Why does Liferay prefix password with algorithm name? - liferay-7

I looked at the User_ table in liferay and every new password has a prefix of:
{SHA-256}
I am trying to set up a Shibboleth IDP to use the User_ table to authenticate like this:
ShibUserPassAuth {
relationalLogin.DBLogin required debug=true
dbDriver="com.mysql.jdbc.Driver"
userTable="User_"
userColumn="emailAddress"
passColumn="password_"
dbURL="jdbc:mysql://mysql:3306/lportal"
dbUser="root"
dbPassword="password"
hashAlgorithm="SHA-256";
};
However my authentication fails because the password does not match. If I go into the database an manually update the password, then it works.
Any ideas how I can work around this by getting Liferay to not set this prefix or getting Shibboleth to look for this prefix?

The answer to your question in the title probably is "because Liferay's history and upgrade compatibility". I guess they didn't want to alter the User_ table's schema, but needed a way to mark the hashing algorithm.
I don't have the answer to your actual question, but two ideas:
I found an old discussion that leads me to believe that you could write a query template for the Shibboleth DB connection (example copied from the linked discussion for longievity):
<resolver:DataConnector id="mySIS" xsi:type="RelationalDatabase"
xmlns="urn:mace:shibboleth:2.0:resolver:dc">
<ApplicationManagedConnection jdbcDriver="com.mysql.jdbc.Driver"
jdbcURL="jdbc:mysql://localhost:3306/userDB" jdbcUserName="root"
jdbcPassword="root" />
<QueryTemplate>
<![CDATA[
SELECT * FROM user WHERE usr_login =
'$requestContext.principalName'
]]>
</QueryTemplate>
<Column columnName="usr_login" attributeID="uid" />
<Column columnName="first_name" attributeID="displayname" />
</resolver:DataConnector>
This example looks like you might be able to use SQL string manipulation functions in the query to cut off the preceding hash algorithm string.
Another idea would be to create a View on the DB table that incorporates those SQL string manipulation methods, then connect Shibboleth to that View instead of the User_ table.

Related

Using RESTFul Oracle APEX

I am building a mobile App using Appery.io platform which uses MongoDB -based database. I need to link this DB to Oracle database and use APEX to design an interface such that users can query, update the mobile App DB from Oracle as well as Oracle DB can be updated from the mobile App.
In APEX, I use the URI with GET method:
https://api.appery.io/rest/1/db/collections/Outlet_Details/
And I add the header:
X-Appery-Database-Id
When I run the query in the APEX where I insert the Database-Id, APEX shows the table/collection Outlet_Details in JSON format. However, not the entire table is shown due to, I think, the length of CLOB type.
Now my main problem is I need to query this table/collection called Outlet_Details by a column named: _id. So when I use the following URI:
https://api.appery.io/rest/1/db/collections/Outlet_Details/1234
It returns the specific record that ha _id = 1234. However, I do not want to hardcode it. Instead, I need to have more like where condition such that I can query based on any column value (e.g. userId instead _id). The CURL command is as follows:
curl -X GET
-H "X-Appery-Database-Id: 544a5cdfe4b03d005b6233b9"
-G --data-urlencode 'where={"userId ": "1234"}'
https://api.appery.io/rest/1/db/collections/outlet_details/
My problem is how to insert such a command into APEX, specailly (where) part.
In this tutorial, oracle database is used. Hence using where condition with =:DEP condition, and then bind it to a variable is pretty straightforward. However, I need to replicate this tutorial with my MongoDB.
The other question, which I guess would clarify a lot to me, in the aforementioned tutorial, there is a prefix URI that is by default APEX shema URI. Even when I insert different URI template, the resultant URI will append APEX to the one I inserted. How to build a service there using different URI?
I found that APEX takes where condition as encoded parameter in the URL. Something like:
https://api.appery.io/rest/1/db/collections/Outlet_Details?where=%7B%22Oracle_Flag%22%3A%22Y%22%7D
The header is same and no input parameters.
This can be done from Application builder > New Application > Database > Create Application > Shared Componenets > Create > REST and then start inserting the header, utl .. etc.
You can refer to this link as a reference encoded URL

Dynamic auditing of data with PostgreSQL trigger

I'm interested in using the following audit mechanism in an existing PostgreSQL database.
http://wiki.postgresql.org/wiki/Audit_trigger
but, would like (if possible) to make one modification. I would also like to log the primary_key's value where it could be queried later. So, I would like to add a field named something like "record_id" to the "logged_actions" table. The problem is that every table in the existing database has a different primary key fieldname. The good news is that the database has a very consistent naming convention. It's always, _id. So, if a table was named "employee", the primary key is "employee_id".
Is there anyway to do this? basically, I need something like OLD.FieldByName(x) or OLD[x] to get value out of the id field to put into the record_id field in the new audit record.
I do understand that I could just create a separate, custom trigger for each table that I want to keep track of, but it would be nice to have it be generic.
edit: I also understand that the key value does get logged in either the old/new data fields. But, what I would like would be to make querying for the history easier and more efficient. In other words,
select * from audit.logged_actions where table_name = 'xxxx' and record_id = 12345;
another edit: I'm using PostgreSQL 9.1
Thanks!
You didn't mention your version of PostgreSQL, which is very important when writing answers to questions like this.
If you're running PostgreSQL 9.0 or newer (or able to upgrade) you can use this approach as documented by Pavel:
http://okbob.blogspot.com/2009/10/dynamic-access-to-record-fields-in.html
In general, what you want is to reference a dynamically named field in a record-typed PL/PgSQL variable like 'NEW' or 'OLD'. This has historically been annoyingly hard, and is still awkward but is at least possible in 9.0.
Your other alternative - which may be simpler - is to write your audit triggers in plperlu, where dynamic field references are trivial.

How to access Library, File, and Field descriptions in DB2?

I would like to write a query that uses the IBM DB2 system tables (ex. SYSIBM) to pull a query that exports the following:
LIBRARY_NAME, LIBRARY_DESC, FILE_NAME, FILE_DESC, FIELD_NAME, FIELD_DESC
I can access the descriptions via the UI, but wanted to generate a dynamic query.
Thanks.
Along with SYSTABLES and SYSCOLUMNS, there is also a SYSSCHEMAS which appears to contain the data you need. Please note that accessing this information through QSYS2 will restrict rows returned to those objects with which you have some access - the SYSIBM schema appears to disregard this (check the reference - for V6R1 it's about page 1267).
You also shouldn't need to retrieve this with a dynamic query - static with host variables (if necessary) will work just fine.

Website security, sql injection and file permissions

I am building a very small website (with PHP) and I have 2 big issues
The first one is about my search form
I have build a really simple search form in order to retrieve my content, then I used an online security tool and show me that my search form was vulnerable to SQLi
I had no idea abut that so I started testing some attacks I found on some sites
As far as now only 'OR 'x'='x worked (it returns the entire content of my website, is this bad? How can an attacker hurt me?
The second issue is about my photos, I am using a folder called mywebsite.com/uploads/ to access my photos
Although /upload is protected the subfolders uploads/temp and uploads/thumbs are visible through the browser
May this be hurtful too?
Any advice?
SQL injection is really bad but i like it :)
there is many types of sql injection like
remote sql injecton
blind sql injection
auto bypass sql injection
**Remote sql injection**
its the easy way to get data from site hacker use it like coders
see this example
mysql_query("SELECT * FROM `table_name` WHERE id=".$_GET['id']." ) ;
There is no security in my code
site.php?id=1
my query will execute like
mysql_query("SELECT * FROM `table_name` WHERE id=1 ) ;
if hacker he will kill your code
site.php?id=1(any thing here can make problem ex: ` ' a-z A-Z / * / " )
Because query will be like this
mysql_query("SELECT * FROM `table_name` WHERE id=1' ) ;
so single quotaion will make error in your query
and hacker can attack like this
site.php?id=1 union select 0,1,concat(user_name,0x3a,password),3,4 from users
here your query will execute like
mysql_query("SELECT * FROM `table_name` WHERE id=1 union select 0,1,concat(user_name,0x3a,password),3,4 from users) ");
and this will work :)
blind sql injection
hacker cannot work with easy way remote sql injection
because it here depend on right and false
so he will use and or
like this
and (select user_name from users) ;
if work fine the script will work good else error will happen
he can know database info like this
example admin table is admin
and (select user_name from users) ; x error
and (select user_name from admin) ; fine
auto bypass
its blicd sql injection but only true condition can access to admin
mysql_query("SELECT * FROM `users` WHERE `user_name`= ".$_POST['user']." AND `password` ='".md5($_POST['pass'])."' ");
hacker can login like this
user = anything' or 1=1 --
so your query will be like
mysql_query("SELECT * FROM `users` WHERE `user_name`= anything or 1=1 --");
anything is error user in databse
but condition or 1=1 is true
-- will ignore your password check
he can access easily
protect
addslashes _ mysql_real_escape_string _ intval ( with number only )
folder premission you can use
empty index.html , index.php ,
If you allow SQL injection, an attacker can do all sorts of bad things to your website. They can inject code to DROP DATABASE, deleting your entire database!
If you are logging into your mysql as the root user, they can potentially write to files (and create) files on your server.
The injection;
SELECT '<?php system($_GET[''cmd'']); ?>' INTO dumpfile('./command.php');
Would be a common first step to breaking into your server, allowing the attacker to execute arbitrary commands under the www-data user. From here it is trivial to recruit your server into a botnet, use it to send spam (getting you blacklisted from sending emails), or simply delete all your files just to ruin your day.
What you must do, is to sanitise all user input. So, in your search processor, you must escape any special characters from the search query before passing it onto the database, you can do this using mysql_real_escape_string();
so;
$search_query = mysql_real_escape_string($_POST['search']);
It is then safe to use $search_query in your mysql query.
SQL injections - it's bad.
someone can run any query he wants in your database, find passwords, delete your entire data etc.
you can avoid it by wrapping all user input in your queries with mysql_real_escape_string
about the directories - it really depends on the accesses you provide. if file listing is available, it doesn't really mean that someone can make changes/execute them
Ad SQL Injection:
Displaying the entire content can be a problem if you have unpublished articles or articles only available for registered users etc.
Try reading more on SQL Injections. It may be possible to execute a second query that inserts new data in your database - or worse changes data (for example passwords). There's a lot of reading material out there, a start could be: http://php.net/manual/en/security.database.sql-injection.php Sanitise all your input and remember: even if you may not find a way to do harm via a security hole it doesn't mean no one will find a way ;)
Ad the folders: you mean that any user can see the content of the folders? If so, users may see pictures they shouldn't see. If you had a good reason for protecting (no file listing?) the main directory, why not apply it to the temps/ and thumbs/ subdirectories?

coldfusion - bind a form to the database

I have a large table which inserts data into the database. The problem is when the user edits the table I have to:
run the query
use lots of lines like value="<cfoutput>getData.firstname#</cfoutput> in the input boxes.
Is there a way to bind the form input boxes to the database via a cfc or cfm file?
Many Thanks,
R
Query objects include the columnList, which is a comma-delimited list of returned columns.
If security and readability aren't an issue, you can always loop over this. However, it basically removes your opportunity to do things like locking certain columns, reduces your ability to do any validation, and means you either just label the form boxes with the column names or you find a way to store labels for each column.
You can then do an insert/update/whatever with them.
I don't recommend this, as it would be nearly impossible to secure, but it might get you where you are going.
If you are using CF 9 you can use the ORM (Object Relation Management) functionality (via CFCs)
as described in this online chapter
https://www.packtpub.com/sites/default/files/0249-chapter-4-ORM-Database-Interaction.pdf
(starting on page 6 of the pdf)
Take a look at <cfgrid>, it will be the easiest if you're editing table and it can fire 1 update per row.
For security against XSS, you should use <input value="#xmlFormat(getData.firstname)#">, minimize # of <cfoutput> tags. XmlFormat() not needed if you use <cfinput>.
If you are looking for an easy way to not have to specify all the column names in the insert query cfinsert will try to map all the form names you submit to the database column names.
http://help.adobe.com/en_US/ColdFusion/9.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec22c24-7c78.html
This is indeed a very good question. I have no doubt that the answers given so far are helpful. I was faced with the same problem, only my table does not have that many fields though.
Per the docs EntityNew() the syntax shows that you can include the data when instantiating the object:
artistObj = entityNew("Artists",{FirstName="Tom",LastName="Ron"});
instead of having to instantiate and then add the data field by field. In my case all I had to do is:
artistObj = entityNew( "Artists", FORM );
EntitySave( artistObj );
ORMFlush();
NOTE
It does appear from your question that you may be running insert or update queries. When using ORM you do not need to do that. But I may be mistaken.