From baffcf11fa8ea96d5fa663f73b78fa916c89822f Mon Sep 17 00:00:00 2001
From: Mike McKay <mfmckay@wustl.edu>
Date: Mon, 9 May 2016 13:51:32 -0500
Subject: [PATCH] Made AliasToken secret a 64 char random String.

---
 src/main/java/org/nrg/pipeline/XnatPipelineLauncher.java | 2 +-
 .../org/nrg/xnat/restlet/services/AliasTokenRestlet.java | 9 ++++-----
 .../security/alias/AliasTokenAuthenticationProvider.java | 2 +-
 .../security/alias/AliasTokenAuthenticationToken.java    | 6 +++---
 .../xnat/turbine/modules/screens/InactiveAccount.java    | 2 +-
 .../turbine/modules/screens/XDATScreen_UpdateUser.java   | 2 +-
 6 files changed, 11 insertions(+), 12 deletions(-)

diff --git a/src/main/java/org/nrg/pipeline/XnatPipelineLauncher.java b/src/main/java/org/nrg/pipeline/XnatPipelineLauncher.java
index c3d6e8fc..c912575f 100644
--- a/src/main/java/org/nrg/pipeline/XnatPipelineLauncher.java
+++ b/src/main/java/org/nrg/pipeline/XnatPipelineLauncher.java
@@ -371,7 +371,7 @@ public class XnatPipelineLauncher {
         arguments.add("-u");
         arguments.add(token.getAlias());
         arguments.add("-pwd");
-        arguments.add(Long.toString(token.getSecret()));
+        arguments.add(token.getSecret());
         arguments.add("-dataType");
         arguments.add(dataType);
 
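Review bot: The changed line still hands the secret to the pipeline child process as a plain `-pwd` argv value, where any local user can read it from `ps` or `/proc/<pid>/cmdline` for the lifetime of the pipeline; moving to a 64-character random string does not change that exposure. This predates the commit, but since the secret format is being reworked it is a good moment to pass it over stdin or a mode-0600 file (or, as a weaker fallback, the child's environment) if the launcher supports that. Also, `Long.toString` could never produce null whereas `token.getSecret()` can if the token was never populated, so `arguments.add(Objects.requireNonNull(token.getSecret(), "alias token secret"));` would fail fast rather than at process launch. The enclosing method starts and ends outside this hunk.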
diff --git a/src/main/java/org/nrg/xnat/restlet/services/AliasTokenRestlet.java b/src/main/java/org/nrg/xnat/restlet/services/AliasTokenRestlet.java
index e73a29c3..93920f1a 100644
--- a/src/main/java/org/nrg/xnat/restlet/services/AliasTokenRestlet.java
+++ b/src/main/java/org/nrg/xnat/restlet/services/AliasTokenRestlet.java
@@ -47,8 +47,7 @@ public class AliasTokenRestlet extends SecureResource {
         _operation = (String) getRequest().getAttributes().get(PARAM_OPERATION);
         _username = (String) getRequest().getAttributes().get(PARAM_USERNAME);
         _token = (String) getRequest().getAttributes().get(PARAM_TOKEN);
-        final String secret = (String) getRequest().getAttributes().get(PARAM_SECRET);
-        _secret = StringUtils.isBlank(secret) ? INVALID : Long.parseLong(secret);
+        _secret = (String) getRequest().getAttributes().get(PARAM_SECRET);
 
         _serializer = XDAT.getContextService().getBean(SerializerService.class);
         if (null == _serializer) {
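Review bot: `_secret` is read from `getRequest().getAttributes()`, which in Restlet holds URI-template variables, so the secret appears to travel in the request path and will land in server and proxy access logs and browser history; with the numeric parse gone, the larger random secret is now the only thing protecting the alias and is worth keeping out of URLs. Consider accepting it from a header or the request body for the validate operation, or at least mark the exposure with `// NOTE: secret arrives as a URI-template variable; access logging must mask this path`. A missing parameter is now stored as null in a final field instead of the old INVALID sentinel, which is safe only because the later checks use `StringUtils.isBlank(_secret)`; a short comment saying so would keep a future reader from dereferencing it directly.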
@@ -70,7 +69,7 @@ public class AliasTokenRestlet extends SecureResource {
                 throw new ResourceException(Status.CLIENT_ERROR_BAD_REQUEST, "An error occurred retrieving the user: " + _username, exception);
             }
         } else if (OP_VALIDATE.equals(_operation)) {
-            if (StringUtils.isBlank(_token) || _secret == INVALID) {
+            if (StringUtils.isBlank(_token) || StringUtils.isBlank(_secret)) {
                 throw new ResourceException(Status.CLIENT_ERROR_UNAUTHORIZED, "You must specify both token and secret to validate a token.");
             }
             try {
@@ -91,7 +90,7 @@ public class AliasTokenRestlet extends SecureResource {
     private String mapToken(final AliasToken token) {
         Map<String, String> map = Maps.newHashMap();
         map.put("alias", token.getAlias());
-        map.put("secret", Long.toString(token.getSecret()));
+        map.put("secret", token.getSecret());
         String value = "";
         try {
             value = _serializer.toJson(map);
@@ -119,5 +118,5 @@ public class AliasTokenRestlet extends SecureResource {
     private       String            _operation;
     private final String            _username;
     private final String            _token;
-    private final long              _secret;
+    private final String              _secret;
 }
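Review bot: The new declaration `private final String              _secret;` breaks the column alignment that the neighbouring `_username` and `_token` declarations keep; `private final String            _secret;` lines the identifier up with the others. Pure style, but it is the kind of drift that accumulates if not fixed at introduction.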
diff --git a/src/main/java/org/nrg/xnat/security/alias/AliasTokenAuthenticationProvider.java b/src/main/java/org/nrg/xnat/security/alias/AliasTokenAuthenticationProvider.java
index bb59042a..39672b61 100644
--- a/src/main/java/org/nrg/xnat/security/alias/AliasTokenAuthenticationProvider.java
+++ b/src/main/java/org/nrg/xnat/security/alias/AliasTokenAuthenticationProvider.java
@@ -131,7 +131,7 @@ public class AliasTokenAuthenticationProvider extends AbstractUserDetailsAuthent
         Users.validateUserLogin(xdatUserDetails);
 
         String alias = ((AliasTokenAuthenticationToken) authentication).getAlias();
-        long secret = ((AliasTokenAuthenticationToken) authentication).getSecret();
+        String secret = ((AliasTokenAuthenticationToken) authentication).getSecret();
         String userId = getAliasTokenService().validateToken(alias, secret);
         if (StringUtils.isBlank(userId) || !userId.equals(userDetails.getUsername())) {
             throw new BadCredentialsException("The submitted alias token was invalid: " + alias);
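Review bot: The secret is now passed as a string to `getAliasTokenService().validateToken(alias, secret)`, which is not in this diff; if that service looks the token up by alias and then compares the secret with `String.equals` (or a SQL `WHERE secret = ?`), the comparison is not constant-time, and a 64-character random secret is only as strong as its storage at rest. Storing a hash of the secret (a plain SHA-256 is adequate for a high-entropy random value) and comparing with `MessageDigest.isEqual(storedHash, hash(secret))` in the service would address both. This hunk cannot confirm how validateToken compares, so treat this as a check to make in the service rather than a confirmed defect. The `BadCredentialsException` message includes only the alias, not the secret, which is correct. The enclosing method starts outside the hunk.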
diff --git a/src/main/java/org/nrg/xnat/security/alias/AliasTokenAuthenticationToken.java b/src/main/java/org/nrg/xnat/security/alias/AliasTokenAuthenticationToken.java
index 32c45c8e..bcf7af96 100644
--- a/src/main/java/org/nrg/xnat/security/alias/AliasTokenAuthenticationToken.java
+++ b/src/main/java/org/nrg/xnat/security/alias/AliasTokenAuthenticationToken.java
@@ -18,7 +18,7 @@ public class AliasTokenAuthenticationToken extends UsernamePasswordAuthenticatio
         _principal = principal;
         _credentials = credentials;
         _alias = (String) principal;
-        _secret = (Long) credentials;
+        _secret = (String) credentials;
 	}
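Review bot: `_secret = (String) credentials;` keeps a second copy of the secret next to `_credentials` and the superclass's credentials field; `UsernamePasswordAuthenticationToken.eraseCredentials()` nulls only the superclass field, so unless this class overrides `eraseCredentials` (not visible in this hunk) the secret survives in the `Authentication` held in the SecurityContext and session after login. Since `_credentials` and `_secret` are non-final, add `@Override public void eraseCredentials() { super.eraseCredentials(); _credentials = null; _secret = null; }`. The unchecked cast also fails with ClassCastException for a non-String credential; `_secret = credentials == null ? null : credentials.toString();` or an `instanceof` check gives a clearer failure. The constructor signature is outside the hunk.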
 
     @Override
@@ -43,7 +43,7 @@ public class AliasTokenAuthenticationToken extends UsernamePasswordAuthenticatio
         return _alias;
     }
 
-    public long getSecret() {
+    public String getSecret() {
         return _secret;
     }
 
@@ -55,5 +55,5 @@ public class AliasTokenAuthenticationToken extends UsernamePasswordAuthenticatio
     private Object _principal;
     private Object _credentials;
     private String _alias;
-    private long _secret;
+    private String _secret;
 }
diff --git a/src/main/java/org/nrg/xnat/turbine/modules/screens/InactiveAccount.java b/src/main/java/org/nrg/xnat/turbine/modules/screens/InactiveAccount.java
index 41e11d15..f87e5295 100644
--- a/src/main/java/org/nrg/xnat/turbine/modules/screens/InactiveAccount.java
+++ b/src/main/java/org/nrg/xnat/turbine/modules/screens/InactiveAccount.java
@@ -67,7 +67,7 @@ public class InactiveAccount extends VelocitySecureScreen {
                         String userID="";
                         try
                         {
-                            userID = XDAT.getContextService().getBean(AliasTokenService.class).validateToken(alias,Long.parseLong(secret));
+                            userID = XDAT.getContextService().getBean(AliasTokenService.class).validateToken(alias,secret);
                             if(userID!=null){
                                 user = Users.getUser(userID);
                                 boolean forcePasswordChange = true;
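Review bot: With `Long.parseLong(secret)` gone, an empty or null `secret` is no longer rejected before the call on the changed line — the old code threw NumberFormatException into the surrounding try, whereas now `validateToken(alias, secret)` is invoked with it and the service must cope with blank input. Guard it up front, mirroring the check AliasTokenRestlet makes in this same patch, e.g. `if (StringUtils.isBlank(alias) || StringUtils.isBlank(secret)) { /* treat as invalid token */ }` before the call (assuming StringUtils is imported here). Note also that the success test `if(userID!=null)` differs from AliasTokenAuthenticationProvider in this patch, which rejects a blank `userId` with `StringUtils.isBlank(userId)`; if validateToken can return an empty string, `Users.getUser("")` would be attempted here. The `alias`/`secret` variables and the try block begin above the hunk and its catch lies below it.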
diff --git a/src/main/java/org/nrg/xnat/turbine/modules/screens/XDATScreen_UpdateUser.java b/src/main/java/org/nrg/xnat/turbine/modules/screens/XDATScreen_UpdateUser.java
index 185bca80..c524493f 100644
--- a/src/main/java/org/nrg/xnat/turbine/modules/screens/XDATScreen_UpdateUser.java
+++ b/src/main/java/org/nrg/xnat/turbine/modules/screens/XDATScreen_UpdateUser.java
@@ -99,7 +99,7 @@ public class XDATScreen_UpdateUser extends SecureScreen {
                         {
                             context.put("forgot", true);
                             data.getSession().setAttribute("forgot", true);
-                            userID = XDAT.getContextService().getBean(AliasTokenService.class).validateToken(alias,Long.parseLong(secret));
+                            userID = XDAT.getContextService().getBean(AliasTokenService.class).validateToken(alias,secret);
                             if(userID!=null){
                                 user = Users.getUser(userID);
                                 XDAT.loginUser(data, user, true);
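Review bot: `if(userID!=null)` on the line after the change is the only gate before `XDAT.loginUser(data, user, true)`, yet AliasTokenAuthenticationProvider in this same patch treats a blank `userId` from validateToken as a failed validation (`StringUtils.isBlank(userId)`); if the service returns "" rather than null for a bad secret, this screen would call `Users.getUser("")` and continue into the login path. Align the check with the provider: `if (StringUtils.isNotBlank(userID)) {` (assuming StringUtils is available here). As with the parse removal elsewhere in the patch, a blank `secret` now reaches validateToken instead of throwing NumberFormatException, so a `StringUtils.isBlank(secret)` guard before the call keeps the forgot-password flow from issuing a lookup with empty credentials. The enclosing block starts and ends outside this hunk.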
-- 
GitLab