Password Encryption

  • Last update:  2020-12-21
  • I. Overview

    1) When the password information used for authentication is stored in a database, such as FineDB (the FineReport built-in database) or another database, a breach of that database exposes every stored password. FineReport therefore provides a password encryption feature so that the database holds ciphertexts rather than plain-text passwords.

    2) With password encryption enabled when users are added, the password entered at login is encrypted and the result is compared with the ciphertext stored in the database. This raises the cost of recovering passwords from a leaked table, but only as far as the chosen method allows: unsalted MD5 or SHA digests can be attacked with precomputed tables, and Base64 (one of the examples below) is reversible encoding rather than encryption.

    II. Approaches

    1. Setup Instructions

    1) Log in to the decision-making platform and go to Manage -> User -> All Users -> Synchronize Users.

    2) Click OK in User Update Setting to open the Synchronize Users panel, where the encryption method is set.


    2. Encryption Methods

    1) Two methods of password encryption are provided, namely Built-in SHA Encryption and Custom Password Encryption.

    2) Built-in SHA Encryption: a hashing method encapsulated in the FineReport system; no class needs to be deployed.

    3) Custom Password Encryption: place a custom password validator class containing the encryption method on the report server under /webapps/webroot/WEB-INF/classes, then select Custom Password Encryption in the setup and specify the class path.

     

    3. Principle

    With an encryption rule set up, the password entered at login first passes through the encryption, and the result is then matched against the passwords stored in the database.

    • Built-in SHA Encryption: by default the input password is hashed with SHA and the digest is matched against the stored values.

    • Custom Password Encryption: the input password (or both username and password) goes through the custom encryption, and the result is matched against the stored values. The interface can be implemented in either of two ways.

    • Encrypt the password only:

      String encode(String originText); // receives the plain-text password and returns the ciphertext

    • Encrypt the username and password together:

      String encode(String originUserName, String originPassword); // receives the username and the plain-text password and returns the ciphertext
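
    The matching flow described above, as an added example that is not FineReport code: a stand-alone Java program with a stand-in for AbstractPasswordValidator (assumed here to expose only the two encode() signatures listed above), a two-argument validator that derives a per-user salt from the username and runs PBKDF2 (an assumption about what a stronger custom method can look like; its output stays deterministic, which the stored-ciphertext comparison requires), the login-time comparison, and a check that a Base64 "ciphertext" decodes straight back to the password. The class and method names and the sample users are constructed for this example.

```java
// Added example, not FineReport code. Shows the "encode the input, then compare with
// the stored ciphertext" flow with a deterministic, username-salted validator.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.spec.InvalidKeySpecException;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class ValidatorFlowDemo {

    // Stand-in for com.fr.decision.privilege.encrpt.AbstractPasswordValidator so the
    // example compiles offline (assumption: the real class exposes these two variants).
    abstract static class PasswordValidatorStandIn {
        public String encode(String originText) { return originText; }
        public String encode(String originUserName, String originPassword) {
            return encode(originPassword);
        }
    }

    // Two-argument variant: the username acts as a per-user salt, so two users with the
    // same password get different ciphertexts and one lookup table no longer covers the
    // whole user table. PBKDF2 adds a work factor; the result is still deterministic.
    static class UserSaltedPbkdf2Validator extends PasswordValidatorStandIn {
        private static final int ITERATIONS = 100_000;
        private static final int KEY_BITS = 256;

        @Override
        public String encode(String originUserName, String originPassword) {
            try {
                byte[] salt = sha256(("fr-user-salt:" + originUserName).getBytes(StandardCharsets.UTF_8));
                PBEKeySpec spec = new PBEKeySpec(originPassword.toCharArray(), salt, ITERATIONS, KEY_BITS);
                SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
                byte[] derived = factory.generateSecret(spec).getEncoded();
                spec.clearPassword();
                return hex(derived);
            } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
                throw new IllegalStateException("PBKDF2WithHmacSHA256 unavailable", e);
            }
        }
    }

    static byte[] sha256(byte[] in) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-256").digest(in);
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Login-time check as the platform performs it: encode the input, then compare with
    // the stored value. MessageDigest.isEqual compares in constant time.
    static boolean login(PasswordValidatorStandIn v, String storedCiphertext, String user, String input) {
        byte[] stored = storedCiphertext.getBytes(StandardCharsets.UTF_8);
        byte[] candidate = v.encode(user, input).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(stored, candidate);
    }

    public static void main(String[] args) {
        UserSaltedPbkdf2Validator v = new UserSaltedPbkdf2Validator();
        // Constructed sample users; both chose the same password.
        String storedAlice = v.encode("alice", "Summer2020!");
        String storedBob = v.encode("bob", "Summer2020!");
        System.out.println("same password, different ciphertexts: " + !storedAlice.equals(storedBob));
        System.out.println("alice, correct password: " + login(v, storedAlice, "alice", "Summer2020!"));
        System.out.println("alice, wrong password:   " + login(v, storedAlice, "alice", "summer2020!"));

        // Base64 is encoding, not encryption: the stored value decodes straight back.
        String b64 = Base64.getEncoder().encodeToString("Summer2020!".getBytes(StandardCharsets.UTF_8));
        String recovered = new String(Base64.getDecoder().decode(b64), StandardCharsets.UTF_8);
        System.out.println("base64 value decodes to the password: " + "Summer2020!".equals(recovered));
    }
}
```

    Compile and run with javac and java. For a real deployment, extend the actual AbstractPasswordValidator instead of the stand-in and keep the package and class path used in the examples below. The iteration count and salt prefix must not change once users have been synchronized, because the stored values cannot be recomputed without the plain-text passwords.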


    III. Examples of Custom Password Encryption

    This section gives three simple examples of custom password encryption classes implementing the custom password feature.

    • BASE64 Encryption

    • SHA256

    • MD5 Encryption

    1. BASE64 Encryption Method

    1) Custom password validator class

    a) Define a class Base64PasswordValidator.java that extends AbstractPasswordValidator. The full code is below:

    package com.fr.decision.privilege.encrpt;

    import com.fr.base.Base64;
    import com.fr.base.ServerConfig;
    import com.fr.decision.privilege.encrpt.AbstractPasswordValidator;
    import com.fr.log.FineLoggerFactory;

    import java.io.UnsupportedEncodingException;

    // Single-argument variant: only the password is transformed.
    // Base64 is reversible encoding, so the stored value can be decoded back to the password.
    public class Base64PasswordValidator extends AbstractPasswordValidator {
        public Base64PasswordValidator() {
        }

        @Override
        public String encode(String originText) {
            try {
                // Encode the password bytes in the server charset so the result
                // matches what was stored when the users were synchronized.
                return Base64.encode(originText.getBytes(ServerConfig.getInstance().getServerCharset()));
            } catch (UnsupportedEncodingException e) {
                // An unknown charset is logged and an empty string returned, so the login fails
                // unless a stored ciphertext is itself empty.
                FineLoggerFactory.getLogger().debug(e.getMessage());
                return "";
            }
        }
    }

    Compile to get Base64PasswordValidator.class

    Base64PasswordValidator.class.zip

    b) Place the compiled Base64PasswordValidator.class into /webapps/webroot/WEB-INF/classes/com/fr/decision/privilege/encrpt.

    Note:

    • Use String encode(String originText); // encrypts the password only to get the ciphertext.

    • Restarting the server is required.


    2) Platform settings

    a) Go to Manage -> User -> All Users -> Synchronize Users.

    b) In Synchronize Users, choose Custom Password Encryption for Encryption Method, and select Base64PasswordValidator.class. Click OK.


    2. SHA256 Encryption Method

    1) Custom password encryption class

    a) Define a class CustomSHA256PasswordValidator.java that extends AbstractPasswordValidator. The full code is below:

    package com.fr.decision.privilege.encrpt;

    import com.fr.security.SecurityToolbox;

    // Two-argument variant: username and password are hashed together, so the username
    // acts as a per-user salt and identical passwords give different digests.
    public class CustomSHA256PasswordValidator extends AbstractPasswordValidator {
        public CustomSHA256PasswordValidator() {
        }

        @Override
        public String encode(String originUserName, String originPassword) {
            // Concatenate username and password, then hash with FineReport's SecurityToolbox.
            // The two fields are joined without a separator, so the stored values depend on
            // exactly this concatenation; changing it later invalidates every stored digest.
            String unionPwd = originUserName + originPassword;
            return SecurityToolbox.sha256(unionPwd);
        }
    }

    b) Compile to get CustomSHA256PasswordValidator.class

    CustomSHA256PasswordValidator.class.zip

    c) Place the compiled CustomSHA256PasswordValidator.class into /webapps/webroot/WEB-INF/classes/com/fr/decision/privilege/encrpt.

    Note: Use String encode(String originUserName, String originPassword); // encrypts both the username and the password to get the ciphertext.


    2) Platform settings

    a) Go to Manage -> User -> All Users -> Synchronize Users.

    b) In Synchronize Users, choose Custom Password Encryption for Encryption Method, and select CustomSHA256PasswordValidator.class. Click OK.


    3. MD5 Encryption Method

    In version 9.0 and earlier, a "Built-in MD5 Encryption" option could be selected for passwords in synchronization datasets; version 10.0 removes this default MD5 method.

    For a project upgraded from version 9.0 to 10.0 that was using the built-in MD5 method before the upgrade, or for users who still need MD5 encryption, proceed as follows.

    1) Download and place the MD5 encryption class

    a) Please see the ready-made MD5 encryption class below.

    decision-new-password.zip

    b) Extract the folder named "decision" from the downloaded decision-new-password.zip and put it into %FR_HOME%\webroot\WEB-INF\classes\com\fr\decision.


    2) Platform settings

    a) Go to Manage -> User -> All Users -> Synchronize Users.

    b) In Synchronize Users, choose Custom Password Encryption for Encryption Method, and select MD5PasswordValodator.class. Click OK.


    3) Username encryption

    To custom-encrypt both username and password, use decision.zip, deployed in the same way as described above.

    decision.zip


    4) Important notes

    a) The MD5 encryption class adapted to version 10.0 is case sensitive, whereas the built-in method in version 9.0 was not.

    b) Upgrading a 9.0 project that used built-in MD5 encryption installs a built-in lowercase MD5 class. Stored ciphertexts in uppercase hex therefore no longer match at login in version 10.0, and the class must be replaced manually as described above. Check the case of the stored values before upgrading so the replacement can be planned.
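
    An added check for the case-sensitivity note above (example code, not part of the attachment): inspect the hex case of the ciphertexts a 9.0 project already stores and produce MD5 in the matching case, so the validator deployed after the upgrade compares equal. The md5Hex and detectCase helpers and the sample values are constructed for this example.

```java
// Added example, not from the FineReport attachment. Detects whether stored MD5
// ciphertexts are lowercase or uppercase hex and computes MD5 in the same case.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.List;

public class Md5CaseMigrationDemo {

    // MD5 hex digest in the requested case; this is what a case-matched validator's
    // encode() would return.
    static String md5Hex(String text, boolean upperCase) {
        try {
            byte[] digest = MessageDigest.getInstance("MD5").digest(text.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(32);
            for (byte b : digest) sb.append(String.format(upperCase ? "%02X" : "%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 unavailable", e);
        }
    }

    enum HexCase { LOWER, UPPER, MIXED, NOT_MD5_HEX }

    // Inspect stored values (for example, the result of a query over the synchronized
    // user table) and report which case they use. MIXED means a single deterministic
    // validator cannot match every row and the data itself needs normalizing.
    static HexCase detectCase(List<String> storedCiphertexts) {
        boolean sawLower = false, sawUpper = false;
        for (String s : storedCiphertexts) {
            if (!s.matches("[0-9a-fA-F]{32}")) return HexCase.NOT_MD5_HEX;
            if (s.matches(".*[a-f].*")) sawLower = true;
            if (s.matches(".*[A-F].*")) sawUpper = true;
        }
        if (sawLower && sawUpper) return HexCase.MIXED;
        return sawUpper ? HexCase.UPPER : HexCase.LOWER;
    }

    public static void main(String[] args) {
        // Constructed sample: values as a 9.0 project might have stored them (uppercase).
        List<String> stored = List.of(md5Hex("Summer2020!", true), md5Hex("hunter2", true));
        HexCase detected = detectCase(stored);
        System.out.println("stored hex case: " + detected);

        String lowercase10 = md5Hex("Summer2020!", false);
        String caseMatched = md5Hex("Summer2020!", detected == HexCase.UPPER);
        System.out.println("10.0 lowercase class matches stored value: " + lowercase10.equals(stored.get(0)));
        System.out.println("case-matched class matches stored value:   " + caseMatched.equals(stored.get(0)));
    }
}
```

    Run the detection once against the real user table before upgrading; if it reports MIXED, convert the stored values to one case first, because the validator's encode() can only emit one form.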

