Zzzz/Book-management-system
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

add logging

Browse Source
This commit is contained in:
Zzzz
2026-04-28 18:37:26 +08:00
parent cc32c222a4
commit 781ce4697e
4 changed files with 58 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.trellis/spec/backend/database-guidelines.md
+8
View File
@@ -630,6 +630,14 @@ reports/dashboard.jsp <- ReportServlet <- ReportService <- ReportDao <- books/re
- `users.username`: unique login identifier submitted by `LoginServlet`.
- `users.password_hash`: PBKDF2 hash in
`pbkdf2_sha256$iterations$saltBase64$hashBase64` format.
- Local scaffold demo users must have documented, known initial passwords for
new deployments: `admin/admin123`, `librarian/librarian123`, and
`reader/reader123`. Their `schema.sql` hashes must verify through
`PasswordHasher.verify` and must be treated as local/demo-only credentials,
never production credentials.
- `schema.sql` uses `INSERT IGNORE` for demo `users` rows. Replaying the schema
must not be assumed to reset existing account passwords; README reset
guidance must call this out explicitly.
- `users.role_code`: foreign key to `roles.code`; supported scaffold values
are `administrator`, `librarian`, and `reader`.
- `users.active`: only rows with `active = 1` can authenticate.
.trellis/tasks/04-28-windows-login-diagnostic-logs/prd.md
+12
View File
@@ -27,6 +27,11 @@ Add safe server-side diagnostic logs to the login/authentication path so a Windo
* Preserve the current user-facing Chinese error message and login behavior.
* Keep the implementation in the existing Servlet + service + DAO + JDBC stack.
* Prefer `java.util.logging` patterns already used in the project.
* Document and seed explicit local/demo initial credentials so new deployments are not blocked by unrecoverable password hashes:
* `admin` / `admin123`
* `librarian` / `librarian123`
* `reader` / `reader123`
* Make clear that these demo passwords are for local scaffold verification only and must be changed or removed before non-local/production use.
## Acceptance Criteria
@@ -36,6 +41,9 @@ Add safe server-side diagnostic logs to the login/authentication path so a Windo
* [x] No log statement outputs a raw password, password hash, salt, or database password.
* [x] Existing login success/failure behavior remains unchanged for users.
* [x] `mvn test` or the closest available Maven verification command succeeds.
* [x] README lists the local/demo initial login accounts and passwords with an explicit non-production warning.
* [x] `schema.sql` seed user hashes verify against the documented demo passwords for new deployments.
* [x] Existing deployments have a documented SQL reset path or warning explaining that `INSERT IGNORE` will not overwrite existing user rows.
## Definition Of Done
@@ -68,3 +76,7 @@ Add safe server-side diagnostic logs to the login/authentication path so a Windo
* `/home/sjy/.sdkman/candidates/maven/current/bin/mvn package` passed with `BUILD SUCCESS` and produced `target/library-management.war`.
* `git diff --check` passed.
* Sensitive logger scan only found boolean password state fields, `password=<redacted>`, and `password-mismatch` category labels.
* Verification completed at 2026-04-28 18:33 +0800:
* `PasswordHasher.verify` returned `true` for `admin/admin123`, `librarian/librarian123`, and `reader/reader123` against the updated `schema.sql` PBKDF2 hashes.
* `/home/sjy/.sdkman/candidates/maven/current/bin/mvn verify` passed with `BUILD SUCCESS`.
* `git diff --check` passed.