Password Encryption Settings in Synchronize User

    Last update: 2023-07-24

    Problem

    Logging into the FineBI system requires user authentication: the system verifies the entered username and password.

    Login authentication information (username and login password) is stored in a database (the FineBI built-in database FineDB or an external database). If the credentials entered during authentication match the stored ones, authentication succeeds.

    If that database is compromised, the stored login information is exposed, and with it the security of the system.

    How can this be avoided?

    Solution

    Store login information in the database only in transformed (hashed) form, so that users' actual credentials cannot be recovered even if the database is compromised.

    For this, FineBI provides the Custom Password Encryption method in Synchronize User. The password a user enters on the login page is run through the custom encryption class and then through the system's SHA256 step; authentication succeeds when the result matches the value stored in FineDB. Note that this chain is deterministic and contains no secret: anyone who obtains the FineDB values and knows which custom method is configured can test candidate passwords offline, so it protects stored credentials but does not make weak passwords safe.

     

    Encryption Introduction

    Customize a password encryption class. The compiled class implementing the encryption method is saved under %BI_Home%\webapps\webroot\WEB-INF\classes, in the subdirectory that matches its package.

    FineBI then applies SHA256 to the output of the custom algorithm, so the value stored in FineDB is SHA256(custom ciphertext), never the custom ciphertext or the plaintext itself.

    Application Scenarios:

    Custom Password Encryption needs to be used when the password column of the synchronized server dataset contains ciphertext produced by a custom algorithm.

    Encryption Interface:

    Write a custom encryption class against the interface to encrypt the entered Password, or Username and Password, according to your own rules. The two supported interfaces are:

    Interface 1: encrypt the password to get the ciphertext: String encode(String originText);. The input parameter is the plaintext password.

    Interface 2: encrypt the username and password to get the ciphertext: String encode(String originUserName, String originPassword);. The input parameters are the username and the plaintext password.

    iconNote:

    1. String encode(String originUserName, String originPassword); is a newer interface, added on 2019/01/18, that covers the functionality of interface 1. Interface 2 is recommended.

    2. Custom encryption classes must extend the AbstractPasswordValidator class.

    Implementation Ideas

    Encryption Authentication Logic

    A successful login involves three encryption steps and one login authentication.

    • After synchronizing users:

    1. First encryption: SHA256. After users are synchronized, the system applies SHA256 to the password column of the server dataset (which already holds the custom ciphertext) and writes the result into the FineDB database.

    • During user login:

    2. Second encryption: custom password encryption. The encryption object is the entered plaintext password.

    3. Third encryption: SHA256 (performed uniformly by the system). The encryption object is the ciphertext obtained from the second encryption.

    4. Login authentication: the ciphertext obtained from the third encryption is compared with the value stored in the FineDB database. If the two match, authentication succeeds.

     

    Implementation Steps

    1. Create a custom password encryption class to encrypt the plaintext password A entered by the user on the login page.

    • Prepare the compilation environment.

    • Write a Java file.

    • Compile a class file.

    2. Create a server dataset to store user login information, including username and login password (a custom encrypted ciphertext B).

    iconNote:
    After synchronizing users, the system applies SHA256 to the password column of the server dataset and writes the result into the FineDB database.

    3. Synchronize user information to the FineBI system for login authentication.

    • User source: the server dataset prepared in step 2

    • Password: password in the server dataset (ciphertext after custom encryption)

    • Encryption method: custom password encryption (using the password encryption class prepared in step 1)

    An Example for Custom Password Encryption

    Write a Base64 password encryption class, use it as the custom encryption algorithm for the entered password, and log into the FineBI system to verify authentication.

    iconNote:
    This document uses Base64 as a simple example. Base64 is a reversible encoding rather than encryption, so the stored value is protected only by the system's SHA256 step. Class files for other common methods are provided in section "Commonly Used Custom Password Encryption Methods"; download and use them as needed.

    Preparing the Compilation Environment

    Writing a Java File

    Define a class in the compiler named Base64PasswordValidator.java which extends AbstractPasswordValidator. The Java code is as follows:

    package com.fr.decision.privilege.encrpt;

    import com.fr.base.Base64;
    import com.fr.base.ServerConfig;
    import com.fr.decision.privilege.encrpt.AbstractPasswordValidator;
    import com.fr.log.FineLoggerFactory;

    import java.io.UnsupportedEncodingException;

    // Interface 1 implementation: Base64-encodes the plaintext password only.
    // The package must match the directory the .class file is placed in under WEB-INF/classes.
    public class Base64PasswordValidator extends AbstractPasswordValidator {

        public Base64PasswordValidator() {
        }

        public String encode(String originText) {
            try {
                // Encode the password bytes using the server's configured charset so the
                // result matches how the password column of the server dataset was produced.
                return Base64.encode(originText.getBytes(ServerConfig.getInstance().getServerCharset()));
            } catch (UnsupportedEncodingException e) {
                // An empty result cannot match the stored hash of a real password,
                // so authentication fails closed instead of falling through.
                FineLoggerFactory.getLogger().debug(e.getMessage());
                return "";
            }
        }
    }

    Compiling a class File

    Click to download the class file and unzip it: Base64PasswordValidator.zip

    1. Generating the class file

    Compile Base64PasswordValidator.java to generate the Base64PasswordValidator.class file.

    2. Importing the class file

    Save the compiled file Base64PasswordValidator.class to the path %BI_HOME%/webapps/webroot/WEB-INF/classes/com/fr/decision/privilege/encrpt.

    iconNote:
    If the decision/privilege/encrpt folders do not exist under the directory %BI_HOME%\webapps\webroot\WEB-INF\classes\com\fr, create them manually. The directory must match the package declared in the Java file (com.fr.decision.privilege.encrpt); otherwise the class cannot be loaded.

    Creating a Server Dataset

    The password column of the server dataset holds the Base64-encoded login password. After synchronization, the system applies SHA256 to that value and writes the result into the FineDB database, which is what login authentication compares against. Because Base64 is reversible, the protection of the stored value comes entirely from the SHA256 step; the custom step only has to match what the validator class produces, and the user's actual login information cannot be obtained from FineDB even if it is compromised.

    Data Preparation

    Prepare a user information table, where the password in the data column is the ciphertext encrypted through Base64. The table structure is shown in the following figure.

    Example: If user A enters 123456 (plaintext password) on the login page, the password in the password column is MTIzNDU2 (ciphertext encrypted through Base64).

    Click to download: Synchronize_Users.xlsx
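The three-step chain in section "Encryption Authentication Logic" and the data preparation above, as a runnable model. This is an added example, not FineBI's code: it assumes that FineBI's system-wide SHA256 step hashes the UTF-8 bytes of the custom ciphertext and stores the lowercase hex digest (the real charset and stored encoding are internal to FineBI), and the dictionaries standing in for the server dataset and FineDB, together with user A / 123456, are constructed for the example.

```python
import base64
import hashlib
import hmac
from typing import Callable, Dict

# A validator takes (username, plaintext password) and returns the custom
# ciphertext, mirroring interface 2; interface-1 style validators ignore username.
Validator = Callable[[str, str], str]


def base64_password(username: str, password: str) -> str:
    """Interface 1 behaviour of the page's Base64PasswordValidator (username unused)."""
    return base64.b64encode(password.encode("utf-8")).decode("ascii")


def base64_user_password(username: str, password: str) -> str:
    """Interface 2 variant: Base64 of username followed by password (A123456)."""
    return base64.b64encode((username + password).encode("utf-8")).decode("ascii")


def system_sha256(custom_ciphertext: str) -> str:
    """The SHA256 step FineBI applies uniformly (encryptions 1 and 3).

    Assumption: UTF-8 input bytes, lowercase hex output.
    """
    return hashlib.sha256(custom_ciphertext.encode("utf-8")).hexdigest()


def build_server_dataset(plaintexts: Dict[str, str], validator: Validator) -> Dict[str, str]:
    """Implementation step 2: the password column holds the custom ciphertext B."""
    return {user: validator(user, pw) for user, pw in plaintexts.items()}


def synchronize_users(server_dataset: Dict[str, str]) -> Dict[str, str]:
    """First encryption: FineDB receives SHA256(B); the plaintext never reaches it."""
    return {user: system_sha256(b) for user, b in server_dataset.items()}


def login(finedb: Dict[str, str], validator: Validator, username: str, entered: str) -> bool:
    """Second and third encryption, then the comparison of step 4."""
    stored = finedb.get(username)
    if stored is None:
        return False
    candidate = system_sha256(validator(username, entered))
    # Constant-time comparison of the two hex digests.
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    # Constructed sample: user A with plaintext password 123456, as on this page.
    dataset = build_server_dataset({"A": "123456"}, base64_password)
    finedb = synchronize_users(dataset)
    print(dataset["A"])                                        # MTIzNDU2
    print(login(finedb, base64_password, "A", "123456"))       # True
    # The method selected in Synchronize User must be the one that produced the
    # dataset column; with a different validator nobody can log in.
    print(login(finedb, base64_user_password, "A", "123456"))  # False
```

The last call shows the failure mode a practitioner hits most often: the dataset was filled with one scheme and a different encryption class was selected during synchronization, so every hash comparison fails even though the password is correct.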

    Adding a Server Dataset

    Use a third-party tool such as Navicat to import the above table into the target database, and create a data connection between FineBI and that database.

    Take the FRDemo database as an example.

    1. Log into the FineBI system as the admin, choose System Management > Data Connection > Server Dataset, and create a SQL Dataset.

     

    2. Set Synchronize_Users as Dataset Name, select FRDemo as the data source, and enter the SQL statement:

    SELECT * FROM Synchronize_Users

     

    Setting Encryption Method

    iconNote:
    To use another custom password encryption method, change the custom encryption class in section "Encryption Configuration". Compiled class files for commonly used methods are provided in section "Commonly Used Custom Password Encryption Methods"; select one as needed.

    In Synchronize User, you can select the Custom Password Encryption method to enhance system security.

    Synchronizing Users

    Log into the FineBI system as the admin, choose System Management > User Management > All Users, and click Synchronize User.

    A prompt pops up: Sure to retain existing asynchronous data, including imported/added users, departments, positions, and roles? ("Asynchronous data" here means data that was added manually or imported rather than synchronized.)

    iconNote:

    1. This section describes the update rules for the first Synchronize User operation, or the first one run while user synchronization is not yet enabled.

    If users have been synchronized before and synchronization is enabled, later synchronizations show no prompt and do not follow the update rules in this section.

    2. Synchronized users can coexist with manually added/imported users.

     

    The update logic for each selection is as follows:

    Reserved

    • If an existing user is not in the synchronized server dataset, the user's information and permissions are retained without modification.

    • If an existing user is in the server dataset (same username):

        • The username does not change and the user's permissions are preserved.

        • The user's name, password, phone number, and mailbox are updated.

        • If the user's current department, position, or role exists in the synchronized server dataset, it is updated.

        • If the user's current department, position, or role does not exist in the synchronized server dataset, it is retained without modification.

    Clear

    • All platform information for manually added/imported users is deleted, including username, name, password, phone number, mailbox, department, position, role, and permissions. Users must be resynchronized.

    iconNote:

    According to the update logic of the selected option, some user information is updated after the initial synchronization.

    Only users whose type has been changed to synchronized are updated automatically afterwards.

    In subsequent synchronizations, the dataset cannot overwrite or update built-in data; attempting to do so causes conflicts and error messages.

    Encryption Configuration

    1. User source: the server dataset Synchronize_Users prepared in section "Adding a Server Dataset"

    2. Password: Password

    3. Encryption method: Custom Password Encryption, using the custom encryption class Base64PasswordValidator.class prepared in section "Compiling a class File".

    iconNote:
    If you need to use the custom encryption method, do not tick the User Editability option when synchronizing users, otherwise it will prevent users from logging in.

     

    Click OK, and user synchronization is successful.

     

    Demonstration

    User A logs into the FineBI system.

    User A's password value in the server dataset is MTIzNDU2, which decodes to the plaintext 123456.

    Enter 123456 (plaintext password) on the login page, click Login, and successfully log into the FineBI system.

     

    Commonly Used Custom Password Encryption Methods

    This document provides commonly used custom password encryption method files, which you can use as needed. After downloading the file, place it in the specified folder and modify the custom class in section "Encryption Configuration". For the remaining steps, follow steps in section "Example for Custom Password Encryption".

    Encrypting Username and Password Through Base64

    FineBI allows encrypting the entered username and password through Base64 encryption.

    The compiled Base64 encryption class is provided. Click to download the file: Base64UserPasswordValidator.class.zip

    1. Click to download and unzip to obtain the class file, and save the file to the path %BI_HOME%/webapps/webroot/WEB-INF/classes/com/fr/decision/privilege.

    2. Configure the Base64 encrypted ciphertext of username plus password (in the password column of the server data).

    Example: If user A's password is 123456, then in the server dataset, the password column should be QTEyMzQ1Ng== (Base64 encrypted ciphertext of A123456).

    Encrypting Password Through SHA256

    FineBI allows encrypting the entered password through SHA256 encryption.

    The compiled SHA256 encryption class is provided. Click to download the file: SHA256PasswordValidator.zip

    Click to download and unzip the class file, and save the file to the path %BI_HOME%/webapps/webroot/WEB-INF/classes/com/fr/decision/privilege/encrpt.

    Encrypting Username and Password Through SHA256

    FineBI allows encrypting the entered username and password through SHA256 encryption.

    The compiled SHA256 encryption class is provided. Click to download the file: CustomSHA256PasswordValidator.zip

    1. Click to download and unzip the class file, and save the file to the path %BI_HOME%/webapps/webroot/WEB-INF/classes/com/fr/decision/privilege/encrpt.

    2. Configure the SHA256 encrypted ciphertext of username plus password (in the password column of the server data).

    Example: If user A's password is 123456, then in the server database, the password column should be ac3704c5e852cec884a7695a2da26aaed697dae6bdb1d6ae830698e4e3666309 (SHA256 encrypted ciphertext of A123456).

    Encrypting Password Through MD5 (32-Bit Lowercase)

    FineBI allows encrypting the entered password through MD5 (32-bit lowercase) encryption.

    The compiled MD5 (32-bit lowercase) encryption class is provided. Click to download the file: MD5CasePasswordValidator.zip

    Click to download and unzip to obtain the class file, and save the file to the path %BI_HOME%/webapps/webroot/WEB-INF/classes/com/fr/decision/privilege.

    Encrypting Username and Password Through MD5 (32-Bit Lowercase)

    FineBI allows encrypting the entered username and password through MD5 (32-bit lowercase) encryption.

    The compiled MD5 (32-bit lowercase) encryption class is provided. Click to download the file: MD5CaseUserPasswordValidator.class.zip

    1. Click to download and unzip to obtain the class file, and save the file to the path %BI_HOME%/webapps/webroot/WEB-INF/classes/com/fr/decision/privilege.

    2. Configure the MD5 (32-bit lowercase) encrypted ciphertext of username plus password (in the password column of the server data).

    Example: If user A's password is 123456, then in the server database, the password column should be 507f513353702b50c145d5b7d138095c (MD5 (32-bit lowercase) encrypted ciphertext of A123456).

    Encrypting Password Through MD5 (32-Bit Uppercase)

    FineBI allows encrypting the entered password through MD5 (32-bit uppercase) encryption.

    The compiled MD5 (32-bit uppercase) encryption class is provided. Click to download the file: MD5UpperCasePasswordValidator.zip

    Click to download and unzip to obtain the class file, and save the file to the path %BI_HOME%/webapps/webroot/WEB-INF/classes/com/fr/decision/privilege.

    Encrypting Username and Password Through MD5 (32-Bit Uppercase)

    FineBI allows encrypting the entered username and password through MD5 (32-bit uppercase) encryption.

    The compiled MD5 (32-bit uppercase) encryption class is provided. Click to download the file: MD5UpperCaseUserPasswordValidator.zip

    1. Click to download and unzip to obtain the class file, and save the file to the path %BI_HOME%/webapps/webroot/WEB-INF/classes/com/fr/decision/privilege.

    2. Configure the MD5 (32-bit uppercase) encrypted ciphertext of username plus password (in the password column of the server data).

    Example: If user A's password is 123456, then in the server database, the password column should be 507F513353702B50C145D5B7D138095C (MD5 (32-bit uppercase) encrypted ciphertext of A123456).
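A generator for the password column of the server dataset covering every method listed in this section, plus the check worth running before synchronizing: that the column really was produced with the method you are about to select. This is an added example, not FineBI's code or the downloadable classes; it assumes UTF-8 input bytes and that the "user" variants operate on the username immediately followed by the password, as in this page's A123456 examples. The user rows are constructed.

```python
import base64
import hashlib
from typing import Callable, Dict, Iterable, List, Tuple


def _b64(s: str) -> str:
    return base64.b64encode(s.encode("utf-8")).decode("ascii")


def _sha256(s: str) -> str:
    return hashlib.sha256(s.encode("utf-8")).hexdigest()


def _md5(s: str) -> str:
    # MD5 is not collision resistant; here it is only the custom transformation
    # that precedes the system's SHA256 step, as on this page.
    return hashlib.md5(s.encode("utf-8")).hexdigest()


# One generator per class named in this section, keyed by the class name.
SCHEMES: Dict[str, Callable[[str, str], str]] = {
    "Base64PasswordValidator":           lambda u, p: _b64(p),
    "Base64UserPasswordValidator":       lambda u, p: _b64(u + p),
    "SHA256PasswordValidator":           lambda u, p: _sha256(p),
    "CustomSHA256PasswordValidator":     lambda u, p: _sha256(u + p),
    "MD5CasePasswordValidator":          lambda u, p: _md5(p),
    "MD5CaseUserPasswordValidator":      lambda u, p: _md5(u + p),
    "MD5UpperCasePasswordValidator":     lambda u, p: _md5(p).upper(),
    "MD5UpperCaseUserPasswordValidator": lambda u, p: _md5(u + p).upper(),
}


def password_column(scheme: str, username: str, plaintext: str) -> str:
    """Value to store in the dataset's password column for this user and scheme."""
    return SCHEMES[scheme](username, plaintext)


def build_dataset(scheme: str, users: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """(username, password) rows ready to load into the Synchronize_Users table."""
    return [(u, password_column(scheme, u, p)) for u, p in users]


def mismatched_rows(scheme: str, users: Iterable[Tuple[str, str]],
                    dataset_rows: Iterable[Tuple[str, str]]) -> List[str]:
    """Pre-sync check: usernames whose stored column was NOT produced by `scheme`.

    Selecting an encryption class that differs from the one used to fill the
    column locks every affected user out, and FineBI only shows that at login.
    """
    expected = dict(build_dataset(scheme, users))
    return [u for u, stored in dataset_rows if expected.get(u) != stored]


if __name__ == "__main__":
    # Constructed sample rows: username and plaintext password.
    users = [("A", "123456"), ("B", "s3cret-Pass")]
    for scheme in SCHEMES:
        print(scheme, build_dataset(scheme, users))
    # The column below was filled with the user+password Base64 variant, so
    # selecting the password-only Base64 class would reject user A.
    column = [("A", "QTEyMzQ1Ng==")]
    print(mismatched_rows("Base64PasswordValidator", users, column))      # ['A']
    print(mismatched_rows("Base64UserPasswordValidator", users, column))  # []
```

Generate the column with the same function you will point Synchronize User at, keep the plaintext source out of the database, and run mismatched_rows against the loaded table before clicking OK; a non-empty result means those users will fail authentication after synchronization.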

    Notes

    NoClassDefFoundError

    Problem:

    User synchronization fails after you set the custom encryption method, and it prompts: NoClassDefFoundError: com/fr/decision/privilege/Base64PasswordValidator (wrong name: com/fr/decision/privilege/encrpt/Base64PasswordValidator).

     

    Cause:

    The custom encryption class file was saved in a directory that does not match the package it was compiled with.

    Solution:

    In the error message, the path after wrong name: is the package recorded in the class file, i.e. the directory under WEB-INF/classes where the file must be placed (here com/fr/decision/privilege/encrpt).

    Move the class file to that path and set the encryption method again.

    Topic: System Management