From 073e8dd688d7043be91b62ed02b0c4ab94590ecb Mon Sep 17 00:00:00 2001
From: Pavol Mederly
Date: Fri, 10 May 2019 12:43:38 +0200
Subject: [PATCH] Definitely fix password storage (MID-5336)

This fixes password validation broken in previous commit.
(cherry picked from commit 1dc8a58324b60052475d8304f4e07a027ba7e932)
---
.../api/component/password/PasswordPanel.java | 15 +++----
.../SecureModelPasswordTextField.java | 40 +++++++++++++++++++
.../self/component/ChangePasswordPanel.java | 2 +-
3 files changed, 47 insertions(+), 10 deletions(-)
create mode 100644 gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/api/component/password/SecureModelPasswordTextField.java
diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/api/component/password/PasswordPanel.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/api/component/password/PasswordPanel.java
index 1bf2b11cb00..e4afb26e177 100644
--- a/gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/api/component/password/PasswordPanel.java
+++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/api/component/password/PasswordPanel.java
@@ -97,29 +97,28 @@ public boolean isVisible() { inputContainer.setOutputMarkupId(true); add(inputContainer); - final PasswordTextField password1 = new PasswordTextField(ID_PASSWORD_ONE, new PasswordModel(model)); + final PasswordTextField password1 = new SecureModelPasswordTextField(ID_PASSWORD_ONE, new PasswordModel(model)); password1.setRequired(false); password1.setOutputMarkupId(true); password1.add(new EmptyOnBlurAjaxFormUpdatingBehaviour()); inputContainer.add(password1); - final PasswordTextField password2 = new PasswordTextField(ID_PASSWORD_TWO, new PasswordModel(Model.of(new ProtectedStringType()))); + final PasswordTextField password2 = new SecureModelPasswordTextField(ID_PASSWORD_TWO, new PasswordModel(Model.of(new ProtectedStringType()))); password2.setRequired(false); password2.setOutputMarkupId(true); - password2.add(new EmptyOnBlurAjaxFormUpdatingBehaviour()); inputContainer.add(password2); password1.add(new AjaxFormComponentUpdatingBehavior("change") { @Override protected void onUpdate(AjaxRequestTarget target) { - boolean required = !StringUtils.isEmpty(password1.getModel().getObject()); + boolean required = !StringUtils.isEmpty(password1.getModelObject()); password2.setRequired(required); //fix of MID-2463 // target.add(password2); // target.appendJavaScript("$(\"#"+ password2.getMarkupId() +"\").focus()"); } }); - password2.add(new PasswordValidator(password1, password2)); + password2.add(new PasswordValidator(password1)); final WebMarkupContainer linkContainer = new WebMarkupContainer(ID_LINK_CONTAINER) { @Override 
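Review bot: The confirmation field becomes required only through password1's Ajax `change` callback (`password2.setRequired(required)`), and nothing else in this hunk forces it to be filled. Wicket does not call a plain `IValidator` when the converted input is null, so if the form is submitted before that callback has run, an empty confirmation presumably never reaches `PasswordValidator` and a new password could be accepted unconfirmed. Letting the validator implement `INullAcceptingValidator` (its `validate` already returns early only when both values are empty) would make the check independent of the Ajax round trip. A short comment on why password2 no longer gets `EmptyOnBlurAjaxFormUpdatingBehaviour` would help too, e.g. `// password2 is compared via its validator; its model is no longer updated on blur`. The enclosing method starts and ends outside the hunk.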
@@ -221,17 +220,15 @@ public FormComponent getBaseFormComponent() { private static class PasswordValidator implements IValidator { private PasswordTextField p1; - private PasswordTextField p2; - private PasswordValidator(@NotNull PasswordTextField p1, @NotNull PasswordTextField p2) { + private PasswordValidator(@NotNull PasswordTextField p1) { this.p1 = p1; - this.p2 = p2; } @Override public void validate(IValidatable validatable) { String s1 = p1.getModelObject(); - String s2 = p2.getModelObject(); + String s2 = validatable.getValue(); if (StringUtils.isEmpty(s1) && StringUtils.isEmpty(s2)) { return; diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/api/component/password/SecureModelPasswordTextField.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/api/component/password/SecureModelPasswordTextField.java new file mode 100644 index 00000000000..f581f28147e --- /dev/null +++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/api/component/password/SecureModelPasswordTextField.java 
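Review bot: In `PasswordValidator.validate`, `s1` still comes from `p1.getModelObject()` while `s2` is now the submitted value, so the two sides are read at different stages of form processing. Wicket validates all components before it updates their models, so on a plain form submit `s1` is whatever password1's last Ajax update stored, which may lag behind what the user actually typed (inferred; `EmptyOnBlurAjaxFormUpdatingBehaviour` is not shown in this patch). Comparing submitted input on both sides, for instance `String s1 = p1.getConvertedInput();` with a fallback to the model, or the stock form-level `EqualPasswordInputValidator`, would remove that dependence. The remaining field can also be declared `private final PasswordTextField p1;`. The body of `validate` continues outside the hunk.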
@@ -0,0 +1,40 @@
+/*
+ * Copyright (c) 2010-2019 Evolveum
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.evolveum.midpoint.gui.api.component.password;
+
+import org.apache.wicket.markup.html.form.PasswordTextField;
+import org.apache.wicket.model.IModel;
+
+/**
+ * PasswordTextField that assumes its underlying model is secure enough to be serialized.
+ *
+ * Therefore we can disable "reset password" security feature and - when detaching - clear only our input.
+ * The model is preserved, because it's considered secure enough.
+ */
+public class SecureModelPasswordTextField extends PasswordTextField {
+
+ public SecureModelPasswordTextField(String id, IModel model) {
+ super(id, model);
+ setResetPassword(false);
+ }
+
+ @Override
+ protected void onDetach() {
+ clearInput();
+ super.onDetach();
+ }
+}
diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/self/component/ChangePasswordPanel.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/self/component/ChangePasswordPanel.java
index a127caed7b0..461903c0682 100644
--- a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/self/component/ChangePasswordPanel.java
+++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/self/component/ChangePasswordPanel.java
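Review bot: `setResetPassword(false)` in the `SecureModelPasswordTextField` constructor also switches off the blanking of the `value` attribute at render time, not only the model reset on detach; as far as I know Wicket's `PasswordTextField.onComponentTag` empties `value` only while `resetPassword` is true. Because `onDetach` clears the raw input, a later re-render would fill `value` from the model, so whatever `PasswordModel.getObject()` returns (not visible in this patch) could be echoed into the page markup. Overriding `onComponentTag` to call `super.onComponentTag(tag)` followed by `tag.put("value", "");` keeps the model across requests without sending its content back to the browser. The class Javadoc should also state what callers must guarantee, e.g. `Callers must pass a model that never serializes the clear-text password.`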
@@ -223,7 +223,7 @@ protected void onEvent(final AjaxRequestTarget target) { @Override public boolean isEnabled() { - return passwordAccountDto.getCssClass() != NO_CAPABILITY_ICON_CSS; + return !passwordAccountDto.getCssClass().equals(NO_CAPABILITY_ICON_CSS); } }); }
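Review bot: The new `isEnabled()` dereferences `passwordAccountDto.getCssClass()` and will throw a NullPointerException if no CSS class was set, where the old `!=` comparison simply returned true. Whether the DTO can carry a null class is not visible here, so put the constant first: `return !NO_CAPABILITY_ICON_CSS.equals(passwordAccountDto.getCssClass());`. The enclosing anonymous class starts outside the hunk.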