roller-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From snoopd...@apache.org
Subject [roller] 01/01: [ROL-2137] if you're going to enable remember me then you must set a unqiue key. And not the well known springRocks that was the default.
Date Sat, 11 May 2019 21:13:30 GMT
This is an automated email from the ASF dual-hosted git repository.

snoopdave pushed a commit to branch ROL-2137
in repository https://gitbox.apache.org/repos/asf/roller.git

commit 344677ce9de7f26526a76ff84524e82f59e1bde0
Author: snoopdave@gmail.com <snoopdave@gmail.com>
AuthorDate: Sat May 11 17:13:20 2019 -0400

    [ROL-2137] if you're going to enable remember me then you must set a unqiue key.
    And not the well known springRocks that was the default.
---
 .../RollerRememberMeAuthenticationProvider.java    | 44 ++++++++++++++++++++++
 .../ui/core/security/RollerRememberMeServices.java | 20 +++++++++-
 .../roller/weblogger/config/roller.properties      |  6 ++-
 app/src/main/webapp/WEB-INF/security.xml           |  2 +-
 4 files changed, 68 insertions(+), 4 deletions(-)

diff --git a/app/src/main/java/org/apache/roller/weblogger/ui/core/security/RollerRememberMeAuthenticationProvider.java
b/app/src/main/java/org/apache/roller/weblogger/ui/core/security/RollerRememberMeAuthenticationProvider.java
new file mode 100644
index 0000000..d805c58
--- /dev/null
+++ b/app/src/main/java/org/apache/roller/weblogger/ui/core/security/RollerRememberMeAuthenticationProvider.java
@@ -0,0 +1,44 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ *  contributor license agreements.  The ASF licenses this file to You
+ * under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.  For additional information regarding
+ * copyright in this work, please see the NOTICE file in the top level
+ * directory of this distribution.
+ */
+
+package org.apache.roller.weblogger.ui.core.security;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.roller.weblogger.config.WebloggerConfig;
+import org.springframework.security.authentication.RememberMeAuthenticationProvider;
+
+
+public class RollerRememberMeAuthenticationProvider extends RememberMeAuthenticationProvider
{
+    private static final Log log = LogFactory.getLog(RollerRememberMeServices.class);
+
+
+    public RollerRememberMeAuthenticationProvider(String ignored) {
+
+        String key = WebloggerConfig.getProperty("rememberme.key", "springRocks");
+
+        if ("springRocks".equals(key)) {
+            throw new RuntimeException(
+                "If remember-me is to be enabled, rememberme.key must be specified in the
roller " +
+                "properties file. Make sure it is a secret and make sure it is NOT be springRocks");
+        }
+        setKey(key);
+    }
+}
+
+
diff --git a/app/src/main/java/org/apache/roller/weblogger/ui/core/security/RollerRememberMeServices.java
b/app/src/main/java/org/apache/roller/weblogger/ui/core/security/RollerRememberMeServices.java
index 5aa7d51..72cfee4 100644
--- a/app/src/main/java/org/apache/roller/weblogger/ui/core/security/RollerRememberMeServices.java
+++ b/app/src/main/java/org/apache/roller/weblogger/ui/core/security/RollerRememberMeServices.java
@@ -1,3 +1,21 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ *  contributor license agreements.  The ASF licenses this file to You
+ * under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.  For additional information regarding
+ * copyright in this work, please see the NOTICE file in the top level
+ * directory of this distribution.
+ */
+
 package org.apache.roller.weblogger.ui.core.security;
 
 import org.apache.commons.logging.Log;
@@ -13,7 +31,7 @@ import java.security.NoSuchAlgorithmException;
 
 
 public class RollerRememberMeServices extends TokenBasedRememberMeServices {
-    private static final Log log = LogFactory.getLog(CustomUserRegistry.class);
+    private static final Log log = LogFactory.getLog(RollerRememberMeServices.class);
 
 
     public RollerRememberMeServices() {
diff --git a/app/src/main/resources/org/apache/roller/weblogger/config/roller.properties b/app/src/main/resources/org/apache/roller/weblogger/config/roller.properties
index 785a893..125520c 100644
--- a/app/src/main/resources/org/apache/roller/weblogger/config/roller.properties
+++ b/app/src/main/resources/org/apache/roller/weblogger/config/roller.properties
@@ -604,8 +604,10 @@ config.expandedProperties=uploads.dir,search.index.dir,mediafiles.storage.dir
 # True to enable history in Atom feeds with next/prev links
 site.newsfeeds.history.enabled=false
 
-# Some folks consider remember-me type functionality to be a security
-rememberme.enabled=true
+# Some folks consider remember-me type functionality to be a security risk
+# If you enable remember me you MUST define a unique secret key that is not 'springRocks'
+rememberme.enabled=false
+rememberme.key=
 
 # You might want to disable GZIP if your app server already supports it
 compression.gzipResponse.enabled=true
diff --git a/app/src/main/webapp/WEB-INF/security.xml b/app/src/main/webapp/WEB-INF/security.xml
index 33f80a2..1e20338 100644
--- a/app/src/main/webapp/WEB-INF/security.xml
+++ b/app/src/main/webapp/WEB-INF/security.xml
@@ -83,7 +83,7 @@
     </beans:bean>
 
     <beans:bean id="rememberMeAuthenticationProvider"
-                class="org.springframework.security.authentication.RememberMeAuthenticationProvider">
+                class="org.apache.roller.weblogger.ui.core.security.RollerRememberMeAuthenticationProvider">
         <beans:property name="key" value="springRocks"/>
     </beans:bean>
 


Mime
View raw message