MightyPork
/
airsonic-custom
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge remote-tracking branch 'airsonic/pr/1037'

Browse Source
master
Andrew DeMaria 5 years ago
parent b663a2fb90 8a90d9f77b
commit 3cdecb87f4
No known key found for this signature in database
GPG Key ID: 0A3F5E91F8364EDF
2 changed files with 51 additions and 1 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 30
      airsonic-main/src/main/java/org/airsonic/player/security/GlobalSecurityConfig.java
  2. 22
      airsonic-main/src/main/java/org/airsonic/player/service/SettingsService.java

30
airsonic-main/src/main/java/org/airsonic/player/security/GlobalSecurityConfig.java
Unescape View File

@ -33,6 +33,8 @@ public class GlobalSecurityConfig extends GlobalAuthenticationConfigurerAdapter
static final String FAILURE_URL = "/login?error=1";
static final String DEVELOPMENT_REMEMBER_ME_KEY = "airsonic";
@Autowired
private SecurityService securityService;
@ -125,6 +127,32 @@ public class GlobalSecurityConfig extends GlobalAuthenticationConfigurerAdapter
restAuthenticationFilter.setEventPublisher(eventPublisher);
http = http.addFilterBefore(restAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
// Try to load the 'remember me' key.
//
// Note that using a fixed key compromises security as perfect
// forward secrecy is not guaranteed anymore.
//
// An external entity can then re-use our authentication cookies before
// the expiration time, or even, given enough time, recover the password
// from the MD5 hash.
//
// See: https://docs.spring.io/spring-security/site/docs/3.0.x/reference/remember-me.html
String rememberMeKey = settingsService.getRememberMeKey();
boolean development = settingsService.isDevelopmentMode();
if (StringUtils.isBlank(rememberMeKey) && !development) {
// ...if it is empty, generate a random key on startup (default).
logger.debug("Generating a new ephemeral 'remember me' key in a secure way.");
rememberMeKey = generateRememberMeKey();
} else if (StringUtils.isBlank(rememberMeKey) && development) {
// ...if we are in development mode, we can use a fixed key.
logger.warn("Using a fixed 'remember me' key because we're in development mode, this is INSECURE.");
rememberMeKey = DEVELOPMENT_REMEMBER_ME_KEY;
} else {
// ...otherwise, use the custom key directly.
logger.info("Using a fixed 'remember me' key from system properties, this is insecure.");
}
http
.csrf()
.requireCsrfProtectionMatcher(csrfSecurityRequestMatcher)
@ -169,7 +197,7 @@ public class GlobalSecurityConfig extends GlobalAuthenticationConfigurerAdapter
// see http://docs.spring.io/spring-security/site/docs/3.2.4.RELEASE/reference/htmlsingle/#csrf-logout
.and().logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout", "GET")).logoutSuccessUrl(
"/login?logout")
.and().rememberMe().key(generateRememberMeKey());
.and().rememberMe().key(rememberMeKey);
}
}

22
airsonic-main/src/main/java/org/airsonic/player/service/SettingsService.java
Unescape View File

@ -107,6 +107,7 @@ public class SettingsService {
private static final String KEY_SONOS_SERVICE_NAME = "SonosServiceName";
private static final String KEY_SONOS_SERVICE_ID = "SonosServiceId";
private static final String KEY_JWT_KEY = "JWTKey";
private static final String KEY_REMEMBER_ME_KEY = "RememberMeKey";
private static final String KEY_SMTP_SERVER = "SmtpServer";
private static final String KEY_SMTP_ENCRYPTION = "SmtpEncryption";
@ -794,6 +795,27 @@ public class SettingsService {
setString(KEY_MEDIA_LIBRARY_STATISTICS, statistics.format());
}
/**
* Returns whether we are running in Development mode.
*
* @return true if we are in Development mode.
*/
public boolean isDevelopmentMode() {
return System.getProperty("airsonic.development") != null;
}
/**
* Returns the custom 'remember me' key used for generating authentication tokens.
*
* @return The 'remember me' key.
*/
public String getRememberMeKey() {
String key = null;
if (StringUtils.isBlank(key)) key = getString(KEY_REMEMBER_ME_KEY, null);
if (StringUtils.isBlank(key)) key = System.getProperty("airsonic.rememberMeKey");
return key;
}
/**
* Returns the locale (for language, date format etc).
*

Write Preview
Loading…
Cancel
Save