| commit | author | age | ||
| efdb2b | 1 | /* |
| JM | 2 | * Copyright 2013 gitblit.com. |
| 3 | * | |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); | |
| 5 | * you may not use this file except in compliance with the License. | |
| 6 | * You may obtain a copy of the License at | |
| 7 | * | |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 | |
| 9 | * | |
| 10 | * Unless required by applicable law or agreed to in writing, software | |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, | |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
| 13 | * See the License for the specific language governing permissions and | |
| 14 | * limitations under the License. | |
| 15 | */ | |
| 16 | package com.gitblit.wicket.pages; | |
| 17 | ||
| 18 | import javax.servlet.http.HttpServletRequest; | |
| 19 | import javax.servlet.http.HttpServletResponse; | |
| 20 | ||
| 21 | import org.apache.wicket.PageParameters; | |
| 22 | import org.apache.wicket.markup.html.WebPage; | |
| 23 | import org.apache.wicket.protocol.http.WebRequest; | |
| 24 | import org.apache.wicket.protocol.http.WebResponse; | |
| 25 | ||
| 26 | import com.gitblit.Constants; | |
| 27 | import com.gitblit.Constants.AuthenticationType; | |
| 28 | import com.gitblit.Keys; | |
| 29 | import com.gitblit.models.UserModel; | |
| 30 | import com.gitblit.utils.StringUtils; | |
| 31 | import com.gitblit.wicket.GitBlitWebApp; | |
| 32 | import com.gitblit.wicket.GitBlitWebSession; | |
| 33 | ||
| 34 | public abstract class SessionPage extends WebPage { | |
| 35 | ||
| 36 | public SessionPage() { | |
| 37 | super(); | |
| 38 | login(); | |
| 39 | } | |
| 40 | ||
| 41 | public SessionPage(final PageParameters params) { | |
| 42 | super(params); | |
| 43 | login(); | |
| 44 | } | |
| 45 | ||
| 46 | protected String [] getEncodings() { | |
| 47 | return app().settings().getStrings(Keys.web.blobEncodings).toArray(new String[0]); | |
| 48 | } | |
| 49 | ||
| 50 | protected GitBlitWebApp app() { | |
| 51 | return GitBlitWebApp.get(); | |
| 52 | } | |
| 53 | ||
| 54 | private void login() { | |
| 55 | GitBlitWebSession session = GitBlitWebSession.get(); | |
| 56 | HttpServletRequest request = ((WebRequest) getRequest()).getHttpServletRequest(); | |
| 57 | HttpServletResponse response = ((WebResponse) getResponse()).getHttpServletResponse(); | |
| 58 | ||
| 62e025 | 59 | // If using container/external servlet authentication, use request attribute |
| JJ | 60 | String authedUser = (String) request.getAttribute(Constants.ATTRIB_AUTHUSER); |
| efdb2b | 61 | |
| 62e025 | 62 | // Default to trusting session authentication if not set in request by external processing |
| JJ | 63 | if (StringUtils.isEmpty(authedUser) && session.isLoggedIn()) { |
| 64 | authedUser = session.getUsername(); | |
| 65 | } | |
| 66 | ||
| 67 | if (!StringUtils.isEmpty(authedUser)) { | |
| 68 | // Avoid session fixation for non-session authentication | |
| 69 | // If the authenticated user is different from the session user, discard | |
| 70 | // the old session entirely, without trusting any session values | |
| 71 | if (!authedUser.equals(session.getUsername())) { | |
| 72 | session.replaceSession(); | |
| efdb2b | 73 | } |
| JM | 74 | |
| 62e025 | 75 | if (!session.isSessionInvalidated()) { |
| JJ | 76 | // Refresh usermodel to pick up any changes to permissions or roles (issue-186) |
| 77 | UserModel user = app().users().getUserModel(authedUser); | |
| 78 | ||
| 79 | if (user == null || user.disabled) { | |
| 80 | // user was deleted/disabled during session | |
| 81 | app().authentication().logout(request, response, user); | |
| 82 | session.setUser(null); | |
| 83 | session.invalidateNow(); | |
| 84 | return; | |
| 85 | } | |
| 86 | ||
| 87 | // validate cookie during session (issue-361) | |
| 88 | if (app().settings().getBoolean(Keys.web.allowCookieAuthentication, true)) { | |
| 89 | String requestCookie = app().authentication().getCookie(request); | |
| 90 | if (!StringUtils.isEmpty(requestCookie) && !StringUtils.isEmpty(user.cookie)) { | |
| 91 | if (!requestCookie.equals(user.cookie)) { | |
| 92 | // cookie was changed during our session | |
| 93 | app().authentication().logout(request, response, user); | |
| 94 | session.setUser(null); | |
| 95 | session.invalidateNow(); | |
| 96 | return; | |
| 97 | } | |
| efdb2b | 98 | } |
| JM | 99 | } |
| 62e025 | 100 | session.setUser(user); |
| JJ | 101 | return; |
| efdb2b | 102 | } |
| JM | 103 | } |
| 104 | ||
| 105 | // try to authenticate by servlet request | |
| 106 | UserModel user = app().authentication().authenticate(request); | |
| 107 | ||
| 108 | // Login the user | |
| 109 | if (user != null) { | |
| 62e025 | 110 | AuthenticationType authenticationType = (AuthenticationType) request.getAttribute(Constants.ATTRIB_AUTHTYPE); |
| efdb2b | 111 | |
| JM | 112 | // issue 62: fix session fixation vulnerability |
| 14d630 | 113 | // but only if authentication was done in the container. |
| FB | 114 | // It avoid double change of session, that some authentication method |
| 115 | // don't like | |
| 116 | if (AuthenticationType.CONTAINER != authenticationType) { | |
| 117 | session.replaceSession(); | |
| 62e025 | 118 | } |
| efdb2b | 119 | session.setUser(user); |
| JM | 120 | |
| 121 | // Set Cookie | |
| 122 | app().authentication().setCookie(request, response, user); | |
| 123 | ||
| 124 | session.continueRequest(); | |
| 125 | } | |
| 126 | } | |
| 127 | } | |
