-
-
Notifications
You must be signed in to change notification settings - Fork 2.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add possibility to remember password for shared databases. #1846
Add possibility to remember password for shared databases. #1846
Conversation
5079221
to
b38f020
Compare
private static final String SHARED_DATABASE_REMEMBER_PASSWORD = "sharedDatabaseRememberPassword"; | ||
|
||
// This {@link Preferences} is used only for things which should not appear in real JabRefPreferences due to security reasons. | ||
private final Preferences internalPrefs = Preferences.userNodeForPackage(OpenSharedDatabaseDialog.class); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it possible to use another node for storing? The whole preference tree gets exported. Therefore, this should be located somewhere else @matthiasgeiger
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
Could you use some unique system properties such as the login name, serial number of Windows or something as additional encryption key? - If you use that too, maybe the preferences can be exported completely. As alternative, on Windows, maybe the Windows Credential Store can be used? On Linux, the key store. On Mac? |
Maybe this // Edit: Of course it must be outside "/net/sf/jabref" ... ;-) |
@@ -194,6 +197,12 @@ private void applyGlobalPrefs() { | |||
if (sharedDatabaseUser.isPresent()) { | |||
userField.setText(sharedDatabaseUser.get()); | |||
} | |||
|
|||
if (sharedDatabasePassword.isPresent()) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The password should only be set when there is a password available and the checkbox to remember the password is checked so please add && sharedDatabaseRememberPassword
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See: https://github.com/JabRef/jabref/pull/1846/files#diff-bf287bbdc594ec6ec66a15154e141110R316. If the checkbox is not select the pref is going to be cleared.
Only minor coments from me. Once they are done and the conflicts are reseolved, it looks good to me 👍 |
Password Hashing is the solution! (It should have come earlier to my mind) |
@matthiasgeiger Unfortunately it does not work. I used for testing
As another solution we could add |
@obraliar I think that the exported key is a remnant of previously saved settings. If you are using windows use Your addition should be placed in |
@Siedlerchr There should be a possibility to decrypt the password again as this is going to be sent to DBMS. Could you explain what to do with hashing? |
@matthiasgeiger 👍 I'm using Linux (Debian) and there you have to remove |
@koppor What about using the MAC address? |
b38f020
to
55de86b
Compare
I think the suggestion is now obsolote as exporting the prefs without the password is now possible. Maybe we should add a comment in the help file that the password is saved on the local hard disk - then a user can decide whether he wants to save it or not... Regarding the prefs node: As we want to move the package from "net.sf" to "org" eventually in the future it would be perhaps better to use |
55de86b
to
2b94985
Compare
@matthiasgeiger I agree cause the safest way is not to use the function "remember password" as this is generally a security gap due to symetric encryption. |
316e94f
to
2e700f6
Compare
Forget about the Hashing. I didn't think about that you need it in plaintex to send to the db.. |
@matthiasgeiger I would nevertheless keep a simple encryption to make it a bit harder to access the password. |
@JabRef/developers Could someone look at this PR and possibly merge it in, please? |
f459b5c
to
d5fec26
Compare
LGTM 👍 |
|
||
public class OpenSharedDatabaseDialog extends JDialog { | ||
|
||
private static final Log LOGGER = LogFactory.getLog(Password.class); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Change the class in getLog to the actual class name (OpenSharedDatabaseDialog)
Otherwise logs shows wrong class.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
Generally good work, if you address the comments, then we can merge it in 👍 |
d5fec26
to
5ae1bfa
Compare
|
||
public class OpenSharedDatabaseDialog extends JDialog { | ||
|
||
protected static final Log LOGGER = LogFactory.getLog(OpenSharedDatabaseDialog.class); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why is the logger protected here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done. Copy & paste from DBMSProcessor
🙈.
5ae1bfa
to
2ec2e0d
Compare
- Add checkbox to the open shared database dialog - Add SharedDatabasePreferences - Add password encrypting and decrypting methods - Update localization entries - Reorganize clearing methods for Preferences
- Use username as one operand - Add new parameter to the constructor
- Use CBC and padding - Hash the key before using - Simplify conversion
2ec2e0d
to
968e8b1
Compare
968e8b1
to
0a8fc3a
Compare
All issues have been fixed. |
* Check integrity edition check * Conflict in Jabref_fr * Changed order Biblatex/Bibtex condition * Create own object * Rename variable * Extract checker to own file * Improved comment * French localization: Jabref_fr: empty strings translated + removal of unused header (#1911) * Remove teamscale findings in the database package (#1577) * Check integrity edition check * Changed order Biblatex/Bibtex condition * Create own object * Rename variable * Mark some methods as deprecated in BibEntry and BibDatabase (#1913) * Mark some methods as deprecated in BibEntry and BibDatabase * Rename getResolvedFieldOrAlias * Use flatmap * Fix location field not exported correctly to office 2007 xml (#1909) * Fix location field not exported to office 2007 xml * Add some test for exporting location and address field Address in xml field is now imported as location add some javadoc * Add possibility to remember password for shared databases. (#1846) * Add possibility to remember password. - Add checkbox to the open shared database dialog - Add SharedDatabasePreferences - Add password encrypting and decrypting methods - Update localization entries - Reorganize clearing methods for Preferences * Change prefs node and add class comment. * Relativate node path for password storage. * Fix LOGGER factory. * Improve password encryption using XOR. - Use username as one operand - Add new parameter to the constructor * Extract method. * Improve exception handling. * Improve password encryption and decryption. - Use CBC and padding - Hash the key before using - Simplify conversion * Fix modifier. Fix conflicts. * Extract checker to own file * Improved comment * Translation of shared (#1919) * Add missing entries in german localization * Resolved conflicts * Some more conflicts de sv * Expressions changed
Issue: #1703. (completition)
Screenshot: