| commit | author | age | ||
| 0f3cb2 | 1 | /* |
| JM | 2 | * Copyright 2013 gitblit.com. |
| 3 | * | |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); | |
| 5 | * you may not use this file except in compliance with the License. | |
| 6 | * You may obtain a copy of the License at | |
| 7 | * | |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 | |
| 9 | * | |
| 10 | * Unless required by applicable law or agreed to in writing, software | |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, | |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
| 13 | * See the License for the specific language governing permissions and | |
| 14 | * limitations under the License. | |
| 15 | */ | |
| 16 | package com.gitblit.wicket.pages; | |
| 17 | ||
| 18 | import javax.servlet.http.HttpServletRequest; | |
| 7ab32b | 19 | import javax.servlet.http.HttpServletResponse; |
| 0f3cb2 | 20 | |
| JM | 21 | import org.apache.wicket.PageParameters; |
| 22 | import org.apache.wicket.markup.html.WebPage; | |
| 23 | import org.apache.wicket.protocol.http.WebRequest; | |
| 24 | import org.apache.wicket.protocol.http.WebResponse; | |
| 25 | ||
| 99d0d4 | 26 | import com.gitblit.Keys; |
| 0f3cb2 | 27 | import com.gitblit.models.UserModel; |
| 7ab32b | 28 | import com.gitblit.utils.StringUtils; |
| 99d0d4 | 29 | import com.gitblit.wicket.GitBlitWebApp; |
| 0f3cb2 | 30 | import com.gitblit.wicket.GitBlitWebSession; |
| JM | 31 | |
| 32 | public abstract class SessionPage extends WebPage { | |
| 33 | ||
| 34 | public SessionPage() { | |
| 35 | super(); | |
| 36 | login(); | |
| 37 | } | |
| 38 | ||
| 39 | public SessionPage(final PageParameters params) { | |
| 40 | super(params); | |
| 41 | login(); | |
| 42 | } | |
| 43 | ||
| 99d0d4 | 44 | protected String [] getEncodings() { |
| JM | 45 | return app().settings().getStrings(Keys.web.blobEncodings).toArray(new String[0]); |
| 46 | } | |
| 47 | ||
| 48 | protected GitBlitWebApp app() { | |
| 49 | return GitBlitWebApp.get(); | |
| 50 | } | |
| 51 | ||
| 0f3cb2 | 52 | private void login() { |
| JM | 53 | GitBlitWebSession session = GitBlitWebSession.get(); |
| 54 | if (session.isLoggedIn() && !session.isSessionInvalidated()) { | |
| 55 | // already have a session, refresh usermodel to pick up | |
| 56 | // any changes to permissions or roles (issue-186) | |
| 99d0d4 | 57 | UserModel user = app().users().getUserModel(session.getUser().username); |
| 7ab32b | 58 | |
| 68fb17 | 59 | if (user == null || user.disabled) { |
| JM | 60 | // user was deleted/disabled during session |
| ec7ed8 | 61 | HttpServletRequest request = ((WebRequest) getRequestCycle().getRequest()) |
| JM | 62 | .getHttpServletRequest(); |
| 9aa119 | 63 | HttpServletResponse response = ((WebResponse) getRequestCycle().getResponse()) |
| JM | 64 | .getHttpServletResponse(); |
| ec7ed8 | 65 | app().authentication().logout(request, response, user); |
| 9aa119 | 66 | session.setUser(null); |
| JM | 67 | session.invalidateNow(); |
| 68 | return; | |
| 69 | } | |
| 70 | ||
| 7ab32b | 71 | // validate cookie during session (issue-361) |
| 0ff4df | 72 | if (user != null && app().settings().getBoolean(Keys.web.allowCookieAuthentication, true)) { |
| 7ab32b | 73 | HttpServletRequest request = ((WebRequest) getRequestCycle().getRequest()) |
| JM | 74 | .getHttpServletRequest(); |
| 75 | String requestCookie = app().authentication().getCookie(request); | |
| 76 | if (!StringUtils.isEmpty(requestCookie) && !StringUtils.isEmpty(user.cookie)) { | |
| 77 | if (!requestCookie.equals(user.cookie)) { | |
| 78 | // cookie was changed during our session | |
| 79 | HttpServletResponse response = ((WebResponse) getRequestCycle().getResponse()) | |
| 80 | .getHttpServletResponse(); | |
| ec7ed8 | 81 | app().authentication().logout(request, response, user); |
| 7ab32b | 82 | session.setUser(null); |
| JM | 83 | session.invalidateNow(); |
| 84 | return; | |
| 85 | } | |
| 86 | } | |
| 87 | } | |
| 0f3cb2 | 88 | session.setUser(user); |
| JM | 89 | return; |
| 90 | } | |
| 91 | ||
| 92 | // try to authenticate by servlet request | |
| 93 | HttpServletRequest httpRequest = ((WebRequest) getRequestCycle().getRequest()) | |
| 94 | .getHttpServletRequest(); | |
| 04a985 | 95 | UserModel user = app().authentication().authenticate(httpRequest); |
| 0f3cb2 | 96 | |
| JM | 97 | // Login the user |
| 98 | if (user != null) { | |
| 99 | // issue 62: fix session fixation vulnerability | |
| 100 | session.replaceSession(); | |
| 101 | session.setUser(user); | |
| 102 | ||
| 103 | // Set Cookie | |
| ec7ed8 | 104 | WebRequest request = (WebRequest) getRequestCycle().getRequest(); |
| 0f3cb2 | 105 | WebResponse response = (WebResponse) getRequestCycle().getResponse(); |
| ec7ed8 | 106 | app().authentication().setCookie(request.getHttpServletRequest(), |
| JM | 107 | response.getHttpServletResponse(), user); |
| 0f3cb2 | 108 | |
| JM | 109 | session.continueRequest(); |
| 110 | } | |
| 111 | } | |
| 112 | } | |
