Repository: syncope Updated Branches: refs/heads/2_0_X b6dfd13e2 -> d9091cdbe refs/heads/master 59d6d4a37 -> d611e65aa
Removing deprecations Project: http://git-wip-us.apache.org/repos/asf/syncope/repo Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/d9091cdb Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/d9091cdb Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/d9091cdb Branch: refs/heads/2_0_X Commit: d9091cdbeee873a5663ccebfc30c67861aa9d768 Parents: b6dfd13 Author: Francesco Chicchiriccò <ilgro...@apache.org> Authored: Mon Jun 19 17:07:48 2017 +0200 Committer: Francesco Chicchiriccò <ilgro...@apache.org> Committed: Mon Jun 19 17:07:48 2017 +0200 ---------------------------------------------------------------------- .../enduser/resources/CaptchaResource.java | 11 ++++- common/lib/pom.xml | 4 ++ .../common/lib/SecureTextRandomProvider.java | 36 +++++++++++++++++ .../core/spring/security/SecureRandomUtils.java | 42 ++++++++++++++++---- .../syncope/installer/utilities/HttpUtils.java | 6 +-- pom.xml | 6 +++ 6 files changed, 92 insertions(+), 13 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/syncope/blob/d9091cdb/client/enduser/src/main/java/org/apache/syncope/client/enduser/resources/CaptchaResource.java ---------------------------------------------------------------------- diff --git a/client/enduser/src/main/java/org/apache/syncope/client/enduser/resources/CaptchaResource.java b/client/enduser/src/main/java/org/apache/syncope/client/enduser/resources/CaptchaResource.java index 528bc46..a514498 100644 --- a/client/enduser/src/main/java/org/apache/syncope/client/enduser/resources/CaptchaResource.java +++ b/client/enduser/src/main/java/org/apache/syncope/client/enduser/resources/CaptchaResource.java 
@@ -19,8 +19,10 @@ package org.apache.syncope.client.enduser.resources; import javax.servlet.http.HttpServletRequest; -import org.apache.commons.lang3.RandomStringUtils; +import org.apache.commons.text.CharacterPredicates; +import org.apache.commons.text.RandomStringGenerator; import org.apache.syncope.client.enduser.SyncopeEnduserConstants; +import org.apache.syncope.common.lib.SecureTextRandomProvider; import org.apache.wicket.extensions.markup.html.captcha.CaptchaImageResource; import org.apache.wicket.request.cycle.RequestCycle; import org.slf4j.Logger; @@ -32,11 +34,16 @@ public class CaptchaResource extends CaptchaImageResource { private static final Logger LOG = LoggerFactory.getLogger(CaptchaResource.class); + private static final RandomStringGenerator RANDOM_LETTERS = new RandomStringGenerator.Builder(). + usingRandom(new SecureTextRandomProvider()). + filteredBy(CharacterPredicates.LETTERS). + build(); + @Override protected byte[] render() { LOG.debug("Generate captcha"); - String captcha = RandomStringUtils.randomAlphabetic(6); + String captcha = RANDOM_LETTERS.generate(6); HttpServletRequest request = ((HttpServletRequest) RequestCycle.get().getRequest().getContainerRequest()); // store the captcha in the current session request.getSession().setAttribute(SyncopeEnduserConstants.CAPTCHA_SESSION_KEY, captcha); http://git-wip-us.apache.org/repos/asf/syncope/blob/d9091cdb/common/lib/pom.xml ---------------------------------------------------------------------- diff --git a/common/lib/pom.xml b/common/lib/pom.xml index f6650ff..8cfc677 100644 --- a/common/lib/pom.xml +++ b/common/lib/pom.xml 
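Review bot: `RANDOM_LETTERS` filters with `CharacterPredicates.LETTERS` but never narrows the code-point range, so unless the `RandomStringGenerator.Builder` default range is narrower than I recall (the full Unicode range), `generate(6)` can now return any Unicode letter, whereas the replaced `RandomStringUtils.randomAlphabetic(6)` yielded only A-Z/a-z. Non-Latin letters may not render in the captcha image or be typeable by the user, which would lock people out of the end-user flow. Restricting the range keeps the old behaviour: `new RandomStringGenerator.Builder().usingRandom(new SecureTextRandomProvider()).withinRange('A', 'z').filteredBy(CharacterPredicates.LETTERS).build();` (the non-letters between 'Z' and 'a' are dropped by the predicate). Moving the captcha to a `SecureRandom`-backed provider is itself a sound change. `render()` continues past the end of the hunk.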
@@ -67,6 +67,10 @@ under the License. </dependency> <dependency> <groupId>org.apache.commons</groupId> + <artifactId>commons-text</artifactId> + </dependency> + <dependency> + <groupId>org.apache.commons</groupId> <artifactId>commons-collections4</artifactId> </dependency> http://git-wip-us.apache.org/repos/asf/syncope/blob/d9091cdb/common/lib/src/main/java/org/apache/syncope/common/lib/SecureTextRandomProvider.java ---------------------------------------------------------------------- diff --git a/common/lib/src/main/java/org/apache/syncope/common/lib/SecureTextRandomProvider.java b/common/lib/src/main/java/org/apache/syncope/common/lib/SecureTextRandomProvider.java new file mode 100644 index 0000000..ee13bc4 --- /dev/null +++ b/common/lib/src/main/java/org/apache/syncope/common/lib/SecureTextRandomProvider.java 
@@ -0,0 +1,36 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.syncope.common.lib;
+
+import java.security.SecureRandom;
+import org.apache.commons.text.TextRandomProvider;
+
+/**
+ * {@link TextRandomProvider} baking {@link SecureRandom}.
+ */
+public class SecureTextRandomProvider implements TextRandomProvider {
+
+ private static final SecureRandom RANDOM = new SecureRandom();
+
+ @Override
+ public int nextInt(final int max) {
+ return RANDOM.nextInt(max);
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/syncope/blob/d9091cdb/core/spring/src/main/java/org/apache/syncope/core/spring/security/SecureRandomUtils.java ----------------------------------------------------------------------
diff --git a/core/spring/src/main/java/org/apache/syncope/core/spring/security/SecureRandomUtils.java b/core/spring/src/main/java/org/apache/syncope/core/spring/security/SecureRandomUtils.java
index 04aad69..9fe8cb3 100644
--- a/core/spring/src/main/java/org/apache/syncope/core/spring/security/SecureRandomUtils.java
+++ b/core/spring/src/main/java/org/apache/syncope/core/spring/security/SecureRandomUtils.java
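Review bot: The class Javadoc reads `{@link TextRandomProvider} baking {@link SecureRandom}`; it should say `backed by`, and it is worth stating the property callers rely on, e.g. `A single static SecureRandom is shared by all instances; SecureRandom is thread-safe, so this provider may be used from any thread.` A short `@param max`/`@return` on `nextInt` noting that it delegates to `SecureRandom.nextInt(int)` (exclusive upper bound, `IllegalArgumentException` when `max` is not positive) would also help callers that pass computed ranges. Since this class now lives in `common/lib`, the same secure source serves both the core password helpers and the end-user captcha, which is the right direction.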
@@ -18,28 +18,54 @@ */ package org.apache.syncope.core.spring.security; -import java.security.SecureRandom; - -import org.apache.commons.lang3.RandomStringUtils; +import org.apache.commons.text.CharacterPredicate; +import org.apache.commons.text.CharacterPredicates; +import org.apache.commons.text.RandomStringGenerator; +import org.apache.syncope.common.lib.SecureTextRandomProvider; public final class SecureRandomUtils { - private static final SecureRandom RANDOM = new SecureRandom(); + private static final RandomStringGenerator FOR_PASSWORD = new RandomStringGenerator.Builder(). + usingRandom(new SecureTextRandomProvider()). + build(); + + private static final RandomStringGenerator FOR_LETTERS = new RandomStringGenerator.Builder(). + usingRandom(new SecureTextRandomProvider()). + filteredBy(CharacterPredicates.LETTERS). + build(); + + private static final RandomStringGenerator FOR_NUMBERS = new RandomStringGenerator.Builder(). + usingRandom(new SecureTextRandomProvider()). + filteredBy(CharacterPredicates.LETTERS). + build(); public static String generateRandomPassword(final int tokenLength) { - return RandomStringUtils.random(tokenLength, 0, 0, true, false, null, RANDOM); + return FOR_PASSWORD.generate(tokenLength); } public static String generateRandomLetter() { - return RandomStringUtils.random(1, 0, 0, true, false, null, RANDOM); + return FOR_LETTERS.generate(1); } public static String generateRandomNumber() { - return RandomStringUtils.random(1, 0, 0, false, true, null, RANDOM); + return FOR_NUMBERS.generate(1); } public static String generateRandomSpecialCharacter(final char[] characters) { - return RandomStringUtils.random(1, 0, 0, false, false, characters, RANDOM); + return new RandomStringGenerator.Builder(). + usingRandom(new SecureTextRandomProvider()). 
+ filteredBy(new CharacterPredicate() { + + @Override + public boolean test(final int codePoint) { + boolean found = false; + for (int i = 0; i < characters.length && !found; i++) { + found = codePoint == Character.codePointAt(characters, i); + } + + return found; + } + }).build().generate(1); } private SecureRandomUtils() { http://git-wip-us.apache.org/repos/asf/syncope/blob/d9091cdb/installer/src/main/java/org/apache/syncope/installer/utilities/HttpUtils.java ---------------------------------------------------------------------- diff --git a/installer/src/main/java/org/apache/syncope/installer/utilities/HttpUtils.java b/installer/src/main/java/org/apache/syncope/installer/utilities/HttpUtils.java index 43443d3..3c121ca 100644 --- a/installer/src/main/java/org/apache/syncope/installer/utilities/HttpUtils.java +++ b/installer/src/main/java/org/apache/syncope/installer/utilities/HttpUtils.java @@ -34,8 +34,8 @@ import org.apache.http.client.methods.CloseableHttpResponse; import org.apache.http.client.methods.HttpGet; import org.apache.http.client.methods.HttpPost; import org.apache.http.client.protocol.HttpClientContext; +import org.apache.http.conn.ssl.NoopHostnameVerifier; import org.apache.http.conn.ssl.SSLConnectionSocketFactory; -import org.apache.http.conn.ssl.SSLContextBuilder; import org.apache.http.conn.ssl.TrustSelfSignedStrategy; import org.apache.http.entity.ContentType; import org.apache.http.entity.StringEntity; @@ -47,6 +47,7 @@ import org.apache.http.impl.client.BasicAuthCache; import org.apache.http.impl.client.BasicCredentialsProvider; import org.apache.http.impl.client.CloseableHttpClient; import org.apache.http.impl.client.HttpClients; +import org.apache.http.ssl.SSLContextBuilder; public class HttpUtils { 
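Review bot: `FOR_NUMBERS` is built with `filteredBy(CharacterPredicates.LETTERS)`, so `generateRandomNumber()` now returns a letter instead of a digit (the replaced call passed `numbers=true`), and any password policy that relies on it to satisfy a required-digit rule will silently produce non-compliant passwords; it should read `filteredBy(CharacterPredicates.DIGITS)`. `FOR_PASSWORD` has no `filteredBy` at all, while the replaced `RandomStringUtils.random(tokenLength, 0, 0, true, false, null, RANDOM)` restricted output to letters; unless the Builder's default code-point range is narrower than I recall, `generateRandomPassword` can now emit control characters, whitespace and arbitrary Unicode, so add `filteredBy(CharacterPredicates.LETTERS)` (plus a `withinRange` if ASCII-only output is expected, as before). In `generateRandomSpecialCharacter` the anonymous predicate is false for every code point when `characters` is empty; the old `RandomStringUtils.random` rejected an empty array up front, whereas I believe `generate(1)` keeps drawing until a code point is accepted, i.e. it would hang, so guard with `if (characters == null || characters.length == 0) { throw new IllegalArgumentException("characters must not be empty"); }` before building the generator.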
@@ -200,8 +201,7 @@ public class HttpUtils { final SSLContextBuilder builder = new SSLContextBuilder(); builder.loadTrustMaterial(null, new TrustSelfSignedStrategy()); chc = HttpClients.custom().setSSLSocketFactory( - new SSLConnectionSocketFactory(builder.build(), - SSLConnectionSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER)).build(); + new SSLConnectionSocketFactory(builder.build(), NoopHostnameVerifier.INSTANCE)).build(); } catch (Exception ex) { // ignore } http://git-wip-us.apache.org/repos/asf/syncope/blob/d9091cdb/pom.xml ---------------------------------------------------------------------- diff --git a/pom.xml b/pom.xml index eaca35f..bcd8b69 100644 --- a/pom.xml +++ b/pom.xml @@ -390,6 +390,7 @@ under the License. <commons-codec.version>1.10</commons-codec.version> <commons-jexl.version>3.1</commons-jexl.version> <commons-lang.version>3.6</commons-lang.version> + <commons-text.version>1.1</commons-text.version> <commons-collection.version>4.1</commons-collection.version> <commons-logging.version>1.1.3</commons-logging.version> @@ -978,6 +979,11 @@ under the License. </dependency> <dependency> <groupId>org.apache.commons</groupId> + <artifactId>commons-text</artifactId> + <version>${commons-text.version}</version> + </dependency> + <dependency> + <groupId>org.apache.commons</groupId> <artifactId>commons-collections4</artifactId> <version>${commons-collection.version}</version> </dependency>
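Review bot: Replacing `ALLOW_ALL_HOSTNAME_VERIFIER` with `NoopHostnameVerifier.INSTANCE` keeps hostname verification disabled, and together with `TrustSelfSignedStrategy` the installer's client will accept any self-signed certificate for any host, so a man-in-the-middle on the path to the core can read whatever credentials this client sends (`BasicCredentialsProvider` is imported). If that is an accepted trade-off for an installer talking to a just-deployed instance, say so next to the factory, e.g. `// intentionally lax TLS: installer targets a fresh deployment that usually has a self-signed cert; do not reuse this client elsewhere`, and consider making it opt-in via an installer option. The `catch (Exception ex) { // ignore }` that follows swallows SSL-context failures and leaves `chc` in whatever state it had, so a broken trust setup surfaces only as a later, unrelated error; logging the exception would at least make it diagnosable. The enclosing method starts before this hunk.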