gitblit

Commit Graph

Author	SHA1	Message	Date
Florian Zschocke	803d4171bf	Delete password from memory in AuthenticationManager Zero out the password to remove it from memory after use. This is only a first step, implementing it for one method: `AuthenticationManager.authenticate(String, char[], String)`.	4 years ago
Florian Zschocke	e47647b00d	🦟 fix: Password hash upgrade kills existing passwords The upgrade of a MD5 stored password hash to a PBKDF password hash destroys the stored password. The has check zeroes out the password that is tested, so that the new hash is built over the zeroed out value. This fix prevents that an also adds a check to the test. Fixes #1335	4 years ago
Florian Zschocke	c09335a030	Use the new PasswordHash classes. Integrate the `PasswordHash` class and subclass in the user and password editing and authentication. Replaces the old code and the previous `SecurePasswordHashingUtils` class.	4 years ago
Martin Spielmann	c7f75029fc	fix comment	7 years ago
Martin Spielmann	4ab81b3465	Update AuthenticationManager to update weakly stored passwords on login	7 years ago
Martin Spielmann	15782f62ba	Added possibility to use secure hashes to store passwords Addresses #1166	7 years ago
Florian Zschocke	90a8d1af6c	Set secure user cookies and only for HTTP. Mark the user authentication cookie to be only used for HTTP, making it inaccessible for JavaScript engines. If only HTTPS is used and no HTTP (i.e. also if HTTP is redirected to HTTPS) then mark the user cookie to be sent only over secure connections.	7 years ago
Dariusz Bywalec	db09ef1033	Lower log level of servlet authenticate when request is already authenticated When calling a servlet which has already been authenticated, the server would produce a lot of superfluous log entries, e.g: Called servlet authenticate when request is already authenticated. The log level for this log entry has been lowered down to DEBUG.	8 years ago
Dariusz Bywalec	5274e12c7c	Fix authentication failure warning log messages for FEDERATION_USER The AuthenticationManager did not encounter for FEDERATION_USER and would unnecessarily generate a lot of failure warning log messages, e.g: Failed login attempt for $gitblit, invalid credentials from XXX.XX.XX.XX A simple condition will prematurely return null bypassing the regular authentication path and immediately make the authentication be routed via FederationManager.	8 years ago
Joel Johnson	46f61d3990	implement an HTTP header AuthenticationProvider	9 years ago
Paul Martin	0d7c650b3b	Log update for Fail2Ban usage + Adds standard logging for all authentication providers + Updates help page to use default GitBlit SSH port	8 years ago
Joel Johnson	62e0259129	prevent session fixation for external authentication + use request instead of session to flag authentication status and user, for external authentication types	9 years ago
Fabrice Bacchella	e97c01c140	Invalid kerberos patches, works now and with a test.	9 years ago
Fabrice Bacchella	2c0555f90e	A patch that allows to extract a new user informations from the HTTP session if the webapp container can fill it.	9 years ago
James Moger	efdb2b3d0c	Remove Wicket references from non-Wicket packages	10 years ago
James Moger	6e3481850d	Allow authentication providers to control user and team role changes	9 years ago
James Moger	ec7ed84b04	Restrict Gitblit cookie to the context path	9 years ago
James Moger	f9980ea7a6	Annotate managers with @Singleton	10 years ago
James Moger	cdb2fe6428	Use Guice annotations, not javax.inject annotations	10 years ago
James Moger	1b34b05f5b	Embrace @Inject for Managers, Servlets, and Filters	10 years ago
James Moger	bcc8a015ae	Handle ssh keys as objects, not strings, and improve the ls and rm key commands "gitblit keys ls" now defaults to showing an indexed list of fingerprints which almost matches the output of "sshadd -l". The indexes are useful specifying key(s) to remove using "gitblit keys rm <index>". This is an important improvement for key management.	10 years ago
James Moger	44e2ee1d05	Revise SSH public key integration with AuthenticationManager	10 years ago
James Moger	860d2ca577	Establish ssh keys folder, support multiple keys, revise key authenticator	10 years ago
David Ostrovsky	e3b636e7fa	SSHD: Add support for git pack commands Add git-upload-pack and git-receive-pack commands. Conflicts: src/main/java/com/gitblit/manager/ServicesManager.java src/main/java/com/gitblit/transport/ssh/CommandDispatcher.java src/main/java/com/gitblit/transport/ssh/SshCommandFactory.java Change-Id: I8c057b41f1dfad6d004e6aa91f96c8c673be9be2	10 years ago
James Moger	b4a63aad7f	Fix authentication security hole with external providers	10 years ago
James Moger	9aa11943f8	Implement user "disabled" flag as an alternative to deleting the account	10 years ago
James Moger	6659fa5151	API adjustments and elimination of duplicate config options	10 years ago
James Moger	7ab32b65fc	issue-361: Reset user cookie after administrative password change Cookies were not reset on administrative password change of a user account. This allowed accounts with changed passwords to continue authenticating. Cookies are now reset on password changes, they are validated on each page request, AND they will now expire 7 days after generation.	10 years ago
James Moger	1293c279d1	Fix external authentication failure Change-Id: I0f415941a4bfd5e63d85c60613cea0c7d10cbb49	10 years ago
James Moger	088b6f3367	Added filesystem write permission check (issue-345) Change-Id: I0a3aced3b8e9887347888c85e469b74fc70931ad	10 years ago
James Moger	23e08cdfd5	Refactor managers and authentication for federation Change-Id: I5ff18b2768095fb14e7fbece2e756115829abbde	10 years ago
James Moger	04a98505a4	Refactor user services and separate authentication (issue-281) Change-Id: I336e005e02623fc5e11a4f8b4408bea5465a43fd	10 years ago

35 Commits (a93cd37bc60b4f311692e0e9c6b0ddf320eb5c29)