WebPasswordSafe (http://code.google.com/p/webpasswordsafe/) is a Web based secure password store, and it supports multiple users with delegated access controls. The installation guide is available at http://webpasswordsafe.googlecode.com/svn/trunk/docs/AdministratorGuide.html
I deployed it and initially faced some issues when I tried to implement LDAP authentication using Active Directory. I would like to mention one point here, I found that in many applications which use LDAP authentication, automatically create a local user in the application whenever the user tries to login for the first time using LDAP login. But here I had to create a local user first with the same username as his/her LDAP login, then the user can use his/her LDAP credentials to login to the application.
WebPasswordSafe has few different authentication modes to authenticate a user. For my deployment I found Multi authentication most suitable, which allows using multiple Authenticator implementations for different sets of users. e.g. for admin user I can use local authentication and for other users I can use LDAP authentication.
So my webpasswordsafe-service.xml file that looks like (for using multi authentication):
<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright 2008-2012 Josh Drummond
This file is part of WebPasswordSafe.
WebPasswordSafe is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
WebPasswordSafe is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with WebPasswordSafe; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
-->
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd">
<!-- core services -->
<context:component-scan base-package="net.webpasswordsafe.server.service" />
<!-- pluggable services -->
<bean id="passwordGenerator"
class="net.webpasswordsafe.server.plugin.generator.SimpleRandomPasswordGenerator" >
<property name="passwordLength" value="14" />
<property name="allowLowercase" value="true" />
<property name="allowUppercase" value="true" />
<property name="allowNumeric" value="true" />
<property name="specialChars" value="" />
<property name="excludeChars" value="O0l1" />
</bean>
<bean id="authenticator"
class="net.webpasswordsafe.server.plugin.authentication.IPLockoutAuthenticator">
<property name="authenticator" ref="userLockoutAuthenticator" />
<property name="failedLoginThreshold" value="10" />
<property name="lockoutLength" value="1440" />
<property name="whitelist">
<set>
<value>127.0.0.1</value>
</set>
</property>
</bean>
<bean id="userLockoutAuthenticator"
class="net.webpasswordsafe.server.plugin.authentication.UserLockoutAuthenticator">
<property name="authenticator" ref="multiAuthenticator" />
<property name="failedLoginThreshold" value="5" />
<property name="whitelist">
<set>
<value>admin</value>
</set>
</property>
</bean>
<bean id="multiAuthenticator"
class="net.webpasswordsafe.server.plugin.authentication.CompositeAuthenticator">
<property name="authenticators">
<list>
<map>
<entry key="users">
<list>
<value>admin</value>
</list>
</entry>
<entry key="authenticator" value-ref="localAuthenticator"></entry>
</map>
<map>
<entry key="anyUser" value="true" />
<entry key="authenticator" value-ref="ldapAuthenticator"></entry>
</map>
</list>
</property>
</bean>
<bean id="authnContextSource" class="org.springframework.ldap.core.support.LdapContextSource">
<property name="url" value="ldap://192.168.20.1:389" />
<property name="userDn" value="CN=pranab,OU=Staff,DC=mkcl,DC=local" />
<property name="password" value="12345678" />
</bean>
<bean id="authnLdapTemplate" class="org.springframework.ldap.core.LdapTemplate">
<constructor-arg ref="authnContextSource" />
</bean>
<bean id="ldapAuthenticator" class="net.webpasswordsafe.server.plugin.authentication.LdapAuthenticator">
<property name="ldapTemplate" ref="authnLdapTemplate" />
<property name="filter" value="(&(objectclass=person)(sAMAccountName=$1))" />
<property name="base" value="OU=Staff,DC=mkcl,DC=local" />
</bean>
<bean id="localAuthenticator"
class="net.webpasswordsafe.server.plugin.authentication.LocalAuthenticator">
</bean>
<bean id="roleRetriever"
class="net.webpasswordsafe.server.plugin.authentication.LocalRoleRetriever">
<property name="adminUsers">
<set>
<value>admin</value>
</set>
</property>
</bean>
<bean id="authorizer"
class="net.webpasswordsafe.server.plugin.authorization.DefaultAuthorizer">
</bean>
<bean id="auditLoggerLog4j"
class="net.webpasswordsafe.server.plugin.audit.Log4jAuditLogger">
<property name="delimiter" value=" || " />
</bean>
<bean id="auditLoggerDatabase"
class="net.webpasswordsafe.server.plugin.audit.DatabaseAuditLogger" />
<bean id="auditLogger"
class="net.webpasswordsafe.server.plugin.audit.CompositeAuditLogger">
<property name="auditLoggers">
<list>
<ref bean="auditLoggerLog4j" />
<ref bean="auditLoggerDatabase" />
</list>
</property>
</bean>
<!-- Encryption related settings, these should not be changed after initial deployment otherwise
data may be corrupted or unreadable -->
<!-- ## Uncomment for Jasypt Encryption -->
<bean id="digester" class="net.webpasswordsafe.server.plugin.encryption.JasyptDigester">
<property name="passwordEncryptor" ref="passwordEncryptor" />
</bean>
<bean id="passwordEncryptor" class="org.jasypt.util.password.StrongPasswordEncryptor" />
<bean id="encryptor" class="net.webpasswordsafe.server.plugin.encryption.JasyptEncryptor">
<property name="stringEncryptor" ref="strongEncryptor" />
</bean>
<bean id="bcProvider" class="org.bouncycastle.jce.provider.BouncyCastleProvider" />
<bean id="strongEncryptor" class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor">
<property name="algorithm" value="${encryptor.jasypt.algorithm}" />
<property name="provider" ref="bcProvider" />
<property name="password" value="${encryptor.jasypt.password}" />
<property name="keyObtentionIterations" value="${encryptor.jasypt.keyObtentionIterations}" />
</bean>
</beans>
After using the application, I found that the admin user can see passwords of any user, even though permissions for those passwords were not given to the admin user. After some search I found this issue:
http://code.google.com/p/webpasswordsafe/issues/detail?id=47
So again building the application by commenting the BYPASS_PASSWORD_PERMISSIONS line in DefaultAuthorizer.java file worked for me. Now the admin user was not able to see the passwords (which were not shared with the admin user).
No comments:
Post a Comment