Index: lams_build/lib/lams/lams.jar
===================================================================
diff -u -ra4102d6aaf60f794f067e12b10bfafdadf26a703 -r567018f37ff59abaa5c6acf8a50209543857542f
Binary files differ
Index: lams_central/src/java/org/lamsfoundation/lams/web/LoginRequestServlet.java
===================================================================
diff -u -ra4102d6aaf60f794f067e12b10bfafdadf26a703 -r567018f37ff59abaa5c6acf8a50209543857542f
--- lams_central/src/java/org/lamsfoundation/lams/web/LoginRequestServlet.java (.../LoginRequestServlet.java) (revision a4102d6aaf60f794f067e12b10bfafdadf26a703)
+++ lams_central/src/java/org/lamsfoundation/lams/web/LoginRequestServlet.java (.../LoginRequestServlet.java) (revision 567018f37ff59abaa5c6acf8a50209543857542f)
@@ -134,7 +134,19 @@ langIsoCode, countryIsoCode, email, prefix, isUpdateUserDetails); } - Authenticator.authenticate(serverMap, timestamp, extUsername, method, hash); + //in case of request for learner with strict authentication check cache should also contain lsid + if (LoginRequestDispatcher.METHOD_LEARNER_STRICT_AUTHENTICATION.equals(method)) { + String lsId = request.getParameter(LoginRequestDispatcher.PARAM_LESSON_ID); + if (lsId == null) { + response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Login Failed - lsId parameter missing"); + return; + } + Authenticator.authenticate(serverMap, timestamp, extUsername, method, lsId, hash); + + } else { + Authenticator.authenticate(serverMap, timestamp, extUsername, method, hash); + } + User user = userMap.getUser(); String login = user.getLogin(); // The "extUser" attribute works as a flag to indicate if the user has logged in Index: lams_common/src/java/org/lamsfoundation/lams/integration/security/Authenticator.java =================================================================== diff -u -r9d9f6831591a5a8253ccb65c59e4df7e9d9761ac -r567018f37ff59abaa5c6acf8a50209543857542f --- lams_common/src/java/org/lamsfoundation/lams/integration/security/Authenticator.java (.../Authenticator.java) (revision 9d9f6831591a5a8253ccb65c59e4df7e9d9761ac) +++ lams_common/src/java/org/lamsfoundation/lams/integration/security/Authenticator.java (.../Authenticator.java) (revision 567018f37ff59abaa5c6acf8a50209543857542f) @@ -30,39 +30,94 @@ *
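Review bot: The lsid binding is opt-in — the `else` branch still accepts the plain `learner` method with an unsigned `lsid`, so any integration that keeps sending `learner` remains exposed to exactly the lesson-id tampering the new `learnerStrictAuth` method is meant to stop. Because `method` is itself part of the hashed plaintext an attacker cannot downgrade a `learnerStrictAuth` request to `learner`, but nothing here pushes external servers to migrate; at minimum the legacy branch deserves a warning such as `// legacy: lsid is not covered by the hash here, so a valid learner URL can be replayed with a different lesson id`. The `lsId == null` guard also lets an empty string through to the hash computation; `if (lsId == null || lsId.trim().isEmpty())` rejects it before any hashing is done. The enclosing servlet method starts before and continues after this hunk.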
* View Source *
- * + * * @author Fei Yang */ public class Authenticator { - public static void authenticate(ExtServerOrgMap map, String datetime, String username, String method, String hashValue) throws AuthenticationException{ - if(map==null) throw new AuthenticationException("The third party server is not configured on LAMS server"); - if(map.getDisabled()) throw new AuthenticationException("The third party server is disabled"); - String plaintext = datetime.toLowerCase().trim() + - username.toLowerCase().trim() + - method.toLowerCase().trim() + - map.getServerid().toLowerCase().trim() + - map.getServerkey().toLowerCase().trim(); - checkHash(plaintext, hashValue); + /** + * Checks hash. Hash is expected to be constructed using the following formula [ts + uid + method + serverID + + * serverKey]. (Note: all lower case before hashing) + * + * @param map + * @param datetime + * @param username + * @param method + * @param hashValue + * @throws AuthenticationException + */ + public static void authenticate(ExtServerOrgMap map, String datetime, String username, String method, + String hashValue) throws AuthenticationException { + if (map == null) { + throw new AuthenticationException("The third party server is not configured on LAMS server"); } - - public static void authenticate(ExtServerOrgMap map, String datetime, String username, String hashValue) throws AuthenticationException{ - if(map==null) throw new AuthenticationException("The third party server is not configured on LAMS server"); - if(map.getDisabled()) throw new AuthenticationException("The third party server is disabled"); - String plaintext = datetime.toLowerCase().trim()+username.toLowerCase().trim()+map.getServerid().toLowerCase().trim()+map.getServerkey().toLowerCase().trim(); - checkHash(plaintext, hashValue); + if (map.getDisabled()) { + throw new AuthenticationException("The third party server is disabled"); } - public static void authenticate(ExtServerOrgMap map, String datetime, String hashValue) throws 
AuthenticationException{ - if(map==null) throw new AuthenticationException("The third party server is not configured on LAMS server"); - if(map.getDisabled()) throw new AuthenticationException("The third party server is disabled"); - String plaintext = datetime.toLowerCase().trim()+map.getServerid().toLowerCase().trim()+map.getServerkey().toLowerCase().trim(); - checkHash(plaintext, hashValue); + String plaintext = datetime.toLowerCase().trim() + username.toLowerCase().trim() + method.toLowerCase().trim() + + map.getServerid().toLowerCase().trim() + map.getServerkey().toLowerCase().trim(); + checkHash(plaintext, hashValue); + } + + /** + * Checks hash. Differs from the method above (the one without lsid parameter) in a way that hash is expected to also + * contain lsidx: [ts + uid + method + lsid + serverID + serverKey] + * + * @param map + * @param datetime + * @param username + * @param method + * @param lsid + * @param hashValue + * @throws AuthenticationException + */ + public static void authenticate(ExtServerOrgMap map, String datetime, String username, String method, String lsid, + String hashValue) throws AuthenticationException { + if (map == null) { + throw new AuthenticationException("The third party server is not configured on LAMS server"); } + if (map.getDisabled()) { + throw new AuthenticationException("The third party server is disabled"); + } + + String plaintext = datetime.toLowerCase().trim() + username.toLowerCase().trim() + method.toLowerCase().trim() + + lsid.toLowerCase().trim() + map.getServerid().toLowerCase().trim() + + map.getServerkey().toLowerCase().trim(); + checkHash(plaintext, hashValue); + } + + public static void authenticate(ExtServerOrgMap map, String datetime, String username, String hashValue) + throws AuthenticationException { + if (map == null) { + throw new AuthenticationException("The third party server is not configured on LAMS server"); + } + if (map.getDisabled()) { + throw new AuthenticationException("The third party 
server is disabled"); + } - private static void checkHash(String plaintext, String hashValue) throws AuthenticationException { - if(!hashValue.equals(HashUtil.sha1(plaintext))){ - throw new AuthenticationException("Authentication failed!"); - } + String plaintext = datetime.toLowerCase().trim() + username.toLowerCase().trim() + + map.getServerid().toLowerCase().trim() + map.getServerkey().toLowerCase().trim(); + checkHash(plaintext, hashValue); + } + + public static void authenticate(ExtServerOrgMap map, String datetime, String hashValue) + throws AuthenticationException { + if (map == null) { + throw new AuthenticationException("The third party server is not configured on LAMS server"); } + if (map.getDisabled()) { + throw new AuthenticationException("The third party server is disabled"); + } + + String plaintext = datetime.toLowerCase().trim() + map.getServerid().toLowerCase().trim() + + map.getServerkey().toLowerCase().trim(); + checkHash(plaintext, hashValue); + } + private static void checkHash(String plaintext, String hashValue) throws AuthenticationException { + if (!hashValue.equals(HashUtil.sha1(plaintext))) { + throw new AuthenticationException("Authentication failed!"); + } + } + } Index: lams_common/src/java/org/lamsfoundation/lams/integration/security/LoginRequestValve.java =================================================================== diff -u -rf34ad61132d7a8c888a0839f89fc334c5c8487cc -r567018f37ff59abaa5c6acf8a50209543857542f --- lams_common/src/java/org/lamsfoundation/lams/integration/security/LoginRequestValve.java (.../LoginRequestValve.java) (revision f34ad61132d7a8c888a0839f89fc334c5c8487cc) +++ lams_common/src/java/org/lamsfoundation/lams/integration/security/LoginRequestValve.java (.../LoginRequestValve.java) (revision 567018f37ff59abaa5c6acf8a50209543857542f) 
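Review bot: `checkHash` compares the caller-supplied `hashValue` with `String.equals`, which throws a NullPointerException when the `hash` parameter is absent and is not a constant-time comparison; `if (hashValue == null || !MessageDigest.isEqual(hashValue.getBytes(StandardCharsets.UTF_8), HashUtil.sha1(plaintext).getBytes(StandardCharsets.UTF_8))) {` would report a missing hash as an `AuthenticationException` like every other failure and remove the timing side channel. Separately, `datetime` is folded into the plaintext but none of the four `authenticate` overloads checks it for freshness, so unless the servlet validates the timestamp before calling in (not visible here) a captured login URL stays valid indefinitely; a Javadoc line such as `Note: this method does not validate {@code datetime}; callers must enforce a freshness window to prevent replay.` would make that contract explicit. The new Javadoc on the lsid overload also says the hash should contain "lsidx", presumably "lsid". Finally, all four overloads repeat the same null/disabled guard on `map` verbatim; a private `checkServer(ExtServerOrgMap map)` helper would keep those error paths in step.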
@@ -49,8 +49,6 @@ // Declare the constants private static final String PARAM_USERID = "uid"; - private static final String PARAM_OPENID_URL = "openid_url"; - private static final String LOGIN_REQUEST = "LoginRequest"; @Override Index: lams_common/src/java/org/lamsfoundation/lams/integration/util/LoginRequestDispatcher.java =================================================================== diff -u -ra4102d6aaf60f794f067e12b10bfafdadf26a703 -r567018f37ff59abaa5c6acf8a50209543857542f --- lams_common/src/java/org/lamsfoundation/lams/integration/util/LoginRequestDispatcher.java (.../LoginRequestDispatcher.java) (revision a4102d6aaf60f794f067e12b10bfafdadf26a703) +++ lams_common/src/java/org/lamsfoundation/lams/integration/util/LoginRequestDispatcher.java (.../LoginRequestDispatcher.java) (revision 567018f37ff59abaa5c6acf8a50209543857542f) @@ -86,6 +86,10 @@ public static final String METHOD_MONITOR = "monitor"; public static final String METHOD_LEARNER = "learner"; + + // the same as METHOD_LEARNER but additionally requires hash to contain lsId in order to prevent users tampering + // with lesson id parameter + public static final String METHOD_LEARNER_STRICT_AUTHENTICATION = "learnerStrictAuth"; public static final String PARAM_LESSON_ID = "lsid"; @@ -162,7 +166,7 @@ return request.getContextPath() + URL_MONITOR + lessonId; } /** LEARNER * */ - else if (METHOD_LEARNER.equals(method) && lessonId != null) { + else if ((METHOD_LEARNER.equals(method) || METHOD_LEARNER_STRICT_AUTHENTICATION.equals(method)) && lessonId != null) { String url = request.getContextPath() + URL_LEARNER + lessonId; if (mode != null) { url += "&" + PARAM_MODE + "=" + mode; 
@@ -194,7 +198,7 @@ throw new UserInfoFetchException(error); } - if (METHOD_LEARNER.equals(method)) + if (METHOD_LEARNER.equals(method) || METHOD_LEARNER_STRICT_AUTHENTICATION.equals(method)) lessonService.addLearner(Long.parseLong(lessonId), user.getUserId()); else if (METHOD_MONITOR.equals(method)) lessonService.addStaffMember(Long.parseLong(lessonId), user.getUserId());
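Review bot: The disjunction `METHOD_LEARNER.equals(method) || METHOD_LEARNER_STRICT_AUTHENTICATION.equals(method)` is now duplicated in the URL-building branch and in the `addLearner` branch, and the first copy pushes that `else if` well past the file's line width; a `private static boolean isLearnerMethod(String method) { return METHOD_LEARNER.equals(method) || METHOD_LEARNER_STRICT_AUTHENTICATION.equals(method); }` used in both places keeps the two in step when another learner variant is added. It is also worth stating on the new constant that this class does not itself verify `lsid` against the hash — the hash check with `lsId` happens in `LoginRequestServlet` before dispatch — e.g. `// lsid is verified against the hash by LoginRequestServlet; here the method is dispatched exactly like METHOD_LEARNER`. Both enclosing methods start outside their hunks.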