lams-github / lams_central / src / java / org / lamsfoundation / lams

security

Clone Tools

Stats

Commits this week: 0
Total Committers: 12
Last Commit:
Commits this week: 0

Lines of code count not available

Commit Activity

Commits By Day In Week
52 week commits volume
Commits By Day In Week
Commits by day
Commits By Day In Week
Commits by hour
Commits By Hour In Day
Commit calendar
 

Most active committers (90 days)

loading
loading
  • last updated a few seconds ago
Constraints
Constraints: committers
 
Constraints: files
Constraints: dates
Wednesday 21 Sep 2022
4:57 pm

Marcin Cieslak

Merge remote-tracking branch 'origin/LDEV-5302' into v4.7

Conflicts:

lams_admin/conf/language/lams/ApplicationResources_zh_CN.properties

lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/UserController.java

lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/UserOrgRoleSaveController.java

lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/UserRolesSaveController.java

lams_admin/web/user.jsp

lams_central/conf/language/lams/ApplicationResources_zh_CN.properties

lams_central/src/java/org/lamsfoundation/lams/web/DisplayGroupController.java

lams_common/src/java/org/lamsfoundation/lams/usermanagement/service/UserManagementService.java

Options
    • -6
    • +12
    ./UniversalLoginModule.java
  2. … 58 more files in changeset.
Monday 04 Jul 2022
8:06 am

Ernie Ghiglione

LDEV-5320 Initial commits for audits

These are some initial commits that might change via Marcin's aspect approach.

Options
    • -2
    • +2
    ./UniversalLoginModule.java
  2. … 6 more files in changeset.
Monday 21 Mar 2022
6:23 pm

Marcin Cieslak

LDEV-5302 Sysadmin is always appadmin

Options
    • -3
    • +9
    ./UniversalLoginModule.java
  2. … 2 more files in changeset.
5:09 pm

Marcin Cieslak

LDEV-5302 Rename sysadmin role to appadmin

Options
    • -4
    • +4
    ./UniversalLoginModule.java
  2. … 181 more files in changeset.
Sunday 17 Jan 2021
11:42 pm

Marcin Cieslak

LDEV-3578 Increase auth token life time for long auth delays

Options
    • -1
    • +1
    ./UniversalLoginModule.java
Tuesday 05 Nov 2019
6:52 pm

Marcin Cieslak

LDEV-4901 Rewrite session invalidation mechanism

On WildFly 8 session invalidation mechanism had some bugs. Marek

introduced a workaround in LDEV-3413. The mechanism was adjusted in

LDEV-4293, especially in this commit

https://code.lamsfoundation.org/fisheye/changelog/lams-github?cs=131ce42e64069f574a2a4a9bc1e5c4be4918e5bb

Newer WildFly versions do not seem to have this bug. A part of

workaround was removed in LDEV-4696, but invalidation mechanism stayed

as if the bugs were still present. The mechanism introduced the problem

with timeouts. Now that the bugs seems to be gone, the invalidation

mechanism was rewritten to a more straightforward version which should

have been used from the start.

It is worth keeping in mind that when one user session is present and

another is being created (another browser, integration call, sysadmin's

LoginAs feature), then user gets authenticated, then old session gets

invalidated and the user gets authenticated AGAIN by WildFly using

cached credentials. Caching is so useful that we can not turn it off. It

means that, though, we need to keep login token generated by

LoginRequestServlet for longer than just first authentication, as we get

authentication call twice. Now we keep it until it is timed out.

Options
    • -7
    • +12
    ./UniversalLoginModule.java
  2. … 3 more files in changeset.
Saturday 09 Sep 2017
4:42 pm

Marcin Cieslak

LDEV-4293 Skip isSysAdmin check when there is no session

The code that checks if user is sysadmin depends on HTTP session being

present in SessionManager. It is normally present as the authentication

request goes through SsoHandler which initiates the session. It is not

the case, though, when session gets replicated and UniversalLoginModule

is accessed directly.

The fix skips the check in no session is present, which means that

sysadmin will need to authenticate same as regular user, which is OK for

this edge situation. Session failover still works.

Options
    • -6
    • +10
    ./UniversalLoginModule.java
Thursday 01 Dec 2016
11:08 am

SanjanaPabsetti <Sanjana.pabsetti@gmail.com>

LDEV-4030 :Disable login for a few minutes after X number of attempts

Options
    • -1
    • +1
    ./UniversalLoginModule.java
  2. … 5 more files in changeset.
Wednesday 11 May 2016
3:08 pm

Marcin Cieslak

LDEV-3776: Remove $Id CVS keyword.

Options
    • -1
    • +1
    ./DatabaseAuthenticator.java
    • -1
    • +1
    ./LDAPAuthenticator.java
    • -1
    • +1
    ./SimpleGroup.java
    • -1
    • +1
    ./SimplePrincipal.java
  5. … 779 more files in changeset.
Thursday 05 May 2016
4:11 pm

Marcin Cieslak

LDEV-3776: Clean up and format all LAMS Java code.

Options
    • -6
    • +6
    ./DatabaseAuthenticator.java
    • -6
    • +5
    ./LDAPAuthenticator.java
    • -9
    • +9
    ./SimpleGroup.java
    • -7
    • +7
    ./SimplePrincipal.java
    • -13
    • +14
    ./UniversalLoginModule.java
  6. … 1856 more files in changeset.
Wednesday 16 Mar 2016
8:14 pm

Marcin Cieslak

LDEV-3674: Remove multiple Flash elements: Authoring, icons, themes, i18n files, WDDX libraries and classes, methods, servlets etc. Rename/rewrite methods for Flashless use.

Options
    • -24
    • +6
    ./UniversalLoginModule.java
  2. … 420 more files in changeset.
Friday 23 Oct 2015
4:42 pm

Marcin Cieslak

LDEV-3578: Use single-use passwords for internal authentication in LoginRequestServlet and LoginAsAction.

Options
    • -7
    • +18
    ./UniversalLoginModule.java
  2. … 3 more files in changeset.
Wednesday 21 Oct 2015
7:44 pm

Marcin Cieslak

LDEV-3578: Convert passwords from sha1 to sha256 with salt after successful authentication and on password change. Remove password hashing in browser. Change internal authentication mechanism for LoginRequestServlet and LoginAsAction.

Options
    • -41
    • +93
    ./DatabaseAuthenticator.java
    • -23
    • +33
    ./UniversalLoginModule.java
  3. … 22 more files in changeset.
Monday 19 Oct 2015
8:21 pm

Marcin Cieslak

LDEV-3591: Flatten UniversalLoginModule hierarchy - it was just a single leaf anyway. Format code. Clean up logs, errors and comments. Move queries from config files to code.

Options
    • -307
    • +0
    ./AbstractServerLoginModule.java
    • -76
    • +65
    ./DatabaseAuthenticator.java
    • -56
    • +39
    ./LDAPAuthenticator.java
    • -139
    • +0
    ./NestableGroup.java
    • -96
    • +68
    ./SimpleGroup.java
    • -29
    • +33
    ./SimplePrincipal.java
    • -204
    • +332
    ./UniversalLoginModule.java
    • -340
    • +0
    ./UsernamePasswordLoginModule.java
  9. … 5 more files in changeset.
Friday 28 Nov 2014
8:27 pm

Marcin Cieslak

LDEV-3383: Remove Web authentication method.

Options
    • -3
    • +0
    ./UniversalLoginModule.java
    • -42
    • +0
    ./WebAuthAuthenticator.java
    • -86
    • +0
    ./WebAuthServlet.java
  4. … 3 more files in changeset.
Tuesday 25 Nov 2014
5:39 pm

Marcin Cieslak

LDEV-3335, LDEV-3340: Make SessionManager a storage for servlet context, so it can be accesses by other classes at any time. Remove obsolete SSO classes.

Options
    • -2
    • +2
    ./LDAPAuthenticator.java
    • -2
    • +1
    ./UniversalLoginModule.java
    • -1
    • +1
    ./WebAuthServlet.java
  4. … 13 more files in changeset.
4:43 pm

Marcin Cieslak

LDEV-3335, LDEV-3340: Remove or simplify SSO components. Fix sysadmin LoginAs functionality.

Options
    • -116
    • +0
    ./JspRedirectStrategy.java
    • -29
    • +30
    ./LDAPAuthenticator.java
    • -2
    • +3
    ./UniversalLoginModule.java
  4. … 15 more files in changeset.
Wednesday 19 Nov 2014
12:21 am

Marcin Cieslak

LDEV-3335, LDEV-3334: Use SSO mechanism introduced in WildFly 9. Do not create web.xml files with XDoclet as it can not produce them based on 3.1 schema. Use static ones instead. Make SessionManager just a proxy to webserver's HTTP session. Remov custom shared sessions and JSESSIONIDSSO cookie as they are obsolete. Remove own session monitoring as the container should take care of invalidation. Move injecting UserDTO into session to SsoHandler intead of UniversalLoginModule as an authentication request may not reach the latter due to WildFly credentials caching.

Options
    • -308
    • +282
    ./UniversalLoginModule.java
  2. … 226 more files in changeset.
Wednesday 15 Oct 2014
12:43 am

Marcin Cieslak

LDEV-3275: Remove duplicate error log.

Options
    • -1
    • +0
    ./UniversalLoginModule.java
Tuesday 14 Oct 2014
8:49 pm

Marcin Cieslak

LDEV-3275: Add SsoConsumer in LAMS Central as requests (index.jsp, index.do) immediate after j_security_check are also being authenticated. They also are considered an authentication attempt, but they bypass shared session creation in SsoProducer and it causes errors. This was addressed by a simple check - no shared session in UniversalLoginModule, no authentication attempt.

Options
    • -2
    • +2
    ./UniversalLoginModule.java
  2. … 2 more files in changeset.
Tuesday 30 Sep 2014
9:11 pm

Marcin Cieslak

LDEV-3315: Clean up roles and paths to secured resources in all modules. Remove AUTHOR ADMIN role.

Options
    • -287
    • +307
    ./UniversalLoginModule.java
  2. … 72 more files in changeset.
Friday 19 Sep 2014
6:55 pm

Marcin Cieslak

LDEV-3275: Introduce SSO using Undertow mechanisms.

Valves do not exist in Undertow. Another approach had to be used.

In each WAR there is a file in META-INF/service dir which adds a class in request processing chaing.

For Central it is SsoProducer which put the authenticated account into shared session.

All other modules use SsoConsumer which takes the account and puts it into its security context.

In standalone.xml caching of credentials was switched off as it would prevent UniversalLoginModule from putting UserDTO into shared session.

TODO: use a simple pass-all authentication mechanism for static files like images and JS files.

Options
    • -308
    • +287
    ./UniversalLoginModule.java
  2. … 12 more files in changeset.
Thursday 18 Feb 2010
1:43 pm

lfoxton

SIF-4 Making single-signon capabilities for openid

Options
    • -282
    • +313
    ./UniversalLoginModule.java
  2. … 31 more files in changeset.
Thursday 20 Aug 2009
12:40 pm

lfoxton

LDEV-2420 Removing uneccessary data structures and tables from the db, as well as implementing the same theme settings for flash themes

Options
    • -7
    • +23
    ./UniversalLoginModule.java
  2. … 49 more files in changeset.
Wednesday 19 Aug 2009
2:45 pm

lfoxton

LDEV-2420 Adding functionality to add new themes to the database. All that is left now is to remove the defunct tables that are not used

Options
    • -4
    • +38
    ./UniversalLoginModule.java
  2. … 21 more files in changeset.
Wednesday 15 Jul 2009
10:01 am

jliew

immediately return false if login blank

Options
    • -1
    • +3
    ./LDAPAuthenticator.java
Tuesday 18 Nov 2008
3:19 pm

jliew

LDEV-2029 implement initial bind user for ldap

Options
    • -9
    • +15
    ./LDAPAuthenticator.java
  2. … 10 more files in changeset.
1:21 pm

jliew

LDEV-2028 ldap authentication now uses a general search filter instead of manually setting tree paths.

Options
    • -63
    • +89
    ./LDAPAuthenticator.java
  2. … 11 more files in changeset.
Thursday 13 Nov 2008
9:20 am

jliew

use Sun 120 formatting standard

Options
    • -226
    • +239
    ./UniversalLoginModule.java
9:18 am

jliew

LDEV-1937 try another method of getting spring bean when NoSuchBeanDefinitionException encountered

Options
    • -3
    • +15
    ./UniversalLoginModule.java