Password Encryption Settings for Synchronized Users-FineReport Help Document

Last update：June 26, 2024

Problem

When a user logs in to the decision-making platform, authentication is required. The system will authenticate the username and password entered to ensure system security.

Login credentials (username and password) are stored in the database (FineReport's built-in database FineDB or other external databases). During authentication, if the password entered by a user matches that stored in the database, the authentication is successful.

If the database is cracked, the login credentials are exposed, risking system security. Such situations must be avoided to ensure system security.

Solution

Users can encrypt login credentials stored in the database to ensure that even if the database is cracked, the actual login credentials of users cannot be obtained. In this case, the actual login credentials cannot be obtained even if the database is cracked.

At the same time, FineReport provides Custom Password Encryption under Encryption > Synchronize User to allow the encryption of login credentials entered by users on the login page. The authentication is successful when the encrypted login credentials match those stored in FineDB.

Custom Password Encryption: It refers to customizing a password encryption class.

The encryption method is described in a class, of which its file is stored in the path %FR_Home%\webapps\webroot\WEB-INF\classes.

The decision-making platform will perform a secondary SHA256 encryption on top of the user-defined encryption algorithms to ensure password security.

Application Scenario: Such an encryption method must be used when the password in the synchronized server dataset is custom-encrypted ciphertext.

Encryption Interface: It refers to writing a custom password encryption class through an interface to encrypt user-entered passwords or usernames and passwords according to custom encryption rules. The following contents show the supported interfaces.

1. Encrypting the password to obtain ciphertext: String encode(String originText);. The inputted parameter is the plaintext password, the returned result of which is ciphertext after encryption.

2. Encrypting the username and the password to obtain ciphertext: String encode(String originUserName, String originPassword);. The inputted parameters are the username and the plaintext password, the returned result of which is ciphertext after encryption.

Note:

1. The interface String encode(String originUserName, String originPassword); with the defined encryption method inside is newly added on 2019/01/18 and includes the functionality of the first interface. You are advised to use this interface.

2. Custom encryption algorithms need to inherit the AbstractPasswordValidator class.

Implementation Idea

Encryption Authentication Logic

Three encryptions and one login authentication are performed during the login process where a user enters the plaintext password on the login page and successfully logs in to the decision-making platform.

After user synchronization:

1. First encryption: After user synchronization, the system performs a SHA256 encryption on the ciphertext in the server dataset and writes the resulting ciphertext into the database FineDB.

During user login:

2. Second encryption: Custom password encryption. The encryption object is the entered plaintext password.

3. Third encryption: SHA256 encryption (performed uniformly by the system). The encryption object is the ciphertext obtained after the second encryption.

4. Login authentication: A comparison is performed between the ciphertext obtained after the third encryption with that in the database FineDB. If the two match, the authentication is successful.

Implementation Steps

1. Create a custom password encryption class to encrypt the plaintext password A entered by the user on the login page.

Prepare the compilation environment.

Write a Java file.

Compile a class file.

2. Create a server dataset to store user login credentials, including the username and the password (custom-encrypted ciphertext B).

Note:

After the user synchronization, the system performs a SHA256 encryption on ciphertext B in the server dataset and writes the resulting ciphertext into the database FineDB.

3. Synchronize user information to the decision-making platform for system login authentication.

Set User Source to the server dataset prepared in the second step.

Set Password to custom-encrypted ciphertext in the server dataset.

Set Encryption Method to Custom Password Encryption and use the password encryption class prepared in the first step.

Custom Password Encryption Example

This example shows how to write a BASE64 password encryption class, encrypt the the user-entered password based on custom encryption rules, and successfully log in to the decision-making platform through login authentication.

Note:

This document demonstrates a simple example of the encryption method BASE64. For other common encryption methods, custom class files are provided in section "Commonly-Used Custom Password Encryption Method." You can download and use the files as needed.

Preparing the Compilation Environment

Before compiling the program, you need to create a Java project environment and have a Java editor, such as Eclipse or IntelliJ IDEA.

Choose Properties > Java Build Path > Libraries in Eclipse and import the FineReport project JAR package file.

Writing a Java File

Define a class in the compiler named Base64PasswordValidator.java that extends AbstractPasswordValidator. The following contents show the Java codes.


package com.fr.decision.privilege.encrpt;;
import com.fr.base.Base64;
import com.fr.base.ServerConfig;
import com.fr.decision.privilege.encrpt.AbstractPasswordValidator;
import com.fr.log.FineLoggerFactory;
import java.io.UnsupportedEncodingException;
public class Base64PasswordValidator extends AbstractPasswordValidator {
    public Base64PasswordValidator() {
    }
    public String encode(String originText) {
        try {
            return Base64.encode(originText.getBytes(ServerConfig.getInstance().getServerCharset()));
        } catch (UnsupportedEncodingException var3) {
            FineLoggerFactory.getLogger().debug(var3.getMessage());
            return "";
        }
    }
}

Compiling a class File

Click, download, and unzip to obtain the class file: Base64PasswordValidator.zip.

1. Generating the class file

Compile Base64PasswordValidator.java to generate the Base64PasswordValidator.class file.

2. Importing the class file

Save the compiled file Base64PasswordValidator.class to the path %FR_HOME%/webapps/webroot/WEB-INF/classes/com/fr/decision/privilege/encrpt.

Creating a Server Dataset

You need to perform a BASE64 encryption on the login credentials in the database. Then the system performs a SHA256 encryption again and finally writes the ciphertext into the database FineDB for login authentication to ensure that even if the database is cracked, the actual login credentials of users cannot be obtained. In this case, the actual login credentials cannot be obtained even if the database is cracked.

Data Preparation

Prepare a user information table, where the password in the Password data column is the ciphertext encrypted through BASE64. The following figure shows the table structure.

Example: If user A enters 123456 (plaintext password) on the login page, the password in the Password column is MTIzNDU2 (ciphertext encrypted through BASE64).

You can click and download the table: User Synchronization.xlsx.

Adding a Server Dataset

Import the above table to a third-party database management tool and establish a connection between the system and the database. The following content takes a created database as an example.

1. Log in to the decision-making platform as the admin, choose System Management > Data Connection > Server Dataset, click Create Dataset, and select SQL Dataset from the drop-down list.

2. Set Dataset Name to User Synchronization, set Data from Data Connection to JDBC3, and enter the following SQL statement.

SELECT * FROM user_synchronization

Setting the Encryption Method

Note:

You can also select another custom encryption method by modifying its corresponding class. For details, see "Encryption Configuration." Commonly used custom encryption class files are provided in section "Commonly-Used Custom Password Encryption Method"; you can select the method as needed.

You can select Custom Password Encryption under Encryption Method > Synchronize User to enhance system security.

Synchronizing Users

1. Log in to the decision-making platform as the admin, choose System Management > User Management > All Users, and click Synchronize User.

A prompt box displaying "Sure to retain existing asynchronous data, including imported/added users, departments, positions, and roles?" pops up, as shown in the following figure.

Note:

1. This section introduces the data update rules for users performing an initial Synchronize User or an initial Synchronize User with User Synchronization not enabled.

If users have performed Synchronize User or non-initial Synchronize User with User Synchronization enabled before, the prompt box will not pop up, and the synchronization will not be performed based on the update rules in this section.

2. The synchronized users can coexist with manually added/imported users.

The following table shows the update logic corresponding to different selections.

Selection

Definition

Retain

If the existing user is not in the synchronized server dataset, the user's information

and permissions will be retained without modification.

If the existing user (with the same username) is in the synchronized server dataset:

The user's username will remain unchanged, with permissions retained.

The user's username, password, phone number, and email address will be updated.

If the user's current department, position, and role exist in the synchronized server

dataset, all the above information will be updated.

If the user's current department, position, and role are not in the synchronized server dataset, all the above information will remain unchanged.

Clear

All the usernames, names, passwords, phone numbers, email addresses,

departments, positions, roles, and permissions of users (manually added or imported into the platform) will be deleted. Users need to be resynchronized.

Note:

Based on the update logic, if some user information is updated after the initial synchronization,

only users (changed to the synchronous type) can be automatically updated in the later synchronization.

For subsequent synchronizations, the dataset cannot overwrite or update built-in data. Otherwise, conflicts and error messages appear.

Encryption Configuration

1. Set User Source to User Synchronization (the server dataset prepared in section "Adding a Server Dataset.").

2. Set Password to Password.

3. Set Encryption Method to Custom Encryption Method and use Base64PasswordValidator.class (the custom encryption class prepared in section "Compiling a Class File.").

Note:

If you need to use the custom encryption method, do not select Editable when synchronizing users. Otherwise, users cannot log in to the platform.

图片1.png

Click OK to complete the user synchronization.

Effect Display

The ciphertext of user a in the server dataset is MTIzNDU2, of which the decrypted plaintext is 123456.

Enter 123456 (plaintext password) on the login page and click Login to log in to the decision-making platform successfully.

Commonly-Used Custom Password Encryption Method

This document provides commonly used custom password encryption files, which you can download and use as needed. After downloading the file, you need to place it in the specified folder and modify the custom class in section "Encryption Configuration." For the remaining steps, see section "Custom Password Encryption Example."

Encrypting Username and Password Through BASE64

FineReport supports the encryption of the user-entered username and password through BASE64.

The compiled BASE64 encryption class is provided. You can click and download the file: Base64UserPasswordValidator.zip.

1. Click, download, and unzip the class file to obtain the .class file. Save the file to the path %FR_HOME%/webapps/webroot/WEB-INF/classes/com/fr/decision/privilege.

2. Configure the BASE64-encrypted ciphertext of username plus password (in the Password column of the server dataset).

Example: If user a's password is 123456, the password in the Password column in the server dataset should be QTEyMzQ1Ng== (BASE64-encrypted ciphertext of a123456).

Encrypting Password Through SHA256

FineReport supports the encryption of the user-entered password through SHA256.

The compiled SHA256 encryption class is provided. You can click and download the file: SHA256PasswordValidator.zip.