Posted to commits@roller.apache.org by sn...@apache.org on 2019/05/11 21:13:30 UTC
[roller] 01/01: [ROL-2137] if you're going to enable remember me
then you must set a unqiue key. And not the well known springRocks that was
the default.
This is an automated email from the ASF dual-hosted git repository.
snoopdave pushed a commit to branch ROL-2137
in repository https://gitbox.apache.org/repos/asf/roller.git
commit 344677ce9de7f26526a76ff84524e82f59e1bde0
Author: snoopdave@gmail.com <sn...@gmail.com>
AuthorDate: Sat May 11 17:13:20 2019 -0400
[ROL-2137] if you're going to enable remember me then you must set a unique key.
And not the well known springRocks that was the default.
---
.../RollerRememberMeAuthenticationProvider.java | 44 ++++++++++++++++++++++
.../ui/core/security/RollerRememberMeServices.java | 20 +++++++++-
.../roller/weblogger/config/roller.properties | 6 ++-
app/src/main/webapp/WEB-INF/security.xml | 2 +-
4 files changed, 68 insertions(+), 4 deletions(-)
diff --git a/app/src/main/java/org/apache/roller/weblogger/ui/core/security/RollerRememberMeAuthenticationProvider.java b/app/src/main/java/org/apache/roller/weblogger/ui/core/security/RollerRememberMeAuthenticationProvider.java
new file mode 100644
index 0000000..d805c58
--- /dev/null
+++ b/app/src/main/java/org/apache/roller/weblogger/ui/core/security/RollerRememberMeAuthenticationProvider.java
@@ -0,0 +1,44 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. The ASF licenses this file to You
+ * under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License. For additional information regarding
+ * copyright in this work, please see the NOTICE file in the top level
+ * directory of this distribution.
+ */
+
+package org.apache.roller.weblogger.ui.core.security;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.roller.weblogger.config.WebloggerConfig;
+import org.springframework.security.authentication.RememberMeAuthenticationProvider;
+
+
+public class RollerRememberMeAuthenticationProvider extends RememberMeAuthenticationProvider {
+ private static final Log log = LogFactory.getLog(RollerRememberMeServices.class);
+
+
+ public RollerRememberMeAuthenticationProvider(String ignored) {
+
+ String key = WebloggerConfig.getProperty("rememberme.key", "springRocks");
+
+ if ("springRocks".equals(key)) {
+ throw new RuntimeException(
+ "If remember-me is to be enabled, rememberme.key must be specified in the roller " +
+ "properties file. Make sure it is a secret and make sure it is NOT be springRocks");
+ }
+ setKey(key);
+ }
+}
+
+
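Review bot: The check in the new constructor rejects only the literal default, so an empty or blank value — which is exactly what the new `rememberme.key=` line in roller.properties ships — passes and is handed to `setKey`, presumably leaving remember-me tokens signed with an empty secret (this depends on what `WebloggerConfig.getProperty` returns for a property that is defined but empty; worth confirming). Suggest `if (key == null || key.trim().isEmpty() || "springRocks".equals(key)) {` and an `IllegalStateException` instead of a bare `RuntimeException`, with the message's "make sure it is NOT be springRocks" tidied to "and is not springRocks". The logger is initialised with `RollerRememberMeServices.class` — the same copy-paste slip the second hunk fixes in RollerRememberMeServices — and is never used in this class; either remove it or use `RollerRememberMeAuthenticationProvider.class`. The `ignored` constructor parameter has no explanation; a one-line Javadoc on the constructor stating why it takes an argument it does not use would save the next reader a trip to the bean definition.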
diff --git a/app/src/main/java/org/apache/roller/weblogger/ui/core/security/RollerRememberMeServices.java b/app/src/main/java/org/apache/roller/weblogger/ui/core/security/RollerRememberMeServices.java
index 5aa7d51..72cfee4 100644
--- a/app/src/main/java/org/apache/roller/weblogger/ui/core/security/RollerRememberMeServices.java
+++ b/app/src/main/java/org/apache/roller/weblogger/ui/core/security/RollerRememberMeServices.java
@@ -1,3 +1,21 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. The ASF licenses this file to You
+ * under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License. For additional information regarding
+ * copyright in this work, please see the NOTICE file in the top level
+ * directory of this distribution.
+ */
+
package org.apache.roller.weblogger.ui.core.security;
import org.apache.commons.logging.Log;
@@ -13,7 +31,7 @@ import java.security.NoSuchAlgorithmException;
public class RollerRememberMeServices extends TokenBasedRememberMeServices {
- private static final Log log = LogFactory.getLog(CustomUserRegistry.class);
+ private static final Log log = LogFactory.getLog(RollerRememberMeServices.class);
public RollerRememberMeServices() {
diff --git a/app/src/main/resources/org/apache/roller/weblogger/config/roller.properties b/app/src/main/resources/org/apache/roller/weblogger/config/roller.properties
index 785a893..125520c 100644
--- a/app/src/main/resources/org/apache/roller/weblogger/config/roller.properties
+++ b/app/src/main/resources/org/apache/roller/weblogger/config/roller.properties
@@ -604,8 +604,10 @@ config.expandedProperties=uploads.dir,search.index.dir,mediafiles.storage.dir
# True to enable history in Atom feeds with next/prev links
site.newsfeeds.history.enabled=false
-# Some folks consider remember-me type functionality to be a security
-rememberme.enabled=true
+# Some folks consider remember-me type functionality to be a security risk
+# If you enable remember me you MUST define a unique secret key that is not 'springRocks'
+rememberme.enabled=false
+rememberme.key=
# You might want to disable GZIP if your app server already supports it
compression.gzipResponse.enabled=true
diff --git a/app/src/main/webapp/WEB-INF/security.xml b/app/src/main/webapp/WEB-INF/security.xml
index 33f80a2..1e20338 100644
--- a/app/src/main/webapp/WEB-INF/security.xml
+++ b/app/src/main/webapp/WEB-INF/security.xml
@@ -83,7 +83,7 @@
</beans:bean>
<beans:bean id="rememberMeAuthenticationProvider"
- class="org.springframework.security.authentication.RememberMeAuthenticationProvider">
+ class="org.apache.roller.weblogger.ui.core.security.RollerRememberMeAuthenticationProvider">
<beans:property name="key" value="springRocks"/>
</beans:bean>
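Review bot: The `<beans:property name="key" value="springRocks"/>` line immediately after the changed class attribute is still present, and Spring applies property injection after the constructor has run, so `setKey("springRocks")` would overwrite the value the new RollerRememberMeAuthenticationProvider constructor read from rememberme.key — reinstating the well-known key this commit sets out to remove. Drop that property element; if the bean needs the constructor's String argument, it would be supplied via `<beans:constructor-arg>`, none of which is visible in this hunk, so it may be elsewhere in the definition. The remember-me services bean that signs the cookie is outside the hunk, so I cannot tell whether it reads the same rememberme.key; the provider and the token signer must agree on the key or remember-me cookies will fail to validate.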