Commit 7f1f8e6b authored by Matija Obreza's avatar Matija Obreza
Browse files

Password change: protect brute-forcing with lockoutManager

parent 38f28d3e
/*
* Copyright 2017 Global Crop Diversity Trust
* Copyright 2018 Global Crop Diversity Trust
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
......@@ -15,10 +15,12 @@
*/
package org.genesys.catalog.server.config;
import org.genesys.blocks.security.lockout.AccountLockoutConfig;
import org.genesys.catalog.service.UserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
......@@ -31,12 +33,18 @@ import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, proxyTargetClass = true /*, securedEnabled = true */)
@EnableGlobalMethodSecurity(prePostEnabled = true, proxyTargetClass = true /* , securedEnabled = true */)
@Import({ AccountLockoutConfig.class })
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private UserService userDetailsService;
/**
* Password encoder.
*
* @return the password encoder
*/
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
......
......@@ -19,6 +19,7 @@ import java.util.UUID;
import org.genesys.blocks.security.SecurityContextUtil;
import org.genesys.blocks.security.UserException;
import org.genesys.blocks.security.lockout.AccountLockoutManager;
import org.genesys.catalog.model.dataset.Dataset;
import org.genesys.catalog.model.traits.Descriptor;
import org.genesys.catalog.model.traits.DescriptorList;
......@@ -39,6 +40,7 @@ import org.springframework.data.domain.Page;
import org.springframework.data.domain.PageRequest;
import org.springframework.data.domain.Sort;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.web.bind.annotation.GetMapping;
......@@ -77,6 +79,9 @@ public class MeController {
@Autowired
private PasswordEncoder passwordEncoder;
@Autowired
private AccountLockoutManager lockoutManager;
@Autowired
private UserService userService;
......@@ -93,15 +98,23 @@ public class MeController {
}
@PostMapping(value = "/password")
public String changePassword(@RequestParam(name = "old", required = true) final String oldPassword,
@RequestParam(name = "new", required = true) final String newPassword) throws UserException {
public String changePassword(@RequestParam(name = "old", required = true) final String oldPassword, @RequestParam(name = "new", required = true) final String newPassword)
throws UserException {
final User currentUser = userService.getUser(UUID.fromString(SecurityContextUtil.getMe().getUuid()));
if (currentUser.isAccountLocked()) {
throw new LockedException("Too many failed login attempts.");
}
final User currentUser = SecurityContextUtil.getMe();
if (passwordEncoder.matches(oldPassword, currentUser.getPassword())) {
lockoutManager.handleSuccessfulLogin(currentUser.getUsername());
userService.changePassword(currentUser, newPassword);
return "OK";
} else {
lockoutManager.handleFailedLogin(currentUser.getUsername());
throw new UserException("Your old password was entered incorrectly. Please enter it again.");
}
throw new UserException("Your old password was entered incorrectly. Please enter it again.");
}
@PostMapping(value = "/partners")
......@@ -131,7 +144,6 @@ public class MeController {
return descriptorService.listDescriptorsForCurrentUser(descriptorFilter, new PageRequest(page, Integer.min(pageSize, 100), direction, sort));
}
@PostMapping(value = "/descriptorlists")
public Page<DescriptorList> myDescriptorLists(@RequestParam(name = "p", required = false, defaultValue = "0") final int page,
@RequestParam(name = "l", required = false, defaultValue = "50") final int pageSize,
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment