
Revize 4ab7f824

Přidáno uživatelem Tomáš Šimandl před více než 6 roky(ů)

#5 Replace MD5 password encryption by some secure algo

- BCrypt password encryption is used instead of MD5.
- The algorithm comes from the springframework.security package.


sources/create_table.sql
17 17
  `id` int(11) NOT NULL AUTO_INCREMENT,
18 18
  `nick` varchar(50) COLLATE utf8_czech_ci NOT NULL,
19 19
  `name` varchar(255) COLLATE utf8_czech_ci NOT NULL DEFAULT '',
20
  `psw` varchar(32) COLLATE utf8_czech_ci NOT NULL,
20
  `psw` varchar(60) COLLATE utf8_czech_ci NOT NULL,
21 21
  `session` varchar(50) COLLATE utf8_czech_ci NOT NULL,
22 22
  `active` tinyint(1) NOT NULL,
23 23
  `created` datetime NOT NULL,
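Review bot: The widened `psw` column carries no indication of the format it now stores; a comment such as `-- bcrypt string ($2a$ prefix, cost, salt and digest): exactly 60 chars` next to the `psw` line would tell the next reader why 60 was chosen and that the value is no longer a plain hex digest. Because a bcrypt string is exactly 60 characters, any later change of scheme (another prefix or a longer digest) would require widening the column again, which is worth stating in the same comment.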
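--- a/sources/pom.xml
+++ b/sources/pom.xml
@@ -74,6 +74,12 @@
 
 
 
+        <!-- https://mvnrepository.com/artifact/org.springframework.security/spring-security-core -->
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-core</artifactId>
+            <version>5.1.2.RELEASE</version>
+        </dependency>
         <!-- https://mvnrepository.com/artifact/commons-fileupload/commons-fileupload -->
         <dependency>
             <groupId>commons-fileupload</groupId>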
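Review bot: The comment above the new dependency only records the mvnrepository URL, not why spring-security-core is pulled in; since the rest of the commit uses it solely for the BCrypt class, a line such as `<!-- spring-security-core: provides BCrypt for password hashing (user/User.java) -->` makes the purpose clear and tells a maintainer what would break if the artifact were swapped. The version is pinned to 5.1.2.RELEASE; as this is a security library, the same comment should note that the pin is expected to be kept current with upstream releases.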
sources/src/main/java/cz/zcu/kiv/offscreen/user/User.java
1 1
package cz.zcu.kiv.offscreen.user;
2 2
import org.apache.logging.log4j.LogManager;
3 3
import org.apache.logging.log4j.Logger;
4
import org.springframework.security.crypto.bcrypt.BCrypt;
4 5

  
5 6
import java.sql.PreparedStatement;
6 7
import java.sql.ResultSet;
......
46 47
	 * 		   false - login failed
47 48
	 */
48 49
	public boolean login(String nick, String psw){
49
		String qy = "SELECT * FROM user WHERE nick LIKE ? AND psw LIKE ? AND active = '1' LIMIT 1";
50
		String qy = "SELECT * FROM user WHERE nick LIKE ? AND active = '1' LIMIT 1";
50 51

  
51 52
		try{
52 53
			PreparedStatement pst = db.getPreparedStatement(qy, false);
53 54
			pst.setString(1, nick);
54
			pst.setString(2, Util.MD5(psw));
55 55
			ResultSet rs = db.executeQuery(pst);
56 56

  
57 57
			if ( rs != null && rs.next() ) {
58
				if(rs.getInt("id") > 0){
58
				if(rs.getInt("id") > 0 && BCrypt.checkpw(psw, rs.getString("psw"))){
59 59
					this.id = rs.getInt("id");
60 60
					return true;
61 61
				}
62 62
			}
63
		} catch (SQLException e) {
63
		} catch (SQLException | IllegalArgumentException e) {
64 64
			logger.error("Can not login user: ", e);
65 65
		}
66 66

  
......
85 85
				pst.setInt(2, 1);
86 86
				pst.setString(3, param.get("nick"));
87 87
				pst.setString(4, param.get("name"));
88
				pst.setString(5, Util.MD5(param.get("password")));
88
				pst.setString(5, BCrypt.hashpw(param.get("password"), BCrypt.gensalt()));
89 89
				pst.setString(6, param.get("session"));
90 90
				pst.setString(7, param.get("email"));
91 91

  
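Review bot: Accounts whose `psw` column still holds a 32-character MD5 hex value cannot log in after this change, because `BCrypt.checkpw` rejects a second argument that is not a bcrypt string with IllegalArgumentException, which the widened catch at line 63 now logs as "Can not login user" and treats as a failed login; nothing on this page rehashes or migrates existing rows, so a one-time password reset or a migrate-on-login path is needed unless that is handled elsewhere. The rewritten query at line 50 keeps `nick LIKE ?`, so a nick containing `%` or `_` is matched as a wildcard rather than exactly; `String qy = "SELECT * FROM user WHERE nick = ? AND active = '1' LIMIT 1";` removes that. In the registration hunk, `BCrypt.gensalt()` relies on the library's default cost; passing it explicitly, e.g. `BCrypt.gensalt(WORK_FACTOR)` with a named constant (WORK_FACTOR is a placeholder), documents the chosen work factor and makes raising it later a one-line change. The new multi-catch deserves a comment, e.g. `// IllegalArgumentException: stored value is not a bcrypt hash (legacy MD5 row)`. login's body continues past the hunk.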
sources/src/main/java/cz/zcu/kiv/offscreen/user/Util.java
5 5

  
6 6
class Util {
7 7

  
8
	/**
9
	 *	Method do a hash code from string.
10
	 *
11
	 * @param md5 - String to hash
12
	 * @return String - hashcode 
13
	 */
14
	static String MD5(String md5) {
15
		   try {
16
		        java.security.MessageDigest md = java.security.MessageDigest.getInstance("MD5");
17
		        byte[] array = md.digest(md5.getBytes());
18
		        StringBuffer sb = new StringBuffer();
19
		        for (int i = 0; i < array.length; ++i) {
20
		          sb.append(Integer.toHexString((array[i] & 0xFF) | 0x100).substring(1,3));
21
		       }
22
		        return sb.toString();
23
		    } catch (java.security.NoSuchAlgorithmException e) {
24
		    }
25
		    return null;
26
	}
27 8

  
28 9
	static String formatDate(String date){
29 10
		String pattern = "(\\d{4})-(\\d{2})-(\\d{2}) (\\d{2}):(\\d{2}):(\\d{2}).*";
