Author: tchemit
Date: 2008-02-13 21:57:42 +0000 (Wed, 13 Feb 2008)
New Revision: 935
Modified: trunk/simexplorer-is/simexplorer-is-service/src/java/fr/cemagref/simexplorer/is/service/AuthenticationServiceImpl.java
Log: ne pas utiliser les password en clair dans des String, il faut utiliser des tableaux de char. de plus on transmet dans l'appel loginUser, le password deja hash?\195?\169
Modified: trunk/simexplorer-is/simexplorer-is-service/src/java/fr/cemagref/simexplorer/is/service/AuthenticationServiceImpl.java
===================================================================
--- trunk/simexplorer-is/simexplorer-is-service/src/java/fr/cemagref/simexplorer/is/service/AuthenticationServiceImpl.java 2008-02-13 21:49:52 UTC (rev 934)
+++ trunk/simexplorer-is/simexplorer-is-service/src/java/fr/cemagref/simexplorer/is/service/AuthenticationServiceImpl.java 2008-02-13 21:57:42 UTC (rev 935)
@@ -19,8 +19,6 @@
 import static org.codelutin.i18n.I18n._;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Date;
@@ -75,11 +73,15 @@
      *
      * @return the mail content with password
      */
-    private String getMailContentWithPassword(String login, String password) {
+    private String getMailContentWithPassword(String login, char[] password) {
         StringBuffer sb = new StringBuffer("");
         sb.append(_("simexplorer.service.mail.header")).append("\n");
         sb.append(_("simexplorer.service.mail.login")).append(" : ").append(login).append("\n");
-        sb.append(_("simexplorer.service.mail.password")).append(" : ").append(password).append("\n");
+        sb.append(_("simexplorer.service.mail.password")).append(" : ");
+        for (char c : password) {
+            sb.append(c);
+        }
+        sb.append("\n");
         sb.append(_("simexplorer.service.mail.footer")).append("\n");
         return sb.toString();
     }
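Review bot: In getMailContentWithPassword the char-by-char loop still ends in `sb.toString()`, so the cleartext password is copied into an immutable String (the mail body) that no caller can zero; changing the parameter to char[] does not by itself keep the password out of String objects. That is worth recording above the loop so the later `Arrays.fill` calls in the callers are not read as a complete scrub: `// NOTE: toString() copies the password into an immutable String; only the caller's char[] can be zeroed`. Only private, apparently single-threaded use is visible, so `StringBuilder` would do the same job as the synchronized `StringBuffer`. The Javadoc for this method begins before the hunk; its `@param password` entry, if present, should now describe a char[].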
@@ -118,7 +120,6 @@
         javax.mail.Message msg = new MimeMessage(mailSession);
         Address from = InternetAddress.parse(mailFrom)[0];
         msg.setFrom(from);
-        ;
         msg.setRecipients(javax.mail.Message.RecipientType.TO, InternetAddress.parse(mailRecipient, false));
         msg.setSubject(subject);
         msg.setContent(content, "text/plain");
@@ -133,35 +134,13 @@
     }
     /**
-     * Compute hash.
-     *
-     * @param clearString the clear string
-     *
-     * @return the string
-     *
-     * @throws SimExplorerServiceException the sim explorer service exception
-     */
-    private String computeHash(String clearString) throws SimExplorerServiceException {
-        MessageDigest messageDigest = null;
-        try {
-            messageDigest = MessageDigest.getInstance("SHA-1");
-        } catch (NoSuchAlgorithmException e) {
-            throw new SimExplorerServiceException(e);
-        }
-        messageDigest.reset();
-        messageDigest.update(clearString.getBytes());
-        String hashedPassword;
-        hashedPassword = new String(messageDigest.digest());
-        return hashedPassword;
-    }
-
-    /**
      * Generate password.
      *
      * @return the string
      */
-    private String generatePassword() {
-        return RandomStringUtils.randomAlphanumeric(10);
+    private char[] generatePassword() {
+        //TODO ne plus utiliser un String
+        return RandomStringUtils.randomAlphanumeric(10).toCharArray();
     }
     /**
@@ -196,7 +175,7 @@
      * @return true, if successful
      */
     private boolean userOwnerOfGroup(User loggedUser, Group group) {
-        if (group.getOwner().getId() == loggedUser.getId()) {
+        if (group.getOwner().getId().equals(loggedUser.getId())) {
             return true;
         }
         List<Group> groups = group.getGroups();
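Review bot: generatePassword draws the new password from `RandomStringUtils.randomAlphanumeric(10)`, whose overloads without an explicit `Random` argument use a shared `java.util.Random` in commons-lang, so generated and reset passwords come from a non-cryptographic generator; a credential should be produced from `java.security.SecureRandom`. Filling the char[] directly from SecureRandom also resolves the `//TODO ne plus utiliser un String` left in the hunk, because no intermediate String is created. The `computeHash` removed in the same hunk encoded with `clearString.getBytes()` and `new String(messageDigest.digest())`, both dependent on the platform charset; whether `AuthenticationServiceHelper.computeHash` inherited that cannot be seen here and should be checked. Adding `import java.security.SecureRandom;` restores one import in the block the first hunk trimmed.
```java
    private static final SecureRandom RANDOM = new SecureRandom();
    private static final char[] ALPHABET =
            "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789".toCharArray();

    /**
     * Generate password.
     *
     * @return a fresh 10-character alphanumeric password; the caller owns the array and zeroes it when done
     */
    private char[] generatePassword() {
        char[] password = new char[10];
        for (int i = 0; i < password.length; i++) {
            password[i] = ALPHABET[RANDOM.nextInt(ALPHABET.length)];
        }
        return password;
    }
```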
@@ -431,11 +410,13 @@
         User user = new User();
         user.setLogin(login);
         user.setMail(mail);
-        String password = generatePassword();
+        char[] password = generatePassword();
         sendMail(Config.getProperties().getProperty("simexplorer.adminmail"), mail, _("simexplorer.service.mail.subject"), getMailContentWithPassword(login, password));
-        String passwordHash = computeHash(password);
+        String passwordHash = AuthenticationServiceHelper.computeHash(password);
         user.setPasswordHash(passwordHash);
+        // reset array
+        Arrays.fill(password,(char)0);
         user.setAdmin(false);
         user.setSuperAdmin(false);
         dao.saveUser(user);
@@ -528,7 +509,7 @@
         user.setLogin("superadmin");
         user.setMail("");
         String password = "password";
-        String passwordHash = computeHash(password);
+        String passwordHash = AuthenticationServiceHelper.computeHash(password.toCharArray());
         user.setPasswordHash(passwordHash);
         user.setAdmin(true);
         user.setSuperAdmin(true);
@@ -546,7 +527,9 @@
             superAdminCheck = true;
         }
         String token = null;
-        User loggedUser = dao.loginUser(login, computeHash(password));
+        // le password est deja haché
+        //User loggedUser = dao.loginUser(login, AuthenticationServiceHelper.computeHash(password));
+        User loggedUser = dao.loginUser(login, password);
         if (loggedUser != null) {
             // FIXME delete previous tokens
             // dao.deleteTokens(login, 10 * 60 * 1000);
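Review bot: In the login hunk (`@@ -546,7 +527,9 @@`, whose enclosing method begins before the hunk) `dao.loginUser(login, password)` now matches the client-supplied value directly against the stored hash, so the persisted password-hash column is itself the credential: a copy of that column is a set of working logins, and the server-side hashing that formerly stood between the two is gone. If the service must accept a pre-hashed value, the stored form should be a separate server-side derivation of what is received (a salted hash of the received hash), and the dead `//User loggedUser = dao.loginUser(...)` line should be deleted rather than kept as a comment. In the user-creation hunk above (`@@ -431,11 +410,13 @@`) and in the `resetPassword` hunk that follows, `Arrays.fill(password,(char)0)` runs only on the success path; if `sendMail` or `computeHash` throws, the array is never cleared, so the two calls should sit in `try { … } finally { Arrays.fill(password, (char) 0); }`. The superadmin bootstrap still seeds the literal `"password"`, and the `toCharArray()` copy handed to `computeHash` there is not zeroed either.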
@@ -586,10 +569,12 @@
     public void resetPassword(String token, String login) throws SimExplorerServiceException {
         User user = getUser(token, login);
         if (canAdminUser(token, user.getId())) {
-            String password = generatePassword();
+            char[] password = generatePassword();
             sendMail(Config.getProperties().getProperty("simexplorer.adminmail"), user.getMail(), _("simexplorer.service.mail.subject"), getMailContentWithPassword(login, password));
-            String passwordHash = computeHash(password);
+            String passwordHash = AuthenticationServiceHelper.computeHash(password);
+            // reset char[]
+            Arrays.fill(password,(char)0);
             user.setPasswordHash(passwordHash);
             dao.updateUser(user);
         } else {