Switched to PBKDF2 password hash
This commit is contained in:
parent
f339582025
commit
cbf6ef31f2
5 changed files with 33 additions and 27 deletions
|
|
@ -60,10 +60,11 @@ CREATE TABLE `User` (
|
||||||
`name` varchar(40) NOT NULL,
|
`name` varchar(40) NOT NULL,
|
||||||
`email` varchar(50) DEFAULT NULL,
|
`email` varchar(50) DEFAULT NULL,
|
||||||
`emailVerified` tinyint(1) NOT NULL,
|
`emailVerified` tinyint(1) NOT NULL,
|
||||||
`password` varchar(32) DEFAULT NULL,
|
`passwordHash` varchar(64) DEFAULT NULL,
|
||||||
|
`passwordSalt` varchar(5) DEFAULT NULL,
|
||||||
`ipHost` varchar(20) DEFAULT NULL,
|
`ipHost` varchar(20) DEFAULT NULL,
|
||||||
`loginDate` datetime DEFAULT NULL,
|
`loginDate` datetime DEFAULT NULL,
|
||||||
`sessionHash` varchar(32) DEFAULT NULL,
|
`cookieHash` varchar(32) DEFAULT NULL,
|
||||||
`superUser` tinyint(1) NOT NULL,
|
`superUser` tinyint(1) NOT NULL,
|
||||||
`enabled` tinyint(1) NOT NULL
|
`enabled` tinyint(1) NOT NULL
|
||||||
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
|
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
|
||||||
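Review bot: `passwordSalt varchar(5)` fixes the salt at five characters, which is far too small for a per-user salt (if the salt is hex, that is about 20 bits, and `setPassword` in the Java hunk at L386 truncates to exactly that width). A salt should be at least 16 random bytes, so the column needs room for its encoding, e.g. `passwordSalt varchar(32) DEFAULT NULL` for hex or `varchar(24)` for base64. Consider also recording the PBKDF2 iteration count (and digest) per row, e.g. `passwordIterations int DEFAULT NULL`, so parameters can be raised later without forcing a mass password reset; the hard-coded `1000` in the setter otherwise becomes a schema-wide constant nobody can change safely.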
|
|
@ -72,8 +73,8 @@ CREATE TABLE `User` (
|
||||||
-- Dumping data for table `User`
|
-- Dumping data for table `User`
|
||||||
--
|
--
|
||||||
|
|
||||||
INSERT INTO `User` (`id`, `name`, `email`, `emailVerified`, `password`, `facebookUid`, `sessionId`, `ipHost`, `loginDate`, `sessionHash`, `superUser`, `enabled`) VALUES
|
INSERT INTO `User` (`id`, `name`, `email`, `emailVerified`, `passwordHash`, `passwordSalt`, `ipHost`, `loginDate`, `cookieHash`, `superUser`, `enabled`) VALUES
|
||||||
(1, 'Admin Admin', 'admin@example.com', 1, '', NULL, '', '', '1970-01-01 01:00:0', '', 1, 1);
|
(1, 'Admin Admin', 'admin', 1, '6e88be8bad7eae9d9e10aa061224034fed48d03fcbad968b56006784539d5214', 'salt', '', '1970-01-01 01:00:0', '', 1, 1);
|
||||||
|
|
||||||
-- --------------------------------------------------------
|
-- --------------------------------------------------------
|
||||||
|
|
||||||
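Review bot: The admin seed row now ships a working credential: a non-NULL `passwordHash` with the fixed salt `'salt'`, and the very same hash/salt pair is reused for every row of the fixture hunk at L154, so one shared password with a known 5-character salt unlocks every seeded account, including the superuser. For the schema file, prefer seeding `NULL, NULL` for `passwordHash`/`passwordSalt` (User 03 had a NULL password before this change, so the application already tolerates it) and requiring the first administrator to set a password, or mark the seed clearly as development-only. Two smaller points on the same row: the `email` value changed from `'admin@example.com'` to `'admin'`, which matters if login looks users up by that column, and the literal `'1970-01-01 01:00:0'` is missing its final seconds digit (present on both sides, but worth fixing while the row is being touched).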
|
|
@ -120,8 +121,7 @@ ALTER TABLE `Image`
|
||||||
ALTER TABLE `User`
|
ALTER TABLE `User`
|
||||||
ADD PRIMARY KEY (`id`),
|
ADD PRIMARY KEY (`id`),
|
||||||
ADD KEY `email` (`email`),
|
ADD KEY `email` (`email`),
|
||||||
ADD KEY `sessionHash` (`sessionHash`),
|
ADD KEY `cookieHash` (`cookieHash`);
|
||||||
ADD KEY `facebookUid` (`facebookUid`);
|
|
||||||
|
|
||||||
--
|
--
|
||||||
-- Indexes for table `Video`
|
-- Indexes for table `Video`
|
||||||
|
|
|
||||||
|
|
@ -1640,18 +1640,18 @@ INSERT INTO `Image` (`id`, `folder`, `filename`, `user`, `title`, `description`,
|
||||||
-- Dumping data for table `User`
|
-- Dumping data for table `User`
|
||||||
--
|
--
|
||||||
|
|
||||||
INSERT INTO `User` (`id`, `name`, `email`, `emailVerified`, `password`, `facebookUid`, `sessionId`, `ipHost`, `loginDate`, `sessionHash`, `superUser`, `enabled`) VALUES
|
INSERT INTO `User` (`id`, `name`, `email`, `emailVerified`, `passwordHash`, `passwordSalt`, `ipHost`, `loginDate`, `cookieHash`, `superUser`, `enabled`) VALUES
|
||||||
(6, 'User 01', 'test@koc.se', 1, '6b8186c16808026b6f1dc60b148ced42', NULL, '95784E87A1640E85C37D7F1639E5F78C', '192.176.1.81', '2017-11-29 16:38:50', 'a0e09c1108fc5b004fcef94c6e0bb542', 1, 1),
|
(6, 'User 01', 'test@koc.se', 1, '6e88be8bad7eae9d9e10aa061224034fed48d03fcbad968b56006784539d5214', 'salt', '192.176.1.81', '2017-11-29 16:38:50', 'a0e09c1108fc5b004fcef94c6e0bb542', 1, 1),
|
||||||
(23, 'User 02', 'test@example.com', 1, '4580389f38088ec92c5eae50d9a2403b', NULL, '73522EA6720A8B612DB183016D1AB718', '91.7.201.37', '2017-10-23 16:38:25', '0ea7b083e0ac6db2b07d907913e190fd', 0, 1),
|
(23, 'User 02', 'test@example.com', 1, '6e88be8bad7eae9d9e10aa061224034fed48d03fcbad968b56006784539d5214', 'salt', '91.7.201.37', '2017-10-23 16:38:25', '0ea7b083e0ac6db2b07d907913e190fd', 0, 1),
|
||||||
(25, 'User 03', 'test@example.com', 1, NULL, NULL, '6B8A79652F84DF3CCA7381D693478FD1', 'koc.se', '2011-09-30 09:33:12', '62a29eab987b7a3953111cb602766f09', 0, 1),
|
(25, 'User 03', 'test@example.com', 1, '6e88be8bad7eae9d9e10aa061224034fed48d03fcbad968b56006784539d5214', 'salt', 'koc.se', '2011-09-30 09:33:12', '62a29eab987b7a3953111cb602766f09', 0, 1),
|
||||||
(27, 'User 05', 'test@example.com', 1, '20cca4a3c87f8b8ffaa9e1754cee8bdf', NULL, 'F186D18D72B80EE5A7C15F2BF2ED144D', '86.84.84.192', '2017-09-17 14:32:29', 'be3286ac15e5c93f6104642fb50c23ff', 0, 1),
|
(27, 'User 05', 'test@example.com', 1, '6e88be8bad7eae9d9e10aa061224034fed48d03fcbad968b56006784539d5214', 'salt', '86.84.84.192', '2017-09-17 14:32:29', 'be3286ac15e5c93f6104642fb50c23ff', 0, 1),
|
||||||
(28, 'User 06', 'test@example.com', 1, 'c2087d8beea7df99d23292a0f805e34e', NULL, '3BA5AB8B39C12EA6F7D86529F189180B', 'koc.se', '2012-05-09 15:43:13', '1e74987a3d3ccc1dfdce1bb35c95dbee', 0, 1),
|
(28, 'User 06', 'test@example.com', 1, '6e88be8bad7eae9d9e10aa061224034fed48d03fcbad968b56006784539d5214', 'salt', 'koc.se', '2012-05-09 15:43:13', '1e74987a3d3ccc1dfdce1bb35c95dbee', 0, 1),
|
||||||
(29, 'User 07', 'test@example.com', 1, 'f88910b4a83f7d074889aa02982e1eab', NULL, '402511A763FF4872B8D886C658C6EEFB', 'koc.se', '2012-10-31 18:52:15', '859f403053d7925731f611e5f8a1534b', 0, 1),
|
(29, 'User 07', 'test@example.com', 1, '6e88be8bad7eae9d9e10aa061224034fed48d03fcbad968b56006784539d5214', 'salt', 'koc.se', '2012-10-31 18:52:15', '859f403053d7925731f611e5f8a1534b', 0, 1),
|
||||||
(30, 'User 08', 'test@example.com', 1, '709e024ac8980bca06c0ec32ddcc1870', NULL, '48B523CD2A5B3F4185B756102448A9D4', 'koc.se', '2012-08-02 12:30:52', 'c2af6f2e738b67d5422e99f4ee6322cf', 0, 1),
|
(30, 'User 08', 'test@example.com', 1, '6e88be8bad7eae9d9e10aa061224034fed48d03fcbad968b56006784539d5214', 'salt', 'koc.se', '2012-08-02 12:30:52', 'c2af6f2e738b67d5422e99f4ee6322cf', 0, 1),
|
||||||
(33, 'User 09', 'test@example.com', 1, '755134b80c4f2f809314999da089742e', NULL, '730149420D78026FBC3DF33303CFD637', 'koc.se', '2012-11-20 20:56:22', 'e264557b8ee2dc6cb30686b1e4b49545', 0, 1),
|
(33, 'User 09', 'test@example.com', 1, '6e88be8bad7eae9d9e10aa061224034fed48d03fcbad968b56006784539d5214', 'salt', 'koc.se', '2012-11-20 20:56:22', 'e264557b8ee2dc6cb30686b1e4b49545', 0, 1),
|
||||||
(35, 'User 10', 'test@example.com', 1, '6e010025868ff207d098954324849e89', NULL, '6017712D1C325EEC1F3AFB693A93ED31', 'www.koc.se', '2014-09-18 21:17:25', '152d20d7d48df05bafef1fe32023d085', 0, 1),
|
(35, 'User 10', 'test@example.com', 1, '6e88be8bad7eae9d9e10aa061224034fed48d03fcbad968b56006784539d5214', 'salt', 'www.koc.se', '2014-09-18 21:17:25', '152d20d7d48df05bafef1fe32023d085', 0, 1),
|
||||||
(36, 'User 11', 'test@example.com', 1, '25d55ad283aa400af464c76d713c07ad', NULL, '70489CE7358FDFD6279D70EF20916FE6', 'koc.se', '2013-09-04 23:35:59', '0929202e64e78bab7d787873723ec979', 0, 1),
|
(36, 'User 11', 'test@example.com', 1, '6e88be8bad7eae9d9e10aa061224034fed48d03fcbad968b56006784539d5214', 'salt', 'koc.se', '2013-09-04 23:35:59', '0929202e64e78bab7d787873723ec979', 0, 1),
|
||||||
(37, 'User 12', 'test@example.com', 0, '8cd18c951d9964343131aeb65b1dfaca', NULL, 'C38C6D0D49AFF8E625AFE4E726BAF5CE', 'koc.se', '2015-01-09 15:34:36', '6c74b9abd564b34313af7c5161557a80', 0, 1),
|
(37, 'User 12', 'test@example.com', 0, '6e88be8bad7eae9d9e10aa061224034fed48d03fcbad968b56006784539d5214', 'salt', 'koc.se', '2015-01-09 15:34:36', '6c74b9abd564b34313af7c5161557a80', 0, 1),
|
||||||
(43, 'User 13', 'test@example.com', 0, '465860201c448343cf8a146bdd6868dd', NULL, 'A0DC6C15A921B653059D42BCD3F5EEBF', '91.7.239.138', '2017-08-01 23:48:15', '20a8626ffec27e2f90dc4bbaace4f995', 0, 1);
|
(43, 'User 13', 'test@example.com', 0, '6e88be8bad7eae9d9e10aa061224034fed48d03fcbad968b56006784539d5214', 'salt', '91.7.239.138', '2017-08-01 23:48:15', '20a8626ffec27e2f90dc4bbaace4f995', 0, 1);
|
||||||
|
|
||||||
-- --------------------------------------------------------
|
-- --------------------------------------------------------
|
||||||
|
|
|
||||||
|
|
@ -37,10 +37,10 @@ public class ModifyUserStatusAction extends ZalleryAction {
|
||||||
if (request.getParameter("email") != null)
|
if (request.getParameter("email") != null)
|
||||||
target_user.setEmail(request.getParameter("email"));
|
target_user.setEmail(request.getParameter("email"));
|
||||||
if (request.getParameter("password") != null) {
|
if (request.getParameter("password") != null) {
|
||||||
if (target_user.getPassword() == null)
|
if (target_user.getPasswordHash() == null)
|
||||||
target_user.setPassword(request.getParameter("password"));
|
target_user.setPassword(request.getParameter("password"));
|
||||||
else if (request.getParameter("oldPassword") != null)
|
else if (request.getParameter("oldPassword") != null)
|
||||||
if (target_user.getPassword().equals(request.getParameter("oldPassword")))
|
if (target_user.getPasswordHash().equals(request.getParameter("oldPassword")))
|
||||||
target_user.setPassword(request.getParameter("password"));
|
target_user.setPassword(request.getParameter("password"));
|
||||||
else {
|
else {
|
||||||
msgs.add(new UserMessage(MessageLevel.ERROR, "Wrong password!"));
|
msgs.add(new UserMessage(MessageLevel.ERROR, "Wrong password!"));
|
||||||
|
|
|
||||||
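Review bot: `target_user.getPasswordHash().equals(request.getParameter("oldPassword"))` compares the stored PBKDF2 hash with the raw `oldPassword` parameter, so for a genuine user this is always false and the change-password flow always ends in "Wrong password!". The old password has to be run through the same derivation as `setPassword` (same salt, same iteration count) before comparing, and the comparison should be constant-time, e.g. `if (target_user.verifyPassword(request.getParameter("oldPassword")))` with a `verifyPassword` on `User` that wraps `Hasher.PBKDF2(candidate, passwordSalt, 1000)` and `MessageDigest.isEqual(...)`; a salt accessor is not visible in this diff, so that method is also where the salt can stay encapsulated. The same verification logic is needed in `AuthenticationManager` (hunk at L468), so keeping it in one place avoids the two call sites drifting. The enclosing method begins and ends outside this hunk.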
|
|
@ -20,7 +20,8 @@ public class User extends DBBean {
|
||||||
protected String name;
|
protected String name;
|
||||||
protected String email;
|
protected String email;
|
||||||
protected boolean emailVerified;
|
protected boolean emailVerified;
|
||||||
protected String password;
|
protected String passwordHash;
|
||||||
|
protected String passwordSalt;
|
||||||
// Date
|
// Date
|
||||||
protected Timestamp loginDate;
|
protected Timestamp loginDate;
|
||||||
// security
|
// security
|
||||||
|
|
@ -89,7 +90,7 @@ public class User extends DBBean {
|
||||||
}
|
}
|
||||||
|
|
||||||
public String generateEmailVerificationHash() {
|
public String generateEmailVerificationHash() {
|
||||||
return Hasher.MD5("##helloWorld-->2011" + email + name + password);
|
return Hasher.MD5("##helloWorld-->2011" + email + name + passwordHash);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
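Review bot: `Hasher.MD5("##helloWorld-->2011" + email + name + passwordHash)` derives the e-mail verification token from a constant that lives in the source and from values stored in the same row, so anyone holding both the code and a database export can reproduce every user's token; the rename to `passwordHash` does not change that. Prefer an HMAC keyed with a secret loaded from configuration (`Mac.getInstance("HmacSHA256")`) over a delimited message, or a random per-user token stored with an expiry. If the binding to the password hash is intentional, document it: `// Token is bound to the current password hash: changing the password invalidates outstanding verification links.`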
|
|
@ -138,12 +139,17 @@ public class User extends DBBean {
|
||||||
this.emailVerified = verified;
|
this.emailVerified = verified;
|
||||||
}
|
}
|
||||||
|
|
||||||
public String getPassword() {
|
public String getPasswordHash() {
|
||||||
return password;
|
return passwordHash;
|
||||||
}
|
}
|
||||||
|
|
||||||
public void setPassword(String password) {
|
public void setPassword(String password) {
|
||||||
this.password = Hasher.MD5(password);
|
String newPasswordSalt = Hasher.SHA1(Math.random()).substring(0, 5);
|
||||||
|
String newPasswordHash = Hasher.PBKDF2(password, newPasswordSalt, 1000);
|
||||||
|
|
||||||
|
// We wait with setting the actual fields if there is an exception
|
||||||
|
this.passwordSalt = newPasswordSalt;
|
||||||
|
this.passwordHash = newPasswordHash;
|
||||||
}
|
}
|
||||||
|
|
||||||
public String getCookieHash() {
|
public String getCookieHash() {
|
||||||
|
|
|
||||||
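Review bot: The new salt in `setPassword` comes from `Hasher.SHA1(Math.random()).substring(0, 5)`, i.e. a non-cryptographic PRNG truncated to five characters, which gives a salt small enough that precomputation across users is practical; use `java.security.SecureRandom` and at least 16 bytes, and widen the `passwordSalt varchar(5)` column in the schema hunk at L10 to hold the encoding. The iteration count `1000` is hard-coded at the call site and well below current OWASP guidance for PBKDF2; lift it to a named constant so verification code can reference the same value, and consider storing it per row so it can be raised later. The comment `// We wait with setting the actual fields if there is an exception` reads backwards; suggest `// Assign both fields only after hashing succeeds, so an exception leaves the old credentials intact`.
```java
public void setPassword(String password) {
    // SALT_BYTES (>= 16) and PBKDF2_ITERATIONS are class constants to be added alongside the fields.
    byte[] saltBytes = new byte[SALT_BYTES];
    new java.security.SecureRandom().nextBytes(saltBytes);
    String newPasswordSalt = java.util.Base64.getEncoder().encodeToString(saltBytes);
    String newPasswordHash = Hasher.PBKDF2(password, newPasswordSalt, PBKDF2_ITERATIONS);
    // Assign both fields only after hashing succeeds, so an exception leaves the old credentials intact.
    this.passwordSalt = newPasswordSalt;
    this.passwordHash = newPasswordHash;
}
```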
|
|
@ -35,7 +35,7 @@ public class AuthenticationManager {
|
||||||
|
|
||||||
// Valid email?
|
// Valid email?
|
||||||
if( user != null ){
|
if( user != null ){
|
||||||
if (user.getPassword().equals(Hasher.MD5(password))) {
|
if (user.getPasswordHash().equals(Hasher.MD5(password))) {
|
||||||
setUserAuthenticated(db, user, User.AuthType.USER_INPUT, request, response);
|
setUserAuthenticated(db, user, User.AuthType.USER_INPUT, request, response);
|
||||||
return user;
|
return user;
|
||||||
} else {
|
} else {
|
||||||
|
|
|
||||||
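Review bot: `user.getPasswordHash().equals(Hasher.MD5(password))` still hashes the submitted password with MD5 while `setPassword` (hunk at L386) now stores PBKDF2 output, so after this commit no user can authenticate through this path. The check has to recompute PBKDF2 with the user's stored salt and iteration count and compare in constant time, and it must tolerate a NULL hash (the schema allows it and a fixture row had one before this change), e.g. `if (user.getPasswordHash() != null && user.verifyPassword(password)) {` with `verifyPassword` implemented once on `User` via `MessageDigest.isEqual(...)` and reused by `ModifyUserStatusAction` (hunk at L249). The enclosing method starts and ends outside this hunk.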