SuperX
/
kern
6
0
Fork 0
Code Issues 8 Pull Requests Projects Releases Wiki Activity

Compare commits

base: SuperX:101760c314c17ed39fcae58db201c3e54857c2e0
Branches Tags
SuperX:RELEASE_kern5.0
SuperX:RELEASE_kern5.1
SuperX:freiburg_nutzungsstatistik
SuperX:master
SuperX:userinfo_gueltigkeit
..
compare: SuperX:4eba45de27c3e11fca02428fe709a2b6630d21ae
Branches Tags
SuperX:RELEASE_kern5.0
SuperX:RELEASE_kern5.1
SuperX:freiburg_nutzungsstatistik
SuperX:master
SuperX:userinfo_gueltigkeit

No commits in common. '101760c314c17ed39fcae58db201c3e54857c2e0' and '4eba45de27c3e11fca02428fe709a2b6630d21ae' have entirely different histories.
101760c314 ... 4eba45de27

5 changed files with 22 additions and 161 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats
  1. 69
      src/de/superx/bin/LdapLockout.java
  2. 73
      src/de/superx/servlet/LdapPasswordChecker.java
  3. 31
      src/de/superx/servlet/UserInitializer.java
  4. 6
      superx/WEB-INF/conf/edustore/db/bin/sx_ldap_lockout.x
  5. 4
      superx/WEB-INF/conf/edustore/db/install/conf/kern.xml

69
src/de/superx/bin/LdapLockout.java
Unescape View File

@ -1,69 +0,0 @@
package de.superx.bin;
import java.io.BufferedWriter;
import java.io.File;
import java.io.FileWriter;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.Statement;
import de.memtext.util.GetOpts;
import de.superx.servlet.LdapPasswordChecker;
/**
* Klasse zum Sperren von Benutzern, die in LDAP gesperrt sind
* Erwartet Eintrag LdapLockoutFilter in superx_standalone_ldap.properties
*
*
*/
public class LdapLockout {
private static String usage = "Gebrauch: java de.superx.bin.LdapLockout -dbproperties=<<Pfad zu db.properties>> -ldapconfig=<<Pfad zu superx_standalone_ldap.properties>>";
public static void main(String[] args) {
GetOpts.setOpts(args);
String isdrin = GetOpts.isAllRequiredOptionsPresent("-dbproperties,-ldapconfig");
if (isdrin != null) {
System.err.println("Folgende Optionen fehlen: " + isdrin);
System.err.println(usage);
System.exit(1);
}
try {
File f = new File("LdapLockout.log");
if (f.exists())
{
f.delete();
}
LdapPasswordChecker.setup(new File(GetOpts.getValue("-ldapconfig")));
checkUsers(GetOpts.getValue("-dbproperties"));
} catch (Exception e) {
e.printStackTrace();
}
}
private static void checkUsers(String dbpropfile) throws Exception {
SxConnection myConnection = new SxConnection();
myConnection.setPropfile(dbpropfile);
Connection con = myConnection.getConnection();
Statement stm = con.createStatement();
ResultSet rs = stm.executeQuery("select benutzer from userinfo order by 1");
PreparedStatement pst = con.prepareStatement(
"update userinfo set max_versuch=0,passwd_sha=null, gueltig_bis=today()-1, info='deaktiviert am '||today() where benutzer=? and max_versuch>0");
LdapPasswordChecker ldappwc = new LdapPasswordChecker();
while (rs.next()) {
String benutzer = rs.getString("benutzer");
System.out.println("Pruefe Nutzer " + benutzer);
if (ldappwc.isUserLocked(benutzer)) {
System.out.println(" - Benutzer " + benutzer + " wird gesperrt");
pst.clearParameters();
pst.setString(1, benutzer);
pst.executeUpdate();
}
}
rs.close();
stm.close();
pst.close();
myConnection.close();
ldappwc.closeServiceCtxForLockout();
}
}

73
src/de/superx/servlet/LdapPasswordChecker.java
Unescape View File

@ -37,8 +37,6 @@ public class LdapPasswordChecker {
private static boolean hasLdapServiceUserDN = false; private static boolean hasLdapServiceUserDN = false;
private static boolean wasSetupTestOK = false; private static boolean wasSetupTestOK = false;
private static boolean isStandaloneTest = false; private static boolean isStandaloneTest = false;
//wird nur für Lockout-Funktion benötigt
private DirContext serviceCtxForLockout = null;
public static void main(String[] args) { public static void main(String[] args) {
isStandaloneTest = true; isStandaloneTest = true;
@ -49,8 +47,8 @@ public class LdapPasswordChecker {
try { try {
setup(new File(args[0])); setup(new File(args[0]));
LdapPasswordChecker lpc = new LdapPasswordChecker(); LdapPasswordChecker lpc=new LdapPasswordChecker();
lpc.isLdapPasswordOK(false, "default", args[1], args[2]); lpc.isLdapPasswordOK(false, "default", args[1], args[2]);
} catch (Exception e) { } catch (Exception e) {
e.printStackTrace(); e.printStackTrace();
} }
@ -65,13 +63,12 @@ public class LdapPasswordChecker {
checkProperty(superxStandaloneLdapConfigFile, "LdapIdentifyingAttribute"); checkProperty(superxStandaloneLdapConfigFile, "LdapIdentifyingAttribute");
if (!StringUtils.isNullOrEmpty(props.getProperty("LdapServiceUserDN"))) { if (!StringUtils.isNullOrEmpty(props.getProperty("LdapServiceUserDN"))) {
hasLdapServiceUserDN = true; hasLdapServiceUserDN = true;
System.out.println( System.out.println(" LDAP Passwortkontrolle ServiceUser "+props.getProperty("LdapServiceUserDN")+" aktiviert");
" LDAP Passwortkontrolle ServiceUser " + props.getProperty("LdapServiceUserDN") + " aktiviert");
// momentan keine Prüfung ob LdapServiceUserPassword null oder Leerstring // momentan keine Prüfung ob LdapServiceUserPassword null oder Leerstring
} }
// we don't need all attributes, just let it get the identifying one // we don't need all attributes, just let it get the identifying one
LdapPasswordChecker.attributeFilter[0] = props.getProperty("LdapIdentifyingAttribute"); LdapPasswordChecker.attributeFilter[0] = props.getProperty("LdapIdentifyingAttribute");
// Verbindungstest wirft Exception bei Fehler // Verbindungstest wirft Exception bei Fehler
boolean isJustSetupTest = true; boolean isJustSetupTest = true;
String mandantenIDNichtRelevant = "default"; String mandantenIDNichtRelevant = "default";
@ -95,27 +92,6 @@ public class LdapPasswordChecker {
" Property \"" + name + "\" ist in Datei " + superxStandaloneLdapConfigFile + " nicht konfiguiert"); " Property \"" + name + "\" ist in Datei " + superxStandaloneLdapConfigFile + " nicht konfiguiert");
} }
public boolean isUserLocked(String benutzer) throws Exception {
if (props.size() == 0)
throw new IllegalStateException(
"LDAP Passwordchecker nicht konfiguiert, setup Methode muss vorher aufgerufen werden");
boolean result = false;
//lazy init, da viele User abgefragt werden
if (serviceCtxForLockout == null) {
serviceCtxForLockout = initContext();
}
NamingEnumeration<SearchResult> searchResults = searchForUserLockedStatus(serviceCtxForLockout, benutzer);
if (searchResults.hasMoreElements()) {
result = true;
}
return result;
}
public void closeServiceCtxForLockout() throws NamingException {
serviceCtxForLockout.close();
}
/** /**
* Prüft via LDAP ob ein Passwort OK ist * Prüft via LDAP ob ein Passwort OK ist
* *
@ -137,7 +113,7 @@ public class LdapPasswordChecker {
try { try {
serviceCtx = initContext(); serviceCtx = initContext();
if (isStandaloneTest) { if (isStandaloneTest) {
System.out.println("Reine Kontrolle, ob User " + username + " existiert"); System.out.println("Reine Kontrolle, ob User "+username+ " existiert");
} }
NamingEnumeration<SearchResult> searchResults = searchForUser(serviceCtx, username); NamingEnumeration<SearchResult> searchResults = searchForUser(serviceCtx, username);
if (!isJustSetupTest) { if (!isJustSetupTest) {
@ -163,27 +139,11 @@ public class LdapPasswordChecker {
} }
} }
// System.out.println(new Date().getTime() - start.getTime()); //System.out.println(new Date().getTime() - start.getTime());
} }
return false; return false;
} }
private NamingEnumeration<SearchResult> searchForUserLockedStatus(DirContext serviceCtx, String username)
throws NamingException {
SearchControls sc = new SearchControls();
sc.setReturningAttributes(attributeFilter);
sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
// use a search filter to find only the user we want to authenticate
if (StringUtils.isNullOrEmpty(props.getProperty("LdapLockoutFilter")))
{
throw new NamingException("LdapLockoutFilter ist nicht definiert");
}
String searchFilter = StringUtils.replace(props.getProperty("LdapLockoutFilter"), "${0}", username);
return serviceCtx.search(props.getProperty("LdapBase"), searchFilter, sc);
}
private NamingEnumeration<SearchResult> searchForUser(DirContext serviceCtx, String username) private NamingEnumeration<SearchResult> searchForUser(DirContext serviceCtx, String username)
throws NamingException { throws NamingException {
SearchControls sc = new SearchControls(); SearchControls sc = new SearchControls();
@ -192,13 +152,16 @@ public class LdapPasswordChecker {
// use a search filter to find only the user we want to authenticate // use a search filter to find only the user we want to authenticate
String searchFilter = ""; String searchFilter = "";
if (props.getProperty("LdapSearchFilter") != null) { if (props.getProperty("LdapSearchFilter")!=null)
searchFilter = StringUtils.replace(props.getProperty("LdapSearchFilter"), "${0}", username); {
} else { searchFilter=StringUtils.replace(props.getProperty("LdapSearchFilter"),"${0}", username );
searchFilter = "(" + props.getProperty("LdapIdentifyingAttribute") + "=" + username + ")";
} }
// searchFilter="(&(uid="+username+")(mail=boyle@ldap.forumsys.com))"; else
{
searchFilter="(" + props.getProperty("LdapIdentifyingAttribute") + "=" + username + ")";
}
//searchFilter="(&(uid="+username+")(mail=boyle@ldap.forumsys.com))";
return serviceCtx.search(props.getProperty("LdapBase"), searchFilter, sc); return serviceCtx.search(props.getProperty("LdapBase"), searchFilter, sc);
} }
@ -218,10 +181,8 @@ public class LdapPasswordChecker {
SearchResult result = searchResults.next(); SearchResult result = searchResults.next();
String distinguishedName = result.getNameInNamespace(); String distinguishedName = result.getNameInNamespace();
if (isStandaloneTest) { if (isStandaloneTest) {
System.out.println( System.out.println(" User "+username +" gefunden - distingushedName(DN/nameInNamespace):"+distinguishedName);
" User " + username + " gefunden - distingushedName(DN/nameInNamespace):" + distinguishedName); System.out.println(" versuche Authentifizierung für "+distinguishedName+" mit eingegebenen Passwort");
System.out
.println(" versuche Authentifizierung für " + distinguishedName + " mit eingegebenen Passwort");
} }
// attempt another authentication, now with the user, throws exception if // attempt another authentication, now with the user, throws exception if
// problem // problem

31
src/de/superx/servlet/UserInitializer.java
Unescape View File

@ -3,7 +3,6 @@ package de.superx.servlet;
import java.io.IOException; import java.io.IOException;
import java.lang.reflect.InvocationTargetException; import java.lang.reflect.InvocationTargetException;
import java.sql.Connection; import java.sql.Connection;
import java.sql.DatabaseMetaData;
import java.sql.Date; import java.sql.Date;
import java.sql.PreparedStatement; import java.sql.PreparedStatement;
import java.sql.ResultSet; import java.sql.ResultSet;
@ -509,7 +508,6 @@ public class UserInitializer {
String client_ip = request.getRemoteAddr(); String client_ip = request.getRemoteAddr();
String client_dns = request.getRemoteHost(); String client_dns = request.getRemoteHost();
String protend = ""; String protend = "";
userid = null; userid = null;
// System.out.println("c1"); // System.out.println("c1");
if (SxPools.get(mandantenID).getSqlDialect().equals("Postgres")) { if (SxPools.get(mandantenID).getSqlDialect().equals("Postgres")) {
@ -520,14 +518,10 @@ public class UserInitializer {
Connection myConnection = null; Connection myConnection = null;
try { try {
myConnection = SxPools.getConnection(mandantenID); myConnection = SxPools.getConnection(mandantenID);
boolean isUserinfoMitGueltigkeit=checkUserinfoMitGueltigkeit(myConnection);
String select="select tid, passwd_sha, administration, kennwort,akt_versuch,max_versuch from userinfo where benutzer = ? ";
if (isUserinfoMitGueltigkeit) {
select+= "and ( (gueltig_von is null or gueltig_von<=today()) and (gueltig_bis is null or gueltig_bis>=today()) )";
}
Statement stm = myConnection.createStatement(); Statement stm = myConnection.createStatement();
PreparedStatement pst = myConnection PreparedStatement pst = myConnection
.prepareStatement(select); .prepareStatement("select tid, passwd_sha, administration, kennwort,akt_versuch,max_versuch"
+ " from userinfo where benutzer = ?");
pst.setString(1, user); pst.setString(1, user);
ResultSet rs = pst.executeQuery(); ResultSet rs = pst.executeQuery();
while (rs.next()) { while (rs.next()) {
@ -549,7 +543,7 @@ public class UserInitializer {
int akt_versuch = rs.getInt(5); int akt_versuch = rs.getInt(5);
int max_versuch = rs.getInt(6); int max_versuch = rs.getInt(6);
if (akt_versuch > max_versuch|| max_versuch==0) { if (akt_versuch > max_versuch) {
rs.close(); rs.close();
pst.close(); pst.close();
stm.close(); stm.close();
@ -567,7 +561,7 @@ public class UserInitializer {
+ "'" + protend); + "'" + protend);
stm.close(); stm.close();
myConnection.close(); myConnection.close();
throw new NichtAngemeldetException("Kein gültiger Benutzer " + user + " in Datenbank vorhanden"); throw new NichtAngemeldetException("Kein Benutzer " + user + " in Datenbank vorhanden");
} }
if (passwort == null) if (passwort == null)
passwort = "dummy"; // bei LDAP oder so passwort = "dummy"; // bei LDAP oder so
@ -624,22 +618,7 @@ public class UserInitializer {
} }
} }
private boolean checkUserinfoMitGueltigkeit(Connection dbConnection) throws SQLException
{
boolean result=false;
Statement stm = dbConnection.createStatement();
DatabaseMetaData md = dbConnection.getMetaData();
ResultSet rs = md.getColumns(null, null, "userinfo", null);
while (rs.next()) {
if (rs.getString(4).equals("gueltig_von")) {
result=true;
}
}
rs.close();
return result;
}
private void updateLastLogin(Connection myConnection) throws SQLException { private void updateLastLogin(Connection myConnection) throws SQLException {
PreparedStatement pst3 = myConnection.prepareStatement("select count(*) from user_pw where userinfo_id=?"); PreparedStatement pst3 = myConnection.prepareStatement("select count(*) from user_pw where userinfo_id=?");
pst3.setInt(1, userid.intValue()); pst3.setInt(1, userid.intValue());

6
superx/WEB-INF/conf/edustore/db/bin/sx_ldap_lockout.x
Unescape View File

@ -1,6 +0,0 @@
#!/bin/bash
if [ "$1" = "" ]
then echo "Aufruf: sx_ldap_lockout.x Pfad/zu/db.properties pfad/zu/superx_standalone_ldap.properties"
exit 0
fi
java -cp "$JDBC_CLASSPATH" de.superx.bin.LdapLockout -dbproperties:$1 -ldapconfig:$2

4
superx/WEB-INF/conf/edustore/db/install/conf/kern.xml
Unescape View File

@ -1728,8 +1728,6 @@
default ="0" notnull ="false" description="Darf der User Projekte sehen" /> default ="0" notnull ="false" description="Darf der User Projekte sehen" />
<column name="extern_role_id" type="INTEGER" size="9" <column name="extern_role_id" type="INTEGER" size="9"
default="" notnull="false" /> default="" notnull="false" />
<column name="gueltig_von" type="date" description="Beginn Gültigkeit"/>
<column name="gueltig_bis" type="date" description="Ende Gültigkeit"/>
</columns> </columns>
<indexes> <indexes>
<index name="i_userinfo" type="unique"> <index name="i_userinfo" type="unique">
@ -10541,8 +10539,6 @@ Außerdem können Sie hier dem Benutzer Berechtigungen über Gruppen, Sachgebiet
<customfield name="name" nullFieldValue=""/> <customfield name="name" nullFieldValue=""/>
<customfield name="email" nullFieldValue=""/> <customfield name="email" nullFieldValue=""/>
<customfield name="admin" type="include" path="/edit/kern/userinfo_edit_admin.inc"/> <customfield name="admin" type="include" path="/edit/kern/userinfo_edit_admin.inc"/>
<customfield name="gueltig_von" nullFieldValue=""/>
<customfield name="gueltig_bis" nullFieldValue=""/>
<customfield name="max_versuch" nullFieldValue=""/> <customfield name="max_versuch" nullFieldValue=""/>
<customfield name="akt_versuch" nullFieldValue=""/> <customfield name="akt_versuch" nullFieldValue=""/>
<customfield name="password" type="include" path="/edit/kern/userinfo_edit_pw.inc"/> <customfield name="password" type="include" path="/edit/kern/userinfo_edit_pw.inc"/>

Write Preview
Loading…
Cancel
Save