r1499 - trunk/wikitty-api/src/main/java/org/nuiton/wikitty/services
Author: bpoussin
Date: 2012-08-23 10:10:35 +0200 (Thu, 23 Aug 2012)
New Revision: 1499
Url: http://nuiton.org/repositories/revision/wikitty/1499
Log: refactoring de la classe
Modified: trunk/wikitty-api/src/main/java/org/nuiton/wikitty/services/WikittyServiceAuthentication.java
Modified: trunk/wikitty-api/src/main/java/org/nuiton/wikitty/services/WikittyServiceAuthentication.java
===================================================================
--- trunk/wikitty-api/src/main/java/org/nuiton/wikitty/services/WikittyServiceAuthentication.java 2012-08-22 06:09:40 UTC (rev 1498)
+++ trunk/wikitty-api/src/main/java/org/nuiton/wikitty/services/WikittyServiceAuthentication.java 2012-08-23 08:10:35 UTC (rev 1499)
@@ -24,19 +24,15 @@
 */
 package org.nuiton.wikitty.services;
-import java.util.Arrays;
 import java.util.Collections;
-import java.util.Date;
+import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.nuiton.util.ApplicationConfig;
 import org.nuiton.util.TimeLog;
 import org.nuiton.wikitty.WikittyConfigOption;
 import org.nuiton.wikitty.WikittyService;
-import org.nuiton.wikitty.WikittyUtil;
 import org.nuiton.wikitty.entities.Wikitty;
-import org.nuiton.wikitty.entities.WikittyImpl;
-import org.nuiton.wikitty.entities.WikittyTokenHelper;
 import org.nuiton.wikitty.entities.WikittyUser;
 import org.nuiton.wikitty.entities.WikittyUserHelper;
 import org.nuiton.wikitty.query.WikittyQuery;
@@ -68,38 +64,64 @@
 super(config, ws);
 if (config != null) {
 long timeToLogInfo = config.getOptionAsInt(WikittyConfigOption.
- WIKITTY_SECURITY_TIME_TO_LOG_INFO.getKey());
+ WIKITTY_SERVICE_TIME_TO_LOG_INFO.getKey());
 long timeToLogWarn = config.getOptionAsInt(WikittyConfigOption.
- WIKITTY_SECURITY_TIME_TO_LOG_WARN.getKey());
+ WIKITTY_SERVICE_TIME_TO_LOG_WARN.getKey());
 timeLog.setTimeToLogInfo(timeToLogInfo);
 timeLog.setTimeToLogWarn(timeToLogWarn);
 }
 }
+ /**
+ * L'exception lever en cas de mauvais login ou mot de passe contient toujours
+ * le même message pour ne pas aider les attaquants a trouver des comptes
+ * existant.
+ *
+ * @param login le login (ne doit pas etre vide)
+ * @param password le mot de passe de l'utilisateur
+ * @return le token de securite a utiliser pour les autres appels
+ * @throws SecurityException si l'authentification echoue
+ */
 @Override
 public String login(String login, String password) {
 long start = TimeLog.getTime();
- String tokenId;
+ if (StringUtils.isBlank(login)) {
+ if (log.isDebugEnabled()) {
+ log.debug(String.format("User try to authenticate with bad blank login: '%s'", login));
+ }
+ throw new SecurityException("bad login or password");
+ }
+ // recherche de l'utilisateur
 WikittyQuery criteria = new WikittyQueryMaker() .eq(WikittyUser.FQ_FIELD_WIKITTYUSER_LOGIN, login).end();
 String userId = getDelegate().findByQuery(null, Collections.singletonList(criteria)).get(0);
 if (userId == null) {
- throw new SecurityException(String.format("no such account '%s'", login));
- } else {
- Wikitty user = WikittyServiceEnhanced.restore(
- getDelegate(), null, userId);
- // check password is valid
- if (WikittyUserHelper.getPassword(user).equals(password)) {
- tokenId = getToken(user);
- } else {
- throw new SecurityException("bad login or password");
+ if (log.isDebugEnabled()) {
+ log.debug(String.format("User try to authenticate with bad login: '%s'", login));
 }
+ throw new SecurityException("bad login or password");
 }
+ // on a trouver l'utilisateur on le restore pour verifier le mot de passe
+ Wikitty user = WikittyServiceEnhanced.restore(
+ getDelegate(), null, userId);
+ // check password is valid
+ if (!StringUtils.equals(WikittyUserHelper.getPassword(user), password)) {
+ if (log.isDebugEnabled()) {
+ log.debug(String.format("User '%s' try to authenticate with bad password", login));
+ }
+ throw new SecurityException("bad login or password");
+ }
+
+ String tokenId = getToken(user);
+ if (log.isDebugEnabled()) {
+ log.debug(String.format("User logged: '%s'", login));
+ }
+
 timeLog.log(start, "login");
 return tokenId;
 }
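Review bot: The password check on the new side compares `WikittyUserHelper.getPassword(user)` with the caller-supplied `password` through `StringUtils.equals`, so the stored value and the submitted value must be in the same form (either a clear-text store, or a hash the caller has already computed, which this method cannot tell apart), and the comparison returns at the first differing character rather than in constant time. Replacing it with `String stored = WikittyUserHelper.getPassword(user);` followed by `if (stored == null || password == null || !MessageDigest.isEqual(stored.getBytes(StandardCharsets.UTF_8), password.getBytes(StandardCharsets.UTF_8)))` keeps the same accept/reject outcome while removing the early exit (needs `java.security.MessageDigest` and `java.nio.charset.StandardCharsets` imports). The uniform "bad login or password" message promised by the new Javadoc is only part of the protection: the three failure paths do visibly different amounts of work (immediate return, one query, query plus restore), so response time can still separate an unknown login from a known one, and a short comment next to the Javadoc stating that limitation would stop readers from over-relying on it. Also, if `findByQuery(...)` can return an empty list instead of a list holding `null`, the `.get(0)` call throws IndexOutOfBoundsException before the `userId == null` check is reached — worth confirming against the delegate's contract. The enclosing class continues outside the hunk.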