I have a problem and I have no idea how to solve it.
I load an encrypted password (SSHA) from a text file and I need add a user with this password from the source code in Java.
Example from file:
e1NTSEF9Ukd6ZEZyanZBZlJGMGs3eGFDOGZxQ3U3QlozcUZXRGJoeWIyS0E9PQ==
Real password: 123
Example code not work as I want:
String encryptedPSWD = "e1NTSEF9Ukd6ZEZyanZBZlJGMGs3eGFDOGZxQ3U3QlozcUZXRGJoeWIyS0E9PQ==";
attributes.add(new BasicAttribute("userPassword","{SSHA}"+encryptedPSWD);
It not work, because we can send only real value password?
And is the problem that this is one-sided encryption and LDAP will also not be able to decrypt it?
The error number and text from the LDAP server would be instructive; but, in a general case, there are two things that stand out:
(1) Assuming the user already has a password, you are modifying an existing attribute, not adding an attribute. If you attempt to add a value to a single valued attribute that's already got a value, or if you attempt to add a value to a multi-value attribute that is already present, you would get ldap error 20. To modify an existing attribute would look something like this:
LDAPModificationSet attributes = new LDAPModificationSet();
LDAPAttribute attrUserPassword = new LDAPAttribute("userPassword", "{SSHA}"+encryptedPSWD);
attributes.add(LDAPModification.REPLACE, attrUserPassword);
(2) Some directories do not allow using "pre-encoded" passwords as a default. This is because password policies cannot be applied to an unknown password (i.e. how do I know this password is at least eight characters, contains a special character, and does not contain a dictionary word?). The Oracle Unified Directory servers that I manage return error 53 in this case, along with text saying "Pre-encoded passwords are not allowed for the password attribute userPassword.", but other directory servers may return use a different code (53 is a pretty generic code that just means something in the server config prevented the action from being completed). How to sort it depends on the LDAP server -- mine have a allow-pre-encoded-passwords Boolean within the password policy. I generally set it to "true", bulk import users, then return the setting to 'false' to prevent app developers from circumventing our password policies.
Related
I am working on a task to delete all the PDF document versions given their document key(Unique for each PDF) using AWS Java SDK.
Other developers have integrated the download code like below
final GetObjectRequest request = GetObjectRequest.builder().bucket(bucketName).key(documentKey).versionId(version).build();
return client.getObject(request);
After searching a bit I found this code to delete single version :-
DeleteObjectRequest request = DeleteObjectRequest.builder().bucket(bucketName)
.key(documentKey).versionId(version).build();
DeleteObjectResponse resp = client.deleteObject(request);
Main question :- How do I get all versions of single documentKey ?
I found ListObjectVersions on
below URL but It accepts a key-marker and not the actual key
key-marker Specifies the key to start with when listing objects in a
bucket.
https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListObjectVersions.html
I am just worried if I don't use this properly I might end up deleting something else in Prod.
Edit :- All the PDFs are stored at root level in S3 bucket.
The documentation states:
key-marker
Specifies the key to start with when listing objects in a bucket.
This means by specifying key-marker, you're just starting listing objects at the specified key. ListObjectVersions can and will continue listing objects past the specified key.
Further in the documentation:
prefix
Use this parameter to select only those keys that begin with the specified prefix.
In other words, if you pass a prefix of only the object name, it will return the versions for that object, along with all objects that start with that prefix.
So, you can specify either the prefix of the target object key, or the key marker, but you will need still need to filter in either event to ensure you don't include other objects.
I have a text file with blacklisted passwords and set up filename to Authentication -> Password Policy -> Password Blacklist in keycloak. If there's simple passwords like
password
admin
user
It works good - when I'm trying to change password I see this message Error! Invalid password: password is blacklisted.
But when I add more complex password to this list like Music.1% it doesn't work - I can change password to this.
Why does it work so and is there ways to blacklist similar passwords in file?
From the Keycloak documentation one can read the following:
Password Blacklist
This policy checks if a given password (converted to lowercase) is
contained in a blacklist file, which is potentially a very large file.
Password blacklists are UTF-8 plain-text files with Unix line endings
where every line represents a blacklisted password. All passwords in
the blacklist must be lowercased to facilitate case-insensitive
comparison. The file name of the blacklist file must be provided as
the password policy value, e.g.
10_million_password_list_top_1000000.txt. Blacklist files are resolved
against ${jboss.server.data.dir}/password-blacklists/ by default. This
path can be customized via the keycloak.password.blacklists.path
system property, or the blacklistsPath property of the
passwordBlacklist policy SPI configuration.
The reason why with the passwords "password", "admin", and "user" works whereas "Music.1%" did not is that the first three are in lower-case whereas the last one was not. It is not is the special symbol.
I am working on a project which have to access the MySQL database username and password to read and update the user database.
Initially i wrote the username and password of the database directly to my code.
But my teacher asked me to create a prompt box which will take the username and password on 1st run of the program and not again.
So if do that i will not be able to access the database next time.
I was thinking to store that username and password into a local text file.
Is it good idea.
Or there are any good methods to do this type of work?
You can store the information in a properties file (https://docs.oracle.com/javase/tutorial/essential/environment/properties.html), but should use encryption. See: How to encrypt String in Java
In your case, the best way will be storing in .properties file.
And after getting a user input => store to the properties file.
Also, good practice for storing passwords in DB is to use one-way hash. A variety of hash methods is good for this: MD5, SHA-256, etc.
However, it works only for one way. More info here - MD5 algorithm Decryption in java.
And in your case properties file should be enough.
Example for db.properties:
db.username=MyUser
db.password=MyPassword
You can have default values for connection. If user input doesn't match with it just print a warning message with something, like: "DB username or password is incorrect. Try again."
You can use something like JOptionPane for asking from user:
public void start() throws CreateDocumentConfigurationException {
// Custom button text
Object[] options = {"Yes, please", "Use default instead"};
int n = JOptionPane.showOptionDialog(null,
"Would you like to enter DB credentials?",
"DB Question", JOptionPane.YES_NO_CANCEL_OPTION,
JOptionPane.QUESTION_MESSAGE, null, options, options[1]);
estimateUserInput(n); // process result here. 0 - for entering new one, 1 - for using default
}
You can store the database login information in configuration file.
For Desktop Application,
.properties file can be use
For Web Based Application,
Store the password in context.xml of your Apache Tomcat Server.
At the moment I'm receiving messages which are signed with a certificate.
So far so good.
However the certificate contains an attribute PSEUDONYM.
Now the Java runtime doesn't accept it. I get an IO Exception. (When I remove the PSEUDONYM exception is gone )
Does anybody know you to validate these messages as i'm sure that attribute PSEUDONYM is allowed.
C=DE,O=InfoCompany,OU=SoftwareMe,CN=SIGNER,SERIALNUMBER=1,PSEUDONYM=SIGNER
Any ideas how to change the default java validation to allow the PSEUDONYM tag?
Using constructor X500Principal(String name, Map<String,String> keywordMap) allows you to specify custom RDNs in keywordMap. The map's key is a RDN name and the value is a string representation of OID. See Java documentation for details.
This question is in the specific context of the Java class java.security.KeyStore and its load(InputStream stream, char[] password) method which can accept null values for password to bypass integrity checking.
What are the risks involved with loading and querying a keystore without checking its integrity? The keystore will be queried for the user's private key which will be used to sign a document for non-repudiation. The certificate queried will be further validated against a copy stored in a database at the time the user registered himself and the (supposedly exact same) cert.
Well the main risk is that anyone who can read the file can also modify it. So someone could replace the file you read with a different keystore that has the same names for the keys but contains a different private key, so you end up signing documents with the wrong private key and none of them will pass verification.
Also, anyone with access to the file gains access to the private key and can sign documents as if they came from your app.