Index: lams_build/lib/lams/lams.jar
===================================================================
RCS file: /usr/local/cvsroot/lams_build/lib/lams/lams.jar,v
diff -u -r1.420.2.3 -r1.420.2.4
Binary files differ
Index: lams_central/src/java/org/lamsfoundation/lams/web/LoginRequestServlet.java
===================================================================
RCS file: /usr/local/cvsroot/lams_central/src/java/org/lamsfoundation/lams/web/LoginRequestServlet.java,v
diff -u -r1.21.2.1 -r1.21.2.2
--- lams_central/src/java/org/lamsfoundation/lams/web/LoginRequestServlet.java 12 Sep 2014 20:46:10 -0000 1.21.2.1
+++ lams_central/src/java/org/lamsfoundation/lams/web/LoginRequestServlet.java 12 Sep 2014 21:01:17 -0000 1.21.2.2
@@ -134,7 +134,19 @@ langIsoCode, countryIsoCode, email, prefix, isUpdateUserDetails); } - Authenticator.authenticate(serverMap, timestamp, extUsername, method, hash); + //in case of request for learner with strict authentication check cache should also contain lsid + if (LoginRequestDispatcher.METHOD_LEARNER_STRICT_AUTHENTICATION.equals(method)) { + String lsId = request.getParameter(LoginRequestDispatcher.PARAM_LESSON_ID); + if (lsId == null) { + response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Login Failed - lsId parameter missing"); + return; + } + Authenticator.authenticate(serverMap, timestamp, extUsername, method, lsId, hash); + + } else { + Authenticator.authenticate(serverMap, timestamp, extUsername, method, hash); + } + User user = userMap.getUser(); String login = user.getLogin(); // The "extUser" attribute works as a flag to indicate if the user has logged in Index: lams_common/src/java/org/lamsfoundation/lams/integration/security/Authenticator.java =================================================================== RCS file: /usr/local/cvsroot/lams_common/src/java/org/lamsfoundation/lams/integration/security/Authenticator.java,v diff -u -r1.4 -r1.4.24.1 --- lams_common/src/java/org/lamsfoundation/lams/integration/security/Authenticator.java 12 Oct 2006 06:37:54 -0000 1.4 +++ lams_common/src/java/org/lamsfoundation/lams/integration/security/Authenticator.java 12 Sep 2014 21:00:53 -0000 1.4.24.1 @@ -30,39 +30,94 @@ *
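Review bot: The message on the new `response.sendError` line names the parameter `lsId`, while the value actually read is `LoginRequestDispatcher.PARAM_LESSON_ID` (`"lsid"` per the dispatcher hunk further down), so an integrator reading the 400 response may look for the wrong parameter name; build the message from the constant: `response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Login Failed - " + LoginRequestDispatcher.PARAM_LESSON_ID + " parameter missing");`. The leading comment says "check cache should also contain lsid" where "hash" is presumably meant; suggest `// for a learner request with strict authentication the hash must also cover the lesson id (lsid)`. Only METHOD_LEARNER_STRICT_AUTHENTICATION binds the lesson id into the hash, so plain METHOD_LEARNER still accepts an unauthenticated lsid, which appears to be intended for backward compatibility and is worth stating in that comment. The stray blank line before `} else {` can go. The enclosing method starts and ends outside the hunk.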
* View Source *
- * + * * @author Fei Yang */ public class Authenticator { - public static void authenticate(ExtServerOrgMap map, String datetime, String username, String method, String hashValue) throws AuthenticationException{ - if(map==null) throw new AuthenticationException("The third party server is not configured on LAMS server"); - if(map.getDisabled()) throw new AuthenticationException("The third party server is disabled"); - String plaintext = datetime.toLowerCase().trim() + - username.toLowerCase().trim() + - method.toLowerCase().trim() + - map.getServerid().toLowerCase().trim() + - map.getServerkey().toLowerCase().trim(); - checkHash(plaintext, hashValue); + /** + * Checks hash. Hash is expected to be constructed using the following formula [ts + uid + method + serverID + + * serverKey]. (Note: all lower case before hashing) + * + * @param map + * @param datetime + * @param username + * @param method + * @param hashValue + * @throws AuthenticationException + */ + public static void authenticate(ExtServerOrgMap map, String datetime, String username, String method, + String hashValue) throws AuthenticationException { + if (map == null) { + throw new AuthenticationException("The third party server is not configured on LAMS server"); } - - public static void authenticate(ExtServerOrgMap map, String datetime, String username, String hashValue) throws AuthenticationException{ - if(map==null) throw new AuthenticationException("The third party server is not configured on LAMS server"); - if(map.getDisabled()) throw new AuthenticationException("The third party server is disabled"); - String plaintext = datetime.toLowerCase().trim()+username.toLowerCase().trim()+map.getServerid().toLowerCase().trim()+map.getServerkey().toLowerCase().trim(); - checkHash(plaintext, hashValue); + if (map.getDisabled()) { + throw new AuthenticationException("The third party server is disabled"); } - public static void authenticate(ExtServerOrgMap map, String datetime, String hashValue) throws 
AuthenticationException{ - if(map==null) throw new AuthenticationException("The third party server is not configured on LAMS server"); - if(map.getDisabled()) throw new AuthenticationException("The third party server is disabled"); - String plaintext = datetime.toLowerCase().trim()+map.getServerid().toLowerCase().trim()+map.getServerkey().toLowerCase().trim(); - checkHash(plaintext, hashValue); + String plaintext = datetime.toLowerCase().trim() + username.toLowerCase().trim() + method.toLowerCase().trim() + + map.getServerid().toLowerCase().trim() + map.getServerkey().toLowerCase().trim(); + checkHash(plaintext, hashValue); + } + + /** + * Checks hash. Differs from the method above (the one without lsid parameter) in a way that hash is expected to also + * contain lsidx: [ts + uid + method + lsid + serverID + serverKey] + * + * @param map + * @param datetime + * @param username + * @param method + * @param lsid + * @param hashValue + * @throws AuthenticationException + */ + public static void authenticate(ExtServerOrgMap map, String datetime, String username, String method, String lsid, + String hashValue) throws AuthenticationException { + if (map == null) { + throw new AuthenticationException("The third party server is not configured on LAMS server"); } + if (map.getDisabled()) { + throw new AuthenticationException("The third party server is disabled"); + } + + String plaintext = datetime.toLowerCase().trim() + username.toLowerCase().trim() + method.toLowerCase().trim() + + lsid.toLowerCase().trim() + map.getServerid().toLowerCase().trim() + + map.getServerkey().toLowerCase().trim(); + checkHash(plaintext, hashValue); + } + + public static void authenticate(ExtServerOrgMap map, String datetime, String username, String hashValue) + throws AuthenticationException { + if (map == null) { + throw new AuthenticationException("The third party server is not configured on LAMS server"); + } + if (map.getDisabled()) { + throw new AuthenticationException("The third party 
server is disabled"); + } - private static void checkHash(String plaintext, String hashValue) throws AuthenticationException { - if(!hashValue.equals(HashUtil.sha1(plaintext))){ - throw new AuthenticationException("Authentication failed!"); - } + String plaintext = datetime.toLowerCase().trim() + username.toLowerCase().trim() + + map.getServerid().toLowerCase().trim() + map.getServerkey().toLowerCase().trim(); + checkHash(plaintext, hashValue); + } + + public static void authenticate(ExtServerOrgMap map, String datetime, String hashValue) + throws AuthenticationException { + if (map == null) { + throw new AuthenticationException("The third party server is not configured on LAMS server"); } + if (map.getDisabled()) { + throw new AuthenticationException("The third party server is disabled"); + } + + String plaintext = datetime.toLowerCase().trim() + map.getServerid().toLowerCase().trim() + + map.getServerkey().toLowerCase().trim(); + checkHash(plaintext, hashValue); + } + private static void checkHash(String plaintext, String hashValue) throws AuthenticationException { + if (!hashValue.equals(HashUtil.sha1(plaintext))) { + throw new AuthenticationException("Authentication failed!"); + } + } + } Index: lams_common/src/java/org/lamsfoundation/lams/integration/security/LoginRequestValve.java =================================================================== RCS file: /usr/local/cvsroot/lams_common/src/java/org/lamsfoundation/lams/integration/security/LoginRequestValve.java,v diff -u -r1.9 -r1.9.2.1 --- lams_common/src/java/org/lamsfoundation/lams/integration/security/LoginRequestValve.java 19 Dec 2012 12:45:34 -0000 1.9 +++ lams_common/src/java/org/lamsfoundation/lams/integration/security/LoginRequestValve.java 12 Sep 2014 21:00:53 -0000 1.9.2.1 
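Review bot: `checkHash` still verifies the caller-supplied digest with `hashValue.equals(HashUtil.sha1(plaintext))`, a short-circuiting string comparison, and throws a NullPointerException rather than AuthenticationException when `hashValue` is null; `datetime`, `username`, `method` and `lsid` are likewise dereferenced by `toLowerCase()` before any check. Compare the two digests with `MessageDigest.isEqual` and reject null up front, as in the fence below (it needs `java.security.MessageDigest` and `java.nio.charset.StandardCharsets` imports and assumes `HashUtil.sha1` returns a String, as the existing `equals` call suggests). The four overloads repeat the null/disabled checks and the lower-case-and-trim concatenation; a private helper taking the plaintext components would remove the duplication, and `toLowerCase(Locale.ROOT)` would keep the plaintext independent of the server's default locale. In the second Javadoc `lsidx` should read `lsid`, and the `@param` tags carry no description. Nothing in this hunk checks that `datetime` is recent; if that happens elsewhere, fine, otherwise document here that replay protection is the caller's responsibility.
```java
private static void checkHash(String plaintext, String hashValue) throws AuthenticationException {
    // Null-safe, constant-time comparison so a mismatch is not distinguishable by timing.
    if (hashValue == null) {
        throw new AuthenticationException("Authentication failed!");
    }
    byte[] expected = HashUtil.sha1(plaintext).getBytes(StandardCharsets.UTF_8);
    byte[] supplied = hashValue.getBytes(StandardCharsets.UTF_8);
    if (!MessageDigest.isEqual(expected, supplied)) {
        throw new AuthenticationException("Authentication failed!");
    }
}
```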
@@ -49,8 +49,6 @@ // Declare the constants private static final String PARAM_USERID = "uid"; - private static final String PARAM_OPENID_URL = "openid_url"; - private static final String LOGIN_REQUEST = "LoginRequest"; @Override Index: lams_common/src/java/org/lamsfoundation/lams/integration/util/LoginRequestDispatcher.java =================================================================== RCS file: /usr/local/cvsroot/lams_common/src/java/org/lamsfoundation/lams/integration/util/LoginRequestDispatcher.java,v diff -u -r1.16.2.1 -r1.16.2.2 --- lams_common/src/java/org/lamsfoundation/lams/integration/util/LoginRequestDispatcher.java 12 Sep 2014 20:45:37 -0000 1.16.2.1 +++ lams_common/src/java/org/lamsfoundation/lams/integration/util/LoginRequestDispatcher.java 12 Sep 2014 21:00:53 -0000 1.16.2.2 @@ -86,6 +86,10 @@ public static final String METHOD_MONITOR = "monitor"; public static final String METHOD_LEARNER = "learner"; + + // the same as METHOD_LEARNER but additionally requires hash to contain lsId in order to prevent users tampering + // with lesson id parameter + public static final String METHOD_LEARNER_STRICT_AUTHENTICATION = "learnerStrictAuth"; public static final String PARAM_LESSON_ID = "lsid"; @@ -162,7 +166,7 @@ return request.getContextPath() + URL_MONITOR + lessonId; } /** LEARNER * */ - else if (METHOD_LEARNER.equals(method) && lessonId != null) { + else if ((METHOD_LEARNER.equals(method) || METHOD_LEARNER_STRICT_AUTHENTICATION.equals(method)) && lessonId != null) { String url = request.getContextPath() + URL_LEARNER + lessonId; if (mode != null) { url += "&" + PARAM_MODE + "=" + mode; 
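Review bot: The `else if` condition rewritten in the `@@ -162` hunk spells out `METHOD_LEARNER.equals(method) || METHOD_LEARNER_STRICT_AUTHENTICATION.equals(method)`, and the `@@ -194` hunk below repeats the same disjunction; a helper such as `private static boolean isLearnerMethod(String method) { return METHOD_LEARNER.equals(method) || METHOD_LEARNER_STRICT_AUTHENTICATION.equals(method); }` keeps the two places from drifting if another learner variant is added. The rewritten line also runs well past the width the rest of the file appears to use; the helper or wrapping fixes that. In the `@@ -194` hunk the `if`/`else if` bodies around `Long.parseLong(lessonId)` stay unbraced single statements even though the commit touches that line; bracing them is cheap. The enclosing methods of both hunks start and end outside the visible lines.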
@@ -194,7 +198,7 @@ throw new UserInfoFetchException(error); } - if (METHOD_LEARNER.equals(method)) + if (METHOD_LEARNER.equals(method) || METHOD_LEARNER_STRICT_AUTHENTICATION.equals(method)) lessonService.addLearner(Long.parseLong(lessonId), user.getUserId()); else if (METHOD_MONITOR.equals(method)) lessonService.addStaffMember(Long.parseLong(lessonId), user.getUserId());