completly reworked hashing algorithm + way easier to install application (database)

Hattinger04 · Hattinger04 · commit 09df9915864f · 2022-12-24T21:39:59.000+01:00
diff --git a/README.MD b/README.MD
@@ -2,15 +2,14 @@
 
 This is the API Background where our frontend framework (= VueJS) sends request to.
 
-## Installation guide for developer (not using docker)
+## Installation guide for developer (not using docker) to edit program
 
 - git clone https://github.com/xJHamster/BackendSpring
 - open maven spring project in your IDE 
 - create mysql database called "springserver"
 - run ProjectWebsiteApplication 
-- go to application.properties and change spring.sql.init.mode=never to spring.sql.init.mode=always 
-- restart program
-- then undo changes in application.properties and restart again 
+
+You can apply some changes in settings.properties, but be careful! You might need to reinstall your database!
 
 ## The commands 
 
diff --git a/src/main/java/io/github/Hattinger04/configuration/AdminUserCreator.java b/src/main/java/io/github/Hattinger04/configuration/AdminUserCreator.java
@@ -0,0 +1,70 @@
+package io.github.Hattinger04.configuration;
+
+import java.util.Arrays;
+import java.util.HashSet;
+
+import javax.persistence.EntityManager;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.boot.CommandLineRunner;
+import org.springframework.context.annotation.PropertySource;
+import org.springframework.stereotype.Component;
+
+import io.github.Hattinger04.role.Role;
+import io.github.Hattinger04.role.RoleRepository;
+import io.github.Hattinger04.user.model.User;
+import io.github.Hattinger04.user.model.UserRepository;
+
+@Component
+@PropertySource("classpath:settings.properties")
+public class AdminUserCreator implements CommandLineRunner {
+
+	private final UserRepository userRepository;
+	private final RoleRepository roleRepository;
+
+	private final CustomPasswordEncoder passwordEncoder;
+
+	// TODO: creating database here not working yet!
+	// but a beginning is there
+	private final EntityManager entityManager;
+
+	@Value("${database}")
+	private String database; 
+	
+	@Autowired
+	public AdminUserCreator(UserRepository userRepository, CustomPasswordEncoder passwordEncoder,
+			RoleRepository roleRepository, EntityManager entityManager) {
+		this.userRepository = userRepository;
+		this.passwordEncoder = passwordEncoder;
+		this.roleRepository = roleRepository;
+		this.entityManager = entityManager;
+	}
+
+	@Override
+	public void run(String... args) {
+		try {
+			entityManager.getTransaction().begin();
+			entityManager.createNativeQuery(String.format("CREATE DATABASE %s", database)).executeUpdate();
+			entityManager.getTransaction().commit();
+		} catch (Exception e) {
+			// database already exists
+		}
+		if (roleRepository.count() == 0) {
+			roleRepository.save(new Role("ADMIN"));
+			roleRepository.save(new Role("DEV"));
+			roleRepository.save(new Role("TEACHER"));
+			roleRepository.save(new Role("USER"));
+		}
+
+		if (userRepository.count() == 0) {
+			User user = new User();
+			user.setUsername("admin");
+			user.setActive(true);
+			user.setPassword(passwordEncoder.encode("admin"));
+			Role userRole = roleRepository.findByRole("ADMIN");
+			user.setRoles(new HashSet<Role>(Arrays.asList(userRole)));
+			userRepository.save(user);
+		}
+	}
+}
diff --git a/src/main/java/io/github/Hattinger04/configuration/CustomPasswordEncoder.java b/src/main/java/io/github/Hattinger04/configuration/CustomPasswordEncoder.java
@@ -0,0 +1,35 @@
+package io.github.Hattinger04.configuration;
+
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.PropertySource;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.stereotype.Component;
+
+@Component
+@PropertySource("classpath:settings.properties")
+public class CustomPasswordEncoder implements PasswordEncoder {
+
+	@Value("${password.pepper}")
+	private String pepper;
+
+	@Value("${password.rounds}")
+	private int rounds;
+
+	
+	public CustomPasswordEncoder() {}
+	
+	@Override
+	public String encode(CharSequence rawPassword) {
+		BCryptPasswordEncoder encoder = new BCryptPasswordEncoder(rounds);
+		String saltedPassword = pepper + rawPassword + pepper;
+		return encoder.encode(saltedPassword);
+	}
+
+	@Override
+	public boolean matches(CharSequence rawPassword, String encodedPassword) {
+		BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
+		String saltedPassword = pepper + rawPassword + pepper;
+		return encoder.matches(saltedPassword, encodedPassword);
+	}
+}
diff --git a/src/main/java/io/github/Hattinger04/configuration/SecurityConfiguration.java b/src/main/java/io/github/Hattinger04/configuration/SecurityConfiguration.java
@@ -4,19 +4,20 @@
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
 import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
-import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.web.servlet.config.annotation.CorsRegistry;
 import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
 import org.springframework.web.servlet.resource.PathResourceResolver;
 
 @Configuration
 public class SecurityConfiguration implements WebMvcConfigurer {
-
+	
     @Bean
-    public BCryptPasswordEncoder passwordEncoder() {
-        return new BCryptPasswordEncoder();
+    public PasswordEncoder passwordEncoder() {
+        return new CustomPasswordEncoder(); 
     }
+    
     @Override
     public void addResourceHandlers(ResourceHandlerRegistry registry) {
 	    registry.addResourceHandler("/files/**")
diff --git a/src/main/java/io/github/Hattinger04/configuration/WebSecurityConfig.java b/src/main/java/io/github/Hattinger04/configuration/WebSecurityConfig.java
@@ -11,7 +11,6 @@
 import org.springframework.security.config.annotation.web.builders.WebSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
-import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 
 import io.github.Hattinger04.user.model.MyUserDetailsService;
 
@@ -21,14 +20,14 @@
 public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 
 	@Autowired
-	private BCryptPasswordEncoder bCryptPasswordEncoder;
+	private CustomPasswordEncoder encoder;
 
 	@Autowired
 	private MyUserDetailsService userDetailsService;
 	
 	@Override
 	protected void configure(AuthenticationManagerBuilder auth) throws Exception {
-		auth.userDetailsService(userDetailsService).passwordEncoder(bCryptPasswordEncoder);
+		auth.userDetailsService(userDetailsService).passwordEncoder(encoder);
 	}
 
     @Bean
diff --git a/src/main/java/io/github/Hattinger04/hamster/HamsterController.java b/src/main/java/io/github/Hattinger04/hamster/HamsterController.java
@@ -18,7 +18,6 @@
 import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.ObjectMapper;
 
-import io.github.Hattinger04.course.model.student.Student;
 import io.github.Hattinger04.hamster.model.Hamster;
 import io.github.Hattinger04.hamsterEvaluation.workbench.Workbench;
 
diff --git a/src/main/java/io/github/Hattinger04/role/Role.java b/src/main/java/io/github/Hattinger04/role/Role.java
@@ -20,4 +20,8 @@ public class Role {
     private int id;
     @Column(name = "role")
     private String role;
+    
+    public Role(String role) {
+    	this.role = role; 
+    }
 }
diff --git a/src/main/java/io/github/Hattinger04/user/model/UserService.java b/src/main/java/io/github/Hattinger04/user/model/UserService.java
@@ -5,9 +5,9 @@
 import java.util.List;
 
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.stereotype.Service;
 
+import io.github.Hattinger04.configuration.CustomPasswordEncoder;
 import io.github.Hattinger04.role.Role;
 import io.github.Hattinger04.role.RoleRepository;
 
@@ -16,14 +16,14 @@ public class UserService {
 
 	private UserRepository userRepository;
 	private RoleRepository roleRepository;
-	private BCryptPasswordEncoder bCryptPasswordEncoder;
+	private CustomPasswordEncoder customPasswordEncoder;
 
 	@Autowired
 	public UserService(UserRepository userRepository, RoleRepository roleRepository,
-			BCryptPasswordEncoder bCryptPasswordEncoder) {
+			CustomPasswordEncoder customPasswordEncoder) {
 		this.userRepository = userRepository;
 		this.roleRepository = roleRepository;
-		this.bCryptPasswordEncoder = bCryptPasswordEncoder;
+		this.customPasswordEncoder = customPasswordEncoder;
 	}
 
 	public User findUserByID(int id) {
@@ -36,7 +36,7 @@ public User findUserByUsername(String username) {
 
 	public boolean saveUser(User user) {
 		try {
-			user.setPassword(bCryptPasswordEncoder.encode(user.getPassword()));
+			user.setPassword(customPasswordEncoder.encode(user.getPassword()));
 			user.setActive(true);
 			Role userRole = roleRepository.findByRole("USER");
 			user.setRoles(new HashSet<Role>(Arrays.asList(userRole)));
diff --git a/src/main/resources/allLogs.log b/src/main/resources/allLogs.log
@@ -396,3 +396,11 @@ Dez. 23, 2022 3:04:13 PM io.github.Hattinger04.aop.LogAspect loginLog
 FEIN: User(id=null, username=admin, password=admin, active=null, roles=null) - [logged in]
 Dez. 23, 2022 5:45:52 PM io.github.Hattinger04.aop.LogAspect loginLog
 FEIN: User(id=null, username=admin, password=admin, active=null, roles=null) - [logged in]
+Dez. 24, 2022 9:06:04 PM io.github.Hattinger04.aop.LogAspect loginLog
+FEIN: User(id=null, username=admin, password=admin, active=null, roles=null) - [logged in]
+Dez. 24, 2022 9:06:23 PM io.github.Hattinger04.aop.LogAspect loginLog
+FEIN: User(id=null, username=admin, password=admin, active=null, roles=null) - [logged in]
+Dez. 24, 2022 9:22:14 PM io.github.Hattinger04.aop.LogAspect loginLog
+FEIN: User(id=null, username=admin, password=admin, active=null, roles=null) - [logged in]
+Dez. 24, 2022 9:33:53 PM io.github.Hattinger04.aop.LogAspect loginLog
+FEIN: User(id=null, username=admin, password=admin, active=null, roles=null) - [logged in]
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
@@ -4,8 +4,6 @@ spring.datasource.password=
 spring.jpa.show-sql = true
 spring.jpa.hibernate.ddl-auto = update
 spring.jpa.properties.hibernate.dialect = org.hibernate.dialect.MySQL5Dialect
-# set to always to generate data.sql in database - but you have to start webserver one time before to create tables
-spring.sql.init.mode=never
 
 server.address=0.0.0.0
 
@@ -20,4 +18,5 @@ server.ssl.key-store-password=Winter21!
 #logging.level.org.springframework.security=DEBUG
 
 # all reqests should begin with /api: 
-spring.mvc.servlet.path=/api
+spring.mvc.servlet.path=/api
+bcrypt.strength=15
diff --git a/src/main/resources/data.sql b/src/main/resources/data.sql
diff --git a/src/main/resources/settings.properties b/src/main/resources/settings.properties
@@ -0,0 +1,3 @@
+password.pepper=my_secret_pepper_value
+password.rounds=15
+database=springserver

Original file line number	Diff line number	Diff line change
`@@ -20,4 +20,8 @@ public class Role {`
`20`	`20`	`private int id;`
`21`	`21`	`@Column(name = "role")`
`22`	`22`	`private String role;`
	`23`	`+`
	`24`	`+ public Role(String role) {`
	`25`	`+ this.role = role;`
	`26`	`+ }`
`23`	`27`	`}`