Add possibility to remember password for shared databases.

[obraliar]

Issue: #1703. (completition)

Store last used connection in the "open remote database dialog"

Screenshot:

• Screenshots added (for bigger UI changes)
• Manually tested changed features in running JabRef

[koppor]

Is it possible to use another node for storing? The whole preference tree gets exported. Therefore, this should be located somewhere else @matthiasgeiger

[obraliar]

Done.

[koppor]

Could you use some unique system properties such as the login name, serial number of Windows or something as additional encryption key? - If you use that too, maybe the preferences can be exported completely.

As alternative, on Windows, maybe the Windows Credential Store can be used? On Linux, the key store. On Mac?

[matthiasgeiger]

Maybe this Preferences userPrefs = Preferences.userRoot().node( "/com/tutego/insel" ); as used here http://openbook.rheinwerk-verlag.de/javainsel/javainsel_11_009.html could be used to create another registry node just for the password which is then not exported by JabRef.

// Edit: Of course it must be outside "/net/sf/jabref" ... ;-)

[boceckts]

The password should only be set when there is a password available and the checkbox to remember the password is checked so please add && sharedDatabaseRememberPassword.

[obraliar]

See: https://github.com/JabRef/jabref/pull/1846/files#diff-bf287bbdc594ec6ec66a15154e141110R316. If the checkbox is not select the pref is going to be cleared.

[boceckts]

Only minor coments from me. Once they are done and the conflicts are reseolved, it looks good to me 👍

[Siedlerchr]

Password Hashing is the solution! (It should have come earlier to my mind)
https://paragonie.com/blog/2016/02/how-safely-store-password-in-2016#java

[obraliar]

@matthiasgeiger Unfortunately it does not work. I used for testing private final Preferences internalPrefs = Preferences.userRoot().node("/bla/bla1/security"); If I export the preferences, the following nodes appear again:

  1 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
  2 <!DOCTYPE preferences SYSTEM "http://java.sun.com/dtd/preferences.dtd">
  3 <preferences EXTERNAL_XML_VERSION="1.0">
  4   <root type="user">
  5     <map/>
  6     <node name="net">
  7       <map/>
  8       <node name="sf">
  9         <map/>
 10         <node name="jabref">
 11           <map>
 12           <!-- ... -->
 13           </map>
 14           <node name="bibtexKeyPattern">
 15             <map/>
 16           </node>
 17           <node name="bibtexkeypatterns">
 18             <map/>
 19           </node>
 20           <node name="gui">
 21             <map/>
 22             <node name="shared">
 23               <map>
 24                 <entry key="sharedDatabasePassword" value="kJicIWFbSjTjw5QYiENFLA=="/>
 25               </map>
 26             </node>
 27           </node>
 28           <node name="labelPattern">
 29             <map/>
 30           </node>
 31           <node name="logic">
 32             <map/>
 33             <node name="labelpattern">
 34               <map/>
 35             </node>
 36           </node>
 37         </node>
 38       </node>
 39     </node>
 40   </root>
 41 </preferences>

As another solution we could add new SharedDatabasePreferences().clear(); into JabRefPreferences.exportPreferences(String filename).

[matthiasgeiger]

@obraliar I think that the exported key is a remnant of previously saved settings.

If you are using windows use regedit to delete the keys in the node HKEY_CURRENT_USER\SOFTWARE\JavaSoft\Prefs\net\sf\jabref\gui\shared

Your addition should be placed in HKEY_CURRENT_USER\SOFTWARE\JavaSoft\Prefs\bla\bla1\security

[obraliar]

@Siedlerchr There should be a possibility to decrypt the password again as this is going to be sent to DBMS. Could you explain what to do with hashing?

[obraliar]

@matthiasgeiger 👍 I'm using Linux (Debian) and there you have to remove ~/.java/.userPrefs/net/sf from file system. Now it works very well!
Now using: private final Preferences internalPrefs = Preferences.userRoot().node("/net/sf/security/jabref");

[obraliar]

@koppor What about using the MAC address?

[matthiasgeiger]

I think the suggestion is now obsolote as exporting the prefs without the password is now possible. Maybe we should add a comment in the help file that the password is saved on the local hard disk - then a user can decide whether he wants to save it or not...

Regarding the prefs node: As we want to move the package from "net.sf" to "org" eventually in the future it would be perhaps better to use Preferences.getUserNodeForPackage(JabRefMain.class).parent().node("jabref-pwdstorage") to use a relative approach.

[obraliar]

@matthiasgeiger I agree cause the safest way is not to use the function "remember password" as this is generally a security gap due to symetric encryption.

[Siedlerchr]

Forget about the Hashing. I didn't think about that you need it in plaintex to send to the db..

[koppor]

@matthiasgeiger I would nevertheless keep a simple encryption to make it a bit harder to access the password.

[obraliar]

@JabRef/developers Could someone look at this PR and possibly merge it in, please?
Reason: @koppor is offline for a week.

[stefan-kolb]

LGTM 👍

[Siedlerchr]

Change the class in getLog to the actual class name (OpenSharedDatabaseDialog)
Otherwise logs shows wrong class.

[obraliar]

Done.

[Siedlerchr]

Generally good work, if you address the comments, then we can merge it in 👍

[stefan-kolb]

Why is the logger protected here?

[obraliar]

Done. Copy & paste from DBMSProcessor 🙈.

[obraliar]

All issues have been fixed.