Posted to commits@roller.apache.org by sn...@apache.org on 2019/05/11 21:13:29 UTC

[roller] branch ROL-2137 created (now 344677c)

This is an automated email from the ASF dual-hosted git repository.

snoopdave pushed a change to branch ROL-2137
in repository https://gitbox.apache.org/repos/asf/roller.git.


      at 344677c  [ROL-2137] if you're going to enable remember me then you must set a unqiue key. And not the well known springRocks that was the default.

This branch includes the following new commits:

     new 344677c  [ROL-2137] if you're going to enable remember me then you must set a unqiue key. And not the well known springRocks that was the default.

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.



[roller] 01/01: [ROL-2137] if you're going to enable remember me then you must set a unqiue key. And not the well known springRocks that was the default.

Posted by sn...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

snoopdave pushed a commit to branch ROL-2137
in repository https://gitbox.apache.org/repos/asf/roller.git

commit 344677ce9de7f26526a76ff84524e82f59e1bde0
Author: snoopdave@gmail.com <sn...@gmail.com>
AuthorDate: Sat May 11 17:13:20 2019 -0400

    [ROL-2137] if you're going to enable remember me then you must set a unique key.
    And not the well known springRocks that was the default.
---
 .../RollerRememberMeAuthenticationProvider.java    | 44 ++++++++++++++++++++++
 .../ui/core/security/RollerRememberMeServices.java | 20 +++++++++-
 .../roller/weblogger/config/roller.properties      |  6 ++-
 app/src/main/webapp/WEB-INF/security.xml           |  2 +-
 4 files changed, 68 insertions(+), 4 deletions(-)

diff --git a/app/src/main/java/org/apache/roller/weblogger/ui/core/security/RollerRememberMeAuthenticationProvider.java b/app/src/main/java/org/apache/roller/weblogger/ui/core/security/RollerRememberMeAuthenticationProvider.java
new file mode 100644
index 0000000..d805c58
--- /dev/null
+++ b/app/src/main/java/org/apache/roller/weblogger/ui/core/security/RollerRememberMeAuthenticationProvider.java
@@ -0,0 +1,44 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ *  contributor license agreements.  The ASF licenses this file to You
+ * under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.  For additional information regarding
+ * copyright in this work, please see the NOTICE file in the top level
+ * directory of this distribution.
+ */
+
+package org.apache.roller.weblogger.ui.core.security;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.roller.weblogger.config.WebloggerConfig;
+import org.springframework.security.authentication.RememberMeAuthenticationProvider;
+
+
+public class RollerRememberMeAuthenticationProvider extends RememberMeAuthenticationProvider {
+    private static final Log log = LogFactory.getLog(RollerRememberMeServices.class);
+
+
+    public RollerRememberMeAuthenticationProvider(String ignored) {
+
+        String key = WebloggerConfig.getProperty("rememberme.key", "springRocks");
+
+        if ("springRocks".equals(key)) {
+            throw new RuntimeException(
+                "If remember-me is to be enabled, rememberme.key must be specified in the roller " +
+                "properties file. Make sure it is a secret and make sure it is NOT be springRocks");
+        }
+        setKey(key);
+    }
+}
+
+
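Review bot: The `"springRocks".equals(key)` check in the constructor rejects only the literal default, so the empty value that roller.properties now ships (`rememberme.key=`, in the third file of this commit) passes the guard and reaches `setKey("")`, which leaves remember-me tokens signed with an empty secret; the guard should also reject a missing or blank key, `if (key == null || key.trim().isEmpty() || "springRocks".equals(key)) {`. Whether `WebloggerConfig.getProperty` returns the empty string or the `"springRocks"` fallback for a property that is present but empty is not visible here, but the blank check covers both cases. The `log` field is initialised with `RollerRememberMeServices.class` and is not used anywhere in this file; either drop it or initialise it with `RollerRememberMeAuthenticationProvider.class`. `IllegalStateException` would be the conventional type for a configuration failure in place of the bare `RuntimeException`, and the message text `make sure it is NOT be springRocks` reads as a typo for `is NOT springRocks`.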
diff --git a/app/src/main/java/org/apache/roller/weblogger/ui/core/security/RollerRememberMeServices.java b/app/src/main/java/org/apache/roller/weblogger/ui/core/security/RollerRememberMeServices.java
index 5aa7d51..72cfee4 100644
--- a/app/src/main/java/org/apache/roller/weblogger/ui/core/security/RollerRememberMeServices.java
+++ b/app/src/main/java/org/apache/roller/weblogger/ui/core/security/RollerRememberMeServices.java
@@ -1,3 +1,21 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ *  contributor license agreements.  The ASF licenses this file to You
+ * under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.  For additional information regarding
+ * copyright in this work, please see the NOTICE file in the top level
+ * directory of this distribution.
+ */
+
 package org.apache.roller.weblogger.ui.core.security;
 
 import org.apache.commons.logging.Log;
@@ -13,7 +31,7 @@ import java.security.NoSuchAlgorithmException;
 
 
 public class RollerRememberMeServices extends TokenBasedRememberMeServices {
-    private static final Log log = LogFactory.getLog(CustomUserRegistry.class);
+    private static final Log log = LogFactory.getLog(RollerRememberMeServices.class);
 
 
     public RollerRememberMeServices() {
diff --git a/app/src/main/resources/org/apache/roller/weblogger/config/roller.properties b/app/src/main/resources/org/apache/roller/weblogger/config/roller.properties
index 785a893..125520c 100644
--- a/app/src/main/resources/org/apache/roller/weblogger/config/roller.properties
+++ b/app/src/main/resources/org/apache/roller/weblogger/config/roller.properties
@@ -604,8 +604,10 @@ config.expandedProperties=uploads.dir,search.index.dir,mediafiles.storage.dir
 # True to enable history in Atom feeds with next/prev links
 site.newsfeeds.history.enabled=false
 
-# Some folks consider remember-me type functionality to be a security
-rememberme.enabled=true
+# Some folks consider remember-me type functionality to be a security risk
+# If you enable remember me you MUST define a unique secret key that is not 'springRocks'
+rememberme.enabled=false
+rememberme.key=
 
 # You might want to disable GZIP if your app server already supports it
 compression.gzipResponse.enabled=true
diff --git a/app/src/main/webapp/WEB-INF/security.xml b/app/src/main/webapp/WEB-INF/security.xml
index 33f80a2..1e20338 100644
--- a/app/src/main/webapp/WEB-INF/security.xml
+++ b/app/src/main/webapp/WEB-INF/security.xml
@@ -83,7 +83,7 @@
     </beans:bean>
 
     <beans:bean id="rememberMeAuthenticationProvider"
-                class="org.springframework.security.authentication.RememberMeAuthenticationProvider">
+                class="org.apache.roller.weblogger.ui.core.security.RollerRememberMeAuthenticationProvider">
         <beans:property name="key" value="springRocks"/>
     </beans:bean>
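Review bot: The bean still carries `<beans:property name="key" value="springRocks"/>` after the class is switched to RollerRememberMeAuthenticationProvider; Spring applies property injection after the constructor has run, so that setter call overwrites the key the constructor just loaded from `rememberme.key`, and the provider ends up with the well-known default this commit is meant to remove. Removing the property element lets the constructor's value stand, e.g. `<beans:bean id="rememberMeAuthenticationProvider" class="org.apache.roller.weblogger.ui.core.security.RollerRememberMeAuthenticationProvider"/>`. The new constructor takes one String parameter but this bean definition, which is visible in full here, supplies no `constructor-arg`; unless constructor autowiring is configured elsewhere in security.xml the context is unlikely to instantiate the bean at all, so either give the class a no-arg constructor or add the argument.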