Use a random key to "encrypt" the remember-me cookie's value

Since Spring's default remember-me technique is
terrible security-wise (`user:timstamp:md5(use:timestamp:password:key)`),
we should at least use a random key, instead of a fixed one,
otherwise, and attacker able to capture the cookies
might be able to trivially bruteforce offline
the password of the associated user.
master
jvoisin 6 years ago
parent 83882b18d9
commit 3e07ea5288
  1. 12
      airsonic-main/src/main/java/org/airsonic/player/security/GlobalSecurityConfig.java

@ -22,6 +22,8 @@ import org.springframework.security.web.authentication.UsernamePasswordAuthentic
import org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter; import org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher; import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import java.security.SecureRandom;
@Configuration @Configuration
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER) @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true) @EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
@ -31,6 +33,14 @@ public class GlobalSecurityConfig extends GlobalAuthenticationConfigurerAdapter
static final String FAILURE_URL = "/login?error=1"; static final String FAILURE_URL = "/login?error=1";
private static final String key;
static {
byte[] array = new byte[32];
new SecureRandom().nextBytes(array);
key = new String(array);
}
@Autowired @Autowired
private SecurityService securityService; private SecurityService securityService;
@ -162,7 +172,7 @@ public class GlobalSecurityConfig extends GlobalAuthenticationConfigurerAdapter
// see http://docs.spring.io/spring-security/site/docs/3.2.4.RELEASE/reference/htmlsingle/#csrf-logout // see http://docs.spring.io/spring-security/site/docs/3.2.4.RELEASE/reference/htmlsingle/#csrf-logout
.and().logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout", "GET")).logoutSuccessUrl( .and().logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout", "GET")).logoutSuccessUrl(
"/login?logout") "/login?logout")
.and().rememberMe().key("airsonic"); .and().rememberMe().key(key);
} }
} }

Loading…
Cancel
Save