Merge with aa6c509f154d3cfec350ea4cf1803ac7af982bda

This commit is contained in:
Heng Sin Low 2012-08-01 18:18:37 +08:00
commit cb10841f6f
16 changed files with 758 additions and 144 deletions

View File

@ -0,0 +1,78 @@
-- 29/06/2011 1:33:27 PM
-- -
UPDATE AD_Column SET FieldLength=1024,Updated=TO_DATE('2011-06-29 13:33:27','YYYY-MM-DD HH24:MI:SS'),UpdatedBy=100 WHERE AD_Column_ID=417
;
-- 29/06/2011 1:33:31 PM
-- -
ALTER TABLE AD_User MODIFY Password NVARCHAR2(1024) DEFAULT NULL
;
-- 29/06/2011 1:34:52 PM
-- -
INSERT INTO AD_Element (AD_Client_ID,AD_Element_ID,AD_Org_ID,ColumnName,Created,CreatedBy,Description,EntityType,IsActive,Name,PrintName,Updated,UpdatedBy) VALUES (0,55218,0,'Salt',TO_DATE('2011-06-29 13:34:50','YYYY-MM-DD HH24:MI:SS'),100,'Random data added to improve password hash effectiveness','D','Y','Salt','Salt',TO_DATE('2011-06-29 13:34:50','YYYY-MM-DD HH24:MI:SS'),100)
;
-- 29/06/2011 1:34:52 PM
-- -
INSERT INTO AD_Element_Trl (AD_Language,AD_Element_ID, Description,Help,Name,PO_Description,PO_Help,PO_Name,PO_PrintName,PrintName, IsTranslated,AD_Client_ID,AD_Org_ID,Created,Createdby,Updated,UpdatedBy) SELECT l.AD_Language,t.AD_Element_ID, t.Description,t.Help,t.Name,t.PO_Description,t.PO_Help,t.PO_Name,t.PO_PrintName,t.PrintName, 'N',t.AD_Client_ID,t.AD_Org_ID,t.Created,t.Createdby,t.Updated,t.UpdatedBy FROM AD_Language l, AD_Element t WHERE l.IsActive='Y' AND l.IsSystemLanguage='Y' AND l.IsBaseLanguage='N' AND t.AD_Element_ID=55218 AND NOT EXISTS (SELECT * FROM AD_Element_Trl tt WHERE tt.AD_Language=l.AD_Language AND tt.AD_Element_ID=t.AD_Element_ID)
;
-- 29/06/2011 1:36:39 PM
-- -
ALTER TABLE AD_User ADD Salt NVARCHAR2(16) DEFAULT NULL
;
-- 29/06/2011 1:37:48 PM
-- -
INSERT INTO AD_Column (AD_Client_ID,AD_Column_ID,AD_Element_ID,AD_Org_ID,AD_Reference_ID,AD_Table_ID,ColumnName,Created,CreatedBy,Description,EntityType,FieldLength,IsActive,IsAllowLogging,IsAlwaysUpdateable,IsAutocomplete,IsEncrypted,IsIdentifier,IsKey,IsMandatory,IsParent,IsSelectionColumn,IsSyncDatabase,IsTranslated,IsUpdateable,Name,SeqNo,Updated,UpdatedBy,Version) VALUES (0,61756,55218,0,10,114,'Salt',TO_DATE('2011-06-29 13:37:47','YYYY-MM-DD HH24:MI:SS'),100,'Random data added to improve password hash effectiveness','D',16,'Y','Y','N','N','N','N','N','N','N','N','N','N','N','Salt',0,TO_DATE('2011-06-29 13:37:47','YYYY-MM-DD HH24:MI:SS'),100,0)
;
-- 29/06/2011 1:37:48 PM
-- -
INSERT INTO AD_Column_Trl (AD_Language,AD_Column_ID, Name, IsTranslated,AD_Client_ID,AD_Org_ID,Created,Createdby,Updated,UpdatedBy) SELECT l.AD_Language,t.AD_Column_ID, t.Name, 'N',t.AD_Client_ID,t.AD_Org_ID,t.Created,t.Createdby,t.Updated,t.UpdatedBy FROM AD_Language l, AD_Column t WHERE l.IsActive='Y' AND l.IsSystemLanguage='Y' AND l.IsBaseLanguage='N' AND t.AD_Column_ID=61756 AND NOT EXISTS (SELECT * FROM AD_Column_Trl tt WHERE tt.AD_Language=l.AD_Language AND tt.AD_Column_ID=t.AD_Column_ID)
;
-- 29/06/2011 4:59:43 PM
-- -
INSERT INTO AD_Process (AccessLevel,AD_Client_ID,AD_Org_ID,AD_Process_ID,Classname,CopyFromProcess,Created,CreatedBy,Description,EntityType,Help,IsActive,IsBetaFunctionality,IsDirectPrint,IsReport,IsServerProcess,Name,ShowHelp,Statistic_Count,Statistic_Seconds,Updated,UpdatedBy,Value) VALUES ('4',0,0,53259,'org.compiere.process.HashPasswords','N',TO_DATE('2011-06-29 16:59:41','YYYY-MM-DD HH24:MI:SS'),100,'Convert existing plain text/encrypted user passwords to one way hash','D','This process will overwrite existing user passwords with a salted SHA-512 hash of the password so that they cannot be recovered if your database is compromised.
(Note: If your password column is currently encrypted, the hash will also be encrypted.)','Y','N','N','N','N','Convert passwords to hashes','Y',0,0,TO_DATE('2011-06-29 16:59:41','YYYY-MM-DD HH24:MI:SS'),100,'AD_User_HashPassword')
;
-- 29/06/2011 4:59:43 PM
-- -
INSERT INTO AD_Process_Trl (AD_Language,AD_Process_ID, Description,Help,Name, IsTranslated,AD_Client_ID,AD_Org_ID,Created,Createdby,Updated,UpdatedBy) SELECT l.AD_Language,t.AD_Process_ID, t.Description,t.Help,t.Name, 'N',t.AD_Client_ID,t.AD_Org_ID,t.Created,t.Createdby,t.Updated,t.UpdatedBy FROM AD_Language l, AD_Process t WHERE l.IsActive='Y' AND l.IsSystemLanguage='Y' AND l.IsBaseLanguage='N' AND t.AD_Process_ID=53259 AND NOT EXISTS (SELECT * FROM AD_Process_Trl tt WHERE tt.AD_Language=l.AD_Language AND tt.AD_Process_ID=t.AD_Process_ID)
;
-- 29/06/2011 5:00:28 PM
-- -
INSERT INTO AD_Menu (Action,AD_Client_ID,AD_Menu_ID,AD_Org_ID,AD_Process_ID,Created,CreatedBy,EntityType,IsActive,IsCentrallyMaintained,IsReadOnly,IsSOTrx,IsSummary,Name,Updated,UpdatedBy) VALUES ('P',0,53348,0,53259,TO_DATE('2011-06-29 17:00:27','YYYY-MM-DD HH24:MI:SS'),100,'D','Y','Y','N','N','N','Hash Passwords',TO_DATE('2011-06-29 17:00:27','YYYY-MM-DD HH24:MI:SS'),100)
;
-- 29/06/2011 5:00:28 PM
-- -
INSERT INTO AD_Menu_Trl (AD_Language,AD_Menu_ID, Description,Name, IsTranslated,AD_Client_ID,AD_Org_ID,Created,Createdby,Updated,UpdatedBy) SELECT l.AD_Language,t.AD_Menu_ID, t.Description,t.Name, 'N',t.AD_Client_ID,t.AD_Org_ID,t.Created,t.Createdby,t.Updated,t.UpdatedBy FROM AD_Language l, AD_Menu t WHERE l.IsActive='Y' AND l.IsSystemLanguage='Y' AND l.IsBaseLanguage='N' AND t.AD_Menu_ID=53348 AND NOT EXISTS (SELECT * FROM AD_Menu_Trl tt WHERE tt.AD_Language=l.AD_Language AND tt.AD_Menu_ID=t.AD_Menu_ID)
;
-- 29/06/2011 5:00:28 PM
-- -
INSERT INTO AD_TreeNodeMM (AD_Client_ID,AD_Org_ID, IsActive,Created,CreatedBy,Updated,UpdatedBy, AD_Tree_ID, Node_ID, Parent_ID, SeqNo) SELECT t.AD_Client_ID, 0, 'Y', SysDate, 100, SysDate, 100,t.AD_Tree_ID, 53348, 0, 999 FROM AD_Tree t WHERE t.AD_Client_ID=0 AND t.IsActive='Y' AND t.IsAllNodes='Y' AND t.TreeType='MM' AND NOT EXISTS (SELECT * FROM AD_TreeNodeMM e WHERE e.AD_Tree_ID=t.AD_Tree_ID AND Node_ID=53348)
;
-- 29/06/2011 5:00:53 PM
-- -
UPDATE AD_TreeNodeMM SET Parent_ID=367, SeqNo=999, Updated=SysDate WHERE AD_Tree_ID=10 AND Node_ID=53348
;
-- Jul 24, 2012 5:50:06 PM COT
INSERT INTO AD_SysConfig (AD_SysConfig_ID,EntityType,ConfigurationLevel,Value,Description,AD_SysConfig_UU,Created,Updated,AD_Client_ID,AD_Org_ID,CreatedBy,IsActive,UpdatedBy,Name) VALUES (200013,'D','S','N','Enable hash passwords, please use Hash Password process to enable','569577c3-3bfa-4d0f-a2e3-d98752164667',TO_DATE('2012-07-24 17:50:04','YYYY-MM-DD HH24:MI:SS'),TO_DATE('2012-07-24 17:50:04','YYYY-MM-DD HH24:MI:SS'),0,0,0,'Y',0,'USER_PASSWORD_HASH')
;
UPDATE AD_System
SET LastMigrationScriptApplied='854_PasswordHash_IDEMPIERE-347.sql'
WHERE LastMigrationScriptApplied<'854_PasswordHash_IDEMPIERE-347.sql'
OR LastMigrationScriptApplied IS NULL
;

View File

@ -0,0 +1,78 @@
-- 29/06/2011 1:33:27 PM
-- -
UPDATE AD_Column SET FieldLength=1024,Updated=TO_TIMESTAMP('2011-06-29 13:33:27','YYYY-MM-DD HH24:MI:SS'),UpdatedBy=100 WHERE AD_Column_ID=417
;
-- 29/06/2011 1:33:31 PM
-- -
INSERT INTO t_alter_column values('ad_user','Password','VARCHAR(1024)',null,'NULL')
;
-- 29/06/2011 1:34:52 PM
-- -
INSERT INTO AD_Element (AD_Client_ID,AD_Element_ID,AD_Org_ID,ColumnName,Created,CreatedBy,Description,EntityType,IsActive,Name,PrintName,Updated,UpdatedBy) VALUES (0,55218,0,'Salt',TO_TIMESTAMP('2011-06-29 13:34:50','YYYY-MM-DD HH24:MI:SS'),100,'Random data added to improve password hash effectiveness','D','Y','Salt','Salt',TO_TIMESTAMP('2011-06-29 13:34:50','YYYY-MM-DD HH24:MI:SS'),100)
;
-- 29/06/2011 1:34:52 PM
-- -
INSERT INTO AD_Element_Trl (AD_Language,AD_Element_ID, Description,Help,Name,PO_Description,PO_Help,PO_Name,PO_PrintName,PrintName, IsTranslated,AD_Client_ID,AD_Org_ID,Created,Createdby,Updated,UpdatedBy) SELECT l.AD_Language,t.AD_Element_ID, t.Description,t.Help,t.Name,t.PO_Description,t.PO_Help,t.PO_Name,t.PO_PrintName,t.PrintName, 'N',t.AD_Client_ID,t.AD_Org_ID,t.Created,t.Createdby,t.Updated,t.UpdatedBy FROM AD_Language l, AD_Element t WHERE l.IsActive='Y' AND l.IsSystemLanguage='Y' AND l.IsBaseLanguage='N' AND t.AD_Element_ID=55218 AND NOT EXISTS (SELECT * FROM AD_Element_Trl tt WHERE tt.AD_Language=l.AD_Language AND tt.AD_Element_ID=t.AD_Element_ID)
;
-- 29/06/2011 1:36:39 PM
-- -
ALTER TABLE AD_User ADD COLUMN Salt VARCHAR(16) DEFAULT NULL
;
-- 29/06/2011 1:37:48 PM
-- -
INSERT INTO AD_Column (AD_Client_ID,AD_Column_ID,AD_Element_ID,AD_Org_ID,AD_Reference_ID,AD_Table_ID,ColumnName,Created,CreatedBy,Description,EntityType,FieldLength,IsActive,IsAllowLogging,IsAlwaysUpdateable,IsAutocomplete,IsEncrypted,IsIdentifier,IsKey,IsMandatory,IsParent,IsSelectionColumn,IsSyncDatabase,IsTranslated,IsUpdateable,Name,SeqNo,Updated,UpdatedBy,Version) VALUES (0,61756,55218,0,10,114,'Salt',TO_TIMESTAMP('2011-06-29 13:37:47','YYYY-MM-DD HH24:MI:SS'),100,'Random data added to improve password hash effectiveness','D',16,'Y','Y','N','N','N','N','N','N','N','N','N','N','N','Salt',0,TO_TIMESTAMP('2011-06-29 13:37:47','YYYY-MM-DD HH24:MI:SS'),100,0)
;
-- 29/06/2011 1:37:48 PM
-- -
INSERT INTO AD_Column_Trl (AD_Language,AD_Column_ID, Name, IsTranslated,AD_Client_ID,AD_Org_ID,Created,Createdby,Updated,UpdatedBy) SELECT l.AD_Language,t.AD_Column_ID, t.Name, 'N',t.AD_Client_ID,t.AD_Org_ID,t.Created,t.Createdby,t.Updated,t.UpdatedBy FROM AD_Language l, AD_Column t WHERE l.IsActive='Y' AND l.IsSystemLanguage='Y' AND l.IsBaseLanguage='N' AND t.AD_Column_ID=61756 AND NOT EXISTS (SELECT * FROM AD_Column_Trl tt WHERE tt.AD_Language=l.AD_Language AND tt.AD_Column_ID=t.AD_Column_ID)
;
-- 29/06/2011 4:59:43 PM
-- -
INSERT INTO AD_Process (AccessLevel,AD_Client_ID,AD_Org_ID,AD_Process_ID,Classname,CopyFromProcess,Created,CreatedBy,Description,EntityType,Help,IsActive,IsBetaFunctionality,IsDirectPrint,IsReport,IsServerProcess,Name,ShowHelp,Statistic_Count,Statistic_Seconds,Updated,UpdatedBy,Value) VALUES ('4',0,0,53259,'org.compiere.process.HashPasswords','N',TO_TIMESTAMP('2011-06-29 16:59:41','YYYY-MM-DD HH24:MI:SS'),100,'Convert existing plain text/encrypted user passwords to one way hash','D','This process will overwrite existing user passwords with a salted SHA-512 hash of the password so that they cannot be recovered if your database is compromised.
(Note: If your password column is currently encrypted, the hash will also be encrypted.)','Y','N','N','N','N','Convert passwords to hashes','Y',0,0,TO_TIMESTAMP('2011-06-29 16:59:41','YYYY-MM-DD HH24:MI:SS'),100,'AD_User_HashPassword')
;
-- 29/06/2011 4:59:43 PM
-- -
INSERT INTO AD_Process_Trl (AD_Language,AD_Process_ID, Description,Help,Name, IsTranslated,AD_Client_ID,AD_Org_ID,Created,Createdby,Updated,UpdatedBy) SELECT l.AD_Language,t.AD_Process_ID, t.Description,t.Help,t.Name, 'N',t.AD_Client_ID,t.AD_Org_ID,t.Created,t.Createdby,t.Updated,t.UpdatedBy FROM AD_Language l, AD_Process t WHERE l.IsActive='Y' AND l.IsSystemLanguage='Y' AND l.IsBaseLanguage='N' AND t.AD_Process_ID=53259 AND NOT EXISTS (SELECT * FROM AD_Process_Trl tt WHERE tt.AD_Language=l.AD_Language AND tt.AD_Process_ID=t.AD_Process_ID)
;
-- 29/06/2011 5:00:28 PM
-- -
INSERT INTO AD_Menu (Action,AD_Client_ID,AD_Menu_ID,AD_Org_ID,AD_Process_ID,Created,CreatedBy,EntityType,IsActive,IsCentrallyMaintained,IsReadOnly,IsSOTrx,IsSummary,Name,Updated,UpdatedBy) VALUES ('P',0,53348,0,53259,TO_TIMESTAMP('2011-06-29 17:00:27','YYYY-MM-DD HH24:MI:SS'),100,'D','Y','Y','N','N','N','Hash Passwords',TO_TIMESTAMP('2011-06-29 17:00:27','YYYY-MM-DD HH24:MI:SS'),100)
;
-- 29/06/2011 5:00:28 PM
-- -
INSERT INTO AD_Menu_Trl (AD_Language,AD_Menu_ID, Description,Name, IsTranslated,AD_Client_ID,AD_Org_ID,Created,Createdby,Updated,UpdatedBy) SELECT l.AD_Language,t.AD_Menu_ID, t.Description,t.Name, 'N',t.AD_Client_ID,t.AD_Org_ID,t.Created,t.Createdby,t.Updated,t.UpdatedBy FROM AD_Language l, AD_Menu t WHERE l.IsActive='Y' AND l.IsSystemLanguage='Y' AND l.IsBaseLanguage='N' AND t.AD_Menu_ID=53348 AND NOT EXISTS (SELECT * FROM AD_Menu_Trl tt WHERE tt.AD_Language=l.AD_Language AND tt.AD_Menu_ID=t.AD_Menu_ID)
;
-- 29/06/2011 5:00:28 PM
-- -
INSERT INTO AD_TreeNodeMM (AD_Client_ID,AD_Org_ID, IsActive,Created,CreatedBy,Updated,UpdatedBy, AD_Tree_ID, Node_ID, Parent_ID, SeqNo) SELECT t.AD_Client_ID, 0, 'Y', CURRENT_TIMESTAMP, 100, CURRENT_TIMESTAMP, 100,t.AD_Tree_ID, 53348, 0, 999 FROM AD_Tree t WHERE t.AD_Client_ID=0 AND t.IsActive='Y' AND t.IsAllNodes='Y' AND t.TreeType='MM' AND NOT EXISTS (SELECT * FROM AD_TreeNodeMM e WHERE e.AD_Tree_ID=t.AD_Tree_ID AND Node_ID=53348)
;
-- 29/06/2011 5:00:53 PM
-- -
UPDATE AD_TreeNodeMM SET Parent_ID=367, SeqNo=999, Updated=CURRENT_TIMESTAMP WHERE AD_Tree_ID=10 AND Node_ID=53348
;
-- Jul 24, 2012 5:50:06 PM COT
INSERT INTO AD_SysConfig (AD_SysConfig_ID,EntityType,ConfigurationLevel,Value,Description,AD_SysConfig_UU,Created,Updated,AD_Client_ID,AD_Org_ID,CreatedBy,IsActive,UpdatedBy,Name) VALUES (200013,'D','S','N','Enable hash passwords, please use Hash Password process to enable','569577c3-3bfa-4d0f-a2e3-d98752164667',TO_TIMESTAMP('2012-07-24 17:50:04','YYYY-MM-DD HH24:MI:SS'),TO_TIMESTAMP('2012-07-24 17:50:04','YYYY-MM-DD HH24:MI:SS'),0,0,0,'Y',0,'USER_PASSWORD_HASH')
;
UPDATE AD_System
SET LastMigrationScriptApplied='854_PasswordHash_IDEMPIERE-347.sql'
WHERE LastMigrationScriptApplied<'854_PasswordHash_IDEMPIERE-347.sql'
OR LastMigrationScriptApplied IS NULL
;

View File

@ -0,0 +1,78 @@
/******************************************************************************
* Product: Adempiere ERP & CRM Smart Business Solution *
* Copyright (C) 1999-2006 ComPiere, Inc. All Rights Reserved. *
* This program is free software; you can redistribute it and/or modify it *
* under the terms version 2 of the GNU General Public License as published *
* by the Free Software Foundation. This program is distributed in the hope *
* that it will be useful, but WITHOUT ANY WARRANTY; without even the implied *
* warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *
* See the GNU General Public License for more details. *
* You should have received a copy of the GNU General Public License along *
* with this program; if not, write to the Free Software Foundation, Inc., *
* 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. *
* For the text or an alternative of this public license, you may reach us *
* ComPiere, Inc., 2620 Augustine Dr. #245, Santa Clara, CA 95054, USA *
* or via info@compiere.org or http://www.compiere.org/license.html *
*****************************************************************************/
package org.compiere.process;
import java.util.List;
import org.adempiere.exceptions.AdempiereException;
import org.compiere.model.MSysConfig;
import org.compiere.model.MTable;
import org.compiere.model.MUser;
import org.compiere.model.SystemIDs;
/**
* Hash existing passwords
*
*/
public class HashPasswords extends SvrProcess
{
/**
* Prepare - e.g., get Parameters.
*/
protected void prepare()
{
} // prepare
/**
* Perform process.
* @return Message
* @throws Exception if not successful
*/
protected String doIt() throws Exception
{
boolean hash_password = MSysConfig.getBooleanValue("USER_PASSWORD_HASH", false);
if (hash_password)
throw new AdempiereException("Passwords already hashed");
String where = " Password IS NOT NULL AND Salt IS NULL ";
// update the sysconfig key to Y out of trx and reset the cache
MSysConfig conf = new MSysConfig(getCtx(), SystemIDs.SYSCONFIG_USER_HASH_PASSWORD, null);
conf.setValue("Y");
conf.saveEx();
MSysConfig.resetCache();
int count = 0;
try {
List<MUser> users = MTable.get(getCtx(), MUser.Table_ID).createQuery( where, get_TrxName()).list();
for ( MUser user : users )
{
user.setPassword(user.getPassword());
count++;
user.saveEx();
}
} catch (Exception e) {
// reset to N on exception
conf.setValue("N");
conf.saveEx();
throw e;
}
return "@Updated@ " + count;
} // doIt
} // HashPasswords

View File

@ -18,8 +18,8 @@ package org.compiere.process;
import java.util.logging.Level; import java.util.logging.Level;
import org.compiere.model.MSysConfig;
import org.compiere.model.MUser; import org.compiere.model.MUser;
import org.compiere.util.DB;
import org.compiere.util.Util; import org.compiere.util.Util;
/** /**
@ -77,57 +77,39 @@ public class UserPassword extends SvrProcess
MUser user = MUser.get(getCtx(), p_AD_User_ID); MUser user = MUser.get(getCtx(), p_AD_User_ID);
MUser operator = MUser.get(getCtx(), getAD_User_ID()); MUser operator = MUser.get(getCtx(), getAD_User_ID());
log.fine("User=" + user + ", Operator=" + operator); log.fine("User=" + user + ", Operator=" + operator);
boolean hash_password = MSysConfig.getBooleanValue("USER_PASSWORD_HASH", false);
// Do we need a password ? // Do we need a password ?
if (Util.isEmpty(p_OldPassword)) // Password required if (Util.isEmpty(p_OldPassword)) // Password required
{ {
if (p_AD_User_ID == 0 // change of System if (p_AD_User_ID == 0 // change of System
|| p_AD_User_ID == 100 // change of SuperUser || p_AD_User_ID == 100 // change of SuperUser
|| !operator.isAdministrator()) || !operator.isAdministrator())
throw new IllegalArgumentException("@OldPasswordMandatory@"); throw new IllegalArgumentException("@OldPasswordMandatory@");
} }
// is entered Password correct ? // is entered Password correct ?
else if (!p_OldPassword.equals(user.getPassword())) else {
throw new IllegalArgumentException("@OldPasswordNoMatch@"); if (hash_password){
if (!user.authenticateHash(p_OldPassword) )
throw new IllegalArgumentException("@OldPasswordNoMatch@");
} else{
if (!p_OldPassword.equals(user.getPassword()))
throw new IllegalArgumentException("@OldPasswordNoMatch@");
}
}
// Change Super User if (!Util.isEmpty(p_NewPassword))
if (p_AD_User_ID == 0) user.setPassword(p_NewPassword);
{ if (!Util.isEmpty(p_NewEMail))
String sql = "UPDATE AD_User SET Updated=SysDate, UpdatedBy=" + getAD_User_ID(); user.setEMail(p_NewEMail);
if (!Util.isEmpty(p_NewPassword)) if (!Util.isEmpty(p_NewEMailUser))
sql += ", Password=" + DB.TO_STRING(p_NewPassword); user.setEMailUser(p_NewEMailUser);
if (!Util.isEmpty(p_NewEMail)) if (!Util.isEmpty(p_NewEMailUserPW))
sql += ", Email=" + DB.TO_STRING(p_NewEMail); user.setEMailUserPW(p_NewEMailUserPW);
if (!Util.isEmpty(p_NewEMailUser)) user.saveEx();
sql += ", EmailUser=" + DB.TO_STRING(p_NewEMailUser);
if (!Util.isEmpty(p_NewEMailUserPW)) return "OK";
sql += ", EmailUserPW=" + DB.TO_STRING(p_NewEMailUserPW);
sql += " WHERE AD_User_ID=0";
if (DB.executeUpdate(sql, get_TrxName()) == 1)
return "OK";
else
return "@Error@";
}
else
{
if (!Util.isEmpty(p_NewPassword))
user.setPassword(p_NewPassword);
if (!Util.isEmpty(p_NewEMail))
user.setEMail(p_NewEMail);
if (!Util.isEmpty(p_NewEMailUser))
user.setEMailUser(p_NewEMailUser);
if (!Util.isEmpty(p_NewEMailUserPW))
user.setEMailUserPW(p_NewEMailUserPW);
//
if (user.save())
return "OK";
else
return "@Error@";
}
} // doIt } // doIt
} // UserPassword } // UserPassword

View File

@ -1443,17 +1443,8 @@ public class GridTable extends AbstractTableModel
&& (Env.getAD_User_ID(m_ctx) == USER_SYSTEM || Env.getAD_User_ID(m_ctx) == USER_SUPERUSER) // user must know what is doing -> just allowed to System or SuperUser (Hardcoded) && (Env.getAD_User_ID(m_ctx) == USER_SYSTEM || Env.getAD_User_ID(m_ctx) == USER_SUPERUSER) // user must know what is doing -> just allowed to System or SuperUser (Hardcoded)
&& getKeyID(m_rowChanged) == 0) { // the record being changed has ID = 0 && getKeyID(m_rowChanged) == 0) { // the record being changed has ID = 0
String tablename = getTableName(); // just the allowed tables (HardCoded) String tablename = getTableName(); // just the allowed tables (HardCoded)
if (tablename.equals("AD_Org") || if (MTable.isZeroIDTable(tablename))
tablename.equals("AD_ReportView") ||
tablename.equals("AD_Role") ||
tablename.equals("AD_System") ||
tablename.equals("AD_User") ||
tablename.equals("C_DocType") ||
tablename.equals("GL_Category") ||
tablename.equals("M_AttributeSet") ||
tablename.equals("M_AttributeSetInstance")) {
specialZeroUpdate = true; specialZeroUpdate = true;
}
} }
// Check Mandatory // Check Mandatory

View File

@ -458,6 +458,19 @@ public interface I_AD_User
/** Get Process Now */ /** Get Process Now */
public boolean isProcessing(); public boolean isProcessing();
/** Column name Salt */
public static final String COLUMNNAME_Salt = "Salt";
/** Set Salt.
* Random data added to improve password hash effectiveness
*/
public void setSalt (String Salt);
/** Get Salt.
* Random data added to improve password hash effectiveness
*/
public String getSalt();
/** Column name Supervisor_ID */ /** Column name Supervisor_ID */
public static final String COLUMNNAME_Supervisor_ID = "Supervisor_ID"; public static final String COLUMNNAME_Supervisor_ID = "Supervisor_ID";

View File

@ -50,11 +50,10 @@ import org.compiere.util.DB;
*/ */
public class MTable extends X_AD_Table public class MTable extends X_AD_Table
{ {
/** /**
* *
*/ */
private static final long serialVersionUID = -2367316254623142732L; private static final long serialVersionUID = 8264472455498363565L;
public final static int MAX_OFFICIAL_ID = 999999; public final static int MAX_OFFICIAL_ID = 999999;
@ -587,4 +586,20 @@ public class MTable extends X_AD_Table
return sb.toString (); return sb.toString ();
} // toString } // toString
/**
* Verify if the table contains ID=0
* @return true if table has zero ID
*/
public static boolean isZeroIDTable(String tablename) {
return (tablename.equals("AD_Org") ||
tablename.equals("AD_ReportView") ||
tablename.equals("AD_Role") ||
tablename.equals("AD_System") ||
tablename.equals("AD_User") ||
tablename.equals("C_DocType") ||
tablename.equals("GL_Category") ||
tablename.equals("M_AttributeSet") ||
tablename.equals("M_AttributeSetInstance"));
}
} // MTable } // MTable

View File

@ -16,6 +16,9 @@
*****************************************************************************/ *****************************************************************************/
package org.compiere.model; package org.compiere.model;
import java.io.UnsupportedEncodingException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.sql.PreparedStatement; import java.sql.PreparedStatement;
import java.sql.ResultSet; import java.sql.ResultSet;
import java.sql.SQLException; import java.sql.SQLException;
@ -33,6 +36,7 @@ import org.compiere.util.CCache;
import org.compiere.util.CLogger; import org.compiere.util.CLogger;
import org.compiere.util.DB; import org.compiere.util.DB;
import org.compiere.util.Env; import org.compiere.util.Env;
import org.compiere.util.Secure;
import org.compiere.util.SecureEngine; import org.compiere.util.SecureEngine;
/** /**
@ -50,7 +54,7 @@ public class MUser extends X_AD_User
/** /**
* *
*/ */
private static final long serialVersionUID = -5845477151929518375L; private static final long serialVersionUID = -5343496366428193731L;
/** /**
* Get active Users of BPartner * Get active Users of BPartner
@ -167,44 +171,82 @@ public class MUser extends X_AD_User
s_log.warning ("Invalid Name/Password = " + name + "/" + password); s_log.warning ("Invalid Name/Password = " + name + "/" + password);
return null; return null;
} }
int AD_Client_ID = Env.getAD_Client_ID(ctx); boolean hash_password = MSysConfig.getBooleanValue("USER_PASSWORD_HASH", false);
MUser retValue = null; MUser retValue = null;
String sql = "SELECT * FROM AD_User " if (!hash_password)
+ "WHERE COALESCE(LDAPUser, Name)=? " // #1
+ " AND ((Password=? AND (SELECT IsEncrypted FROM AD_Column WHERE AD_Column_ID=417)='N') " // #2
+ "OR (Password=? AND (SELECT IsEncrypted FROM AD_Column WHERE AD_Column_ID=417)='Y'))" // #3
+ " AND IsActive='Y' AND AD_Client_ID=?" // #4
;
PreparedStatement pstmt = null;
ResultSet rs = null;
try
{ {
pstmt = DB.prepareStatement (sql, null); int AD_Client_ID = Env.getAD_Client_ID(ctx);
pstmt.setString (1, name);
pstmt.setString (2, password);
pstmt.setString (3, SecureEngine.encrypt(password)); String sql = "SELECT * FROM AD_User "
pstmt.setInt(4, AD_Client_ID); + "WHERE COALESCE(LDAPUser, Name)=? " // #1
rs = pstmt.executeQuery (); + " AND ((Password=? AND (SELECT IsEncrypted FROM AD_Column WHERE AD_Column_ID=417)='N') " // #2
if (rs.next ()) + "OR (Password=? AND (SELECT IsEncrypted FROM AD_Column WHERE AD_Column_ID=417)='Y'))" // #3
+ " AND IsActive='Y' AND AD_Client_ID=?" // #4
;
PreparedStatement pstmt = null;
ResultSet rs = null;
try
{ {
retValue = new MUser (ctx, rs, null); pstmt = DB.prepareStatement (sql, null);
if (rs.next()) pstmt.setString (1, name);
s_log.warning ("More then one user with Name/Password = " + name); pstmt.setString (2, password);
pstmt.setString (3, SecureEngine.encrypt(password));
pstmt.setInt(4, AD_Client_ID);
rs = pstmt.executeQuery ();
if (rs.next ())
{
retValue = new MUser (ctx, rs, null);
if (rs.next())
s_log.warning ("More then one user with Name/Password = " + name);
}
else
s_log.fine("No record");
}
catch (Exception e)
{
s_log.log(Level.SEVERE, sql, e);
}
finally
{
DB.close(rs, pstmt);
rs = null; pstmt = null;
}
} else {
String where = " COALESCE(LDAPUser,Name) = ? AND" +
" EXISTS (SELECT * FROM AD_User_Roles ur" +
" INNER JOIN AD_Role r ON (ur.AD_Role_ID=r.AD_Role_ID)" +
" WHERE ur.AD_User_ID=AD_User.AD_User_ID AND ur.IsActive='Y' AND r.IsActive='Y') AND " +
" EXISTS (SELECT * FROM AD_Client c" +
" WHERE c.AD_Client_ID=AD_User.AD_Client_ID" +
" AND c.IsActive='Y') AND " +
" AD_User.IsActive='Y'";
MUser user = MTable.get(ctx, MUser.Table_ID).createQuery( where, null).setParameters(name).firstOnly(); // throws error if username collision occurs
String hash = null;
String salt = null;
if (user != null )
{
hash = user.getPassword();
salt = user.getSalt();
}
// always do calculation to confuse timing based attacks
if ( user == null )
user = MUser.get(ctx, 0);
if ( hash == null )
hash = "0000000000000000";
if ( salt == null )
salt = "0000000000000000";
if ( user.authenticateHash(password) )
{
retValue=user;
} }
else
s_log.fine("No record");
}
catch (Exception e)
{
s_log.log(Level.SEVERE, sql, e);
} }
finally return retValue;
{
DB.close(rs, pstmt);
rs = null; pstmt = null;
}
return retValue;
} // get } // get
/** /**
@ -308,6 +350,8 @@ public class MUser extends X_AD_User
private Boolean m_isAdministrator = null; private Boolean m_isAdministrator = null;
/** User Access Rights */ /** User Access Rights */
private X_AD_UserBPAccess[] m_bpAccess = null; private X_AD_UserBPAccess[] m_bpAccess = null;
/** Password Hashed **/
private boolean hashed = false;
/** /**
@ -376,6 +420,77 @@ public class MUser extends X_AD_User
return sb.toString (); return sb.toString ();
} // cleanValue } // cleanValue
/**
* Convert Password to SHA-512 hash with salt * 1000 iterations https://www.owasp.org/index.php/Hashing_Java
* @param password -- plain text password
*/
@Override
public void setPassword(String password) {
if ( password == null )
{
super.setPassword(password);
return;
}
boolean hash_password = MSysConfig.getBooleanValue("USER_PASSWORD_HASH", false);
if(!hash_password){
super.setPassword(password);
return;
}
if ( hashed )
return;
hashed = true; // prevents double call from beforeSave
// Uses a secure Random not a simple Random
SecureRandom random;
try {
random = SecureRandom.getInstance("SHA1PRNG");
// Salt generation 64 bits long
byte[] bSalt = new byte[8];
random.nextBytes(bSalt);
// Digest computation
String hash;
hash = SecureEngine.getSHA512Hash(1000,password,bSalt);
String sSalt = Secure.convertToHexString(bSalt);
super.setPassword(hash);
setSalt(sSalt);
} catch (NoSuchAlgorithmException e) {
super.setPassword(password);
} catch (UnsupportedEncodingException e) {
super.setPassword(password);
}
}
/**
* check if hashed password matches
*/
public boolean authenticateHash (String password) {
String hash = null;
String salt = null;
hash = getPassword();
salt = getSalt();
// always do calculation to prevent timing based attacks
if ( hash == null )
hash = "0000000000000000";
if ( salt == null )
salt = "0000000000000000";
try {
return SecureEngine.getSHA512Hash(1000, password, Secure.convertHexString(salt)).equals(hash);
} catch (NoSuchAlgorithmException ignored) {
log.log(Level.WARNING, "Password hashing not supported by JVM");
} catch (UnsupportedEncodingException ignored) {
log.log(Level.WARNING, "Password hashing not supported by JVM");
}
return false;
}
/** /**
* Get First Name * Get First Name
* @return first name * @return first name
@ -801,6 +916,13 @@ public class MUser extends X_AD_User
setEMailVerifyDate(null); setEMailVerifyDate(null);
if (newRecord || super.getValue() == null || is_ValueChanged("Value")) if (newRecord || super.getValue() == null || is_ValueChanged("Value"))
setValue(super.getValue()); setValue(super.getValue());
if (newRecord || is_ValueChanged("Password")) {
boolean hash_password = MSysConfig.getBooleanValue("USER_PASSWORD_HASH", false);
if (hash_password)
setPassword(getPassword());
}
return true; return true;
} // beforeSave } // beforeSave

View File

@ -1921,6 +1921,8 @@ public abstract class PO
continue; continue;
return false; // one value is non-zero return false; // one value is non-zero
} }
if (MTable.isZeroIDTable(get_TableName()))
return false;
return true; return true;
} // is_new } // is_new

View File

@ -145,4 +145,6 @@ public interface SystemIDs
public final static int WINDOW_SHIPMENT_CUSTOMER = 169; public final static int WINDOW_SHIPMENT_CUSTOMER = 169;
public final static int WINDOW_WAREHOUSE_LOCATOR = 139; public final static int WINDOW_WAREHOUSE_LOCATOR = 139;
public final static int WINDOW_WINDOW_TAB_FIELD = 102; public final static int WINDOW_WINDOW_TAB_FIELD = 102;
public final static int SYSCONFIG_USER_HASH_PASSWORD = 200013;
} }

View File

@ -664,6 +664,25 @@ public class X_AD_User extends PO implements I_AD_User, I_Persistent
} }
return false; return false;
} }
/**
* Set Salt.
*
* @param Salt
* Random data added to improve password hash effectiveness
*/
public void setSalt(String Salt) {
set_ValueNoCheck(COLUMNNAME_Salt, Salt);
}
/**
* Get Salt.
*
* @return Random data added to improve password hash effectiveness
*/
public String getSalt() {
return (String) get_Value(COLUMNNAME_Salt);
}
public I_AD_User getSupervisor() throws RuntimeException public I_AD_User getSupervisor() throws RuntimeException
{ {

View File

@ -15,7 +15,9 @@
* or via info@compiere.org or http://www.compiere.org/license.html * * or via info@compiere.org or http://www.compiere.org/license.html *
*****************************************************************************/ *****************************************************************************/
package org.compiere.util; package org.compiere.util;
import java.io.UnsupportedEncodingException;
import java.security.NoSuchAlgorithmException;
import java.security.Principal; import java.security.Principal;
import java.sql.Connection; import java.sql.Connection;
import java.sql.PreparedStatement; import java.sql.PreparedStatement;
@ -35,8 +37,11 @@ import org.compiere.model.MAcctSchema;
import org.compiere.model.MClientInfo; import org.compiere.model.MClientInfo;
import org.compiere.model.MCountry; import org.compiere.model.MCountry;
import org.compiere.model.MRole; import org.compiere.model.MRole;
import org.compiere.model.MSysConfig;
import org.compiere.model.MSystem; import org.compiere.model.MSystem;
import org.compiere.model.MTable;
import org.compiere.model.MTree_Base; import org.compiere.model.MTree_Base;
import org.compiere.model.MUser;
import org.compiere.model.ModelValidationEngine; import org.compiere.model.ModelValidationEngine;
@ -232,7 +237,8 @@ public class Login
*/ */
private KeyNamePair[] getRoles (String app_user, String app_pwd, boolean force) private KeyNamePair[] getRoles (String app_user, String app_pwd, boolean force)
{ {
log.info("User=" + app_user); log.info("User=" + app_user);
long start = System.currentTimeMillis(); long start = System.currentTimeMillis();
if (app_user == null) if (app_user == null)
{ {
@ -240,7 +246,7 @@ public class Login
return null; return null;
} }
// Authentification // Authentication
boolean authenticated = false; boolean authenticated = false;
MSystem system = MSystem.get(m_ctx); MSystem system = MSystem.get(m_ctx);
if (system == null) if (system == null)
@ -251,69 +257,159 @@ public class Login
log.warning("No Apps Password"); log.warning("No Apps Password");
return null; return null;
} }
if (system.isLDAP()) if (system.isLDAP())
{ {
authenticated = system.isLDAP(app_user, app_pwd); authenticated = system.isLDAP(app_user, app_pwd);
if (authenticated) if (authenticated){
app_pwd = null; app_pwd = null;
authenticated=true;
}
// if not authenticated, use AD_User as backup // if not authenticated, use AD_User as backup
} }
KeyNamePair[] retValue = null; boolean hash_password=MSysConfig.getBooleanValue("USER_PASSWORD_HASH", false);
ArrayList<KeyNamePair> list = new ArrayList<KeyNamePair>(); KeyNamePair[] retValue = null;
// ArrayList<KeyNamePair> list = new ArrayList<KeyNamePair>();
if(hash_password){
// adaxa-pb: try to authenticate using hashed password -- falls back to plain text/encrypted
String where = " COALESCE(LDAPUser,Name) = ? AND" +
" EXISTS (SELECT * FROM AD_User_Roles ur" +
" INNER JOIN AD_Role r ON (ur.AD_Role_ID=r.AD_Role_ID)" +
" WHERE ur.AD_User_ID=AD_User.AD_User_ID AND ur.IsActive='Y' AND r.IsActive='Y') AND " +
" EXISTS (SELECT * FROM AD_Client c" +
" WHERE c.AD_Client_ID=AD_User.AD_Client_ID" +
" AND c.IsActive='Y') AND " +
" AD_User.IsActive='Y'";
MUser user = MTable.get(m_ctx, MUser.Table_ID).createQuery( where, null).setParameters(app_user).firstOnly(); // throws error if username collision occurs
String hash = null;
String salt = null;
int AD_User_ID = -1;
if (user != null )
{
hash = user.getPassword();
salt = user.getSalt();
}
// always do calculation to confuse timing based attacks
if ( user == null )
user = MUser.get(m_ctx, 0);
if ( hash == null )
hash = "0000000000000000";
if ( salt == null )
salt = "0000000000000000";
if ( user.authenticateHash(app_pwd) )
{
authenticated = true;
AD_User_ID = user.getAD_User_ID();
app_pwd = null;
}
}
else{
StringBuffer sql = new StringBuffer("SELECT u.AD_User_ID,")
.append(" u.ConnectionProfile ")
.append(" FROM AD_User u");
sql.append(" WHERE COALESCE(u.LDAPUser,u.Name)=?");
sql.append(" AND u.IsActive='Y'").append(" AND EXISTS (SELECT * FROM AD_Client c WHERE u.AD_Client_ID=c.AD_Client_ID AND c.IsActive='Y')");
if (app_pwd != null)
sql.append(" AND ((u.Password=? AND (SELECT IsEncrypted FROM AD_Column WHERE AD_Column_ID=417)='N') "
+ "OR (u.Password=? AND (SELECT IsEncrypted FROM AD_Column WHERE AD_Column_ID=417)='Y'))"); // #2/3
PreparedStatement pstmt1=null;
ResultSet rs1=null;
try{
pstmt1 = DB.prepareStatement(sql.toString(), null);
pstmt1.setString(1, app_user);
if (app_pwd != null)
{
pstmt1.setString(2, app_pwd);
pstmt1.setString(3, SecureEngine.encrypt(app_pwd));
}
rs1 = pstmt1.executeQuery();
while(rs1.next()){
authenticated=true;
}
}catch (Exception ex) {
// TODO: handle exception
log.log(Level.SEVERE, sql.toString(), ex);
log.saveError("DBLogin", ex);
retValue = null;
}
finally
{
DB.close(rs1, pstmt1);
rs1 = null; pstmt1 = null;
}
}
if(authenticated){
StringBuffer sql = new StringBuffer("SELECT u.AD_User_ID, r.AD_Role_ID,r.Name,") StringBuffer sql = new StringBuffer("SELECT u.AD_User_ID, r.AD_Role_ID,r.Name,")
.append(" u.ConnectionProfile ") .append(" u.ConnectionProfile ")
.append("FROM AD_User u") .append("FROM AD_User u")
.append(" INNER JOIN AD_User_Roles ur ON (u.AD_User_ID=ur.AD_User_ID AND ur.IsActive='Y')") .append(" INNER JOIN AD_User_Roles ur ON (u.AD_User_ID=ur.AD_User_ID AND ur.IsActive='Y')")
.append(" INNER JOIN AD_Role r ON (ur.AD_Role_ID=r.AD_Role_ID AND r.IsActive='Y') ") .append(" INNER JOIN AD_Role r ON (ur.AD_Role_ID=r.AD_Role_ID AND r.IsActive='Y') ");
.append("WHERE COALESCE(u.LDAPUser,u.Name)=?") // #1
.append(" AND u.IsActive='Y'") sql.append("WHERE COALESCE(u.LDAPUser,u.Name)=?"); // #1
.append(" AND EXISTS (SELECT * FROM AD_Client c WHERE u.AD_Client_ID=c.AD_Client_ID AND c.IsActive='Y')");
if (app_pwd != null) sql.append(" AND u.IsActive='Y'").append(" AND EXISTS (SELECT * FROM AD_Client c WHERE u.AD_Client_ID=c.AD_Client_ID AND c.IsActive='Y')");
sql.append(" AND ((u.Password=? AND (SELECT IsEncrypted FROM AD_Column WHERE AD_Column_ID=417)='N') "
+ "OR (u.Password=? AND (SELECT IsEncrypted FROM AD_Column WHERE AD_Column_ID=417)='Y'))"); // #2/3 /* if (app_pwd != null && !hash_password)
sql.append(" ORDER BY r.Name"); sql.append(" AND ((u.Password=? AND (SELECT IsEncrypted FROM AD_Column WHERE AD_Column_ID=417)='N') "
+ "OR (u.Password=? AND (SELECT IsEncrypted FROM AD_Column WHERE AD_Column_ID=417)='Y'))"); // #2/3*/
sql.append(" ORDER BY r.Name");
PreparedStatement pstmt = null; PreparedStatement pstmt = null;
ResultSet rs = null; ResultSet rs = null;
try try
{ {
pstmt = DB.prepareStatement(sql.toString(), null); pstmt = DB.prepareStatement(sql.toString(), null);
pstmt.setString(1, app_user); pstmt.setString(1, app_user);
if (app_pwd != null)
/*if (app_pwd != null && !hash_password)
{ {
pstmt.setString(2, app_pwd); pstmt.setString(2, app_pwd);
pstmt.setString(3, SecureEngine.encrypt(app_pwd)); pstmt.setString(3, SecureEngine.encrypt(app_pwd));
} }*/
// execute a query // execute a query
rs = pstmt.executeQuery(); rs = pstmt.executeQuery();
if (!rs.next()) // no record found if (!rs.next()) // no record found
if (force) if (force)
{ {
Env.setContext(m_ctx, "#AD_User_Name", "System"); Env.setContext(m_ctx, "#AD_User_Name", "System");
Env.setContext(m_ctx, "#AD_User_ID", "0"); Env.setContext(m_ctx, "#AD_User_ID", "0");
Env.setContext(m_ctx, "#AD_User_Description", "System Forced Login"); Env.setContext(m_ctx, "#AD_User_Description", "System Forced Login");
Env.setContext(m_ctx, "#User_Level", "S "); // Format 'SCO' Env.setContext(m_ctx, "#User_Level", "S "); // Format 'SCO'
Env.setContext(m_ctx, "#User_Client", "0"); // Format c1, c2, ... Env.setContext(m_ctx, "#User_Client", "0"); // Format c1, c2, ...
Env.setContext(m_ctx, "#User_Org", "0"); // Format o1, o2, ... Env.setContext(m_ctx, "#User_Org", "0"); // Format o1, o2, ...
rs.close(); rs.close();
pstmt.close(); pstmt.close();
retValue = new KeyNamePair[] {new KeyNamePair(0, "System Administrator")}; retValue = new KeyNamePair[] {new KeyNamePair(0, "System Administrator")};
return retValue; return retValue;
} }
else else
{ {
rs.close(); rs.close();
pstmt.close(); pstmt.close();
log.saveError("UserPwdError", app_user, false); log.saveError("UserPwdError", app_user, false);
return null; return null;
} }
Env.setContext(m_ctx, "#AD_User_Name", app_user); Env.setContext(m_ctx, "#AD_User_Name", app_user);
Env.setContext(m_ctx, "#AD_User_ID", rs.getInt(1)); Env.setContext(m_ctx, "#AD_User_ID", rs.getInt(1));
Env.setContext(m_ctx, "#SalesRep_ID", rs.getInt(1)); Env.setContext(m_ctx, "#SalesRep_ID", rs.getInt(1));
//
if (Ini.isClient()) if (Ini.isClient())
{ {
if (MSystem.isSwingRememberUserAllowed()) if (MSystem.isSwingRememberUserAllowed())
@ -335,7 +431,7 @@ public class Login
} }
} }
} }
do // read all roles do // read all roles
{ {
int AD_Role_ID = rs.getInt(2); int AD_Role_ID = rs.getInt(2);
@ -349,8 +445,10 @@ public class Login
// //
retValue = new KeyNamePair[list.size()]; retValue = new KeyNamePair[list.size()];
list.toArray(retValue); list.toArray(retValue);
log.fine("User=" + app_user + " - roles #" + retValue.length); log.fine("User=" + app_user + " - roles #" + retValue.length);
}
}
catch (Exception ex) catch (Exception ex)
{ {
log.log(Level.SEVERE, sql.toString(), ex); log.log(Level.SEVERE, sql.toString(), ex);
@ -363,6 +461,7 @@ public class Login
DB.close(rs, pstmt); DB.close(rs, pstmt);
rs = null; pstmt = null; rs = null; pstmt = null;
} }
}
long ms = System.currentTimeMillis () - start; long ms = System.currentTimeMillis () - start;
return retValue; return retValue;
} // getRoles } // getRoles

View File

@ -16,6 +16,7 @@
*****************************************************************************/ *****************************************************************************/
package org.compiere.util; package org.compiere.util;
import java.io.UnsupportedEncodingException;
import java.math.BigDecimal; import java.math.BigDecimal;
import java.security.AlgorithmParameters; import java.security.AlgorithmParameters;
import java.security.MessageDigest; import java.security.MessageDigest;
@ -378,6 +379,30 @@ public class Secure implements SecureInterface
return (convertHexString(value) != null); return (convertHexString(value) != null);
} // isDigest } // isDigest
/**
* Convert String and salt to SHA-512 hash with iterations
* https://www.owasp.org/index.php/Hashing_Java
*
* @param value message
* @return HexString of message (length = 128 characters)
* @throws NoSuchAlgorithmException
* @throws UnsupportedEncodingException
*/
public String getSHA512Hash (int iterations, String value, byte[] salt) throws NoSuchAlgorithmException, UnsupportedEncodingException
{
MessageDigest digest = MessageDigest.getInstance("SHA-512");
digest.reset();
digest.update(salt);
byte[] input = digest.digest(value.getBytes("UTF-8"));
for (int i = 0; i < iterations; i++) {
digest.reset();
input = digest.digest(input);
}
digest.reset();
//
return convertToHexString(input);
} // getSHA512Hash
/** /**
* String Representation * String Representation
* @return info * @return info

View File

@ -16,6 +16,8 @@
*****************************************************************************/ *****************************************************************************/
package org.compiere.util; package org.compiere.util;
import java.io.UnsupportedEncodingException;
import java.security.NoSuchAlgorithmException;
import java.util.Properties; import java.util.Properties;
import java.util.logging.Logger; import java.util.logging.Logger;
@ -70,6 +72,22 @@ public class SecureEngine
return s_engine.implementation.getClass().getName(); return s_engine.implementation.getClass().getName();
} // getClassName } // getClassName
/**
* Convert String and salt to SHA-512 hash with iterations
* https://www.owasp.org/index.php/Hashing_Java
*
* @param value message
* @return HexString of message (length = 128 characters)
* @throws UnsupportedEncodingException
* @throws NoSuchAlgorithmException
*/
public static String getSHA512Hash (int iterations, String value, byte[] salt) throws NoSuchAlgorithmException, UnsupportedEncodingException
{
if (s_engine == null)
init(System.getProperties());
return s_engine.implementation.getSHA512Hash(iterations, value, salt);
} // getDigest
/** /**
* Convert String to Digest. * Convert String to Digest.
* JavaScript version see - http://pajhome.org.uk/crypt/md5/index.html * JavaScript version see - http://pajhome.org.uk/crypt/md5/index.html

View File

@ -16,7 +16,9 @@
*****************************************************************************/ *****************************************************************************/
package org.compiere.util; package org.compiere.util;
import java.io.UnsupportedEncodingException;
import java.math.BigDecimal; import java.math.BigDecimal;
import java.security.NoSuchAlgorithmException;
import java.sql.Timestamp; import java.sql.Timestamp;
/** /**
@ -126,4 +128,15 @@ public interface SecureInterface
*/ */
public boolean isDigest (String value); public boolean isDigest (String value);
/**
* Convert String and salt to SHA-512 hash with iterations
* https://www.owasp.org/index.php/Hashing_Java
*
* @param value message
* @return HexString of message (length = 128 characters)
* @throws NoSuchAlgorithmException
* @throws UnsupportedEncodingException
*/
public String getSHA512Hash (int iterations, String value, byte[] salt) throws NoSuchAlgorithmException, UnsupportedEncodingException;
} // SecureInterface } // SecureInterface

View File

@ -30,6 +30,8 @@ import org.compiere.model.MBPartner;
import org.compiere.model.MBPartnerLocation; import org.compiere.model.MBPartnerLocation;
import org.compiere.model.MLocation; import org.compiere.model.MLocation;
import org.compiere.model.MRefList; import org.compiere.model.MRefList;
import org.compiere.model.MSysConfig;
import org.compiere.model.MTable;
import org.compiere.model.MUser; import org.compiere.model.MUser;
/** /**
@ -367,6 +369,7 @@ public class WebUser
m_loc = new MLocation (m_ctx, 0, null); m_loc = new MLocation (m_ctx, 0, null);
// //
log.info("= " + m_bp + " - " + m_bpc); log.info("= " + m_bp + " - " + m_bpc);
} // load } // load
/** /**
@ -669,8 +672,84 @@ public class WebUser
public boolean login (String password) public boolean login (String password)
{ {
m_loggedIn = isValid () // we have a contact m_loggedIn = isValid () // we have a contact
&& WebUtil.exists (password) // we have a password && WebUtil.exists (password); // we have a password
&& password.equals (getPassword ()); //&& password.equals (getPassword ());
boolean retValue = false;
if(m_loggedIn)
{
boolean hash_password=MSysConfig.getBooleanValue("USER_PASSWORD_HASH", false);
if(!hash_password)
{
String sql = "SELECT * FROM AD_User "
+ "WHERE COALESCE(LDAPUser, Name)=? " // #1
+ " AND ((Password=? AND (SELECT IsEncrypted FROM AD_Column WHERE AD_Column_ID=417)='N') " // #2
+ "OR (Password=? AND (SELECT IsEncrypted FROM AD_Column WHERE AD_Column_ID=417)='Y'))" // #3
+ " AND IsActive='Y' " // #4
;
PreparedStatement pstmt = null;
ResultSet rs = null;
try
{
pstmt = DB.prepareStatement (sql, null);
pstmt.setString (1, m_bpc.getName());
pstmt.setString (2, password);
pstmt.setString (3, SecureEngine.encrypt(password));
rs = pstmt.executeQuery ();
if (rs.next ())
{
retValue = true;
if (rs.next())
log.warning ("More then one user with Name/Password = " + m_bpc.getName());
}
else
log.fine("No record");
}
catch (Exception e)
{
log.log(Level.SEVERE, sql, e);
}
finally
{
DB.close(rs, pstmt);
rs = null; pstmt = null;
}
}
else{
String where = " COALESCE(LDAPUser,Name) = ? AND" +
" EXISTS (SELECT * FROM AD_User_Roles ur" +
" INNER JOIN AD_Role r ON (ur.AD_Role_ID=r.AD_Role_ID)" +
" WHERE ur.AD_User_ID=AD_User.AD_User_ID AND ur.IsActive='Y' AND r.IsActive='Y') AND " +
" EXISTS (SELECT * FROM AD_Client c" +
" WHERE c.AD_Client_ID=AD_User.AD_Client_ID" +
" AND c.IsActive='Y') AND " +
" AD_User.IsActive='Y'";
MUser user = MTable.get(m_ctx, MUser.Table_ID).createQuery( where, null).setParameters(m_bpc.getName()).firstOnly(); // throws error if username collision occurs
String hash = null;
String salt = null;
if (user != null )
{
hash = user.getPassword();
salt = user.getSalt();
}
// always do calculation to confuse timing based attacks
if ( user == null )
user = MUser.get(null, 0);
if ( hash == null )
hash = "0000000000000000";
if ( salt == null )
salt = "0000000000000000";
if ( user.authenticateHash(password) )
{
retValue=true;
}
}
}
m_loggedIn=m_loggedIn && retValue;
setPasswordOK (m_loggedIn, password); setPasswordOK (m_loggedIn, password);
log.fine("success=" + m_loggedIn); log.fine("success=" + m_loggedIn);
if (m_loggedIn) if (m_loggedIn)