| commit | author | age | ||
| 04a985 | 1 | /* |
| JM | 2 | * Copyright 2013 gitblit.com. |
| 3 | * | |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); | |
| 5 | * you may not use this file except in compliance with the License. | |
| 6 | * You may obtain a copy of the License at | |
| 7 | * | |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 | |
| 9 | * | |
| 10 | * Unless required by applicable law or agreed to in writing, software | |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, | |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
| 13 | * See the License for the specific language governing permissions and | |
| 14 | * limitations under the License. | |
| 15 | */ | |
| 16 | package com.gitblit.manager; | |
| 17 | ||
| 18 | import java.nio.charset.Charset; | |
| 19 | import java.security.Principal; | |
| 20 | import java.text.MessageFormat; | |
| 21 | import java.util.ArrayList; | |
| 22 | import java.util.HashMap; | |
| 23 | import java.util.List; | |
| 24 | import java.util.Map; | |
| 7ab32b | 25 | import java.util.concurrent.TimeUnit; |
| 04a985 | 26 | |
| JM | 27 | import javax.servlet.http.Cookie; |
| 28 | import javax.servlet.http.HttpServletRequest; | |
| 29 | import javax.servlet.http.HttpServletResponse; | |
| 30 | ||
| 31 | import org.apache.wicket.RequestCycle; | |
| 32 | import org.slf4j.Logger; | |
| 33 | import org.slf4j.LoggerFactory; | |
| 34 | ||
| 35 | import com.gitblit.Constants; | |
| 36 | import com.gitblit.Constants.AccountType; | |
| 37 | import com.gitblit.Constants.AuthenticationType; | |
| 38 | import com.gitblit.IStoredSettings; | |
| 39 | import com.gitblit.Keys; | |
| 40 | import com.gitblit.auth.AuthenticationProvider; | |
| 41 | import com.gitblit.auth.AuthenticationProvider.UsernamePasswordAuthenticationProvider; | |
| 42 | import com.gitblit.auth.HtpasswdAuthProvider; | |
| 43 | import com.gitblit.auth.LdapAuthProvider; | |
| 44 | import com.gitblit.auth.PAMAuthProvider; | |
| 45 | import com.gitblit.auth.RedmineAuthProvider; | |
| 46 | import com.gitblit.auth.SalesforceAuthProvider; | |
| 47 | import com.gitblit.auth.WindowsAuthProvider; | |
| 48 | import com.gitblit.models.TeamModel; | |
| 49 | import com.gitblit.models.UserModel; | |
| bcc8a0 | 50 | import com.gitblit.transport.ssh.SshKey; |
| 04a985 | 51 | import com.gitblit.utils.Base64; |
| JM | 52 | import com.gitblit.utils.HttpUtils; |
| 53 | import com.gitblit.utils.StringUtils; | |
| 54 | import com.gitblit.utils.X509Utils.X509Metadata; | |
| 55 | import com.gitblit.wicket.GitBlitWebSession; | |
| 56 | ||
| 57 | /** | |
| 58 | * The authentication manager handles user login & logout. | |
| 59 | * | |
| 60 | * @author James Moger | |
| 61 | * | |
| 62 | */ | |
| 63 | public class AuthenticationManager implements IAuthenticationManager { | |
| 64 | ||
| 65 | private final Logger logger = LoggerFactory.getLogger(getClass()); | |
| 66 | ||
| 67 | private final IStoredSettings settings; | |
| 68 | ||
| 69 | private final IRuntimeManager runtimeManager; | |
| 70 | ||
| 71 | private final IUserManager userManager; | |
| 72 | ||
| 73 | private final List<AuthenticationProvider> authenticationProviders; | |
| 74 | ||
| 75 | private final Map<String, Class<? extends AuthenticationProvider>> providerNames; | |
| 76 | ||
| 77 | private final Map<String, String> legacyRedirects; | |
| 78 | ||
| 79 | public AuthenticationManager( | |
| 80 | IRuntimeManager runtimeManager, | |
| 81 | IUserManager userManager) { | |
| 82 | ||
| 83 | this.settings = runtimeManager.getSettings(); | |
| 84 | this.runtimeManager = runtimeManager; | |
| 85 | this.userManager = userManager; | |
| 86 | this.authenticationProviders = new ArrayList<AuthenticationProvider>(); | |
| 87 | ||
| 88 | // map of shortcut provider names | |
| 89 | providerNames = new HashMap<String, Class<? extends AuthenticationProvider>>(); | |
| 90 | providerNames.put("htpasswd", HtpasswdAuthProvider.class); | |
| 91 | providerNames.put("ldap", LdapAuthProvider.class); | |
| 92 | providerNames.put("pam", PAMAuthProvider.class); | |
| 93 | providerNames.put("redmine", RedmineAuthProvider.class); | |
| 94 | providerNames.put("salesforce", SalesforceAuthProvider.class); | |
| 95 | providerNames.put("windows", WindowsAuthProvider.class); | |
| 96 | ||
| 97 | // map of legacy external user services | |
| 98 | legacyRedirects = new HashMap<String, String>(); | |
| 99 | legacyRedirects.put("com.gitblit.HtpasswdUserService", "htpasswd"); | |
| 100 | legacyRedirects.put("com.gitblit.LdapUserService", "ldap"); | |
| 101 | legacyRedirects.put("com.gitblit.PAMUserService", "pam"); | |
| 102 | legacyRedirects.put("com.gitblit.RedmineUserService", "redmine"); | |
| 103 | legacyRedirects.put("com.gitblit.SalesforceUserService", "salesforce"); | |
| 104 | legacyRedirects.put("com.gitblit.WindowsUserService", "windows"); | |
| 105 | } | |
| 106 | ||
| 107 | @Override | |
| 108 | public AuthenticationManager start() { | |
| 109 | // automatically adjust legacy configurations | |
| 110 | String realm = settings.getString(Keys.realm.userService, "${baseFolder}/users.conf"); | |
| 111 | if (legacyRedirects.containsKey(realm)) { | |
| 112 | logger.warn(""); | |
| 088b6f | 113 | logger.warn(Constants.BORDER2); |
| 04a985 | 114 | logger.warn(" IUserService '{}' is obsolete!", realm); |
| JM | 115 | logger.warn(" Please set '{}={}'", "realm.authenticationProviders", legacyRedirects.get(realm)); |
| 088b6f | 116 | logger.warn(Constants.BORDER2); |
| 04a985 | 117 | logger.warn(""); |
| JM | 118 | |
| 119 | // conditionally override specified authentication providers | |
| 120 | if (StringUtils.isEmpty(settings.getString(Keys.realm.authenticationProviders, null))) { | |
| 121 | settings.overrideSetting(Keys.realm.authenticationProviders, legacyRedirects.get(realm)); | |
| 122 | } | |
| 123 | } | |
| 124 | ||
| 125 | // instantiate and setup specified authentication providers | |
| 126 | List<String> providers = settings.getStrings(Keys.realm.authenticationProviders); | |
| 127 | if (providers.isEmpty()) { | |
| 128 | logger.info("External authentication disabled."); | |
| 129 | } else { | |
| 130 | for (String provider : providers) { | |
| 131 | try { | |
| 132 | Class<?> authClass; | |
| 133 | if (providerNames.containsKey(provider)) { | |
| 134 | // map the name -> class | |
| 135 | authClass = providerNames.get(provider); | |
| 136 | } else { | |
| 137 | // reflective lookup | |
| 138 | authClass = Class.forName(provider); | |
| 139 | } | |
| 140 | logger.info("setting up {}", authClass.getName()); | |
| 141 | AuthenticationProvider authImpl = (AuthenticationProvider) authClass.newInstance(); | |
| 142 | authImpl.setup(runtimeManager, userManager); | |
| 143 | authenticationProviders.add(authImpl); | |
| 144 | } catch (Exception e) { | |
| 145 | logger.error("", e); | |
| 146 | } | |
| 147 | } | |
| 148 | } | |
| 149 | return this; | |
| 150 | } | |
| 151 | ||
| 152 | @Override | |
| 153 | public AuthenticationManager stop() { | |
| 6659fa | 154 | for (AuthenticationProvider provider : authenticationProviders) { |
| JM | 155 | try { |
| 156 | provider.stop(); | |
| 157 | } catch (Exception e) { | |
| 158 | logger.error("Failed to stop " + provider.getClass().getSimpleName(), e); | |
| 159 | } | |
| 160 | } | |
| 04a985 | 161 | return this; |
| JM | 162 | } |
| bcc8a0 | 163 | |
| b4a63a | 164 | public void addAuthenticationProvider(AuthenticationProvider prov) { |
| JM | 165 | authenticationProviders.add(prov); |
| 166 | } | |
| 04a985 | 167 | |
| JM | 168 | /** |
| 169 | * Authenticate a user based on HTTP request parameters. | |
| 170 | * | |
| 171 | * Authentication by X509Certificate is tried first and then by cookie. | |
| 172 | * | |
| 173 | * @param httpRequest | |
| 174 | * @return a user object or null | |
| 175 | */ | |
| 176 | @Override | |
| 177 | public UserModel authenticate(HttpServletRequest httpRequest) { | |
| 178 | return authenticate(httpRequest, false); | |
| 179 | } | |
| 180 | ||
| 181 | /** | |
| 182 | * Authenticate a user based on HTTP request parameters. | |
| 183 | * | |
| 184 | * Authentication by servlet container principal, X509Certificate, cookie, | |
| 185 | * and finally BASIC header. | |
| 186 | * | |
| 187 | * @param httpRequest | |
| 188 | * @param requiresCertificate | |
| 189 | * @return a user object or null | |
| 190 | */ | |
| 191 | @Override | |
| 192 | public UserModel authenticate(HttpServletRequest httpRequest, boolean requiresCertificate) { | |
| 193 | // try to authenticate by servlet container principal | |
| 194 | if (!requiresCertificate) { | |
| 195 | Principal principal = httpRequest.getUserPrincipal(); | |
| 196 | if (principal != null) { | |
| 197 | String username = principal.getName(); | |
| 198 | if (!StringUtils.isEmpty(username)) { | |
| 23e08c | 199 | boolean internalAccount = userManager.isInternalAccount(username); |
| 04a985 | 200 | UserModel user = userManager.getUserModel(username); |
| JM | 201 | if (user != null) { |
| 202 | // existing user | |
| 203 | flagWicketSession(AuthenticationType.CONTAINER); | |
| 204 | logger.debug(MessageFormat.format("{0} authenticated by servlet container principal from {1}", | |
| 205 | user.username, httpRequest.getRemoteAddr())); | |
| 9aa119 | 206 | return validateAuthentication(user, AuthenticationType.CONTAINER); |
| 04a985 | 207 | } else if (settings.getBoolean(Keys.realm.container.autoCreateAccounts, false) |
| JM | 208 | && !internalAccount) { |
| 209 | // auto-create user from an authenticated container principal | |
| 210 | user = new UserModel(username.toLowerCase()); | |
| 211 | user.displayName = username; | |
| 212 | user.password = Constants.EXTERNAL_ACCOUNT; | |
| 213 | user.accountType = AccountType.CONTAINER; | |
| 214 | userManager.updateUserModel(user); | |
| 215 | flagWicketSession(AuthenticationType.CONTAINER); | |
| 216 | logger.debug(MessageFormat.format("{0} authenticated and created by servlet container principal from {1}", | |
| 217 | user.username, httpRequest.getRemoteAddr())); | |
| 9aa119 | 218 | return validateAuthentication(user, AuthenticationType.CONTAINER); |
| 04a985 | 219 | } else if (!internalAccount) { |
| JM | 220 | logger.warn(MessageFormat.format("Failed to find UserModel for {0}, attempted servlet container authentication from {1}", |
| 221 | principal.getName(), httpRequest.getRemoteAddr())); | |
| 222 | } | |
| 223 | } | |
| 224 | } | |
| 225 | } | |
| 226 | ||
| 227 | // try to authenticate by certificate | |
| 228 | boolean checkValidity = settings.getBoolean(Keys.git.enforceCertificateValidity, true); | |
| 229 | String [] oids = settings.getStrings(Keys.git.certificateUsernameOIDs).toArray(new String[0]); | |
| 230 | UserModel model = HttpUtils.getUserModelFromCertificate(httpRequest, checkValidity, oids); | |
| 231 | if (model != null) { | |
| 232 | // grab real user model and preserve certificate serial number | |
| 233 | UserModel user = userManager.getUserModel(model.username); | |
| 234 | X509Metadata metadata = HttpUtils.getCertificateMetadata(httpRequest); | |
| 235 | if (user != null) { | |
| 236 | flagWicketSession(AuthenticationType.CERTIFICATE); | |
| 237 | logger.debug(MessageFormat.format("{0} authenticated by client certificate {1} from {2}", | |
| 238 | user.username, metadata.serialNumber, httpRequest.getRemoteAddr())); | |
| 9aa119 | 239 | return validateAuthentication(user, AuthenticationType.CERTIFICATE); |
| 04a985 | 240 | } else { |
| JM | 241 | logger.warn(MessageFormat.format("Failed to find UserModel for {0}, attempted client certificate ({1}) authentication from {2}", |
| 242 | model.username, metadata.serialNumber, httpRequest.getRemoteAddr())); | |
| 243 | } | |
| 244 | } | |
| 245 | ||
| 246 | if (requiresCertificate) { | |
| 247 | // caller requires client certificate authentication (e.g. git servlet) | |
| 248 | return null; | |
| 249 | } | |
| 250 | ||
| 7ab32b | 251 | UserModel user = null; |
| JM | 252 | |
| 04a985 | 253 | // try to authenticate by cookie |
| 7ab32b | 254 | String cookie = getCookie(httpRequest); |
| JM | 255 | if (!StringUtils.isEmpty(cookie)) { |
| 256 | user = userManager.getUserModel(cookie.toCharArray()); | |
| 257 | if (user != null) { | |
| 258 | flagWicketSession(AuthenticationType.COOKIE); | |
| 259 | logger.debug(MessageFormat.format("{0} authenticated by cookie from {1}", | |
| 04a985 | 260 | user.username, httpRequest.getRemoteAddr())); |
| 9aa119 | 261 | return validateAuthentication(user, AuthenticationType.COOKIE); |
| 7ab32b | 262 | } |
| 04a985 | 263 | } |
| JM | 264 | |
| 265 | // try to authenticate by BASIC | |
| 266 | final String authorization = httpRequest.getHeader("Authorization"); | |
| 267 | if (authorization != null && authorization.startsWith("Basic")) { | |
| 268 | // Authorization: Basic base64credentials | |
| 269 | String base64Credentials = authorization.substring("Basic".length()).trim(); | |
| 270 | String credentials = new String(Base64.decode(base64Credentials), | |
| 271 | Charset.forName("UTF-8")); | |
| 272 | // credentials = username:password | |
| 273 | final String[] values = credentials.split(":", 2); | |
| 274 | ||
| 275 | if (values.length == 2) { | |
| 276 | String username = values[0]; | |
| 277 | char[] password = values[1].toCharArray(); | |
| 278 | user = authenticate(username, password); | |
| 279 | if (user != null) { | |
| 280 | flagWicketSession(AuthenticationType.CREDENTIALS); | |
| 281 | logger.debug(MessageFormat.format("{0} authenticated by BASIC request header from {1}", | |
| 282 | user.username, httpRequest.getRemoteAddr())); | |
| 9aa119 | 283 | return validateAuthentication(user, AuthenticationType.CREDENTIALS); |
| 04a985 | 284 | } else { |
| JM | 285 | logger.warn(MessageFormat.format("Failed login attempt for {0}, invalid credentials from {1}", |
| 286 | username, httpRequest.getRemoteAddr())); | |
| 287 | } | |
| 288 | } | |
| 289 | } | |
| 290 | return null; | |
| 9aa119 | 291 | } |
| JM | 292 | |
| 293 | /** | |
| 44e2ee | 294 | * Authenticate a user based on a public key. |
| e3b636 | 295 | * |
| 44e2ee | 296 | * This implementation assumes that the authentication has already take place |
| JM | 297 | * (e.g. SSHDaemon) and that this is a validation/verification of the user. |
| 298 | * | |
| 299 | * @param username | |
| 300 | * @param key | |
| e3b636 | 301 | * @return a user object or null |
| DO | 302 | */ |
| 303 | @Override | |
| bcc8a0 | 304 | public UserModel authenticate(String username, SshKey key) { |
| e3b636 | 305 | if (username != null) { |
| DO | 306 | if (!StringUtils.isEmpty(username)) { |
| 307 | UserModel user = userManager.getUserModel(username); | |
| 308 | if (user != null) { | |
| 309 | // existing user | |
| 44e2ee | 310 | logger.debug(MessageFormat.format("{0} authenticated by {1} public key", |
| JM | 311 | user.username, key.getAlgorithm())); |
| 312 | return validateAuthentication(user, AuthenticationType.PUBLIC_KEY); | |
| e3b636 | 313 | } |
| 44e2ee | 314 | logger.warn(MessageFormat.format("Failed to find UserModel for {0} during public key authentication", |
| JM | 315 | username)); |
| e3b636 | 316 | } |
| DO | 317 | } else { |
| 44e2ee | 318 | logger.warn("Empty user passed to AuthenticationManager.authenticate!"); |
| e3b636 | 319 | } |
| DO | 320 | return null; |
| 321 | } | |
| 322 | ||
| 323 | ||
| 324 | /** | |
| 9aa119 | 325 | * This method allows the authentication manager to reject authentication |
| JM | 326 | * attempts. It is called after the username/secret have been verified to |
| 327 | * ensure that the authentication technique has been logged. | |
| 328 | * | |
| 329 | * @param user | |
| 330 | * @return | |
| 331 | */ | |
| 332 | protected UserModel validateAuthentication(UserModel user, AuthenticationType type) { | |
| 333 | if (user == null) { | |
| 334 | return null; | |
| 335 | } | |
| 336 | if (user.disabled) { | |
| 337 | // user has been disabled | |
| 338 | logger.warn("Rejected {} authentication attempt by disabled account \"{}\"", | |
| 339 | type, user.username); | |
| 340 | return null; | |
| 341 | } | |
| 342 | return user; | |
| 04a985 | 343 | } |
| JM | 344 | |
| 345 | protected void flagWicketSession(AuthenticationType authenticationType) { | |
| 346 | RequestCycle requestCycle = RequestCycle.get(); | |
| 347 | if (requestCycle != null) { | |
| 348 | // flag the Wicket session, if this is a Wicket request | |
| 349 | GitBlitWebSession session = GitBlitWebSession.get(); | |
| 350 | session.authenticationType = authenticationType; | |
| 351 | } | |
| 352 | } | |
| 353 | ||
| 354 | /** | |
| 355 | * Authenticate a user based on a username and password. | |
| 356 | * | |
| 357 | * @see IUserService.authenticate(String, char[]) | |
| 358 | * @param username | |
| 359 | * @param password | |
| 360 | * @return a user object or null | |
| 361 | */ | |
| 362 | @Override | |
| 363 | public UserModel authenticate(String username, char[] password) { | |
| 364 | if (StringUtils.isEmpty(username)) { | |
| 365 | // can not authenticate empty username | |
| 366 | return null; | |
| 367 | } | |
| 368 | ||
| 369 | String usernameDecoded = StringUtils.decodeUsername(username); | |
| 370 | String pw = new String(password); | |
| 371 | if (StringUtils.isEmpty(pw)) { | |
| 372 | // can not authenticate empty password | |
| 373 | return null; | |
| 374 | } | |
| 375 | ||
| 376 | UserModel user = userManager.getUserModel(usernameDecoded); | |
| 1293c2 | 377 | |
| JM | 378 | // try local authentication |
| 379 | if (user != null && user.isLocalAccount()) { | |
| b4a63a | 380 | return authenticateLocal(user, password); |
| 04a985 | 381 | } |
| JM | 382 | |
| 383 | // try registered external authentication providers | |
| b4a63a | 384 | for (AuthenticationProvider provider : authenticationProviders) { |
| JM | 385 | if (provider instanceof UsernamePasswordAuthenticationProvider) { |
| 386 | UserModel returnedUser = provider.authenticate(usernameDecoded, password); | |
| 387 | if (returnedUser != null) { | |
| 388 | // user authenticated | |
| 389 | returnedUser.accountType = provider.getAccountType(); | |
| 390 | return validateAuthentication(returnedUser, AuthenticationType.CREDENTIALS); | |
| 04a985 | 391 | } |
| JM | 392 | } |
| 393 | } | |
| bcc8a0 | 394 | |
| b4a63a | 395 | // could not authenticate locally or with a provider |
| JM | 396 | return null; |
| 397 | } | |
| bcc8a0 | 398 | |
| b4a63a | 399 | /** |
| JM | 400 | * Returns a UserModel if local authentication succeeds. |
| bcc8a0 | 401 | * |
| b4a63a | 402 | * @param user |
| JM | 403 | * @param password |
| 404 | * @return a UserModel if local authentication succeeds, null otherwise | |
| 405 | */ | |
| 406 | protected UserModel authenticateLocal(UserModel user, char [] password) { | |
| 407 | UserModel returnedUser = null; | |
| 408 | if (user.password.startsWith(StringUtils.MD5_TYPE)) { | |
| 409 | // password digest | |
| 410 | String md5 = StringUtils.MD5_TYPE + StringUtils.getMD5(new String(password)); | |
| 411 | if (user.password.equalsIgnoreCase(md5)) { | |
| 412 | returnedUser = user; | |
| 413 | } | |
| 414 | } else if (user.password.startsWith(StringUtils.COMBINED_MD5_TYPE)) { | |
| 415 | // username+password digest | |
| 416 | String md5 = StringUtils.COMBINED_MD5_TYPE | |
| 417 | + StringUtils.getMD5(user.username.toLowerCase() + new String(password)); | |
| 418 | if (user.password.equalsIgnoreCase(md5)) { | |
| 419 | returnedUser = user; | |
| 420 | } | |
| 421 | } else if (user.password.equals(new String(password))) { | |
| 422 | // plain-text password | |
| 423 | returnedUser = user; | |
| 424 | } | |
| 425 | return validateAuthentication(returnedUser, AuthenticationType.CREDENTIALS); | |
| 04a985 | 426 | } |
| JM | 427 | |
| 428 | /** | |
| 7ab32b | 429 | * Returns the Gitlbit cookie in the request. |
| JM | 430 | * |
| 431 | * @param request | |
| 432 | * @return the Gitblit cookie for the request or null if not found | |
| 433 | */ | |
| 434 | @Override | |
| 435 | public String getCookie(HttpServletRequest request) { | |
| 436 | if (settings.getBoolean(Keys.web.allowCookieAuthentication, true)) { | |
| 437 | Cookie[] cookies = request.getCookies(); | |
| 438 | if (cookies != null && cookies.length > 0) { | |
| 439 | for (Cookie cookie : cookies) { | |
| 440 | if (cookie.getName().equals(Constants.NAME)) { | |
| 441 | String value = cookie.getValue(); | |
| 442 | return value; | |
| 443 | } | |
| 444 | } | |
| 445 | } | |
| 446 | } | |
| 447 | return null; | |
| 448 | } | |
| 449 | ||
| 450 | /** | |
| 04a985 | 451 | * Sets a cookie for the specified user. |
| JM | 452 | * |
| 453 | * @param response | |
| 454 | * @param user | |
| 455 | */ | |
| 456 | @Override | |
| ec7ed8 | 457 | @Deprecated |
| 04a985 | 458 | public void setCookie(HttpServletResponse response, UserModel user) { |
| ec7ed8 | 459 | setCookie(null, response, user); |
| JM | 460 | } |
| 461 | ||
| 462 | /** | |
| 463 | * Sets a cookie for the specified user. | |
| 464 | * | |
| 465 | * @param request | |
| 466 | * @param response | |
| 467 | * @param user | |
| 468 | */ | |
| 469 | @Override | |
| 470 | public void setCookie(HttpServletRequest request, HttpServletResponse response, UserModel user) { | |
| 04a985 | 471 | if (settings.getBoolean(Keys.web.allowCookieAuthentication, true)) { |
| JM | 472 | GitBlitWebSession session = GitBlitWebSession.get(); |
| 473 | boolean standardLogin = session.authenticationType.isStandard(); | |
| 474 | ||
| 475 | if (standardLogin) { | |
| 476 | Cookie userCookie; | |
| 477 | if (user == null) { | |
| 478 | // clear cookie for logout | |
| 479 | userCookie = new Cookie(Constants.NAME, ""); | |
| 480 | } else { | |
| 481 | // set cookie for login | |
| 482 | String cookie = userManager.getCookie(user); | |
| 483 | if (StringUtils.isEmpty(cookie)) { | |
| 484 | // create empty cookie | |
| 485 | userCookie = new Cookie(Constants.NAME, ""); | |
| 486 | } else { | |
| 487 | // create real cookie | |
| 488 | userCookie = new Cookie(Constants.NAME, cookie); | |
| 7ab32b | 489 | // expire the cookie in 7 days |
| JM | 490 | userCookie.setMaxAge((int) TimeUnit.DAYS.toSeconds(7)); |
| 04a985 | 491 | } |
| JM | 492 | } |
| ec7ed8 | 493 | String path = "/"; |
| JM | 494 | if (request != null) { |
| 495 | if (!StringUtils.isEmpty(request.getContextPath())) { | |
| 496 | path = request.getContextPath(); | |
| 497 | } | |
| 498 | } | |
| 499 | userCookie.setPath(path); | |
| 04a985 | 500 | response.addCookie(userCookie); |
| JM | 501 | } |
| 502 | } | |
| 503 | } | |
| 504 | ||
| 505 | /** | |
| 506 | * Logout a user. | |
| 507 | * | |
| ec7ed8 | 508 | * @param response |
| 04a985 | 509 | * @param user |
| JM | 510 | */ |
| 511 | @Override | |
| ec7ed8 | 512 | @Deprecated |
| 04a985 | 513 | public void logout(HttpServletResponse response, UserModel user) { |
| ec7ed8 | 514 | setCookie(null, response, null); |
| JM | 515 | } |
| 516 | ||
| 517 | /** | |
| 518 | * Logout a user. | |
| 519 | * | |
| 520 | * @param request | |
| 521 | * @param response | |
| 522 | * @param user | |
| 523 | */ | |
| 524 | @Override | |
| 525 | public void logout(HttpServletRequest request, HttpServletResponse response, UserModel user) { | |
| 526 | setCookie(request, response, null); | |
| 04a985 | 527 | } |
| JM | 528 | |
| 529 | /** | |
| 530 | * Returns true if the user's credentials can be changed. | |
| 531 | * | |
| 532 | * @param user | |
| 533 | * @return true if the user service supports credential changes | |
| 534 | */ | |
| 535 | @Override | |
| 536 | public boolean supportsCredentialChanges(UserModel user) { | |
| 537 | return (user != null && user.isLocalAccount()) || findProvider(user).supportsCredentialChanges(); | |
| 538 | } | |
| 539 | ||
| 540 | /** | |
| 541 | * Returns true if the user's display name can be changed. | |
| 542 | * | |
| 543 | * @param user | |
| 544 | * @return true if the user service supports display name changes | |
| 545 | */ | |
| 546 | @Override | |
| 547 | public boolean supportsDisplayNameChanges(UserModel user) { | |
| 548 | return (user != null && user.isLocalAccount()) || findProvider(user).supportsDisplayNameChanges(); | |
| 549 | } | |
| 550 | ||
| 551 | /** | |
| 552 | * Returns true if the user's email address can be changed. | |
| 553 | * | |
| 554 | * @param user | |
| 555 | * @return true if the user service supports email address changes | |
| 556 | */ | |
| 557 | @Override | |
| 558 | public boolean supportsEmailAddressChanges(UserModel user) { | |
| 559 | return (user != null && user.isLocalAccount()) || findProvider(user).supportsEmailAddressChanges(); | |
| 560 | } | |
| 561 | ||
| 562 | /** | |
| 563 | * Returns true if the user's team memberships can be changed. | |
| 564 | * | |
| 565 | * @param user | |
| 566 | * @return true if the user service supports team membership changes | |
| 567 | */ | |
| 568 | @Override | |
| 569 | public boolean supportsTeamMembershipChanges(UserModel user) { | |
| 570 | return (user != null && user.isLocalAccount()) || findProvider(user).supportsTeamMembershipChanges(); | |
| 571 | } | |
| 572 | ||
| 573 | /** | |
| 574 | * Returns true if the team memberships can be changed. | |
| 575 | * | |
| 576 | * @param user | |
| 577 | * @return true if the team membership can be changed | |
| 578 | */ | |
| 579 | @Override | |
| 580 | public boolean supportsTeamMembershipChanges(TeamModel team) { | |
| 581 | return (team != null && team.isLocalTeam()) || findProvider(team).supportsTeamMembershipChanges(); | |
| 582 | } | |
| 583 | ||
| 584 | protected AuthenticationProvider findProvider(UserModel user) { | |
| 585 | for (AuthenticationProvider provider : authenticationProviders) { | |
| 586 | if (provider.getAccountType().equals(user.accountType)) { | |
| 587 | return provider; | |
| 588 | } | |
| 589 | } | |
| 590 | return AuthenticationProvider.NULL_PROVIDER; | |
| 591 | } | |
| 592 | ||
| 593 | protected AuthenticationProvider findProvider(TeamModel team) { | |
| 594 | for (AuthenticationProvider provider : authenticationProviders) { | |
| 595 | if (provider.getAccountType().equals(team.accountType)) { | |
| 596 | return provider; | |
| 597 | } | |
| 598 | } | |
| 599 | return AuthenticationProvider.NULL_PROVIDER; | |
| 600 | } | |
| 601 | } | |
