Bug #3591 : using a password field for prompting password instead of clear field

Author: Emmanuel Hugonnet

src/main/java/com/silverpeas/openoffice/AuthenticationInfo.java

@@ -24,22 +24,24 @@
 
 package com.silverpeas.openoffice;
 
+import java.util.Arrays;
+
 /**
  * Authentication information.
  * @author Ludovic Bertin
  */
 public class AuthenticationInfo {
 
-  String login = null;
-  String password = null;
+  private String login = null;
+  private char[] password = new char[0];
 
   /**
    * @param login
-   * @param password
+   * @param pass
    */
-  public AuthenticationInfo(String login, String password) {
+  public AuthenticationInfo(String login, char[] pass) {
     this.login = login;
-    this.password = password;
+    this.password = Arrays.copyOf(pass, pass.length);
   }
 
   /**
@@ -59,22 +61,16 @@ public void setLogin(String login) {
   /**
    * @return the password
    */
-  public String getPassword() {
-    return password;
+  public char[] getPassword() {
+    return Arrays.copyOf(password, password.length);
   }
 
-  /**
-   * @param password the password to set
-   */
-  public void setPassword(String password) {
-    this.password = password;
-  }
 
   @Override
   public int hashCode() {
-    int hash = 3;
+    int hash = 7;
     hash = 47 * hash + (this.login != null ? this.login.hashCode() : 0);
-    hash = 47 * hash + (this.password != null ? this.password.hashCode() : 0);
+    hash = 47 * hash + Arrays.hashCode(this.password);
     return hash;
   }
 
@@ -87,14 +83,14 @@ public boolean equals(Object obj) {
       return false;
     }
     final AuthenticationInfo other = (AuthenticationInfo) obj;
-    if ((this.login == null) ? (other.login != null)
-        : !this.login.equals(other.login)) {
+    if ((this.login == null) ? (other.login != null) : !this.login.equals(other.login)) {
       return false;
     }
-    if ((this.password == null) ? (other.password != null)
-        : !this.password.equals(other.password)) {
+    if (!Arrays.equals(this.password, other.password)) {
       return false;
     }
     return true;
   }
+
+  
 }

src/main/java/com/silverpeas/openoffice/util/MessageDisplayer.java

@@ -1,33 +1,32 @@
 /**
  * Copyright (C) 2000 - 2009 Silverpeas
  *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Affero General Public License as
- * published by the Free Software Foundation, either version 3 of the
- * License, or (at your option) any later version.
+ * This program is free software: you can redistribute it and/or modify it under the terms of the
+ * GNU Affero General Public License as published by the Free Software Foundation, either version 3
+ * of the License, or (at your option) any later version.
  *
- * As a special exception to the terms and conditions of version 3.0 of
- * the GPL, you may redistribute this Program in connection with Free/Libre
- * Open Source Software ("FLOSS") applications as described in Silverpeas's
- * FLOSS exception.  You should have received a copy of the text describing
- * the FLOSS exception, and it is also available here:
+ * As a special exception to the terms and conditions of version 3.0 of the GPL, you may
+ * redistribute this Program in connection with Free/Libre Open Source Software ("FLOSS")
+ * applications as described in Silverpeas's FLOSS exception. You should have received a copy of the
+ * text describing the FLOSS exception, and it is also available here:
  * "http://repository.silverpeas.com/legal/licensing"
  *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU Affero General Public License for more details.
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Affero General Public License for more details.
  *
- * You should have received a copy of the GNU Affero General Public License
- * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ * You should have received a copy of the GNU Affero General Public License along with this program.
+ * If not, see <http://www.gnu.org/licenses/>.
  */
-
 package com.silverpeas.openoffice.util;
 
+import javax.swing.JLabel;
 import javax.swing.JOptionPane;
+import javax.swing.JPasswordField;
 
 /**
  * Simple utility class to display messages graphically.
+ *
  * @author ehugonnet
  */
 public class MessageDisplayer {
@@ -41,9 +40,12 @@ public static void displayError(Throwable t) {
     JOptionPane.showMessageDialog(null, t.getMessage(),
         MessageUtil.getMessage("error.title"), JOptionPane.ERROR_MESSAGE);
   }
-  
-  public static String displayPromptPassword() {
-    return JOptionPane.showInputDialog(null, MessageUtil.getMessage("info.missing.password.label"),
-        MessageUtil.getMessage("info.missing.password.title"), JOptionPane.PLAIN_MESSAGE);
+
+  public static char[] displayPromptPassword() {
+    JLabel label = new JLabel(MessageUtil.getMessage("info.missing.password.label"));
+    JPasswordField jpf = new JPasswordField();
+    JOptionPane.showConfirmDialog(null, new Object[]{label, jpf}, 
+        MessageUtil.getMessage("info.missing.password.title"), JOptionPane.OK_CANCEL_OPTION);
+    return jpf.getPassword();  
   }
 }

src/main/java/com/silverpeas/openoffice/util/PasswordManager.java

@@ -1,27 +1,23 @@
 /**
  * Copyright (C) 2000 - 2009 Silverpeas
  *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Affero General Public License as
- * published by the Free Software Foundation, either version 3 of the
- * License, or (at your option) any later version.
+ * This program is free software: you can redistribute it and/or modify it under the terms of the
+ * GNU Affero General Public License as published by the Free Software Foundation, either version 3
+ * of the License, or (at your option) any later version.
  *
- * As a special exception to the terms and conditions of version 3.0 of
- * the GPL, you may redistribute this Program in connection with Free/Libre
- * Open Source Software ("FLOSS") applications as described in Silverpeas's
- * FLOSS exception.  You should have received a copy of the text describing
- * the FLOSS exception, and it is also available here:
+ * As a special exception to the terms and conditions of version 3.0 of the GPL, you may
+ * redistribute this Program in connection with Free/Libre Open Source Software ("FLOSS")
+ * applications as described in Silverpeas's FLOSS exception. You should have received a copy of the
+ * text describing the FLOSS exception, and it is also available here:
  * "http://www.silverpeas.com/legal/licensing"
  *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU Affero General Public License for more details.
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Affero General Public License for more details.
  *
- * You should have received a copy of the GNU Affero General Public License
- * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ * You should have received a copy of the GNU Affero General Public License along with this program.
+ * If not, see <http://www.gnu.org/licenses/>.
  */
-
 package com.silverpeas.openoffice.util;
 
 import java.io.UnsupportedEncodingException;
@@ -43,40 +39,46 @@
  */
 public class PasswordManager {
 
-  private final static byte[] KEY = new byte[] { -23, -75, -2, -17, 79, -94, -125,
-      -14 };
+  private final static byte[] KEY = new byte[]{-23, -75, -2, -17, 79, -94, -125,
+    -14};
   private final static Key decryptionKey = new SecretKeySpec(KEY, "DES");
   private final static String DIGITS = "0123456789abcdef";
 
   /**
    * Converts a hexadecimal String to clear password.
-   * @param hex hexadecimal String to convert
+   *
+   * @param encodedPassword password to decode.
    * @return resulting password
+   * @throws UnsupportedEncodingException
+   * @throws GeneralSecurityException
    */
-  public static String decodePassword(String encodedPassword) throws
-      UnsupportedEncodingException, GeneralSecurityException {
+  public static char[] decodePassword(String encodedPassword) throws UnsupportedEncodingException,
+      GeneralSecurityException {
     Cipher cipher = Cipher.getInstance("DES");
     cipher.init(Cipher.DECRYPT_MODE, decryptionKey);
     byte[] bytes = new BigInteger(encodedPassword, 16).toByteArray();
-    Logger.getLogger(Launcher.class.getName()).log(Level.INFO, "decrypted password byte array length : {0}", bytes.length);
+    Logger.getLogger(Launcher.class.getName()).log(Level.INFO,
+        "decrypted password byte array length : {0}", bytes.length);
     int nbCaracToRemove = (bytes.length) % 8;
     byte[] result = new byte[bytes.length - nbCaracToRemove];
-    System.arraycopy(bytes, nbCaracToRemove, result, 0, bytes.length -
-        nbCaracToRemove);
-    return new String(cipher.doFinal(result), "UTF-8");
+    System.arraycopy(bytes, nbCaracToRemove, result, 0, bytes.length - nbCaracToRemove);
+    return new String(cipher.doFinal(result), "UTF-8").toCharArray();
   }
 
   /**
    * Converts a password to a hexadecimal String containing the DES encrypted password.
+   *
    * @param password the password to encrypt
    * @return resulting hexadecimal String
+   * @throws UnsupportedEncodingException
+   * @throws GeneralSecurityException
    */
-  public static String encodePassword(String password) throws
-      UnsupportedEncodingException, GeneralSecurityException {
+  public static String encodePassword(String password) throws UnsupportedEncodingException,
+      GeneralSecurityException {
     Cipher cipher = Cipher.getInstance("DES");
     cipher.init(Cipher.ENCRYPT_MODE, decryptionKey);
     byte[] cipherText = cipher.doFinal(password.getBytes("UTF-8"));
-    StringBuilder buf = new StringBuilder();
+    StringBuilder buf = new StringBuilder(cipherText.length);
     for (int i = 0; i != cipherText.length; i++) {
       int v = cipherText[i] & 0xff;
       buf.append(DIGITS.charAt(v >> 4));
@@ -87,27 +89,30 @@ public static String encodePassword(String password) throws
 
   /**
    * Build an authentication objec from arguments
-   * @param args arguments passed through JNLP
+   *
+   * @param login
+   * @param encodedPassword
    * @return the Authentication object
    */
   public static AuthenticationInfo extractAuthenticationInfo(String login, String encodedPassword) {
-    String clearPwd = null;
-    String decodedLogin = login;
     try {
-      clearPwd = decodePassword(encodedPassword);
-      if(clearPwd.isEmpty()) {
+      char[] clearPwd = decodePassword(encodedPassword);
+      if (clearPwd.length <= 0) {
         clearPwd = promptForpassword();
       }
-      decodedLogin = URLDecoder.decode(login, "UTF-8");
-    } catch (Exception e) {
-      Logger.getLogger(Launcher.class.getName()).log(Level.SEVERE, "can't retrieve credentials", e);
+      String decodedLogin = URLDecoder.decode(login, "UTF-8");
+      return new AuthenticationInfo(decodedLogin, clearPwd);
+    } catch (GeneralSecurityException ex) {
+      Logger.getLogger(Launcher.class.getName()).log(Level.SEVERE, "can't retrieve credentials", ex);
+      System.exit(-1);
+    } catch (UnsupportedEncodingException ex) {
+      Logger.getLogger(Launcher.class.getName()).log(Level.SEVERE, "can't retrieve credentials", ex);
       System.exit(-1);
     }
-
-    return new AuthenticationInfo(decodedLogin, clearPwd);
+    return null;
   }
 
-  private static String promptForpassword() {
+  private static char[] promptForpassword() {
     return MessageDisplayer.displayPromptPassword();
   }
 }

src/main/java/com/silverpeas/openoffice/windows/FileWebDavAccessManager.java

@@ -1,27 +1,23 @@
 /**
  * Copyright (C) 2000 - 2009 Silverpeas
  *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Affero General Public License as
- * published by the Free Software Foundation, either version 3 of the
- * License, or (at your option) any later version.
+ * This program is free software: you can redistribute it and/or modify it under the terms of the
+ * GNU Affero General Public License as published by the Free Software Foundation, either version 3
+ * of the License, or (at your option) any later version.
  *
- * As a special exception to the terms and conditions of version 3.0 of
- * the GPL, you may redistribute this Program in connection with Free/Libre
- * Open Source Software ("FLOSS") applications as described in Silverpeas's
- * FLOSS exception.  You should have received a copy of the text describing
- * the FLOSS exception, and it is also available here:
+ * As a special exception to the terms and conditions of version 3.0 of the GPL, you may
+ * redistribute this Program in connection with Free/Libre Open Source Software ("FLOSS")
+ * applications as described in Silverpeas's FLOSS exception. You should have received a copy of the
+ * text describing the FLOSS exception, and it is also available here:
  * "http://repository.silverpeas.com/legal/licensing"
  *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU Affero General Public License for more details.
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Affero General Public License for more details.
  *
- * You should have received a copy of the GNU Affero General Public License
- * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ * You should have received a copy of the GNU Affero General Public License along with this program.
+ * If not, see <http://www.gnu.org/licenses/>.
  */
-
 package com.silverpeas.openoffice.windows;
 
 import com.silverpeas.openoffice.AuthenticationInfo;
@@ -38,17 +34,19 @@
 
 /**
  * This class manage download and upload of documents using webdav protocol.
+ *
  * @author Ludovic Bertin
  */
 public class FileWebDavAccessManager {
 
   private String userName;
-  private String password;
+  private char[] password;
   private String lockToken = null;
   static Logger logger = Logger.getLogger(FileWebDavAccessManager.class.getName());
 
   /**
    * The AccessManager is inited with authentication info to avoid login prompt
+   *
    * @param auth authentication info
    */
   public FileWebDavAccessManager(AuthenticationInfo auth) {
@@ -58,14 +56,15 @@ public FileWebDavAccessManager(AuthenticationInfo auth) {
 
   /**
    * Retrieve the file from distant URL to local temp file.
+   *
    * @param url document url
    * @return full path of local temp file
    * @throws HttpException
    * @throws IOException
    */
   public String retrieveFile(String url) throws HttpException, IOException {
     URI uri = getURI(url);
-    WebdavManager webdav = new WebdavManager(uri.getHost(), userName, password);
+    WebdavManager webdav = new WebdavManager(uri.getHost(), userName, new String(password));
     // Let's lock the file
     lockToken = webdav.lockFile(uri, userName);
     logger.log(Level.INFO, "{0}{1}{2}", new Object[]{MessageUtil.getMessage("info.webdav.locked"),
@@ -78,18 +77,20 @@ public String retrieveFile(String url) throws HttpException, IOException {
 
   /**
    * Push back file into remote location using webdav.
+   *
    * @param tmpFilePath full path of local temp file
    * @param url remote url
    * @throws HttpException
    * @throws IOException
    */
-  public void pushFile(String tmpFilePath, String url) throws HttpException,
-      IOException {
+  public void pushFile(String tmpFilePath, String url) throws HttpException, IOException {
     URI uri = getURI(url);
-    WebdavManager webdav = new WebdavManager(uri.getHost(), userName, password);
-    logger.log(Level.INFO, "{0}{1}{2}", new Object[]{MessageUtil.getMessage("info.webdav.put"), ' ', tmpFilePath});
+    WebdavManager webdav = new WebdavManager(uri.getHost(), userName, new String(password));
+    logger.log(Level.INFO, "{0}{1}{2}", new Object[]{MessageUtil.getMessage("info.webdav.put"), ' ',
+          tmpFilePath});
     webdav.putFile(uri, tmpFilePath, lockToken);
-    logger.log(Level.INFO, "{0}{1}{2}", new Object[]{MessageUtil.getMessage("info.webdav.unlocking"), ' ', uri.getEscapedURI()});
+    logger.log(Level.INFO, "{0}{1}{2}",
+        new Object[]{MessageUtil.getMessage("info.webdav.unlocking"), ' ', uri.getEscapedURI()});
     // Let's unlock the file
     webdav.unlockFile(uri, lockToken);
     // delete temp file