@@ -59,7 +59,9 @@ web.allowCookieAuthentication = true | |||
realm.userService = users.properties | |||
# How to store passwords. | |||
# Valid values are plain or md5. Default is md5. | |||
# Valid values are plain, md5, or combined-md5. md5 is the hash of password. | |||
# combined-md5 is the hash of username.toLowerCase()+password. | |||
# Default is md5. | |||
# | |||
# SINCE 0.5.0 | |||
realm.passwordStorage = md5 |
@@ -41,6 +41,10 @@ Gitblit requires a Java 6 Runtime Environment (JRE) or a Java 6 Development Kit | |||
- added: Gitblit Manager (Java/Swing Application) for remote administration of a Gitblit server. | |||
- added: per-repository setting to skip size calculation (faster repositories page loading) | |||
- added: per-repository setting to skip summary metrics calculation (faster summary page loading) | |||
- added: IUserService.setup(IStoredSettings) for custom user service implementations | |||
- added: setting to control Gitblit GO context path for proxy setups | |||
**New:** *server.contextPath = /* | |||
- added: *combined-md5* password storage option which stores the hash of username+password as the password | |||
- fixed: federation protocol timestamps. dates are now serialized to the [iso8601](http://en.wikipedia.org/wiki/ISO_8601) standard. | |||
**This breaks 0.6.0 federation clients/servers.** | |||
- fixed: collision on rename for repositories and users | |||
@@ -49,9 +53,6 @@ Gitblit requires a Java 6 Runtime Environment (JRE) or a Java 6 Development Kit | |||
- fixed: Set the RSS content type of syndication feeds for Firefox 4 (issue 22) | |||
- fixed: Null pointer exception if did not set federation strategy (issue 20) | |||
- fixed: Gitblit GO allows SSL renegotiation if running on Java 1.6.0_22 or later | |||
- added: IUserService.setup(IStoredSettings) for custom user service implementations | |||
- added: setting to control Gitblit GO context path for proxy setups | |||
**New:** *server.contextPath = /* | |||
- updated: MarkdownPapers 1.2.4 | |||
issues, binaries, and sources @ [Google Code][googlecode]<br/> |
@@ -15,6 +15,10 @@ | |||
- added: Gitblit Manager (Java/Swing Application) for remote administration of a Gitblit server. | |||
- added: per-repository setting to skip size calculation (faster repositories page loading) | |||
- added: per-repository setting to skip summary metrics calculation (faster summary page loading) | |||
- added: IUserService.setup(IStoredSettings) for custom user service implementations | |||
- added: setting to control Gitblit GO context path for proxy setups | |||
**New:** *server.contextPath = /* | |||
- added: *combined-md5* password storage option which stores the hash of username+password as the password | |||
- fixed: federation protocol timestamps. dates are now serialized to the [iso8601](http://en.wikipedia.org/wiki/ISO_8601) standard. | |||
**This breaks 0.6.0 federation clients/servers.** | |||
- fixed: collision on rename for repositories and users | |||
@@ -23,9 +27,6 @@ | |||
- fixed: Set the RSS content type of syndication feeds for Firefox 4 (issue 22) | |||
- fixed: Null pointer exception if did not set federation strategy (issue 20) | |||
- fixed: Gitblit GO allows SSL renegotiation if running on Java 1.6.0_22 or later | |||
- added: IUserService.setup(IStoredSettings) for custom user service implementations | |||
- added: setting to control Gitblit GO context path for proxy setups | |||
**New:** *server.contextPath = /* | |||
- updated: MarkdownPapers 1.2.4 | |||
### Older Releases |
@@ -126,11 +126,20 @@ public class FileUserService extends FileSettings implements IUserService { | |||
UserModel returnedUser = null; | |||
UserModel user = getUserModel(username); | |||
if (user.password.startsWith(StringUtils.MD5_TYPE)) { | |||
// password digest | |||
String md5 = StringUtils.MD5_TYPE + StringUtils.getMD5(new String(password)); | |||
if (user.password.equalsIgnoreCase(md5)) { | |||
returnedUser = user; | |||
} | |||
} else if (user.password.startsWith(StringUtils.COMBINED_MD5_TYPE)) { | |||
// username+password digest | |||
String md5 = StringUtils.COMBINED_MD5_TYPE | |||
+ StringUtils.getMD5(username.toLowerCase() + new String(password)); | |||
if (user.password.equalsIgnoreCase(md5)) { | |||
returnedUser = user; | |||
} | |||
} else if (user.password.equals(new String(password))) { | |||
// plain-text password | |||
returnedUser = user; | |||
} | |||
return returnedUser; |
@@ -191,6 +191,7 @@ public class EditUserDialog extends JDialog { | |||
return false; | |||
} | |||
boolean rename = false; | |||
// verify username uniqueness on create | |||
if (isCreate) { | |||
if (usernames.contains(uname.toLowerCase())) { | |||
@@ -199,7 +200,8 @@ public class EditUserDialog extends JDialog { | |||
} | |||
} else { | |||
// check rename collision | |||
if (!username.equalsIgnoreCase(uname)) { | |||
rename = !StringUtils.isEmpty(username) && !username.equalsIgnoreCase(uname); | |||
if (rename) { | |||
if (usernames.contains(uname.toLowerCase())) { | |||
error(MessageFormat.format( | |||
"Failed to rename ''{0}'' because ''{1}'' already exists.", username, | |||
@@ -208,34 +210,51 @@ public class EditUserDialog extends JDialog { | |||
} | |||
} | |||
} | |||
user.username = uname; | |||
int minLength = settings.get(Keys.realm.minPasswordLength).getInteger(5); | |||
if (minLength < 4) { | |||
minLength = 4; | |||
} | |||
char[] pw = passwordField.getPassword(); | |||
if (pw == null || pw.length < minLength) { | |||
String password = new String(passwordField.getPassword()); | |||
if (StringUtils.isEmpty(password) || password.length() < minLength) { | |||
error(MessageFormat.format("Password is too short. Minimum length is {0} characters.", | |||
minLength)); | |||
return false; | |||
} | |||
char[] cpw = confirmPasswordField.getPassword(); | |||
if (cpw == null || cpw.length != pw.length) { | |||
error("Please confirm the password!"); | |||
return false; | |||
} | |||
if (!Arrays.equals(pw, cpw)) { | |||
error("Passwords do not match!"); | |||
if (!password.toUpperCase().startsWith(StringUtils.MD5_TYPE) | |||
&& !password.toUpperCase().startsWith(StringUtils.COMBINED_MD5_TYPE)) { | |||
String cpw = new String(confirmPasswordField.getPassword()); | |||
if (cpw == null || cpw.length() != password.length()) { | |||
error("Please confirm the password!"); | |||
return false; | |||
} | |||
if (!password.equals(cpw)) { | |||
error("Passwords do not match!"); | |||
return false; | |||
} | |||
String type = settings.get(Keys.realm.passwordStorage).getString("md5"); | |||
if (type.equalsIgnoreCase("md5")) { | |||
// store MD5 digest of password | |||
user.password = StringUtils.MD5_TYPE + StringUtils.getMD5(password); | |||
} else if (type.equalsIgnoreCase("combined-md5")) { | |||
// store MD5 digest of username+password | |||
user.password = StringUtils.COMBINED_MD5_TYPE | |||
+ StringUtils.getMD5(username.toLowerCase() + password); | |||
} else { | |||
// plain-text password | |||
user.password = password; | |||
} | |||
} else if (rename && password.toUpperCase().startsWith(StringUtils.COMBINED_MD5_TYPE)) { | |||
error("Gitblit is configured for combined-md5 password hashing. You must enter a new password on account rename."); | |||
return false; | |||
} | |||
user.username = uname; | |||
String type = settings.get(Keys.realm.passwordStorage).getString("md5"); | |||
if (type.equalsIgnoreCase("md5")) { | |||
// store MD5 digest of password | |||
user.password = StringUtils.MD5_TYPE + StringUtils.getMD5(new String(pw)); | |||
} else { | |||
user.password = new String(pw); | |||
// no change in password | |||
user.password = password; | |||
} | |||
user.canAdmin = canAdminCheckbox.isSelected(); | |||
user.excludeFromFederation = notFederatedCheckbox.isSelected(); | |||
@@ -33,6 +33,8 @@ import java.util.regex.PatternSyntaxException; | |||
public class StringUtils { | |||
public static final String MD5_TYPE = "MD5:"; | |||
public static final String COMBINED_MD5_TYPE = "CMD5:"; | |||
/** | |||
* Returns true if the string is null or empty. |
@@ -77,14 +77,19 @@ public class ChangePasswordPage extends RootSubPage { | |||
return; | |||
} | |||
UserModel user = GitBlitWebSession.get().getUser(); | |||
// convert to MD5 digest, if appropriate | |||
String type = GitBlit.getString(Keys.realm.passwordStorage, "md5"); | |||
if (type.equalsIgnoreCase("md5")) { | |||
// store MD5 digest of password | |||
password = StringUtils.MD5_TYPE + StringUtils.getMD5(password); | |||
} else if (type.equalsIgnoreCase("combined-md5")) { | |||
// store MD5 digest of username+password | |||
password = StringUtils.COMBINED_MD5_TYPE | |||
+ StringUtils.getMD5(user.username.toLowerCase() + password); | |||
} | |||
UserModel user = GitBlitWebSession.get().getUser(); | |||
user.password = password; | |||
try { | |||
GitBlit.self().updateUserModel(user.username, user, false); |
@@ -70,7 +70,7 @@ public class EditUserPage extends RootSubPage { | |||
} else { | |||
super.setupPage(getString("gb.edit"), userModel.username); | |||
} | |||
final Model<String> confirmPassword = new Model<String>( | |||
StringUtils.isEmpty(userModel.password) ? "" : userModel.password); | |||
CompoundPropertyModel<UserModel> model = new CompoundPropertyModel<UserModel>(userModel); | |||
@@ -109,12 +109,14 @@ public class EditUserPage extends RootSubPage { | |||
return; | |||
} | |||
} | |||
boolean rename = !StringUtils.isEmpty(oldName) && !oldName.equalsIgnoreCase(username); | |||
if (!userModel.password.equals(confirmPassword.getObject())) { | |||
error("Passwords do not match!"); | |||
return; | |||
} | |||
String password = userModel.password; | |||
if (!password.toUpperCase().startsWith(StringUtils.MD5_TYPE)) { | |||
if (!password.toUpperCase().startsWith(StringUtils.MD5_TYPE) | |||
&& !password.toUpperCase().startsWith(StringUtils.COMBINED_MD5_TYPE)) { | |||
// This is a plain text password. | |||
// Check length. | |||
int minLength = GitBlit.getInteger(Keys.realm.minPasswordLength, 5); | |||
@@ -134,7 +136,15 @@ public class EditUserPage extends RootSubPage { | |||
// store MD5 digest of password | |||
userModel.password = StringUtils.MD5_TYPE | |||
+ StringUtils.getMD5(userModel.password); | |||
} else if (type.equalsIgnoreCase("combined-md5")) { | |||
// store MD5 digest of username+password | |||
userModel.password = StringUtils.COMBINED_MD5_TYPE | |||
+ StringUtils.getMD5(username.toLowerCase() + userModel.password); | |||
} | |||
} else if (rename | |||
&& password.toUpperCase().startsWith(StringUtils.COMBINED_MD5_TYPE)) { | |||
error("Gitblit is configured for combined-md5 password hashing. You must enter a new password on account rename."); | |||
return; | |||
} | |||
Iterator<String> selectedRepositories = repositories.getSelectedChoices(); |