You are viewing a plain text version of this content. The canonical link for it is here.
Posted to jetspeed-dev@portals.apache.org by ta...@apache.org on 2014/07/13 02:05:49 UTC
svn commit: r1610090 - in /portals/jetspeed-2/portal/trunk:
components/jetspeed-portal/src/main/java/org/apache/jetspeed/administration/
components/jetspeed-portal/src/test/java/org/apache/jetspeed/administration/
jetspeed-portal-resources/src/main/res...
Author: taylor
Date: Sun Jul 13 00:05:48 2014
New Revision: 1610090
URL: http://svn.apache.org/r1610090
Log:
JS2-1296: fix for infinite loop of password generator. Contribution from David Dyer
Modified:
portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/administration/SimplePasswordGeneratorImpl.java
portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/test/java/org/apache/jetspeed/administration/TestPortalAdministrationImpl.java
portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/assembly/administration.xml
portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/assembly/security-spi-atn.xml
Modified: portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/administration/SimplePasswordGeneratorImpl.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/administration/SimplePasswordGeneratorImpl.java?rev=1610090&r1=1610089&r2=1610090&view=diff
==============================================================================
--- portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/administration/SimplePasswordGeneratorImpl.java (original)
+++ portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/administration/SimplePasswordGeneratorImpl.java Sun Jul 13 00:05:48 2014
@@ -16,40 +16,51 @@
*/
package org.apache.jetspeed.administration;
-import java.util.ArrayList;
-
import org.apache.jetspeed.security.CredentialPasswordValidator;
import org.apache.jetspeed.security.SecurityException;
import org.apache.taglibs.random.RandomStrg;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+
/**
* @version $Id$
*/
-public class SimplePasswordGeneratorImpl implements PasswordGenerator
-{
- /** the list of characters from which a password can be generatored. */
- protected static final char[] DEFAULT_PASS_CHARS = { 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's',
- 't', 'u', 'v', 'w', 'x', 'y', 'z', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U',
- 'V', 'W', 'X', 'Y', 'Z', '1', '2', '3', '4', '5', '6', '7', '8', '9', '0' };
+public class SimplePasswordGeneratorImpl implements PasswordGenerator {
+ Logger log = LoggerFactory.getLogger(SimplePasswordGeneratorImpl.class);
+
+ /**
+ * the list of characters from which a password can be generatored.
+ */
+ protected static final char[] DEFAULT_PASS_CHARS = {'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's',
+ 't', 'u', 'v', 'w', 'x', 'y', 'z', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U',
+ 'V', 'W', 'X', 'Y', 'Z', '1', '2', '3', '4', '5', '6', '7', '8', '9', '0'};
// removed these for aesthetic purposes
// '!', '&', '-', '_', '=',
// '*','@', '#', '$', '%', '^',
// '+',
- protected char[] passwordChars = SimplePasswordGeneratorImpl.DEFAULT_PASS_CHARS;
- protected ArrayList<Character> upper = new ArrayList<Character>();
- protected ArrayList<Character> lower = new ArrayList<Character>();
- protected Integer length = new Integer(12);
+ protected char[] passwordChars = SimplePasswordGeneratorImpl.DEFAULT_PASS_CHARS;
+ protected ArrayList<Character> upper = new ArrayList<Character>();
+ protected ArrayList<Character> lower = new ArrayList<Character>();
+ protected Integer length = new Integer(12);
protected CredentialPasswordValidator validator;
+ protected int maximumValidationAttempts = 1000;
+
+ public SimplePasswordGeneratorImpl() {
+ }
- protected RandomStrg newRandomStrg()
- {
+ public SimplePasswordGeneratorImpl(String defaultChars) {
+ this.passwordChars = defaultChars.toCharArray();
+ }
+
+ protected RandomStrg newRandomStrg() {
RandomStrg rs = new RandomStrg();
- try
- {
+ try {
rs.generateRandomObject();
- }
- catch (Exception e)
- {
+ } catch (Exception e) {
// this would only get thrown if we tried a secure random and the provider
// was not available.
e.printStackTrace();
@@ -57,58 +68,45 @@ public class SimplePasswordGeneratorImpl
return rs;
}
- protected void initRandomStrg(RandomStrg rs)
- {
+ protected void initRandomStrg(RandomStrg rs) {
rs.setLength(new Integer(12));
rs.setSingle(passwordChars, passwordChars.length);
rs.setRanges(upper, lower);
}
/**
- * @param length
- * the length to set
+ * @param length the length to set
*/
- public void setLength(Integer length)
- {
+ public void setLength(Integer length) {
this.length = length;
}
/**
- * @param validator
- * the validator to set
+ * @param validator the validator to set
*/
- public void setValidator(CredentialPasswordValidator validator)
- {
+ public void setValidator(CredentialPasswordValidator validator) {
this.validator = validator;
}
- public void setPasswordChars(String passwordChars)
- {
- if (passwordChars != null && passwordChars.length() > 1)
- {
+ public void setPasswordChars(String passwordChars) {
+ if (passwordChars != null && passwordChars.length() > 1) {
this.passwordChars = passwordChars.toCharArray();
}
}
- public void setLowerRange(String lowerChars)
- {
- if (lowerChars != null)
- {
+ public void setLowerRange(String lowerChars) {
+ if (lowerChars != null) {
lower.clear();
- for (char c : lowerChars.toCharArray())
- {
+ for (char c : lowerChars.toCharArray()) {
lower.add(new Character(c));
}
}
}
- public void setUpperRange(String upperChars)
- {
- if (upperChars != null)
- {
+ public void setUpperRange(String upperChars) {
+ if (upperChars != null) {
upper.clear();
- for (char c : upperChars.toCharArray())
- {
+ for (char c : upperChars.toCharArray()) {
upper.add(new Character(c));
}
}
@@ -118,26 +116,53 @@ public class SimplePasswordGeneratorImpl
* (non-Javadoc)
* @see org.apache.jetspeed.administration.PasswordGenerator#generatePassword()
*/
- public String generatePassword()
- {
+ public String generatePassword() {
String retval = null;
RandomStrg rs = newRandomStrg();
initRandomStrg(rs);
- while (retval == null)
- {
+ int validationAttemptCount = 0;
+ while (retval == null) {
retval = rs.getRandom();
- if (validator != null)
- {
- try
- {
+ if (validator != null) {
+ try {
+ if (log.isDebugEnabled()) {
+ log.debug("passing string " + retval + " to credential validator");
+ }
validator.validate(retval);
- }
- catch (SecurityException sex)
- {
+ } catch (SecurityException sex) {
+ if (validationAttemptCount >= maximumValidationAttempts) {
+ log.warn("Unable to validate generated password after " + maximumValidationAttempts +
+ " returning last generated password string unvalidated");
+ break;
+ }
retval = null;
}
}
+
+ validationAttemptCount++;
+ }
+ if (log.isDebugEnabled()) {
+ log.debug("returning string " + retval + " after " + validationAttemptCount + " validation attempts");
}
return retval;
}
+
+ public char[] getPasswordChars() {
+ return passwordChars;
+ }
+
+ public void setPasswordChars(char[] passwordChars) {
+ if (log.isDebugEnabled()) {
+ log.debug("setting up password character array " + Arrays.toString(passwordChars));
+ }
+ this.passwordChars = passwordChars;
+ }
+
+ public int getMaximumValidationAttempts() {
+ return maximumValidationAttempts;
+ }
+
+ public void setMaximumValidationAttempts(int maximumValidationAttempts) {
+ this.maximumValidationAttempts = maximumValidationAttempts;
+ }
}
Modified: portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/test/java/org/apache/jetspeed/administration/TestPortalAdministrationImpl.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/test/java/org/apache/jetspeed/administration/TestPortalAdministrationImpl.java?rev=1610090&r1=1610089&r2=1610090&view=diff
==============================================================================
--- portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/test/java/org/apache/jetspeed/administration/TestPortalAdministrationImpl.java (original)
+++ portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/test/java/org/apache/jetspeed/administration/TestPortalAdministrationImpl.java Sun Jul 13 00:05:48 2014
@@ -19,12 +19,16 @@ package org.apache.jetspeed.administrati
import junit.framework.Test;
import junit.framework.TestCase;
import junit.framework.TestSuite;
+
import org.apache.jetspeed.aggregator.TestWorkerMonitor;
+import org.apache.jetspeed.security.CredentialPasswordValidator;
+import org.apache.jetspeed.security.spi.impl.DefaultCredentialPasswordValidator;
import org.springframework.mail.javamail.JavaMailSenderImpl;
import javax.mail.*;
import javax.mail.internet.InternetAddress;
import javax.mail.internet.MimeMessage;
+
import java.io.ByteArrayOutputStream;
import java.net.URL;
import java.net.URLClassLoader;
@@ -77,17 +81,75 @@ public class TestPortalAdministrationImp
return new TestSuite(TestPortalAdministrationImpl.class);
}
- public void testPasswordGen() throws Exception
+ public void testBasicPasswordGen() throws Exception
{
+ System.out.println("*** testing basic (unvalidated) password generation");
PortalAdministrationImpl pai = new PortalAdministrationImpl(null,null,null,null,null,null,null,null);
String newPassword = pai.generatePassword();
+ System.out.println("new password is "+newPassword);
assertNotNull("new password was NULL!!!",newPassword);
assertTrue("password is not long enough",(newPassword.length() > 4) );
}
+ public void testPasswordGenWithValidationFailure() throws Exception
+ {
+ System.out.println("*** testing password generation with validator but unmatched character array and pattern");
+ PortalAdministrationImpl pai = new PortalAdministrationImpl(null,null,null,null,null,null,null,null);
+ SimplePasswordGeneratorImpl pg = new SimplePasswordGeneratorImpl();
+ CredentialPasswordValidator cpv = new DefaultCredentialPasswordValidator("^.*(?=.{6,})(?=.*\\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[@#$%^&+=]).*$");
+ pg.setValidator(cpv);
+ pg.setMaximumValidationAttempts(1500);
+ pai.setPasswordGenerator(pg);
+ String newPassword = pai.generatePassword();
+ System.out.println("new password is "+newPassword);
+ assertNotNull("new password was NULL!!!",newPassword);
+ assertTrue("password is not long enough",(newPassword.length() > 4) );
+
+ }
+
+ public void testFullPasswordGenWithValidation() throws Exception
+ {
+ System.out.println("*** testing password generation with matched character array and pattern");
+ PortalAdministrationImpl pai = new PortalAdministrationImpl(null,null,null,null,null,null,null,null);
+ SimplePasswordGeneratorImpl pg = new SimplePasswordGeneratorImpl();
+ CredentialPasswordValidator cpv = new DefaultCredentialPasswordValidator("^.*(?=.{6,})(?=.*\\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[@#$%^&+=]).*$");
+ pg.setValidator(cpv);
+ pg.setMaximumValidationAttempts(1500);
+ pai.setPasswordGenerator(pg);
+ //char array that matches the pattern above
+ char[] validChars = { 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's',
+ 't', 'u', 'v', 'w', 'x', 'y', 'z', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U',
+ 'V', 'W', 'X', 'Y', 'Z', '1', '2', '3', '4', '5', '6', '7', '8', '9', '0','@','#','$','%','^','&','+','=' };
+ pg.setPasswordChars(validChars);
+ String newPassword = pai.generatePassword();
+
+ System.out.println("new password is "+newPassword);
+ assertNotNull("new password was NULL!!!",newPassword);
+ assertTrue("password is not long enough",(newPassword.length() > 4) );
+
+ }
+
+ public void testFullPasswordGenWithValidation2() throws Exception
+ {
+ System.out.println("*** testing password generation with matched character array and pattern");
+ PortalAdministrationImpl pai = new PortalAdministrationImpl(null,null,null,null,null,null,null,null);
+ SimplePasswordGeneratorImpl pg = new SimplePasswordGeneratorImpl("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890@#$%^+=");
+ CredentialPasswordValidator cpv = new DefaultCredentialPasswordValidator("^.*(?=.{6,})(?=.*\\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[@#$%^&+=]).*$");
+ pg.setValidator(cpv);
+ pg.setMaximumValidationAttempts(1500);
+ pai.setPasswordGenerator(pg);
+ String newPassword = pai.generatePassword();
+
+ System.out.println("new password is "+newPassword);
+ assertNotNull("new password was NULL!!!",newPassword);
+ assertTrue("password is not long enough",(newPassword.length() > 4) );
+
+ }
+
public void testSendEmail() throws Exception
{
+ System.out.println("*** testing sendEmail");
JavaMailSenderImpl javaMailSender = null;
if (smtpHost != null)
@@ -135,6 +197,7 @@ public class TestPortalAdministrationImp
}
public void testSendMailFromAnotherThread() throws Exception {
+ System.out.println("*** testing sendEmailFromAnotherThread");
final List<Exception> exceptions = new ArrayList<Exception>();
Thread t = new Thread(new Runnable() {
Modified: portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/assembly/administration.xml
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/assembly/administration.xml?rev=1610090&r1=1610089&r2=1610090&view=diff
==============================================================================
--- portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/assembly/administration.xml (original)
+++ portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/assembly/administration.xml Sun Jul 13 00:05:48 2014
@@ -59,12 +59,20 @@
<bean id="org.apache.jetspeed.administration.PasswordGenerator" class="org.apache.jetspeed.administration.SimplePasswordGeneratorImpl">
<meta key="j2:cat" value="default" />
+ <!-- sample character array that matches the regex pattern in the DefaultCredentialValidator defined in
+ security-spi-atn.xml -->
+ <constructor-arg index="0">
+ <value>abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890@#$%^+=</value>
+ </constructor-arg>
<property name="validator">
<!-- The default CredentialPasswordValidator configuration only checks against empty/null passwords.
If a more complex validation is enforced, make sure the PasswordGenerator matches the rules.
If a generated password fails validation, the SimplePasswordGeneratorImpl will simply regenerate a new one to test. -->
<ref bean="org.apache.jetspeed.security.spi.CredentialPasswordValidator"/>
</property>
+ <property name="maximumValidationAttempts">
+ <value>1500</value>
+ </property>
</bean>
<bean id='PortalAdministrationImpl' init-method="start"
Modified: portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/assembly/security-spi-atn.xml
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/assembly/security-spi-atn.xml?rev=1610090&r1=1610089&r2=1610090&view=diff
==============================================================================
--- portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/assembly/security-spi-atn.xml (original)
+++ portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/assembly/security-spi-atn.xml Sun Jul 13 00:05:48 2014
@@ -29,8 +29,8 @@
* Must be at least 6 characters
* Must contain at least one one lower case letter, one upper case letter, one digit and one special character
* Valid special characters are @#$%^&+=
- <constructor-arg index="1"><value><![CDATA[^.*(?=.{6,})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[@#$%^&+=]).*$]]></value></constructor-arg>
- -->
+ <constructor-arg index="0"><value><![CDATA[^.*(?=.{6,})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[@#$%^&+=]).*$]]></value></constructor-arg>
+ -->
</bean>
<!-- MessageDigest encode passwords using SHA-1 -->
---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-dev-help@portals.apache.org