Merge pull request #811 from jamesrdf/issues/#681-server-password

Fix #681: Encode server password in base64 over the network

Author: James Leigh

core/http/workbench/src/main/java/org/eclipse/rdf4j/workbench/base/AbstractServlet.java

@@ -38,10 +38,14 @@ public abstract class AbstractServlet implements Servlet {
 
 	protected final Logger log = LoggerFactory.getLogger(this.getClass());
 
+	@Deprecated
 	protected static final String SERVER_USER = "server-user";
 
+	@Deprecated
 	protected static final String SERVER_PASSWORD = "server-password";
 
+	protected static final String SERVER_USER_PASSWORD = "server-user-password";
+
 	protected static final String ACCEPT = "Accept";
 
 	/**

core/http/workbench/src/main/java/org/eclipse/rdf4j/workbench/proxy/WorkbenchGateway.java

@@ -178,10 +178,8 @@ private void changeServer(final HttpServletRequest req, final HttpServletRespons
 		// Valid server was submitted by form. Set cookie and redirect to
 		// repository selection page.
 		this.cookies.addNewCookie(req, resp, SERVER_COOKIE, server);
-		final String user = getOptionalParameter(req, SERVER_USER);
-		this.cookies.addNewCookie(req, resp, SERVER_USER, user);
-		final String password = getOptionalParameter(req, SERVER_PASSWORD);
-		this.cookies.addNewCookie(req, resp, SERVER_PASSWORD, password);
+		final String user_password = getOptionalParameter(req, SERVER_USER_PASSWORD);
+		this.cookies.addNewCookie(req, resp, SERVER_USER_PASSWORD, user_password);
 		final StringBuilder uri = new StringBuilder(req.getRequestURI());
 		uri.setLength(uri.length() - req.getPathInfo().length());
 		resetCache();

core/http/workbench/src/main/java/org/eclipse/rdf4j/workbench/proxy/WorkbenchServlet.java

@@ -13,6 +13,7 @@
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.net.URLDecoder;
+import java.util.Base64;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.ConcurrentMap;
 
@@ -255,10 +256,21 @@ private void setCredentials(final HttpServletRequest req, final HttpServletRespo
 			final RemoteRepositoryManager rrm = (RemoteRepositoryManager)manager;
 			LOGGER.info("RemoteRepositoryManager URL: {}", rrm.getLocation());
 			final CookieHandler cookies = new CookieHandler(config);
-			final String user = cookies.getCookieNullIfEmpty(req, resp, WorkbenchGateway.SERVER_USER);
-			final String password = cookies.getCookieNullIfEmpty(req, resp, WorkbenchGateway.SERVER_PASSWORD);
-			LOGGER.info("Setting user '{}' and password '{}'.", user, password);
-			rrm.setUsernameAndPassword(user, password);
+			final String user_password = cookies.getCookieNullIfEmpty(req, resp, WorkbenchGateway.SERVER_USER_PASSWORD);
+			if (user_password == null) {
+				rrm.setUsernameAndPassword(null, null);
+			} else {
+				String decoded;
+				try {
+					decoded = new String(Base64.getDecoder().decode(user_password));
+				} catch(IllegalArgumentException e) {
+					decoded = user_password; // older browsers
+				}
+				final String user = decoded.substring(0, decoded.indexOf(':'));
+				final String password = decoded.substring(decoded.indexOf(':')+1);
+				LOGGER.info("Setting user '{}' and their password.", user);
+				rrm.setUsernameAndPassword(user, password);
+			}
 			// initialize() required to push credentials to internal HTTP
 			// client.
 			rrm.initialize();

core/http/workbench/src/main/webapp/scripts/saved-queries.js

@@ -12,7 +12,9 @@ module workbench {
         declare var YASQE: any;
 
         export function deleteQuery(savedBy: string, name: string, urn: string) {
-            var currentUser = workbench.getCookie("server-user");
+            var encoded = workbench.getCookie("server-user-password");
+            var decoded = encoded && window.atob ? window.atob(encoded) : encoded;
+            var currentUser = decoded && decoded.substring(0, decoded.indexOf(':'));
             if ((!savedBy || currentUser == savedBy)) {
                 if (confirm("'"
                     + name