From 1166d0f8cd76d8dfc0bf0a9e2e532fd31c4ebf8b Mon Sep 17 00:00:00 2001 From: "ander.ruiz" Date: Thu, 11 May 2023 14:17:38 +0200 Subject: [PATCH] Include LDAPi, CMDi and Weak Cipher --- pom.xml | 14 +++++-- .../org/hdivsamples/config/SpringWebInit.java | 23 ++++++++++++ .../controllers/DashboardController.java | 15 ++++++-- .../controllers/TransferController.java | 9 ++++- .../org/hdivsamples/dao/AccountDaoImpl.java | 37 +++++++++++++++++++ src/main/resources/ldap.ldif | 26 +++++++++++++ 6 files changed, 116 insertions(+), 8 deletions(-) create mode 100644 src/main/resources/ldap.ldif diff --git a/pom.xml b/pom.xml index a7877a36..e9843fb3 100644 --- a/pom.xml +++ b/pom.xml @@ -160,10 +160,10 @@ 1.5.3 - - org.apache.logging.log4j - log4j-slf4j-impl - 2.14.1 + + org.apache.logging.log4j + log4j-slf4j-impl + 2.14.1 commons-fileupload @@ -187,6 +187,12 @@ ${org.spring-security-version} + + com.unboundid + unboundid-ldapsdk + 5.1.0 + + junit diff --git a/src/main/java/org/hdivsamples/config/SpringWebInit.java b/src/main/java/org/hdivsamples/config/SpringWebInit.java index bbb2c93a..3455cbaa 100644 --- a/src/main/java/org/hdivsamples/config/SpringWebInit.java +++ b/src/main/java/org/hdivsamples/config/SpringWebInit.java @@ -1,5 +1,7 @@ package org.hdivsamples.config; +import java.net.URISyntaxException; +import java.nio.file.Paths; import java.util.EnumSet; import javax.servlet.DispatcherType; @@ -10,6 +12,11 @@ import org.springframework.web.filter.DelegatingFilterProxy; import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer; +import com.unboundid.ldap.listener.InMemoryDirectoryServer; +import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig; +import com.unboundid.ldap.listener.InMemoryListenerConfig; +import com.unboundid.ldap.sdk.LDAPException; + public class SpringWebInit extends AbstractAnnotationConfigDispatcherServletInitializer { @Override 
@@ -32,6 +39,13 @@ public void onStartup(final ServletContext container) throws ServletException { super.onStartup(container); + try { + configureLDAP(); + } catch (Exception e) { + // TODO Auto-generated catch block + e.printStackTrace(); + } + // Spring context listener container.addListener(new RequestContextListener()); @@ -39,4 +53,13 @@ public void onStartup(final ServletContext container) throws ServletException { container.addFilter("springSecurityFilterChain", DelegatingFilterProxy.class) .addMappingForUrlPatterns(EnumSet.of(DispatcherType.REQUEST), false, "/*"); } + + private void configureLDAP() throws LDAPException, URISyntaxException { + InMemoryDirectoryServerConfig config = new InMemoryDirectoryServerConfig("dc=example,dc=com"); + config.addAdditionalBindCredentials("cn=admin,dc=example,dc=com", "password"); + config.setListenerConfigs(InMemoryListenerConfig.createLDAPConfig("myListener", 10389)); + InMemoryDirectoryServer ds = new InMemoryDirectoryServer(config); + ds.importFromLDIF(true, Paths.get(SpringWebInit.class.getResource("/ldap.ldif").toURI()).toFile()); + ds.startListening(); + } } diff --git a/src/main/java/org/hdivsamples/controllers/DashboardController.java b/src/main/java/org/hdivsamples/controllers/DashboardController.java index 581c241e..3abb5f10 100644 --- a/src/main/java/org/hdivsamples/controllers/DashboardController.java +++ b/src/main/java/org/hdivsamples/controllers/DashboardController.java @@ -15,6 +15,10 @@ import java.security.Principal; import java.util.List; +import javax.crypto.BadPaddingException; +import javax.crypto.Cipher; +import javax.crypto.IllegalBlockSizeException; +import javax.crypto.NoSuchPaddingException; import javax.servlet.http.HttpServletResponse; import org.apache.commons.io.IOUtils; 
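Review bot: The new `catch (Exception e)` around `configureLDAP()` only prints the stack trace, so a failure to start the embedded directory (port 10389 already bound, `ldap.ldif` missing from the classpath) leaves the application running while the LDAP lookup that `AccountDaoImpl.findUsersByUsernameAndPassword` now performs will fail on every login. Startup should fail loudly instead: `} catch (LDAPException | URISyntaxException e) { throw new ServletException("embedded LDAP server failed to start", e); }`, which also removes the auto-generated TODO and the `printStackTrace()`. The rest of `onStartup` lies outside this hunk.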
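Review bot: `configureLDAP()` drops its `InMemoryDirectoryServer` reference after `startListening()`, so the listener on port 10389 can never be shut down when the context stops (a redeploy in the same JVM is then expected to fail to bind the port), and it dereferences `getResource("/ldap.ldif")` without a null check, which surfaces as a bare NullPointerException. Because this runs from the production web initializer and the listener config carries no listen address, the server with its hard-coded `cn=admin` credentials presumably accepts connections on every interface; binding it to loopback keeps the sample directory off the network. I would hold the server in a field (`private InMemoryDirectoryServer directoryServer;`), call `directoryServer.shutDown(true)` from a `ServletContextListener.contextDestroyed`, and rewrite the method as below (`java.net.InetAddress` and `java.net.URL` need importing).
```java
private void configureLDAP() throws LDAPException, URISyntaxException {
    InMemoryDirectoryServerConfig config = new InMemoryDirectoryServerConfig("dc=example,dc=com");
    config.addAdditionalBindCredentials("cn=admin,dc=example,dc=com", "password");
    // Loopback only: the embedded directory exists to serve this sample, not the network.
    config.setListenerConfigs(InMemoryListenerConfig.createLDAPConfig("myListener",
            InetAddress.getLoopbackAddress(), 10389, null));
    URL ldif = SpringWebInit.class.getResource("/ldap.ldif");
    if (ldif == null) {
        throw new IllegalStateException("ldap.ldif not found on the classpath");
    }
    directoryServer = new InMemoryDirectoryServer(config);
    directoryServer.importFromLDIF(true, Paths.get(ldif.toURI()).toFile());
    directoryServer.startListening();
}
```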
@@ -154,7 +158,7 @@ public void getCertificate(final HttpServletResponse response, final Account acc @RequestMapping(value = "/userDetail/newcertificate", method = RequestMethod.POST) @ResponseBody public String processSimple(@RequestParam(value = "file", required = false) final MultipartFile file, final Model model) - throws IOException, ClassNotFoundException, NoSuchAlgorithmException { + throws Exception { File tmpFile = File.createTempFile("serial", ".ser"); file.transferTo(tmpFile); @@ -214,8 +218,13 @@ public void getMaliciousCertificate(final HttpServletResponse response, final Ac } } + + private static byte [] getCipher(byte [] data) throws IllegalBlockSizeException, BadPaddingException, NoSuchAlgorithmException, NoSuchPaddingException { + Cipher cipher = Cipher.getInstance("DES"); + return cipher.doFinal(data); + } - private static String getFileChecksum(final MessageDigest digest, final File file) throws IOException { + private static String getFileChecksum(final MessageDigest digest, final File file) throws Exception { // Get file input stream for reading the file content FileInputStream fis = new FileInputStream(file); @@ -232,7 +241,7 @@ private static String getFileChecksum(final MessageDigest digest, final File fil fis.close(); // Get the hash's bytes - byte[] bytes = digest.digest(); + byte[] bytes = getCipher(digest.digest()); // This bytes[] has bytes in decimal format; // Convert it to hexadecimal format diff --git a/src/main/java/org/hdivsamples/controllers/TransferController.java b/src/main/java/org/hdivsamples/controllers/TransferController.java index 384ba3ef..1f27bc0b 100644 --- a/src/main/java/org/hdivsamples/controllers/TransferController.java +++ b/src/main/java/org/hdivsamples/controllers/TransferController.java @@ -1,5 +1,6 @@ package org.hdivsamples.controllers; +import java.io.IOException; import java.security.Principal; import java.util.Date; import java.util.List; 
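Review bot: Widening `processSimple` to `throws Exception` (and `getFileChecksum` in the next hunk, which now declares `throws Exception` as well) hides which checked exceptions the handler can actually raise and forces every caller of `getFileChecksum` to catch `Exception`. The only new checked types come from `getCipher`, and `IllegalBlockSizeException`, `BadPaddingException`, `NoSuchPaddingException` and `NoSuchAlgorithmException` all extend `GeneralSecurityException`, so the signatures can stay precise: `throws IOException, ClassNotFoundException, GeneralSecurityException` on the handler and `throws IOException, GeneralSecurityException` on `getFileChecksum`. The body of `processSimple` continues beyond this hunk.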
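Review bot: `getCipher` calls `doFinal` on a `Cipher` that was never initialised, and `Cipher.doFinal` throws `IllegalStateException` in that state, so `getFileChecksum` (whose call site is in the following hunk) now fails on every invocation instead of demonstrating a weak cipher. If the DES usage is the intended weak-cipher sample it needs an init step such as `cipher.init(Cipher.ENCRYPT_MODE, KeyGenerator.getInstance("DES").generateKey());` (import `javax.crypto.KeyGenerator`) and a marker comment like `// INTENTIONALLY WEAK: DES sample for scanner demos, never for real data` so later readers and code scanners do not take it for a regression. Note also that the returned value is no longer the file's digest, so the `getFileChecksum` name and the "hash's bytes" comment in the next hunk no longer describe what is returned. `getFileChecksum` begins in this hunk and continues outside it.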
@@ -32,6 +33,10 @@ public class TransferController { private static final String PENDING_TRANSFER = "PENDING_TRANSFER"; + public static Process toTraces(Runtime runtime, String command) throws IOException { + return runtime.exec(command); + } + @Autowired CashAccountDao cashaccountDao; @@ -64,8 +69,10 @@ public String newTransferForm(final Model model, final Principal principal, fina @RequestMapping(method = RequestMethod.POST) public String transfer(@Valid @ModelAttribute final Transfer transfer, final BindingResult bindingResult, final Model model, final Principal principal, @CookieValue(value = "accountType", defaultValue = AccountType.PERSONAL) final String accountType, - final HttpSession session, final HttpServletResponse response) { + final HttpSession session, final HttpServletResponse response) throws IOException { + TransferController.toTraces(Runtime.getRuntime(), "echo "+transfer.getFromAccount()+" to account "+transfer.getToAccount()+" accountType:"+accountType+">traces.txt"); + if (bindingResult.hasErrors()) { return newTransferForm(model, principal, response); } diff --git a/src/main/java/org/hdivsamples/dao/AccountDaoImpl.java b/src/main/java/org/hdivsamples/dao/AccountDaoImpl.java index 7a8bb661..197d9b45 100644 --- a/src/main/java/org/hdivsamples/dao/AccountDaoImpl.java +++ b/src/main/java/org/hdivsamples/dao/AccountDaoImpl.java @@ -1,8 +1,17 @@ package org.hdivsamples.dao; import java.sql.ResultSet; +import java.util.Hashtable; import java.util.List; +import javax.naming.Context; +import javax.naming.NamingEnumeration; +import javax.naming.NamingException; +import javax.naming.directory.DirContext; +import javax.naming.directory.InitialDirContext; +import javax.naming.directory.SearchControls; +import javax.naming.directory.SearchResult; + import org.hdivsamples.bean.Account; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.jdbc.core.JdbcTemplate; 
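Review bot: `toTraces` returns a `Process` that `transfer` (next hunk) discards, so the child's stdout and stderr pipes are never drained or closed and the handles stay open until GC; and `Runtime.exec(String)` runs no shell, so `>traces.txt` is tokenised into a plain argument to `echo` and no trace file is ever written. If this is the intended command-injection sample it should be labelled at the sink, `// INTENTIONALLY VULNERABLE (CMDi sample): command is built from request data` above `return runtime.exec(command);`, and the caller should at least `waitFor()` the process inside a try/finally that calls `destroy()`. If a trace file is actually wanted, `Files.writeString(Path.of("traces.txt"), line, StandardOpenOption.CREATE, StandardOpenOption.APPEND)` does the job without spawning a process. `transfer` continues outside the hunk.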
@@ -17,6 +26,34 @@ public class AccountDaoImpl implements AccountDao { @Override public List findUsersByUsernameAndPassword(final String username, final String password) { + + String ldapUrl = "ldap://localhost:10389"; + String baseDn = "dc=example,dc=com"; + String bindDn = "cn=admin," + baseDn; + String bindPassword = "password"; + + // Set up the environment for creating the initial context + Hashtable env = new Hashtable<>(); + env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); + env.put(Context.PROVIDER_URL, ldapUrl); + env.put(Context.SECURITY_AUTHENTICATION, "simple"); + env.put(Context.SECURITY_PRINCIPAL, bindDn); + env.put(Context.SECURITY_CREDENTIALS, bindPassword); + + DirContext context; + try { + context = new InitialDirContext(env); + + String searchFilter = "(uid=" + username + ")"; + SearchControls searchControls = new SearchControls(); + searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE); + NamingEnumeration searchResults = context.search(baseDn, searchFilter, searchControls); + + } catch (NamingException e) { + throw new RuntimeException(e); + } + + String str = "select * from account where username='" + username + "' AND password='" + password + "'"; diff --git a/src/main/resources/ldap.ldif b/src/main/resources/ldap.ldif new file mode 100644 index 00000000..c43de9d7 --- /dev/null +++ b/src/main/resources/ldap.ldif @@ -0,0 +1,26 @@ +dn: dc=example,dc=com +objectClass: top +objectClass: domain +dc: example + +dn: cn=admin,dc=example,dc=com +objectClass: top +objectClass: person +cn: admin +sn: admin +userPassword: password + +dn: ou=people,dc=example,dc=com +objectClass: top +objectClass: organizationalUnit +ou: people + +dn: uid=jdoe,ou=people,dc=example,dc=com +objectClass: top +objectClass: person +objectClass: inetOrgPerson +uid: john +cn: John Doe +sn: Doe +userPassword: password +mail: jdoe@example.com
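Review bot: The `InitialDirContext` opened in `findUsersByUsernameAndPassword` is never closed and its `NamingEnumeration` result is never read or closed, so every login opens a connection to the embedded directory that stays open until GC; `javax.naming.Context` is not `AutoCloseable`, so the release has to be an explicit `finally`. The filter built from the raw `username` is presumably the intended LDAP-injection sample and should be marked as such in a comment rather than left looking like an oversight, and the hard-coded `cn=admin`/`password` bind credentials duplicate the ones in `SpringWebInit` instead of being shared from one place. The method's SQL part continues outside this hunk; the rewritten lookup block is below.
```java
DirContext context = null;
try {
    context = new InitialDirContext(env);

    // INTENTIONALLY VULNERABLE (LDAPi sample): filter is built from unescaped request input
    String searchFilter = "(uid=" + username + ")";
    SearchControls searchControls = new SearchControls();
    searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE);
    NamingEnumeration<SearchResult> searchResults = context.search(baseDn, searchFilter, searchControls);
    searchResults.close();
} catch (NamingException e) {
    throw new RuntimeException(e);
} finally {
    if (context != null) {
        try {
            context.close();
        } catch (NamingException ignored) {
            // best effort: the connection is being discarded anyway
        }
    }
}
// … unchanged: SQL lookup …
```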
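Review bot: The last entry's RDN is `uid=jdoe` but its attribute reads `uid: john`, so the entry's naming attribute and its value disagree; depending on how strictly the in-memory server checks RDN consistency, the import will either reject the entry or leave it unmatched by a `(uid=jdoe)` lookup of the kind the DAO issues. Change `uid: john` to `uid: jdoe` (or the DN to `uid=john,ou=people,dc=example,dc=com`) so the fixture matches its own DN.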