(HttpServletRequest, HttpServletResponse, PrincipalHolder) you will notice that the password parameter (passEncrypted) passed to DataSourceSecurityFilter.isValidUser(String, String) is the Base64 encryption of the Password entered by the in the login box.

Your statement should probabely look more like:
 org.eclipse.scout.rt.server.commons.servletfilter.security.DataSourceSecurityFilter#selectUserPass=SELECT LOWER(username), id, countyid, seclevel FROM Users WHERE LOWER(username)=? AND TO_BASE64(PASSWORD)=?


----

I have asked my coworker what is the state of the art solution of your problem.

In our vision the RAP-Server (aka Scout Client) does not connect to the database.
The solution was presented at the EclipseCon Europe 2012. See the slides: 20121022_BahBah_Slides.pdf
On slide 23 you will see the overview:
index.php/fa/21586/0/

The RAP-Scout-Client has a BasicForwardSecurity filter who will ask the "/auth" servlet on the Scout Server. This servlet is available without any password.
The Server will be responsible to log the user in. This way you have your Database configuration at one single point (the server) and the RAP-Scout-Client knows nothing the Database.
If you do not have a desktop client, you do not need the "/process" servlet in the server.

You can check the Bahbah Chat demo application where this is implemented.

[Updated on: Tue, 21 April 2015 08:58]

Report message to a moderator

Re: DataSourceSecurityFilter and RAP Client [message #1615935 is a reply to message #1614864] Sat, 14 February 2015 07:34 Go to previous messageGo to next message
Peter Pfeifer is currently offline Peter PfeiferFriend
Messages: 191
Registered: November 2014
Senior Member

Hello Jeremie,

thanks for the explanations.

Jeremie Bresson wrote on Fri, 13 February 2015 14:51

I have asked my coworker what is the state of the art solution of your problem.

In our vision the RAP-Server (aka Scout Client) does not connect to the database.
The solution was presented at the EclipseCon Europe 2012. See the slides: 20121022_BahBah_Slides.pdf
On slide 23 you will see the overview:
index.php/fa/21586/0/

The RAP-Scout-Client has a BasicForwardSecurity filter who will ask the "/auth" servlet on the Scout Server. This servlet is available without any password.
The Server will be responsible to log the user in. This way you have your Database configuration at one single point (the server) and the RAP-Scout-Client knows nothing the Database.
If you do not have a desktop client, you do not need the "/process" servlet in the server.

You can check the Bahbah Chat demo application where this is implemented.


Ok. I think I know what you mean. But I have to look further through the code. But if this is more or less the reference implementation of how to authenticate web users, wouldn't this be worth a wiki entry? Since there only securityfilters are mentioned?

Jeremie Bresson wrote on Fri, 13 February 2015 14:51

If you look at DataSourceSecurityFilter.negotiate(HttpServletRequest, HttpServletResponse, PrincipalHolder) you will notice that the password parameter (passEncrypted) passed to DataSourceSecurityFilter.isValidUser(String, String) is the Base64 encryption of the Password entered by the in the login box.

Your statement should probabely look more like:
 org.eclipse.scout.rt.server.commons.servletfilter.security.DataSourceSecurityFilter#selectUserPass=SELECT LOWER(username), id, countyid, seclevel FROM Users WHERE LOWER(username)=? AND TO_BASE64(PASSWORD)=?



This would mean that the password is stored as plain text in the database. I hope nobody is doing that Smile

Thanks

Peter

[Updated on: Tue, 21 April 2015 08:58] by Moderator

Report message to a moderator

Re: DataSourceSecurityFilter and RAP Client [message #1618890 is a reply to message #1615935] Mon, 16 February 2015 07:37 Go to previous messageGo to next message
Urs Beeli is currently offline Urs BeeliFriend
Messages: 566
Registered: October 2012
Location: Bern, Switzerland
Senior Member
Quote:
This would mean that the password is stored as plain text in the database. I hope nobody is doing that Smile


Not quite plain text, it is base64 encoded. But of course, that is more a "security by obscurity" feature than proper encryption.
Re: DataSourceSecurityFilter and RAP Client [message #1619277 is a reply to message #1615935] Mon, 16 February 2015 13:11 Go to previous messageGo to next message
Jeremie Bresson is currently offline Jeremie BressonFriend
Messages: 1243
Registered: October 2011
Senior Member
Peter Pfeifer wrote on Sat, 14 February 2015 08:34
Ok. I think I know what you mean. But I have to look further through the code. But if this is more or less the reference implementation of how to authenticate web users, wouldn't this be worth a wiki entry? Since there only securityfilters are mentioned?


Yes, I wasn't aware of this presentation and of this pattern until I have spoken with one of my co-worker.

Not everything is documented in the wiki. This is an area where a lot can be improved.

Feel free to start something on the wiki (you can ping me in this thread if need help).

Peter Pfeifer wrote on Sat, 14 February 2015 08:34
This would mean that the password is stored as plain text in the database. I hope nobody is doing that Smile


I did it for my tests... But I agree with you, I should have done this the other way around.

I am not sure that a BASE_64 encoding of the USERS.PASSWORD column will add a lot of security.

In a real world scenario, you should probably have your own class extending DataSourceSecurityFilter and provide your own implementation of encryptPass(String). Again I am not a security expert.
Re: DataSourceSecurityFilter and RAP Client [message #1636825 is a reply to message #1619277] Thu, 26 February 2015 11:45 Go to previous messageGo to next message
Marco Dorfliger is currently offline Marco DorfligerFriend
Messages: 43
Registered: January 2015
Member
This is briefly covered by the DataSourceSecurityFilter section in the Security concepts wiki. DataSourceSecurityFilter.negotiate and DataSourceSecurityFilter.encryptPass use base64 encryption by default, so the default implementation would store base64 encrypted passwords in the database. Am I right in thinking that base64 encryption is reversible? That would mean passwords wouldn't actually be protected.

One question I wondered about recently is whether it's possible to implement password salting with the DataSourceSecurityFilter, and if a custom security filter was required how this mechanism might work.

[Updated on: Thu, 26 February 2015 11:50]

Report message to a moderator

icon3.gif  Re: DataSourceSecurityFilter and RAP Client [message #1636872 is a reply to message #1636825] Thu, 26 February 2015 12:19 Go to previous messageGo to next message
Patrick Bänziger is currently offline Patrick BänzigerFriend
Messages: 32
Registered: September 2011
Member
Because I recently stumbled over this when I tried to retrieve a password:
As far as I can see, the passwords are first hashed with MD5 and only then stored in Base64 encoded form. In the source code that I checked (Luna), no salt is used.

See (older) source code on GrepCode.

There exists an inverse function for Base64 (it's just an encoding) to get back the input, but AFAIK not for MD5. Retrieving a password from its hash value is thus non-trivial.
However:


  • if the database is stolen/compromised: Using rainbow tables of known hash values, one could simply look upthe passwords used (if they are among the common passwords contained in the rainbow table)
  • MD5 is not recommended anymore, some sources go as far as to say "should be considered cryptographically broken and unsuitable for further used". See: http://en.wikipedia.org/wiki/MD5

[Updated on: Thu, 26 February 2015 12:21]

Report message to a moderator

Re: DataSourceSecurityFilter and RAP Client [message #1642818 is a reply to message #1636872] Sun, 01 March 2015 08:10 Go to previous messageGo to next message
Marco Dorfliger is currently offline Marco DorfligerFriend
Messages: 43
Registered: January 2015
Member
Yeah, default implementation uses md5 hashes. I came up with something which (I think) is workable. I based my solution on the following article (which for anyone interested provides a fairly succinct all-you-need-to-know explanation of password security): https://crackstation.net/hashing-security.htm.

The first part of my solution is to copy a PBKDF2 hashing algorithm (PasswordHash.java) directly from the crackstation.net website. Other than a package declaration, it requires no modification.

The second part is the security filter implementation, which inherits heavily from DataSourceSecurityFilter:
import java.security.NoSuchAlgorithmException;
import java.security.spec.InvalidKeySpecException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

import javax.servlet.FilterConfig;
import javax.servlet.ServletException;

import org.eclipse.scout.commons.logger.IScoutLogger;
import org.eclipse.scout.commons.logger.ScoutLogManager;
import org.eclipse.scout.rt.server.commons.servletfilter.FilterConfigInjection;
import org.eclipse.scout.rt.server.commons.servletfilter.security.DataSourceSecurityFilter;

/**
 * @author Marco Dörfliger
 */
public class SaltedDataSourceSecurityFilter extends DataSourceSecurityFilter {
  private static final IScoutLogger LOG = ScoutLogManager.getLogger(SaltedDataSourceSecurityFilter.class);

  private String m_selectStatement;

  @Override
  public void init(FilterConfig config0) throws ServletException {
    super.init(config0);
    FilterConfigInjection.FilterConfig config = new FilterConfigInjection(config0, getClass()).getAnyConfig();
    m_selectStatement = config.getInitParameter("selectUserPass");
    if (m_selectStatement == null) {
      throw new ServletException("Missing init-param with name 'selectUserPass'.");
    }
  }

  @Override
  protected String encryptPass(String pass) throws ServletException {
    return pass;
  }

  /**
   * The selectStatement parameter should be set to something like
   * "SELECT PASSWORD FROM USERS WHERE ACCOUNT_LOCKED=0 AND LOWER(USERNAME)=?"
   */
  @Override
  protected boolean isValidUser(String username, String password, Connection connection) throws SQLException {
    PreparedStatement stmt = null;
    try {
      stmt = connection.prepareStatement(m_selectStatement);
      stmt.setString(1, username);
      stmt.execute();
      ResultSet resultSet = stmt.getResultSet();
      return (resultSet.next() && PasswordHash.validatePassword(password, resultSet.getString(1)));
    }
    catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
      LOG.error("Exception occurred validating password", e);
      return false;
    }
    finally {
      try {
        if (stmt != null) {
          stmt.close();
          stmt = null;
        }
      }
      catch (SQLException e) {
        LOG.warn("Exception in close stmt!", e);
      }
    }
  }

  public static void main(String[] args) throws ServletException {
    SaltedDataSourceSecurityFilter sdssf = new SaltedDataSourceSecurityFilter();
    System.out.println("'sausages' encrypts to " + sdssf.encryptPass("sausages"));
  }
}

The matching configuration lines in config.ini are as follows:
com.mycompany.myproject.server.services.common.security.SaltedDataSourceSecurityFilter#active=true
com.mycompany.myproject.server.services.common.security.SaltedDataSourceSecurityFilter#realm=development
com.mycompany.myproject.server.services.common.security.SaltedDataSourceSecurityFilter#jdbcDriverName=org.postgresql.Driver
com.mycompany.myproject.server.services.common.security.SaltedDataSourceSecurityFilter#jdbcMappingName=jdbc:postgresql://localhost:5432
com.mycompany.myproject.server.services.common.security.SaltedDataSourceSecurityFilter#jdbcUsername=appuser
com.mycompany.myproject.server.services.common.security.SaltedDataSourceSecurityFilter#jdbcPassword=dbpassword
com.mycompany.myproject.server.services.common.security.SaltedDataSourceSecurityFilter#selectUserPass=SELECT PASSWORD FROM USERS WHERE ACCOUNT_LOCKED=0 AND LOWER(USERNAME)=?

Finally, you need to update the extension in the server plugin.xml file, and replace the DataSourceSecurityFilter with the SaltedDataSourceSecurityFilter as follows:
      <filter
            aliases="/process /remotefiles /updatesite"
            class="com.mycompany.myproject.server.services.common.security.SaltedDataSourceSecurityFilter"
            ranking="40">
      </filter>

Afaik the password is still sent "in the clear" from client to server which could be improved upon, but this is a step in the right direction I think.

[Updated on: Sun, 01 March 2015 08:14]

Report message to a moderator

Re: DataSourceSecurityFilter and RAP Client [message #1642960 is a reply to message #1614864] Sun, 01 March 2015 09:47 Go to previous message
Peter Pfeifer is currently offline Peter PfeiferFriend
Messages: 191
Registered: November 2014
Senior Member

Hi Jermie,

Today I found some time to look at the solution:

Jeremie Bresson wrote on Fri, 13 February 2015 14:51

I have asked my coworker what is the state of the art solution of your problem.

In our vision the RAP-Server (aka Scout Client) does not connect to the database.
The solution was presented at the EclipseCon Europe 2012. See the slides: 20121022_BahBah_Slides.pdf


I managed to add all the things as suggested. But what I didn't find is where I can enter a username and password when starting the RAP client. What did I miss here.

But as we already agreed, I'll wait for the hints and tips on form based login Smile

Thanks

Peter
Previous Topic:Checking for unsaved changes before logging out
Next Topic:Delete Row
Goto Forum:
  


Current Time: Thu Oct 19 11:09:39 GMT 2017

Powered by FUDForum. Page generated in 0.03088 seconds
.:: Contact :: Home ::.

Powered by: FUDforum 3.0.2.
Copyright ©2001-2010 FUDforum Bulletin Board Software