From e0ec318eaf4c6f6129f57174bcb5873763541c13 Mon Sep 17 00:00:00 2001
From: ulrich <not disclosed>
Date: Fri, 06 Jan 2017 18:28:37 +0000
Subject: [PATCH] Digester auf SHA-256 umgestellt

---
 web/WEB-INF/web.xml                     |   23 +++++++
 src/java/de/uhilger/um/Digester.java    |    3 
 src/java/de/uhilger/um/api/UserMgr.java |    6 +
 web/login_error.jsp                     |   25 ++++++++
 web/login_form.html                     |   87 +++++++++++++++++++++++++++++
 web/WEB-INF/create_database.sql         |    2 
 web/META-INF/context.xml                |    2 
 7 files changed, 144 insertions(+), 4 deletions(-)

diff --git a/src/java/de/uhilger/um/Digester.java b/src/java/de/uhilger/um/Digester.java
index a7cd346..fe1579d 100644
--- a/src/java/de/uhilger/um/Digester.java
+++ b/src/java/de/uhilger/um/Digester.java
@@ -34,7 +34,8 @@
   
   /** Name des MD5-Algorithmus zum Verschl&uuml;sseln */
   public static final String MD5 = "MD5";
-
+  public static final String SHA256 = "sha-256";
+  
   /**
    * Einen Ausdruck verschl&uuml;sseln
    * 
diff --git a/src/java/de/uhilger/um/api/UserMgr.java b/src/java/de/uhilger/um/api/UserMgr.java
index 6626665..dcffb9c 100644
--- a/src/java/de/uhilger/um/api/UserMgr.java
+++ b/src/java/de/uhilger/um/api/UserMgr.java
@@ -94,7 +94,11 @@
     String kw = user.getPw();
     String digesterClassName = ctx.getInitParameter(P_DIGESTER);
     Digester digester = (Digester) Class.forName(digesterClassName).newInstance();
-    String digestedPw = digester.digest(kw, Digester.MD5, null);
+    /*
+      MD5 geht nicht mehr,
+      vgl. http://stackoverflow.com/questions/39967289/how-to-use-digest-authentication-in-tomcat-8-5
+    */
+    String digestedPw = digester.digest(kw, Digester.SHA256, null);
     user.setPw(digestedPw);
     getDb().insert(user, UserMapper);
     return user;
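Review bot: The new call `digester.digest(kw, Digester.SHA256, null)` still passes null as the third argument, so if that parameter is a salt (its meaning is not visible here), two users with the same password still store the same digest, which switching MD5 to SHA-256 does not change. The replaced comment only links to a forum thread; state the reason in the comment itself so it survives link rot, e.g. `// Tomcat 8.5's realm no longer accepts MD5 digests; the algorithm here must match the realm's CredentialHandler`. Whatever realm is configured for the container has to use the same algorithm, otherwise newly created users cannot log in, and that configuration is not part of this patch. The enclosing method starts and ends outside the hunk.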
diff --git a/web/META-INF/context.xml b/web/META-INF/context.xml
index 061f6b4..4c75112 100644
--- a/web/META-INF/context.xml
+++ b/web/META-INF/context.xml
@@ -6,7 +6,7 @@
       username="dbadmin"
       password="changeit"
       driverClassName="org.apache.derby.jdbc.ClientDriver"
-      url="jdbc:derby://127.0.0.1:1527/udb_test;create=true"
+      url="jdbc:derby://127.0.0.1:1528/udb;create=true"
       maxActive="60"
       maxIdle="30"
       maxWait="5000"
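Review bot: The new URL keeps `;create=true` while switching from the `udb_test` database to `udb` on a different port; for a database that is not a throw-away test instance this flag means a mistyped name or wrong port silently creates an empty database instead of failing at startup. If `udb` is expected to exist already, drop `;create=true` so a misconfiguration is reported rather than masked. The surrounding `username`/`password` attributes are unchanged by this commit but now point at what appears to be a non-test database, so it is worth checking whether they belong in a committed file.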
diff --git a/web/WEB-INF/create_database.sql b/web/WEB-INF/create_database.sql
index 596df1f..a568dfb 100644
--- a/web/WEB-INF/create_database.sql
+++ b/web/WEB-INF/create_database.sql
@@ -3,7 +3,7 @@
 CREATE TABLE APP.USERS
 (
    USER_NAME     VARCHAR(250)   NOT NULL,
-   USER_PASS     VARCHAR(250)   NOT NULL,
+   USER_PASS     VARCHAR(1024)   NOT NULL,
    USER_FIRST    VARCHAR(250),
    USER_LAST     VARCHAR(250),
    USER_EMAIL    VARCHAR(250),
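Review bot: Widening `USER_PASS` to VARCHAR(1024) only affects databases created fresh from this script; a database created with the previous script keeps VARCHAR(250) and is not migrated by this commit. If existing installations are expected, add a migration statement alongside, e.g. `ALTER TABLE APP.USERS ALTER COLUMN USER_PASS SET DATA TYPE VARCHAR(1024);` (Derby syntax, to be confirmed against the server version in use). If the digester emits hex or base64, a SHA-256 digest is at most 64 characters, so the old width would already have held it; a short comment explaining why 1024 was chosen would stop a later reader from reverting it.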
diff --git a/web/WEB-INF/web.xml b/web/WEB-INF/web.xml
index 475e952..b9bd9d8 100644
--- a/web/WEB-INF/web.xml
+++ b/web/WEB-INF/web.xml
@@ -37,4 +37,27 @@
             30
         </session-timeout>
     </session-config>
+    <security-constraint>
+        <display-name>nutzerAdminConstraint</display-name>
+        <web-resource-collection>
+            <web-resource-name>nutzerAdmin</web-resource-name>
+            <description>Nutzer-Administration</description>
+            <url-pattern>/ui/*</url-pattern>
+        </web-resource-collection>
+        <auth-constraint>
+            <description>nutzerAdminAuthContraint</description>
+            <role-name>nutzerAdmin</role-name>
+        </auth-constraint>
+    </security-constraint>
+    <login-config>
+        <auth-method>FORM</auth-method>
+        <form-login-config>
+            <form-login-page>/login_form.html</form-login-page>
+            <form-error-page>/login_error.jsp</form-error-page>
+        </form-login-config>
+    </login-config>
+    <security-role>
+        <description/>
+        <role-name>nutzerAdmin</role-name>
+    </security-role>
 </web-app>
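Review bot: The new `security-constraint` for `/ui/*` has no `<user-data-constraint>`, so the FORM login, which posts `j_username` and `j_password` in clear text, is accepted over plain HTTP; add inside the constraint `<user-data-constraint>` / `<transport-guarantee>CONFIDENTIAL</transport-guarantee>` / `</user-data-constraint>` so the container redirects to HTTPS before the form is served. The `auth-constraint` description reads `nutzerAdminAuthContraint` (missing "s" in Constraint), and the `security-role` has an empty `<description/>` that can either say what the role grants or be omitted. Note that `/login_form.html` and `/login_error.jsp` lie outside `/ui/*`, which is required for FORM login to work, so the pattern should not be widened to `/*` without exempting them.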
diff --git a/web/login_error.jsp b/web/login_error.jsp
new file mode 100644
index 0000000..720fe3f
--- /dev/null
+++ b/web/login_error.jsp
@@ -0,0 +1,25 @@
+<%@page contentType="text/html" pageEncoding="ISO-8859-1"%>
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
+   "http://www.w3.org/TR/html4/loose.dtd">
+
+<html>
+<head>
+  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+  <style>
+    body {
+      font-family:Arial,Helvetica,sans-serif;
+      font-size:10pt;
+    }
+  </style>
+  <title>Fehler</title>
+  <%
+    String url = request.getRequestURL().toString();
+    url = url.substring(0, url.lastIndexOf("/"));
+  %>
+</head>
+<body>
+<p>Hoppla! Die Anmeldung hat nicht geklappt.</p>
+
+<p>Klicken Sie <a href="<%=url%>">hier</a> um zur Hauptseite zu gelangen.</p>
+</body>
+</html>
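Review bot: The link target in `<a href="<%=url%>">` is rebuilt from `request.getRequestURL()`, which reflects whatever Host header the client sent, and is written into the attribute unescaped; the simpler and more predictable target is `<a href="<%=request.getContextPath()%>/">`, which needs neither the substring logic in the head nor the server-reconstructed URL. The page also declares `pageEncoding="ISO-8859-1"` while the meta tag announces `charset=UTF-8`; the current text contains no umlauts, but the first one added would render wrongly, so align both declarations on UTF-8.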
diff --git a/web/login_form.html b/web/login_form.html
new file mode 100644
index 0000000..b812836
--- /dev/null
+++ b/web/login_form.html
@@ -0,0 +1,87 @@
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8">
+    <meta http-equiv="X-UA-Compatible" content="IE=edge">
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+    <meta name="description" content="">
+    <meta name="author" content="">
+    <!--<link rel="icon" href="../../favicon.ico">-->
+
+    <title>Anmeldung Nutzerverwaltung</title>
+
+    <!-- Bootstrap core CSS -->
+    <link rel="stylesheet" href="/jslib/bootstrap-3.3.2/css/bootstrap.min.css">
+
+    <!-- Custom styles for this template -->
+    <!--<link href="signin.css" rel="stylesheet">-->
+    <style type="text/css">
+      body {
+        padding-top: 40px;
+        padding-bottom: 40px;
+        background-color: #eee;
+      }
+      
+      .form-signin {
+        max-width: 330px;
+        padding: 15px;
+        margin: 0 auto;
+      }
+      .form-signin .form-signin-heading,
+      .form-signin .checkbox {
+        margin-bottom: 10px;
+      }
+      .form-signin .checkbox {
+        font-weight: normal;
+      }
+      .form-signin .form-control {
+        position: relative;
+        height: auto;
+        -webkit-box-sizing: border-box;
+           -moz-box-sizing: border-box;
+                box-sizing: border-box;
+        padding: 10px;
+        font-size: 16px;
+      }
+      .form-signin .form-control:focus {
+        z-index: 2;
+      }
+      .form-signin input[type="text"] {
+        margin-bottom: -1px;
+        border-bottom-right-radius: 0;
+        border-bottom-left-radius: 0;
+      }
+      .form-signin input[type="password"] {
+        margin-bottom: 10px;
+        border-top-left-radius: 0;
+        border-top-right-radius: 0;
+      }
+    </style>
+
+    <!-- HTML5 shim and Respond.js IE8 support of HTML5 elements and media queries -->
+    <!--[if lt IE 9]>
+      <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
+      <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
+    <![endif]-->
+  </head>
+
+  <body>
+
+    <div class="container">
+
+      <form class="form-signin" role="form" method="POST" action="j_security_check" name="loginform">
+        <h2 class="form-signin-heading">Anmeldung Nutzerverwaltung</h2>
+        <input  name="j_username" type="text" class="form-control" placeholder="Benutzerkennung" required autofocus>
+        <input name="j_password" type="password" class="form-control" placeholder="Kennwort" required>
+        <!--
+        <label class="checkbox">
+          <input type="checkbox" value="remember-me"> Remember me
+        </label>
+        -->
+        <button class="btn btn-lg btn-primary btn-block" type="submit">Senden</button>
+      </form>
+
+    </div> <!-- /container -->
+
+  </body>
+</html>
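Review bot: The document declares `lang="en"` while every visible string (title, placeholders, button) is German, which misleads screen readers and browser translation; use `<html lang="de">`. The commented-out "Remember me" block and the commented-out favicon and `signin.css` links are dead markup in a brand-new file and should be dropped rather than carried along. The IE8 shim scripts are pulled from a third-party CDN without any integrity attribute and only run in IE below 9; if that browser support is not required for an admin login page, removing the conditional block removes the external dependency altogether.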

--
Gitblit v1.9.3