Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add possibility to remember password for shared databases. #1846

Merged

Conversation

obraliar
Copy link
Contributor

@obraliar obraliar commented Aug 25, 2016

Issue: #1703. (completition)

Store last used connection in the "open remote database dialog"

Screenshot:
openshareddatabase

  • Screenshots added (for bigger UI changes)
  • Manually tested changed features in running JabRef

@obraliar obraliar force-pushed the PasswordManagementForSharedDatabase branch from 5079221 to b38f020 Compare August 25, 2016 01:55
@koppor koppor added this to the v3.6 milestone Aug 25, 2016
private static final String SHARED_DATABASE_REMEMBER_PASSWORD = "sharedDatabaseRememberPassword";

// This {@link Preferences} is used only for things which should not appear in real JabRefPreferences due to security reasons.
private final Preferences internalPrefs = Preferences.userNodeForPackage(OpenSharedDatabaseDialog.class);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it possible to use another node for storing? The whole preference tree gets exported. Therefore, this should be located somewhere else @matthiasgeiger

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

@koppor
Copy link
Member

koppor commented Aug 25, 2016

Could you use some unique system properties such as the login name, serial number of Windows or something as additional encryption key? - If you use that too, maybe the preferences can be exported completely.

As alternative, on Windows, maybe the Windows Credential Store can be used? On Linux, the key store. On Mac?

@koppor koppor modified the milestones: v3.7, v3.6 Aug 25, 2016
@matthiasgeiger
Copy link
Member

matthiasgeiger commented Aug 25, 2016

Maybe this Preferences userPrefs = Preferences.userRoot().node( "/com/tutego/insel" ); as used here http://openbook.rheinwerk-verlag.de/javainsel/javainsel_11_009.html could be used to create another registry node just for the password which is then not exported by JabRef.

// Edit: Of course it must be outside "/net/sf/jabref" ... ;-)

@@ -194,6 +197,12 @@ private void applyGlobalPrefs() {
if (sharedDatabaseUser.isPresent()) {
userField.setText(sharedDatabaseUser.get());
}

if (sharedDatabasePassword.isPresent()) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The password should only be set when there is a password available and the checkbox to remember the password is checked so please add && sharedDatabaseRememberPassword.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See: https://github.com/JabRef/jabref/pull/1846/files#diff-bf287bbdc594ec6ec66a15154e141110R316. If the checkbox is not select the pref is going to be cleared.

@boceckts
Copy link
Contributor

Only minor coments from me. Once they are done and the conflicts are reseolved, it looks good to me 👍

@Siedlerchr
Copy link
Member

Password Hashing is the solution! (It should have come earlier to my mind)
https://paragonie.com/blog/2016/02/how-safely-store-password-in-2016#java

@obraliar
Copy link
Contributor Author

obraliar commented Aug 25, 2016

@matthiasgeiger Unfortunately it does not work. I used for testing private final Preferences internalPrefs = Preferences.userRoot().node("/bla/bla1/security"); If I export the preferences, the following nodes appear again:

  1 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
  2 <!DOCTYPE preferences SYSTEM "http://java.sun.com/dtd/preferences.dtd">
  3 <preferences EXTERNAL_XML_VERSION="1.0">
  4   <root type="user">
  5     <map/>
  6     <node name="net">
  7       <map/>
  8       <node name="sf">
  9         <map/>
 10         <node name="jabref">
 11           <map>
 12           <!-- ... -->
 13           </map>
 14           <node name="bibtexKeyPattern">
 15             <map/>
 16           </node>
 17           <node name="bibtexkeypatterns">
 18             <map/>
 19           </node>
 20           <node name="gui">
 21             <map/>
 22             <node name="shared">
 23               <map>
 24                 <entry key="sharedDatabasePassword" value="kJicIWFbSjTjw5QYiENFLA=="/>
 25               </map>
 26             </node>
 27           </node>
 28           <node name="labelPattern">
 29             <map/>
 30           </node>
 31           <node name="logic">
 32             <map/>
 33             <node name="labelpattern">
 34               <map/>
 35             </node>
 36           </node>
 37         </node>
 38       </node>
 39     </node>
 40   </root>
 41 </preferences>

As another solution we could add new SharedDatabasePreferences().clear(); into JabRefPreferences.exportPreferences(String filename).

@matthiasgeiger
Copy link
Member

matthiasgeiger commented Aug 25, 2016

@obraliar I think that the exported key is a remnant of previously saved settings.

If you are using windows use regedit to delete the keys in the node HKEY_CURRENT_USER\SOFTWARE\JavaSoft\Prefs\net\sf\jabref\gui\shared

Your addition should be placed in HKEY_CURRENT_USER\SOFTWARE\JavaSoft\Prefs\bla\bla1\security

@obraliar
Copy link
Contributor Author

@Siedlerchr There should be a possibility to decrypt the password again as this is going to be sent to DBMS. Could you explain what to do with hashing?

@obraliar
Copy link
Contributor Author

@matthiasgeiger 👍 I'm using Linux (Debian) and there you have to remove ~/.java/.userPrefs/net/sf from file system. Now it works very well!
Now using: private final Preferences internalPrefs = Preferences.userRoot().node("/net/sf/security/jabref");

@obraliar
Copy link
Contributor Author

@koppor What about using the MAC address?

@obraliar obraliar force-pushed the PasswordManagementForSharedDatabase branch from b38f020 to 55de86b Compare August 25, 2016 14:20
@matthiasgeiger
Copy link
Member

matthiasgeiger commented Aug 25, 2016

I think the suggestion is now obsolote as exporting the prefs without the password is now possible. Maybe we should add a comment in the help file that the password is saved on the local hard disk - then a user can decide whether he wants to save it or not...

Regarding the prefs node: As we want to move the package from "net.sf" to "org" eventually in the future it would be perhaps better to use Preferences.getUserNodeForPackage(JabRefMain.class).parent().node("jabref-pwdstorage") to use a relative approach.

@obraliar obraliar force-pushed the PasswordManagementForSharedDatabase branch from 55de86b to 2b94985 Compare August 25, 2016 14:30
@obraliar
Copy link
Contributor Author

obraliar commented Aug 25, 2016

@matthiasgeiger I agree cause the safest way is not to use the function "remember password" as this is generally a security gap due to symetric encryption.

@obraliar obraliar force-pushed the PasswordManagementForSharedDatabase branch 3 times, most recently from 316e94f to 2e700f6 Compare August 25, 2016 16:28
@Siedlerchr
Copy link
Member

Forget about the Hashing. I didn't think about that you need it in plaintex to send to the db..

@obraliar obraliar changed the title [WIP] Add possibility to remember password for shared databases. Add possibility to remember password for shared databases. Aug 25, 2016
@koppor
Copy link
Member

koppor commented Aug 26, 2016

@matthiasgeiger I would nevertheless keep a simple encryption to make it a bit harder to access the password.

@Braunch Braunch changed the title Add possibility to remember password for shared databases. [WIP]Add possibility to remember password for shared databases. Aug 29, 2016
@obraliar
Copy link
Contributor Author

@JabRef/developers Could someone look at this PR and possibly merge it in, please?
Reason: @koppor is offline for a week.

@Braunch Braunch changed the title [WIP]Add possibility to remember password for shared databases. Add possibility to remember password for shared databases. Aug 29, 2016
@obraliar obraliar force-pushed the PasswordManagementForSharedDatabase branch from f459b5c to d5fec26 Compare August 29, 2016 13:53
@stefan-kolb
Copy link
Member

LGTM 👍


public class OpenSharedDatabaseDialog extends JDialog {

private static final Log LOGGER = LogFactory.getLog(Password.class);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Change the class in getLog to the actual class name (OpenSharedDatabaseDialog)
Otherwise logs shows wrong class.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

@Siedlerchr
Copy link
Member

Generally good work, if you address the comments, then we can merge it in 👍

@obraliar obraliar force-pushed the PasswordManagementForSharedDatabase branch from d5fec26 to 5ae1bfa Compare September 2, 2016 00:23

public class OpenSharedDatabaseDialog extends JDialog {

protected static final Log LOGGER = LogFactory.getLog(OpenSharedDatabaseDialog.class);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is the logger protected here?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done. Copy & paste from DBMSProcessor 🙈.

@obraliar obraliar force-pushed the PasswordManagementForSharedDatabase branch from 5ae1bfa to 2ec2e0d Compare September 2, 2016 13:37
- Add checkbox to the open shared database dialog
- Add SharedDatabasePreferences
- Add password encrypting and decrypting methods
- Update localization entries
- Reorganize clearing methods for Preferences
- Use username as one operand
- Add new parameter to the constructor
- Use CBC and padding
- Hash the key before using
- Simplify conversion
@obraliar obraliar force-pushed the PasswordManagementForSharedDatabase branch from 2ec2e0d to 968e8b1 Compare September 4, 2016 16:35
@obraliar obraliar force-pushed the PasswordManagementForSharedDatabase branch from 968e8b1 to 0a8fc3a Compare September 4, 2016 20:39
@obraliar
Copy link
Contributor Author

obraliar commented Sep 4, 2016

All issues have been fixed.

@stefan-kolb stefan-kolb merged commit 3f64b08 into JabRef:master Sep 4, 2016
tobiasdiez pushed a commit that referenced this pull request Sep 5, 2016
* Check integrity edition check

* Conflict in Jabref_fr

* Changed order Biblatex/Bibtex condition

* Create own object

* Rename variable

* Extract checker to own file

* Improved comment

* French localization: Jabref_fr: empty strings translated + removal of unused header (#1911)

* Remove teamscale findings in the database package (#1577)

* Check integrity edition check

* Changed order Biblatex/Bibtex condition

* Create own object

* Rename variable

* Mark some methods as deprecated in BibEntry and BibDatabase (#1913)

* Mark some methods as deprecated in BibEntry and BibDatabase

* Rename getResolvedFieldOrAlias

* Use flatmap

* Fix location field not exported correctly to office 2007 xml (#1909)

* Fix location field not exported to office 2007 xml
* Add some test for exporting location and address field
Address in xml field is now imported as location
add some javadoc

* Add possibility to remember password for shared databases. (#1846)

* Add possibility to remember password.
- Add checkbox to the open shared database dialog
- Add SharedDatabasePreferences
- Add password encrypting and decrypting methods
- Update localization entries
- Reorganize clearing methods for Preferences

* Change prefs node and add class comment.

* Relativate node path for password storage.

* Fix LOGGER factory.

* Improve password encryption using XOR.

- Use username as one operand
- Add new parameter to the constructor

* Extract method.

* Improve exception handling.

* Improve password encryption and decryption.

- Use CBC and padding
- Hash the key before using
- Simplify conversion

* Fix modifier. Fix conflicts.

* Extract checker to own file

* Improved comment

* Translation of shared (#1919)

* Add missing entries in german localization

* Resolved conflicts

* Some more conflicts de sv

* Expressions changed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
status: ready-for-review Pull Requests that are ready to be reviewed by the maintainers
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants