Index: lams_build/lib/lams/lams.jar
===================================================================
RCS file: /usr/local/cvsroot/lams_build/lib/lams/lams.jar,v
diff -u -r1.420 -r1.421
Binary files differ
Index: lams_central/src/java/org/lamsfoundation/lams/web/LoginRequestServlet.java
===================================================================
RCS file: /usr/local/cvsroot/lams_central/src/java/org/lamsfoundation/lams/web/LoginRequestServlet.java,v
diff -u -r1.21 -r1.22
--- lams_central/src/java/org/lamsfoundation/lams/web/LoginRequestServlet.java	8 Apr 2014 15:27:08 -0000	1.21
+++ lams_central/src/java/org/lamsfoundation/lams/web/LoginRequestServlet.java	5 Aug 2014 22:28:30 -0000	1.22
@@ -131,7 +131,14 @@
                     langIsoCode, countryIsoCode, email, prefix);
         }
-        Authenticator.authenticate(serverMap, timestamp, extUsername, method, hash);
+        //in case of request for learner with strict authentication check cache should also contain lsid
+        if (LoginRequestDispatcher.METHOD_LEARNER_STRICT_AUTHENTICATION.equals(method)) {
+            String lsId = request.getParameter(LoginRequestDispatcher.PARAM_LESSON_ID);
+            Authenticator.authenticate(serverMap, timestamp, extUsername, method, lsId, hash);
+        } else {
+            Authenticator.authenticate(serverMap, timestamp, extUsername, method, hash);
+        }
+
         User user = userMap.getUser();
         String login = user.getLogin();
         // The "extUser" attribute works as a flag to indicate if the user has logged in
Index: lams_common/src/java/org/lamsfoundation/lams/integration/security/Authenticator.java
===================================================================
RCS file: /usr/local/cvsroot/lams_common/src/java/org/lamsfoundation/lams/integration/security/Authenticator.java,v
diff -u -r1.4 -r1.5
--- lams_common/src/java/org/lamsfoundation/lams/integration/security/Authenticator.java	12 Oct 2006 06:37:54 -0000	1.4
+++ lams_common/src/java/org/lamsfoundation/lams/integration/security/Authenticator.java	5 Aug 2014 22:27:19 -0000	1.5
@@ -30,39 +30,94 @@
  *
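Review bot: `request.getParameter(LoginRequestDispatcher.PARAM_LESSON_ID)` returns null when a strict-authentication request arrives without an `lsid`, and the new six-argument `Authenticator.authenticate` lower-cases `lsid` unguarded, so a missing parameter surfaces as a NullPointerException rather than a failed authentication. Fail closed at the call site before the call, e.g. `if (lsId == null) { throw new AuthenticationException("Lesson id is required for strict authentication"); }`, assuming the surrounding method already declares or catches AuthenticationException (the enclosing method starts and ends outside this hunk). The added comment says `check cache should also contain lsid`; it presumably means the hash, so `// strict learner requests must also bind the lesson id into the hash` would state what the branch actually enforces.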
* View Source *
- * + * * @author Fei Yang */ public class Authenticator { - public static void authenticate(ExtServerOrgMap map, String datetime, String username, String method, String hashValue) throws AuthenticationException{ - if(map==null) throw new AuthenticationException("The third party server is not configured on LAMS server"); - if(map.getDisabled()) throw new AuthenticationException("The third party server is disabled"); - String plaintext = datetime.toLowerCase().trim() + - username.toLowerCase().trim() + - method.toLowerCase().trim() + - map.getServerid().toLowerCase().trim() + - map.getServerkey().toLowerCase().trim(); - checkHash(plaintext, hashValue); + /** + * Checks hash. Hash is expected to be constructed using the following formula [ts + uid + method + serverID + + * serverKey]. (Note: all lower case before hashing) + * + * @param map + * @param datetime + * @param username + * @param method + * @param hashValue + * @throws AuthenticationException + */ + public static void authenticate(ExtServerOrgMap map, String datetime, String username, String method, + String hashValue) throws AuthenticationException { + if (map == null) { + throw new AuthenticationException("The third party server is not configured on LAMS server"); } - - public static void authenticate(ExtServerOrgMap map, String datetime, String username, String hashValue) throws AuthenticationException{ - if(map==null) throw new AuthenticationException("The third party server is not configured on LAMS server"); - if(map.getDisabled()) throw new AuthenticationException("The third party server is disabled"); - String plaintext = datetime.toLowerCase().trim()+username.toLowerCase().trim()+map.getServerid().toLowerCase().trim()+map.getServerkey().toLowerCase().trim(); - checkHash(plaintext, hashValue); + if (map.getDisabled()) { + throw new AuthenticationException("The third party server is disabled"); } - public static void authenticate(ExtServerOrgMap map, String datetime, String hashValue) throws 
AuthenticationException{ - if(map==null) throw new AuthenticationException("The third party server is not configured on LAMS server"); - if(map.getDisabled()) throw new AuthenticationException("The third party server is disabled"); - String plaintext = datetime.toLowerCase().trim()+map.getServerid().toLowerCase().trim()+map.getServerkey().toLowerCase().trim(); - checkHash(plaintext, hashValue); + String plaintext = datetime.toLowerCase().trim() + username.toLowerCase().trim() + method.toLowerCase().trim() + + map.getServerid().toLowerCase().trim() + map.getServerkey().toLowerCase().trim(); + checkHash(plaintext, hashValue); + } + + /** + * Checks hash. Differs from the method above (the one without lsid parameter) in a way that hash is expected to also + * contain lsidx: [ts + uid + method + lsid + serverID + serverKey] + * + * @param map + * @param datetime + * @param username + * @param method + * @param lsid + * @param hashValue + * @throws AuthenticationException + */ + public static void authenticate(ExtServerOrgMap map, String datetime, String username, String method, String lsid, + String hashValue) throws AuthenticationException { + if (map == null) { + throw new AuthenticationException("The third party server is not configured on LAMS server"); } + if (map.getDisabled()) { + throw new AuthenticationException("The third party server is disabled"); + } + + String plaintext = datetime.toLowerCase().trim() + username.toLowerCase().trim() + method.toLowerCase().trim() + + lsid.toLowerCase().trim() + map.getServerid().toLowerCase().trim() + + map.getServerkey().toLowerCase().trim(); + checkHash(plaintext, hashValue); + } + + public static void authenticate(ExtServerOrgMap map, String datetime, String username, String hashValue) + throws AuthenticationException { + if (map == null) { + throw new AuthenticationException("The third party server is not configured on LAMS server"); + } + if (map.getDisabled()) { + throw new AuthenticationException("The third party 
server is disabled"); + } - private static void checkHash(String plaintext, String hashValue) throws AuthenticationException { - if(!hashValue.equals(HashUtil.sha1(plaintext))){ - throw new AuthenticationException("Authentication failed!"); - } + String plaintext = datetime.toLowerCase().trim() + username.toLowerCase().trim() + + map.getServerid().toLowerCase().trim() + map.getServerkey().toLowerCase().trim(); + checkHash(plaintext, hashValue); + } + + public static void authenticate(ExtServerOrgMap map, String datetime, String hashValue) + throws AuthenticationException { + if (map == null) { + throw new AuthenticationException("The third party server is not configured on LAMS server"); } + if (map.getDisabled()) { + throw new AuthenticationException("The third party server is disabled"); + } + + String plaintext = datetime.toLowerCase().trim() + map.getServerid().toLowerCase().trim() + + map.getServerkey().toLowerCase().trim(); + checkHash(plaintext, hashValue); + } + private static void checkHash(String plaintext, String hashValue) throws AuthenticationException { + if (!hashValue.equals(HashUtil.sha1(plaintext))) { + throw new AuthenticationException("Authentication failed!"); + } + } + } Index: lams_common/src/java/org/lamsfoundation/lams/integration/security/LoginRequestValve.java =================================================================== RCS file: /usr/local/cvsroot/lams_common/src/java/org/lamsfoundation/lams/integration/security/LoginRequestValve.java,v diff -u -r1.9 -r1.10 --- lams_common/src/java/org/lamsfoundation/lams/integration/security/LoginRequestValve.java 19 Dec 2012 12:45:34 -0000 1.9 +++ lams_common/src/java/org/lamsfoundation/lams/integration/security/LoginRequestValve.java 5 Aug 2014 22:27:19 -0000 1.10 
@@ -49,8 +49,6 @@
     // Declare the constants
     private static final String PARAM_USERID = "uid";
-    private static final String PARAM_OPENID_URL = "openid_url";
-
     private static final String LOGIN_REQUEST = "LoginRequest";
     @Override
Index: lams_common/src/java/org/lamsfoundation/lams/integration/util/LoginRequestDispatcher.java
===================================================================
RCS file: /usr/local/cvsroot/lams_common/src/java/org/lamsfoundation/lams/integration/util/LoginRequestDispatcher.java,v
diff -u -r1.16 -r1.17
--- lams_common/src/java/org/lamsfoundation/lams/integration/util/LoginRequestDispatcher.java	8 Apr 2014 15:26:47 -0000	1.16
+++ lams_common/src/java/org/lamsfoundation/lams/integration/util/LoginRequestDispatcher.java	5 Aug 2014 22:27:19 -0000	1.17
@@ -84,6 +84,10 @@
     public static final String METHOD_MONITOR = "monitor";
     public static final String METHOD_LEARNER = "learner";
+
+    // the same as METHOD_LEARNER but additionally requires hash to contain lsId in order to prevent users tampering
+    // with lesson id parameter
+    public static final String METHOD_LEARNER_STRICT_AUTHENTICATION = "learnerStrictAuth";
     public static final String PARAM_LESSON_ID = "lsid";
@@ -160,7 +164,7 @@
             return request.getContextPath() + URL_MONITOR + lessonId;
         }
         /** LEARNER * */
-        else if (METHOD_LEARNER.equals(method) && lessonId != null) {
+        else if ((METHOD_LEARNER.equals(method) || METHOD_LEARNER_STRICT_AUTHENTICATION.equals(method)) && lessonId != null) {
             String url = request.getContextPath() + URL_LEARNER + lessonId;
             if (mode != null) {
                 url += "&" + PARAM_MODE + "=" + mode;
@@ -192,7 +196,7 @@
             throw new UserInfoFetchException(error);
         }
-        if (METHOD_LEARNER.equals(method))
+        if (METHOD_LEARNER.equals(method) || METHOD_LEARNER_STRICT_AUTHENTICATION.equals(method))
             lessonService.addLearner(Long.parseLong(lessonId), user.getUserId());
         else if (METHOD_MONITOR.equals(method))
             lessonService.addStaffMember(Long.parseLong(lessonId), user.getUserId());
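Review bot: The test `METHOD_LEARNER.equals(method) || METHOD_LEARNER_STRICT_AUTHENTICATION.equals(method)` is now spelled out twice (the URL branch at -160 and the `addLearner` branch at -192) and is the one place every future strict-versus-plain distinction will hinge on, so it belongs in a single helper, e.g. `private static boolean isLearnerMethod(String method) { return METHOD_LEARNER.equals(method) || METHOD_LEARNER_STRICT_AUTHENTICATION.equals(method); }`, with both `if`s calling it. The rewritten `else if` in the URL branch also runs well past the file's line width and would read better split after `||`. The comment added with the constant should say that the dispatcher does not itself verify the stronger hash — the binding of `lsid` into the hash is only enforced where `Authenticator.authenticate` is called with the lesson id — so anyone routing the strict method through another entry point knows the check does not live here; both modified `else if`/`if` blocks start and end outside their hunks.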