Index: lams_build/lib/lams/lams.jar
===================================================================
diff -u -rff01a6c237cefc4a5186889bf46041152cfc37ae -rc6867c1780952042c1c587da64b3002b60b31c85
Binary files differ
Index: lams_central/src/java/org/lamsfoundation/lams/web/LoginRequestServlet.java
===================================================================
diff -u -r0d275bf753620ae71aeb4e7589c540c9777532cb -rc6867c1780952042c1c587da64b3002b60b31c85
--- lams_central/src/java/org/lamsfoundation/lams/web/LoginRequestServlet.java (.../LoginRequestServlet.java) (revision 0d275bf753620ae71aeb4e7589c540c9777532cb)
+++ lams_central/src/java/org/lamsfoundation/lams/web/LoginRequestServlet.java (.../LoginRequestServlet.java) (revision c6867c1780952042c1c587da64b3002b60b31c85)
@@ -131,7 +131,14 @@
 langIsoCode, countryIsoCode, email, prefix);
 }
- Authenticator.authenticate(serverMap, timestamp, extUsername, method, hash);
+ //in case of request for learner with strict authentication check cache should also contain lsid
+ if (LoginRequestDispatcher.METHOD_LEARNER_STRICT_AUTHENTICATION.equals(method)) {
+ String lsId = request.getParameter(LoginRequestDispatcher.PARAM_LESSON_ID);
+ Authenticator.authenticate(serverMap, timestamp, extUsername, method, lsId, hash);
+ } else {
+ Authenticator.authenticate(serverMap, timestamp, extUsername, method, hash);
+ }
+
 User user = userMap.getUser();
 String login = user.getLogin();
 // The "extUser" attribute works as a flag to indicate if the user has logged in
Index: lams_common/src/java/org/lamsfoundation/lams/integration/security/Authenticator.java
===================================================================
diff -u -r9d9f6831591a5a8253ccb65c59e4df7e9d9761ac -rc6867c1780952042c1c587da64b3002b60b31c85
--- lams_common/src/java/org/lamsfoundation/lams/integration/security/Authenticator.java (.../Authenticator.java) (revision 9d9f6831591a5a8253ccb65c59e4df7e9d9761ac)
+++ lams_common/src/java/org/lamsfoundation/lams/integration/security/Authenticator.java (.../Authenticator.java) (revision c6867c1780952042c1c587da64b3002b60b31c85)
@@ -30,39 +30,94 @@
 *
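Review bot: `request.getParameter(LoginRequestDispatcher.PARAM_LESSON_ID)` in the new strict branch is null when the parameter is absent, and the six-argument `Authenticator.authenticate` then calls `lsid.toLowerCase()`, so a strict request without lsid fails with a NullPointerException instead of an AuthenticationException. Reject it explicitly before calling the authenticator: `if (lsId == null) { throw new AuthenticationException("lsid is required for " + method); }` — assuming the surrounding method already declares or handles AuthenticationException, which the hunk does not show. Both this check and the later `LoginRequestDispatcher` redirect appear to read the same `PARAM_LESSON_ID` from the request, which is what makes the hash binding meaningful; worth confirming nothing in between re-reads or overrides that value. The enclosing method starts and ends outside the hunk.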

* View Source *

- * + * * @author Fei Yang */ public class Authenticator { - public static void authenticate(ExtServerOrgMap map, String datetime, String username, String method, String hashValue) throws AuthenticationException{ - if(map==null) throw new AuthenticationException("The third party server is not configured on LAMS server"); - if(map.getDisabled()) throw new AuthenticationException("The third party server is disabled"); - String plaintext = datetime.toLowerCase().trim() + - username.toLowerCase().trim() + - method.toLowerCase().trim() + - map.getServerid().toLowerCase().trim() + - map.getServerkey().toLowerCase().trim(); - checkHash(plaintext, hashValue); + /** + * Checks hash. Hash is expected to be constructed using the following formula [ts + uid + method + serverID + + * serverKey]. (Note: all lower case before hashing) + * + * @param map + * @param datetime + * @param username + * @param method + * @param hashValue + * @throws AuthenticationException + */ + public static void authenticate(ExtServerOrgMap map, String datetime, String username, String method, + String hashValue) throws AuthenticationException { + if (map == null) { + throw new AuthenticationException("The third party server is not configured on LAMS server"); } - - public static void authenticate(ExtServerOrgMap map, String datetime, String username, String hashValue) throws AuthenticationException{ - if(map==null) throw new AuthenticationException("The third party server is not configured on LAMS server"); - if(map.getDisabled()) throw new AuthenticationException("The third party server is disabled"); - String plaintext = datetime.toLowerCase().trim()+username.toLowerCase().trim()+map.getServerid().toLowerCase().trim()+map.getServerkey().toLowerCase().trim(); - checkHash(plaintext, hashValue); + if (map.getDisabled()) { + throw new AuthenticationException("The third party server is disabled"); } - public static void authenticate(ExtServerOrgMap map, String datetime, String hashValue) throws 
AuthenticationException{ - if(map==null) throw new AuthenticationException("The third party server is not configured on LAMS server"); - if(map.getDisabled()) throw new AuthenticationException("The third party server is disabled"); - String plaintext = datetime.toLowerCase().trim()+map.getServerid().toLowerCase().trim()+map.getServerkey().toLowerCase().trim(); - checkHash(plaintext, hashValue); + String plaintext = datetime.toLowerCase().trim() + username.toLowerCase().trim() + method.toLowerCase().trim() + + map.getServerid().toLowerCase().trim() + map.getServerkey().toLowerCase().trim(); + checkHash(plaintext, hashValue); + } + + /** + * Checks hash. Differs from the method above (the one without lsid parameter) in a way that hash is expected to also + * contain lsidx: [ts + uid + method + lsid + serverID + serverKey] + * + * @param map + * @param datetime + * @param username + * @param method + * @param lsid + * @param hashValue + * @throws AuthenticationException + */ + public static void authenticate(ExtServerOrgMap map, String datetime, String username, String method, String lsid, + String hashValue) throws AuthenticationException { + if (map == null) { + throw new AuthenticationException("The third party server is not configured on LAMS server"); } + if (map.getDisabled()) { + throw new AuthenticationException("The third party server is disabled"); + } + + String plaintext = datetime.toLowerCase().trim() + username.toLowerCase().trim() + method.toLowerCase().trim() + + lsid.toLowerCase().trim() + map.getServerid().toLowerCase().trim() + + map.getServerkey().toLowerCase().trim(); + checkHash(plaintext, hashValue); + } + + public static void authenticate(ExtServerOrgMap map, String datetime, String username, String hashValue) + throws AuthenticationException { + if (map == null) { + throw new AuthenticationException("The third party server is not configured on LAMS server"); + } + if (map.getDisabled()) { + throw new AuthenticationException("The third party 
server is disabled"); + } - private static void checkHash(String plaintext, String hashValue) throws AuthenticationException { - if(!hashValue.equals(HashUtil.sha1(plaintext))){ - throw new AuthenticationException("Authentication failed!"); - } + String plaintext = datetime.toLowerCase().trim() + username.toLowerCase().trim() + + map.getServerid().toLowerCase().trim() + map.getServerkey().toLowerCase().trim(); + checkHash(plaintext, hashValue); + } + + public static void authenticate(ExtServerOrgMap map, String datetime, String hashValue) + throws AuthenticationException { + if (map == null) { + throw new AuthenticationException("The third party server is not configured on LAMS server"); } + if (map.getDisabled()) { + throw new AuthenticationException("The third party server is disabled"); + } + + String plaintext = datetime.toLowerCase().trim() + map.getServerid().toLowerCase().trim() + + map.getServerkey().toLowerCase().trim(); + checkHash(plaintext, hashValue); + } + private static void checkHash(String plaintext, String hashValue) throws AuthenticationException { + if (!hashValue.equals(HashUtil.sha1(plaintext))) { + throw new AuthenticationException("Authentication failed!"); + } + } + } Index: lams_common/src/java/org/lamsfoundation/lams/integration/security/LoginRequestValve.java =================================================================== diff -u -rf34ad61132d7a8c888a0839f89fc334c5c8487cc -rc6867c1780952042c1c587da64b3002b60b31c85 --- lams_common/src/java/org/lamsfoundation/lams/integration/security/LoginRequestValve.java (.../LoginRequestValve.java) (revision f34ad61132d7a8c888a0839f89fc334c5c8487cc) +++ lams_common/src/java/org/lamsfoundation/lams/integration/security/LoginRequestValve.java (.../LoginRequestValve.java) (revision c6867c1780952042c1c587da64b3002b60b31c85) 
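Review bot: `checkHash` at the bottom of the hunk still compares the client-supplied hash with `String.equals`, which short-circuits on the first differing character and throws NullPointerException when `hashValue` is null; a constant-time comparison via `MessageDigest.isEqual` with an explicit null check is the usual fix, shown below. The new six-argument overload has the same null gap for `lsid`: `lsid.toLowerCase()` NPEs when the parameter is missing, so add `if (lsid == null) { throw new AuthenticationException("Authentication failed!"); }` before building the plaintext. Secret-suffix SHA-1 over undelimited, lower-cased fields is a weak MAC construction; HMAC-SHA256 with a separator between fields would be the modern choice, but it changes the value external servers compute, so that is a coordinated protocol change rather than something for this commit. In the Javadoc of the new overload, "lsidx" should read "lsid", and the empty `@param`/`@throws` tags should either describe their arguments or be dropped.

```java
private static void checkHash(String plaintext, String hashValue) throws AuthenticationException {
    // A missing hash is an authentication failure, not a NullPointerException.
    if (hashValue == null) {
        throw new AuthenticationException("Authentication failed!");
    }
    // Assumes HashUtil.sha1 returns the hex digest as a String, as the existing equals call implies.
    byte[] expected = HashUtil.sha1(plaintext).getBytes(StandardCharsets.UTF_8);
    byte[] provided = hashValue.getBytes(StandardCharsets.UTF_8);
    // Constant-time compare so the check does not leak how many leading characters matched.
    if (!MessageDigest.isEqual(expected, provided)) {
        throw new AuthenticationException("Authentication failed!");
    }
}
```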
@@ -49,8 +49,6 @@
 // Declare the constants
 private static final String PARAM_USERID = "uid";
- private static final String PARAM_OPENID_URL = "openid_url";
-
 private static final String LOGIN_REQUEST = "LoginRequest";
 @Override
Index: lams_common/src/java/org/lamsfoundation/lams/integration/util/LoginRequestDispatcher.java
===================================================================
diff -u -r0d275bf753620ae71aeb4e7589c540c9777532cb -rc6867c1780952042c1c587da64b3002b60b31c85
--- lams_common/src/java/org/lamsfoundation/lams/integration/util/LoginRequestDispatcher.java (.../LoginRequestDispatcher.java) (revision 0d275bf753620ae71aeb4e7589c540c9777532cb)
+++ lams_common/src/java/org/lamsfoundation/lams/integration/util/LoginRequestDispatcher.java (.../LoginRequestDispatcher.java) (revision c6867c1780952042c1c587da64b3002b60b31c85)
@@ -84,6 +84,10 @@
 public static final String METHOD_MONITOR = "monitor";
 public static final String METHOD_LEARNER = "learner";
+
+ // the same as METHOD_LEARNER but additionally requires hash to contain lsId in order to prevent users tampering
+ // with lesson id parameter
+ public static final String METHOD_LEARNER_STRICT_AUTHENTICATION = "learnerStrictAuth";
 public static final String PARAM_LESSON_ID = "lsid";
@@ -160,7 +164,7 @@
 return request.getContextPath() + URL_MONITOR + lessonId;
 }
 /** LEARNER * */
- else if (METHOD_LEARNER.equals(method) && lessonId != null) {
+ else if ((METHOD_LEARNER.equals(method) || METHOD_LEARNER_STRICT_AUTHENTICATION.equals(method)) && lessonId != null) {
 String url = request.getContextPath() + URL_LEARNER + lessonId;
 if (mode != null) {
 url += "&" + PARAM_MODE + "=" + mode;
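Review bot: The learner test `METHOD_LEARNER.equals(method) || METHOD_LEARNER_STRICT_AUTHENTICATION.equals(method)` is now written out twice, in the `@@ -160` hunk here and again in the `@@ -192` hunk that follows, and the first instance pushes the line well past the file's width; a small `private static boolean isLearnerMethod(String method)` returning that disjunction would keep both call sites short and make a future learner variant a one-line change. The comment on the new constant should also state what the strict hash covers, since integrators read this constant to build the request: `// like METHOD_LEARNER, but the hash must also cover lsid: sha1(ts + uid + method + lsid + serverID + serverKey), all lower-cased`. That formula is the one documented on the new Authenticator overload; repeating it here matters because the dispatcher constants are the contract external servers code against.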
@@ -192,7 +196,7 @@
 throw new UserInfoFetchException(error);
 }
- if (METHOD_LEARNER.equals(method))
+ if (METHOD_LEARNER.equals(method) || METHOD_LEARNER_STRICT_AUTHENTICATION.equals(method))
 lessonService.addLearner(Long.parseLong(lessonId), user.getUserId());
 else if (METHOD_MONITOR.equals(method))
 lessonService.addStaffMember(Long.parseLong(lessonId), user.getUserId());