Problem
When a user logs in to the decision-making platform, user authentication is required. The system will authenticate the username and password entered to ensure system security.
Login credentials (username and password) are stored in the database (FineReport's built-in database FineDB or external databases). During authentication, if the password entered by a user matches that stored in the database, the authentication is passed.
If the database is cracked, the login credentials are exposed, risking system security. Such situations must be avoided to ensure system security.
Solution
You can encrypt login information in FineDB. In this case, the login credentials cannot be obtained even if the database is cracked.
In addition, FineBI provides the Custom Password Encryption method in Import User, which can encrypt the entered login information on the login page. The authentication is passed when the encrypted login credentials match those stored in FineDB.
Custom Password Encryption: It refers to customizing a password encryption class.
The encryption method is described in a class, of which its file is stored in the path %FR_Home%\webapps\webroot\WEB-INF\classes.
The decision-making platform will perform a second SHA256 encryption based on the user's custom encryption algorithms to ensure password security.
Application scenario: Custom encryption can be used when passwords in the column of the imported server dataset are displayed in plaintexts.
Login password: The plaintext of the password in the column of the imported server dataset.
Encryption Interface: It refers to writing a custom password encryption class through an interface to encrypt user-entered passwords or usernames and passwords according to custom encryption rules. The following contents show the supported interfaces.
1. Encrypting the password to obtain ciphertext: String encode(String originText);. The input parameter is the plaintext password, the returned result of which is ciphertext after the encryption.
2. Encrypting the username and the password to obtain ciphertext: String encode(String originUserName, String originPassword);. The input parameters are the username and the plaintext password, the returned result of which is ciphertext after the encryption.
Note:Implementation Idea
Encryption Authentication Logic
Four encryptions and one login authentication are performed during the login process where you enter the plaintext password on the login page and successfully log in to the decision-making platform.
After the users are imported:
1. The first encryption: After you import users, the system performs custom encryption on the plaintext of the server dataset.
2. The second encryption: It refers to an SHA256 encryption (performed uniformly by the system). The encryption object is the ciphertext obtained after the first encryption.
During the user login:
3. The third encryption: It refers to the custom password encryption method selected by the user. The encryption object is the plaintext password entered by the user.
4. The fourth encryption: An SHA256 encryption performed uniformly by the system. The encryption object is the ciphertext obtained after the third encryption.
5. The login authentication: Compare the ciphertext (obtained after the fourth encryption) with the ciphertext (in the FineDB database). If the two ciphertexts are consistent, the authentication is passed.
Implementation Steps
1. Create a custom password encryption class to encrypt the plaintext password A entered by the user on the login page.
Prepare the compilation environment.
Write a Java file.
Compile a class file.
2. Create a server dataset to store user login information, including username and login password.
3. Import the user information to the decision-making platform for the system login authentication.
Set User Source to the server dataset prepared in the second step.
Set Password to custom-encrypted ciphertext in the server dataset.
Set Encryption Method to Custom Password Encryption and use the password encryption class prepared in the first step.
Custom Password Encryption Example
This example shows how to write a BASE64 password encryption class, encrypt the user-entered password based on custom encryption rules, and successfully log in to the decision-making platform through login authentication.
Note:Preparing the Compilation Environment
Before compiling the program, you need to create a Java project environment and have a Java editor, such as Eclipse or IntelliJ IDEA.
Choose Properties > Java Build Path > Libraries in Eclipse and import the FineReport project JAR package file.
Writing a Java File
Define a class in the compiler named Base64PasswordValidator.java that extends AbstractPasswordValidator. The following contents show the Java codes.
package com.fr.decision.privilege.encrpt;;
import com.fr.base.Base64;
import com.fr.base.ServerConfig;
import com.fr.decision.privilege.encrpt.AbstractPasswordValidator;
import com.fr.log.FineLoggerFactory;
import java.io.UnsupportedEncodingException;
public class Base64PasswordValidator extends AbstractPasswordValidator {
public Base64PasswordValidator() {
}
public String encode(String originText) {
try {
return Base64.encode(originText.getBytes(ServerConfig.getInstance().getServerCharset()));
} catch (UnsupportedEncodingException var3) {
FineLoggerFactory.getLogger().debug(var3.getMessage());
return "";
}
}
}Compiling a Class File
Click, download, and unzip to obtain the class file: Base64PasswordValidator.zip.
1. Generating the class file
Compile Base64PasswordValidator.java to generate the Base64PasswordValidator.class file.
2. Importing the class file
Save the compiled file Base64PasswordValidator.class to the path %FR_HOME%/webapps/webroot/WEB-INF/classes/com/fr/decision/privilege/encrpt.
Creating a Server Dataset
The password prepared in the database will be encrypted twice and written into the FineDB database for login authentication. In this case, the login credentials cannot be obtained even if the database is cracked.
Data Preparation
Prepare a user information table, where the password in the Password column is plaintext. The following figure shows the table structure.
Example: If user a enters 123456 (plaintext password) on the login page, the password in the Password column is 123456.
You can download the user information table: Import User.xlsx.
Adding a Server Dataset
You can use a third-party database management tool to import the above table into a database and establish a data connection between the decision-making platform and the database. Besides, you can create a database and import the table into the database. The following content takes a created database Data Connection as an example.
1. Log in to the decision-making platform as the admin, choose System Management > Data Connection > Server Dataset, click Create Dataset, and select SQL Dataset from the drop-down list.
2. Name the dataset Import User, set Data from Data Connection to Data Connection, and enter the following SQL statement:
select * from "Import User"
Setting the Encryption Method
Note:In Import User, you can select the Custom Password Encryption method to enhance system security.
Importing Users
Log into the FineBI system as the admin, choose System Management > User Management > All Users, and click Import User to configure the user information.
Encryption Configuration
1. Set the user source to the server dataset Import User prepared in section "Adding a Server Dataset."
2. Set Password to Password.
3. Set Encryption Method to Custom Encryption Method and use Base64PasswordValidator.class (the custom encryption class prepared in section "Compiling a Class File.").
Click OK to finish importing users.
Effect Display
Log in to the decision-making platform as user a.
User a's password in the server data is 123456. Enter 123456 (plaintext password) on the login page.
Click Login to log in to the decision-making platform successfully.
Commonly-Used Custom Password Encryption Method
This document provides commonly used custom password encryption files, which you can download and use as needed. After downloading the file, you need to place it in the specified folder and modify the custom class in section "Encryption Configuration." For the remaining steps, see section "Custom Password Encryption Example."
Encrypting Username and Password Through BASE64
FineReport supports the encryption of the user-entered username and password through BASE64.
The compiled BASE64 encryption class is provided. You can click and download the file: Base64UserPasswordValidator.zip.
1. Click to download and unzip the file to obtain the class file, and save the file to the path %FR_HOME%/webapps/webroot/WEB-INF/classes/com/fr/decision/privilege.
2. Configure the plaintext in the password column of the server dataset. The system will encrypt the username and password, and store the ciphertext in the FineDB database.
Example: If user a's password is 123456, then in the server database, the password column should be 123456, and the system encrypts a123456.
Encrypting Password Through SHA256
FineReport supports the encryption of the user-entered password through SHA256.
The compiled SHA256 encryption class is provided. You can click and download the file: SHA256PasswordValidator.zip.
Click to download and unzip the class file, and save the file to the path %FR_HOME%/webapps/webroot/WEB-INF/classes/com/fr/decision/privilege/encrpt.
Encrypting Username and Password Through SHA256
FineReport supports the encryption of the user-entered username and password through SHA256.
The compiled SHA256 encryption class is provided. You can click and download the file: CustomSHA256PasswordValidator.zip.
1. Click to download and unzip the class file, and save the file to the path %FR_HOME%/webapps/webroot/WEB-INF/classes/com/fr/decision/privilege/encrpt.
2. Configure the plaintext in the password column of the server dataset. The system will encrypt the username and password, and store the ciphertext in t FineDB database.
Example: If user a's password is 123456, then in the server database, the password column should be 123456, and the system encrypts a123456.
Encrypting Password Through MD5 (32-Bit Lowercase)
FineReport supports the encryption of the user-entered password through MD5 (32-bit lowercase).
The compiled MD5 (32-bit lowercase) encryption class is provided. You can click and download the file: MD5CasePasswordValidator.zip.
Click to download and unzip to obtain the class file, and save the file to the path %FR_HOME%/webapps/webroot/WEB-INF/classes/com/fr/decision/privilege.
Encrypting Username and Password Through MD5 (32-Bit Lowercase)
FineReport supports the encryption of the user-entered username and password through MD5 (32-bit lowercase).
The compiled MD5 (32-bit lowercase) encryption class is provided. You can click and download the file: MD5CaseUserPasswordValidator.zip.
1. Click to download and unzip the file to obtain the class file, and save the file to the path %FR_HOME%/webapps/webroot/WEB-INF/classes/com/fr/decision/privilege.
2. Configure the plaintext in the password column of the server dataset. The system will encrypt the username and password, and store the ciphertext in the FineDB database.
Example: If user a's password is 123456, then in the server database, the password column should be 123456, and the system encrypts a123456.
Encrypting Password Through MD5 (32-Bit Uppercase)
FineReport supports the encryption of the user-entered password through MD5 (32-bit uppercase).
The compiled MD5 (32-bit uppercase) encryption class is provided. Click to download the file: MD5UpperCasePasswordValidator.zip.
Click to download and unzip to obtain the class file, and save the file to the path %FR_HOME%/webapps/webroot/WEB-INF/classes/com/fr/decision/privilege.
Encrypting Username and Password Through MD5 (32-Bit Uppercase)
FineReport supports the encryption of the user-entered username and password through MD5 (32-bit uppercase).
The compiled MD5 (32-bit uppercase) encryption class is provided. You can click and download the file: MD5UpperCaseUserPasswordValidator.zip.
1. Click to download and unzip the file to obtain the class file, and save the file to the path %FR_HOME%/webapps/webroot/WEB-INF/classes/com/fr/decision/privilege.
2. Configure the plaintext in the password column of the server dataset. The system will encrypt the username and password, and store the ciphertext in the FineDB database.
Example: If user a's password is 123456, then in the server database, the password column should be 123456, and the system encrypts a123456.
Previous:Password Encryption Settings for Synchronized Users
