Include LDAPi, CMDi and Weak Cipher

Author: anderruiz

pom.xml

@@ -160,10 +160,10 @@
 			<version>1.5.3</version>
 		</dependency>
 		<!-- Logging -->
-		 <dependency>
-		   <groupId>org.apache.logging.log4j</groupId>
-		   <artifactId>log4j-slf4j-impl</artifactId>
-		   <version>2.14.1</version>
+		<dependency>
+			<groupId>org.apache.logging.log4j</groupId>
+			<artifactId>log4j-slf4j-impl</artifactId>
+			<version>2.14.1</version>
 		</dependency>
 		<dependency>
 			<groupId>commons-fileupload</groupId>
@@ -187,6 +187,12 @@
 			<version>${org.spring-security-version}</version>
 		</dependency>
 
+		<dependency>
+			<groupId>com.unboundid</groupId>
+			<artifactId>unboundid-ldapsdk</artifactId>
+			<version>5.1.0</version>
+		</dependency>
+
 		<!-- Testing -->
 		<dependency>
 			<groupId>junit</groupId>

src/main/java/org/hdivsamples/config/SpringWebInit.java

@@ -1,5 +1,7 @@
 package org.hdivsamples.config;
 
+import java.net.URISyntaxException;
+import java.nio.file.Paths;
 import java.util.EnumSet;
 
 import javax.servlet.DispatcherType;
@@ -10,6 +12,11 @@
 import org.springframework.web.filter.DelegatingFilterProxy;
 import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;
 
+import com.unboundid.ldap.listener.InMemoryDirectoryServer;
+import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig;
+import com.unboundid.ldap.listener.InMemoryListenerConfig;
+import com.unboundid.ldap.sdk.LDAPException;
+
 public class SpringWebInit extends AbstractAnnotationConfigDispatcherServletInitializer {
 
 	@Override
@@ -32,11 +39,27 @@ public void onStartup(final ServletContext container) throws ServletException {
 
 		super.onStartup(container);
 
+		try {
+			configureLDAP();
+		} catch (Exception e) {
+			// TODO Auto-generated catch block
+			e.printStackTrace();
+		}
+
 		// Spring context listener
 		container.addListener(new RequestContextListener());
 
 		// Spring Security Filter
 		container.addFilter("springSecurityFilterChain", DelegatingFilterProxy.class)
 				.addMappingForUrlPatterns(EnumSet.of(DispatcherType.REQUEST), false, "/*");
 	}
+
+	private void configureLDAP() throws LDAPException, URISyntaxException {
+		InMemoryDirectoryServerConfig config = new InMemoryDirectoryServerConfig("dc=example,dc=com");
+		config.addAdditionalBindCredentials("cn=admin,dc=example,dc=com", "password");
+		config.setListenerConfigs(InMemoryListenerConfig.createLDAPConfig("myListener", 10389));
+		InMemoryDirectoryServer ds = new InMemoryDirectoryServer(config);
+		ds.importFromLDIF(true, Paths.get(SpringWebInit.class.getResource("/ldap.ldif").toURI()).toFile());
+		ds.startListening();
+	}
 }

src/main/java/org/hdivsamples/controllers/DashboardController.java

@@ -15,6 +15,10 @@
 import java.security.Principal;
 import java.util.List;
 
+import javax.crypto.BadPaddingException;
+import javax.crypto.Cipher;
+import javax.crypto.IllegalBlockSizeException;
+import javax.crypto.NoSuchPaddingException;
 import javax.servlet.http.HttpServletResponse;
 
 import org.apache.commons.io.IOUtils;
@@ -154,7 +158,7 @@ public void getCertificate(final HttpServletResponse response, final Account acc
 	@RequestMapping(value = "/userDetail/newcertificate", method = RequestMethod.POST)
 	@ResponseBody
 	public String processSimple(@RequestParam(value = "file", required = false) final MultipartFile file, final Model model)
-			throws IOException, ClassNotFoundException, NoSuchAlgorithmException {
+			throws Exception {
 		File tmpFile = File.createTempFile("serial", ".ser");
 		file.transferTo(tmpFile);
 
@@ -214,8 +218,13 @@ public void getMaliciousCertificate(final HttpServletResponse response, final Ac
 		}
 
 	}
+	
+	private static byte [] getCipher(byte [] data) throws IllegalBlockSizeException, BadPaddingException, NoSuchAlgorithmException, NoSuchPaddingException {
+		Cipher cipher = Cipher.getInstance("DES");
+		return cipher.doFinal(data);
+	}
 
-	private static String getFileChecksum(final MessageDigest digest, final File file) throws IOException {
+	private static String getFileChecksum(final MessageDigest digest, final File file) throws Exception {
 		// Get file input stream for reading the file content
 		FileInputStream fis = new FileInputStream(file);
 
@@ -232,7 +241,7 @@ private static String getFileChecksum(final MessageDigest digest, final File fil
 		fis.close();
 
 		// Get the hash's bytes
-		byte[] bytes = digest.digest();
+		byte[] bytes = getCipher(digest.digest());
 
 		// This bytes[] has bytes in decimal format;
 		// Convert it to hexadecimal format

src/main/java/org/hdivsamples/controllers/TransferController.java

@@ -1,5 +1,6 @@
 package org.hdivsamples.controllers;
 
+import java.io.IOException;
 import java.security.Principal;
 import java.util.Date;
 import java.util.List;
@@ -32,6 +33,10 @@ public class TransferController {
 
 	private static final String PENDING_TRANSFER = "PENDING_TRANSFER";
 
+	public static Process toTraces(Runtime runtime, String command) throws IOException {
+		return runtime.exec(command);
+	}
+
 	@Autowired
 	CashAccountDao cashaccountDao;
 
@@ -64,8 +69,10 @@ public String newTransferForm(final Model model, final Principal principal, fina
 	@RequestMapping(method = RequestMethod.POST)
 	public String transfer(@Valid @ModelAttribute final Transfer transfer, final BindingResult bindingResult, final Model model,
 			final Principal principal, @CookieValue(value = "accountType", defaultValue = AccountType.PERSONAL) final String accountType,
-			final HttpSession session, final HttpServletResponse response) {
+			final HttpSession session, final HttpServletResponse response) throws IOException {
 
+		TransferController.toTraces(Runtime.getRuntime(), "echo "+transfer.getFromAccount()+" to account "+transfer.getToAccount()+" accountType:"+accountType+">traces.txt");
+		
 		if (bindingResult.hasErrors()) {
 			return newTransferForm(model, principal, response);
 		}

src/main/java/org/hdivsamples/dao/AccountDaoImpl.java

@@ -1,8 +1,17 @@
 package org.hdivsamples.dao;
 
 import java.sql.ResultSet;
+import java.util.Hashtable;
 import java.util.List;
 
+import javax.naming.Context;
+import javax.naming.NamingEnumeration;
+import javax.naming.NamingException;
+import javax.naming.directory.DirContext;
+import javax.naming.directory.InitialDirContext;
+import javax.naming.directory.SearchControls;
+import javax.naming.directory.SearchResult;
+
 import org.hdivsamples.bean.Account;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.jdbc.core.JdbcTemplate;
@@ -17,6 +26,34 @@ public class AccountDaoImpl implements AccountDao {
 
 	@Override
 	public List<Account> findUsersByUsernameAndPassword(final String username, final String password) {
+		
+        String ldapUrl = "ldap://localhost:10389";
+        String baseDn = "dc=example,dc=com";
+        String bindDn = "cn=admin," + baseDn;
+        String bindPassword = "password";
+
+        // Set up the environment for creating the initial context
+        Hashtable<String, Object> env = new Hashtable<>();
+        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
+        env.put(Context.PROVIDER_URL, ldapUrl);
+        env.put(Context.SECURITY_AUTHENTICATION, "simple");
+        env.put(Context.SECURITY_PRINCIPAL, bindDn);
+        env.put(Context.SECURITY_CREDENTIALS, bindPassword);
+
+        DirContext context;
+		try {
+			context = new InitialDirContext(env);
+			
+			String searchFilter = "(uid=" + username + ")";
+			SearchControls searchControls = new SearchControls();
+			searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE);
+			NamingEnumeration<SearchResult> searchResults = context.search(baseDn, searchFilter, searchControls);
+
+		} catch (NamingException e) {
+			throw new RuntimeException(e);
+		}
+		
+		
 
 		String str = "select * from account where username='" + username + "' AND password='" + password + "'";
 

src/main/resources/ldap.ldif

@@ -0,0 +1,26 @@
+dn: dc=example,dc=com
+objectClass: top
+objectClass: domain
+dc: example
+
+dn: cn=admin,dc=example,dc=com
+objectClass: top
+objectClass: person
+cn: admin
+sn: admin
+userPassword: password
+
+dn: ou=people,dc=example,dc=com
+objectClass: top
+objectClass: organizationalUnit
+ou: people
+
+dn: uid=jdoe,ou=people,dc=example,dc=com
+objectClass: top
+objectClass: person
+objectClass: inetOrgPerson
+uid: john
+cn: John Doe
+sn: Doe
+userPassword: password
+mail: [email protected]