me0wster / webpasswordsafe Goto Github PK

What is the expected output? What do you see instead?
1. Create a new report that shows "expiring" passwords, or basically report all 
passwords whose current password value hasn't been updated for the last X days, 
all list them all ordered by current password value creation date ascending.

What steps will reproduce the problem?
1. Consume the webpasswordsafe wsdl file with webservice client
2. The default soap url is http://localhost:8080/WebPasswordSafe/webservice
3. Client can't talk to localhost:8080

What is the expected output? What do you see instead?
1. It should be the actual hostname of where ever host the webservice is 
deployed on.  Since that is unknown at build time to automatically determine, 
at the very least include in the install documentation where to manually change 
that if using web services.

What steps will reproduce the problem?
1. Start with a fresh database and installation
2. Load WebPasswordSafe for the first time
3. The data schema and initial admin user will fail to get created because the 
default admin email address isn't a valid format after the validation checking 
was implemented.

What is the expected output? What do you see instead?
1. Admin email address should be default a valid format, and database should 
get created properly allowing the initial admin user to login.

What steps will reproduce the problem?
1. View a report, client uses a GET request, not a POST
2. POST is slightly more secure in that it "hides" parameters from browser 
history, access logs, etc

What is the expected output? What do you see instead?
1. Use POST instead of GET

Right now this is low priority because there aren't any unique parameters 
passed to the reports yet, because they don't accept custom parameters.  Once 
they do, and that data is potentially sensitive in a future release, this will 
be more important.

What steps will reproduce the problem?
1. The architecture allows an administrator to create custom jasper reports and 
drop them in on the server-side, however the client side GUI doesn't 
automatically recognize them and offer them as choices to the user.

What is the expected output? What do you see instead?
1. It would be nice in a future version to design a pluggable report layer that 
allows easier customization of authorization to those custom reports as well as 
how they appear as options in the client-side GUI.

What steps will reproduce the problem?
1. Currently only basic installation documentation is included

What is the expected output? What do you see instead?
1. Need to complete User Guide, Administrator Guide, and Developer Guide

What steps will reproduce the problem?
1. Edit a permission (either on password or template)
2. Use a tool to tamper the request data when saving before it is sent to 
server, changing the access level to something other than READ/WRITE/GRANT yet 
is still <= 5 characters long.
3. It saves this bogus access level into the database without validating it, 
and creates 

What is the expected output? What do you see instead?
1. The server should validate the access level is a valid one, and throw an 
error and not update the database if it isn't.

What steps will reproduce the problem?
Regardless of which authentication mechanism you implement, a user can attempt 
to login and fail as many times as they like, leading the application's 
authentication module open to brute force attacks.

What is the expected output? What do you see instead?
Would be nice to implement as either a core feature, or a wrapper 
authentication plugin, the ability to lock out, or temporarily disable further 
authentication attempts if a certain configurable (both time and attempt count 
based) threshold has been reached.  For example, keep a history of sequential 
authentication failures, say after 5 failed attempts the account is locked out 
and disabled.  This could lead to denial-of-service attacks, where a brute 
force attacker could intentionally disable all known usernames, especially the 
default administrator account (although best practice would be to disable that 
anyway after the initial user-based accounts with admin role are setup) and 
render the application unusable.  Because of this, maybe the lockout should be 
time-based, and configurable, so it only disables the account for an hour, or 
day, or permanently.

What steps will reproduce the problem?
1. Currently when a User domain model pojo is loaded on the server and sent to 
the client as part of a response, it contains all the fields from the user 
table in the database, including the password column. 
2. Although the password is not clear text (by default it is a salted hash 
encrypted value), and can't be replayed to the server as the original value 
(server will re-encrypt it as though it were plaintext password), there is no 
reason for the client side to know what it is or use it, and there is a very 
small chance that if the digest algorithm and salt/encryption key is known on 
the client side, that an attacker could create rainbow tables to brute force 
get the original plaintext password.

What is the expected output? What do you see instead?
1. So the password field isn't sent to the client with each User object, 
refactor it into a child object, and normalize that column to its own table 
linking to user table.  This will also only select from the password table 
*only* when the password field is needed, not every time any user other 
information is needed, helps reduce noise in database auditing.
2. Now user object which doesn't include password field is sent to client, and 
password field only selected when needed to update or authenticate.  Child 
object is not eagerly loaded.  Client never has salted hash encrypted password 
value of user.

What steps will reproduce the problem?
1. Load any report
2. The server doesn't set the proper no-store no-cache, expires, etc headers on 
the response

What is the expected output? What do you see instead?
1. The correct headers should be set so that browsers don't cache the reports 
(or at least every common attempt should be made, some browsers just don't 
honor it)

What steps will reproduce the problem?
1. Load WebPasswordSafe
2. All text is using American English


What is the expected output? What do you see instead?
1. Would be nice to extract all text and implement i18n so multiple languages 
can be used when rendering client display for different users.

What steps will reproduce the problem?
1. When invoking a web service call, produces the following stacktrace even 
though operation succeeds:
2010-12-02 19:01:15,882 ERROR [http-80-14]: 
java.lang.NullPointerException
    at com.joshdrummond.webpasswordsafe.server.ServerSessionUtil.invalidateSession(ServerSessionUtil.java:42)
    at com.joshdrummond.webpasswordsafe.server.service.LoginServiceImpl.logout(LoginServiceImpl.java:133)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:198)
    at $Proxy56.logout(Unknown Source)
    at com.joshdrummond.webpasswordsafe.server.webservice.AddUserJDomEndpoint.invokeInternal(AddUserJDomEndpoint.java:69)


What is the expected output? What do you see instead?
No error.

What steps will reproduce the problem?
1. Edit user and the group membership dual list boxes aren't always 
alphabetically sorted
2. Edit group and the user membership dual list boxes aren't always 
alphabetically sorted


What is the expected output? What do you see instead?
1. The items should be alphabetically sorted even when moving items between 
list boxes and when initially displayed.

What steps will reproduce the problem?
1. Click Reports->Users->PDF

What is the expected output? What do you see instead?
Users report displays, but is missing the column headers (only report title and 
row data shows.  Font overflow maybe?

What version of the product are you using? On what operating system?
0.9 beta installed on a Windows 2003 server

What steps will reproduce the problem?
1. Deploy using MSSQL Server database
2. Try to do any password search
3. Get errors

What is the expected output? What do you see instead?
1. Should be able to search and view passwords without errors

What steps will reproduce the problem?
1. User 1 creates new template, sets it shared flag to true
2. User 2 can use the template when editing permissions on a password, but 
cannot edit that template.

What is the expected output? What do you see instead?
1. Change business logic to allow people to edit templates that others created 
if they are set to be shared.

What steps will reproduce the problem?
1. Add new password with title, tags, and/or notes as 
<script>alert('hi')</script> , then do a password search with that password as 
a result and script will execute when added to search grid.
2. Add a user or group with <script>alert('hi')</script> as the name, then 
create a permission on a password using that user or group and script will 
execute when adding to permission grid.
3. Add new user/group/template/password with <img 
src="https://ssl.gstatic.com/codesite/ph/images/defaultlogo.png"> as the name.  
Now when that user/group/template/password is a result in any list or choice 
box, or grid data, the image will get displayed.

What is the expected output? What do you see instead?
1. Any script, image, etc html should be encoded and escaped properly to not 
execute script or load images.

Oh Ext-GWT!

What steps will reproduce the problem?
1. Currently the GUI doesn't allow the user to pass custom parameters to 
reports easily in a user-friendly way.  For some reports, it would be nice to 
pass parameters to filter data on the reports, such as date ranges, usernames, 
etc.

What is the expected output? What do you see instead?
1. It would be nice in a future version to design a pluggable report layer that 
allows easier integration of custom parameters to reports, such when a jasper 
report that takes custom parameters is chosen, the user is prompted by the 
WebPasswordSafe client to enter them, and then they are passed to the reporting 
engine to produce the final report.

when i deploy to a glassfish server, i get a nice exception.
seems the session handling is a bit different to your tomcat-environment.
i got a hack around but what would be the correct generic solution?

What steps will reproduce the problem?
1. build as in install.txt described
2. deploy to glassfish server v 3.0.1

What do you see instead?
Error 500 and the following exception
[#|2010-12-09T19:32:46.541+0100|SEVERE|glassfish3.0.1|javax.enterprise.system.co
ntainer.web.com.sun.enterprise.web|_ThreadID=24;_ThreadName=http-thread-pool-844
3-(1);|WebModule[/webapp/webpasswordsafe]Exception while dispatching incoming 
RPC call
java.lang.SecurityException: Blocked request without session header (CSRF 
attack?)
        at com.joshdrummond.webpasswordsafe.server.CSRFProtectedGileadRPCServiceExporter.onBeforeRequestDeserialized(CSRFProtectedGileadRPCServiceExporter.java:52)
        at com.google.gwt.user.server.rpc.RemoteServiceServlet.processPost(RemoteServiceServlet.java:238)
        at com.google.gwt.user.server.rpc.AbstractRemoteServiceServlet.doPost(AbstractRemoteServiceServlet.java:62)
        at org.gwtwidgets.server.spring.GWTRPCServiceExporter.handleRequest(GWTRPCServiceExporter.java:389)
        at org.springframework.web.servlet.mvc.HttpRequestHandlerAdapter.handle(HttpRequestHandlerAdapter.java:49)
        at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:875)
        at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:807)
        at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:571)
        at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:511)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:754)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
        at org.apache.catalina.core.StandardWrapper.service(StandardWrapper.java:1523)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:279)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:188)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:641)
        at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:97)
        at com.sun.enterprise.web.PESessionLockingStandardPipeline.invoke(PESessionLockingStandardPipeline.java:85)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:185)
        at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:325)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:226)
        at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:165)
        at com.sun.grizzly.http.ProcessorTask.invokeAdapter(ProcessorTask.java:791)
        at com.sun.grizzly.http.ProcessorTask.doProcess(ProcessorTask.java:693)
        at com.sun.grizzly.http.ProcessorTask.process(ProcessorTask.java:954)
        at com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:170)
        at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:135)
        at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:102)
        at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:88)
        at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:76)
        at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:53)
        at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:57)
        at com.sun.grizzly.ContextTask.run(ContextTask.java:69)
        at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:330)
        at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:309)
        at java.lang.Thread.run(Thread.java:636)
|#]


What version of the product are you using? On what operating system?
trunk@115
os not relevant reproducable on linux and windows

Please provide any additional information below.
commenting the section as in patch helps


Index: 
src/main/java/com/joshdrummond/webpasswordsafe/server/CSRFProtectedGileadRPCServ
iceExporter.java
===================================================================
--- 
src/main/java/com/joshdrummond/webpasswordsafe/server/CSRFProtectedGileadRPCServ
iceExporter.java    (revision 113)
+++ 
src/main/java/com/joshdrummond/webpasswordsafe/server/CSRFProtectedGileadRPCServ
iceExporter.java    (working copy)
@@ -48,10 +48,10 @@
             // Otherwise the client must provide the id of the session in a header.
             if (session != null && !session.isNew()) {
                 String sessionId = servletRequest.getHeader(Constants.HEADER_KEY_CSRF_TOKEN);
-                if (sessionId == null || 
!sessionId.equals(servletRequest.getSession().getId())) {
-                    throw new SecurityException(
-                        "Blocked request without session header (CSRF 
attack?)");
-                }
+//                if (sessionId == null || 
!sessionId.equals(servletRequest.getSession().getId())) {
+//                    throw new SecurityException(
+//                        "Blocked request without session header (CSRF 
attack?)");
+//                }
             }
         }

What steps will reproduce the problem?
1. When logged in, if you keep the browser idle and the server-side session 
times out, next action you try to perform gives the following error:
"The call failed on the server; see server log for details", you have to 
refresh the page and re-authenticate to proceed.

What is the expected output? What do you see instead?
Either change the error message to tell the user what to do (hit refresh) or 
provide a redirect or link to refresh.  Just be more user-friendly.

What steps will reproduce the problem?
1. Add Password with not yet konwn tag

What is the expected output? What do you see instead?
Updated Taglist on the left is expectet.
The Taglist is not yet updated.
U need to logout and logon.


What version of the product are you using? On what operating system?
trunk @ 108

Please provide any additional information below.

possible solution in attached patch

PS. how to contact you to get involved the project?

What is the expected output? What do you see instead?
1. View/Edit password, add a read-only label to the screen showing the 
date/time and user who last updated the current password value to that screen.  
Helpful in easily determining password's "age" without viewing the password 
history screen and generating an access audit event.

What steps will reproduce the problem?
1. User A save new template that isn't shared
2. User B who is admin role, cannot edit or use that template.


What is the expected output? What do you see instead?
1. By default, someone with admin role using the default authorizer plugin 
should be able to override template sharing access controls for administration 
reasons.

What steps will reproduce the problem?
1. Add password with Tags
2. Add another password with the same tags
3. you have to type tagnames exactly as defined before to match

What version of the product are you using?
trunk @124


It would be very helpful to support the tag selection of existing tags, without 
disabling entering new tags. For example with a "picklist" like on the group or 
user dialog.

What is the expected output? What do you see instead?
1. Create a new report that just dumps all the information in the audit_log 
database table into a viewable report, optionally taking date ranges or user as 
parameters.

What steps will reproduce the problem?
1. Enter a wrong title or user name of a password
2. try to correct it

What is the expected output? What do you see instead?
It should be possible to change the title and user name

What version of the product are you using? On what operating system?
1.0 final

Please provide any additional information below.
It would be nice to have possibility to change user name or title but it should 
avoid unintended change. For example by place a button (...) to open a input 
box for the new value.

What steps will reproduce the problem?
1. Add new user, can enter anything in the email field

What is the expected output? What do you see instead?
1. Should validate that the input is a valid email address format, and give an 
error otherwise.

Since the email address data isn't actually being used for anything in 
webpasswordsafe at the moment, this isn't super critical, however if/when it 
is, it should have valid data to depend on.

What steps will reproduce the problem?
1. Add a new User/Group/Password/Template with a name that has been added 
before, or update an existing one to which another has already been named.  
You'll get an ambiguous 500 error.

What is the expected output? What do you see instead?
1. Check to see if the name is taken and produce a more user-friendly and 
informative error message to the user rather than blindly trying to save it.

What steps will reproduce the problem?
1. Try to deploy using Oracle database
2. Multiple errors starting up creating database tables


What is the expected output? What do you see instead?
1. Create tables and function properly

What steps will reproduce the problem?
1. Edit a template that user has access to
2. Use a tool to tamper the request data when saving before it is sent to 
server, such that you change the template id and various parameters to refer to 
a template that is not shared and the user doesn't have access to.


What is the expected output? What do you see instead?
1. The server should validate that template is allowed to be edited by the user 
and throw an error if it isn't, rather than attempt to save it.

What steps will reproduce the problem?
1. Click Edit User/Group/Template
2. Says to select a user/group/template, however you can multi-select more than 
one user/group/template
3. Click okay but only the first selected item gets edited

What is the expected output? What do you see instead?
1. The list box should only allow single selection to not confuse the user

What steps will reproduce the problem?
1. Currently uses container default (Tomcat 30 minutes) idle timeout.
2. If no session activity occurs for that length of time, an error occurs and 
user and to login again.
3. For a high-risk application such as this, should be something shorter in 
case the screen is left away.

What is the expected output? What do you see instead?
1. Default to something shorter (like 10 minutes) and inform administrator how 
to customize in documentation.

What steps will reproduce the problem?
1. Configure to use the DatabaseAuditLogger implementation
2. Generate an audit event that creates a target or message greater than 100 
characters long, such as performing a search for a very long query or including 
tags with very long names
3. An error occurs because the input is too long for the database, and rolls 
back the entire transaction and gives a 500 error to the client

What is the expected output? What do you see instead?
1. No error should occur and the transaction should return successfully
2. The target and message columns should probably be text types, rather than 
varchar(x) since who knows how long x may be especially when people use the 
audit log in custom developed plugins
3. Furthermore, audit plugins should probably catch and eat any exceptions that 
occur rather than throwing to the parent service and causing the business 
transaction to rollback just because it could log the event.  However there may 
be some cases where if an event cannot be audit logged successfully, it 
shouldn't be allowed to complete successfully.

What steps will reproduce the problem?
1. Open sored Password
2. Try to select the username text
3. Try to copy username to clipboard

Function to copy the username into clipboard would enhance user experience.

What steps will reproduce the problem?
1. It would be nice to allow multiple authentication plugins to handle 
different sets of users.  For example, use LDAP or RSA for normal users, but 
fallback to a local authentication for the administrator user.  Either as 
composite or chained services, or better yet explicitly configure which users 
should force to authenticate against which plugin.

What steps will reproduce the problem?
1. For example, on login dialog box, enter username and password, click Submit 
button multiple times quickly or hit the enter key multiple times quickly, will 
try to sent multiple authentication requests and some plugins (like RSA 
one-time-passwords) will fail on the attempts more than one and lock you out.  
Really should double check all screens and make sure this issue isn't a 
usability problem. 


What is the expected output? What do you see instead?
1. Should disable the submit action until the asynchronous event comes back 
either success or fail, only re-enable then.