commit | author | age
|
efdb2b
|
1 |
/* |
JM |
2 |
* Copyright 2013 gitblit.com. |
|
3 |
* |
|
4 |
* Licensed under the Apache License, Version 2.0 (the "License"); |
|
5 |
* you may not use this file except in compliance with the License. |
|
6 |
* You may obtain a copy of the License at |
|
7 |
* |
|
8 |
* http://www.apache.org/licenses/LICENSE-2.0 |
|
9 |
* |
|
10 |
* Unless required by applicable law or agreed to in writing, software |
|
11 |
* distributed under the License is distributed on an "AS IS" BASIS, |
|
12 |
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
|
13 |
* See the License for the specific language governing permissions and |
|
14 |
* limitations under the License. |
|
15 |
*/ |
|
16 |
package com.gitblit.wicket.pages; |
|
17 |
|
|
18 |
import javax.servlet.http.HttpServletRequest; |
|
19 |
import javax.servlet.http.HttpServletResponse; |
|
20 |
|
|
21 |
import org.apache.wicket.PageParameters; |
|
22 |
import org.apache.wicket.markup.html.WebPage; |
|
23 |
import org.apache.wicket.protocol.http.WebRequest; |
|
24 |
import org.apache.wicket.protocol.http.WebResponse; |
|
25 |
|
|
26 |
import com.gitblit.Constants; |
|
27 |
import com.gitblit.Constants.AuthenticationType; |
|
28 |
import com.gitblit.Keys; |
|
29 |
import com.gitblit.models.UserModel; |
|
30 |
import com.gitblit.utils.StringUtils; |
|
31 |
import com.gitblit.wicket.GitBlitWebApp; |
|
32 |
import com.gitblit.wicket.GitBlitWebSession; |
|
33 |
|
|
34 |
public abstract class SessionPage extends WebPage { |
|
35 |
|
|
36 |
public SessionPage() { |
|
37 |
super(); |
|
38 |
login(); |
|
39 |
} |
|
40 |
|
|
41 |
public SessionPage(final PageParameters params) { |
|
42 |
super(params); |
|
43 |
login(); |
|
44 |
} |
|
45 |
|
|
46 |
protected String [] getEncodings() { |
|
47 |
return app().settings().getStrings(Keys.web.blobEncodings).toArray(new String[0]); |
|
48 |
} |
|
49 |
|
|
50 |
protected GitBlitWebApp app() { |
|
51 |
return GitBlitWebApp.get(); |
|
52 |
} |
|
53 |
|
|
54 |
private void login() { |
|
55 |
GitBlitWebSession session = GitBlitWebSession.get(); |
|
56 |
HttpServletRequest request = ((WebRequest) getRequest()).getHttpServletRequest(); |
|
57 |
HttpServletResponse response = ((WebResponse) getResponse()).getHttpServletResponse(); |
|
58 |
|
|
59 |
if (session.isLoggedIn() && !session.isSessionInvalidated()) { |
|
60 |
// already have a session, refresh usermodel to pick up |
|
61 |
// any changes to permissions or roles (issue-186) |
|
62 |
UserModel user = app().users().getUserModel(session.getUser().username); |
|
63 |
|
|
64 |
if (user == null || user.disabled) { |
|
65 |
// user was deleted/disabled during session |
|
66 |
app().authentication().logout(request, response, user); |
|
67 |
session.setUser(null); |
|
68 |
session.invalidateNow(); |
|
69 |
return; |
|
70 |
} |
|
71 |
|
|
72 |
// validate cookie during session (issue-361) |
|
73 |
if (user != null && app().settings().getBoolean(Keys.web.allowCookieAuthentication, true)) { |
|
74 |
String requestCookie = app().authentication().getCookie(request); |
|
75 |
if (!StringUtils.isEmpty(requestCookie) && !StringUtils.isEmpty(user.cookie)) { |
|
76 |
if (!requestCookie.equals(user.cookie)) { |
|
77 |
// cookie was changed during our session |
|
78 |
app().authentication().logout(request, response, user); |
|
79 |
session.setUser(null); |
|
80 |
session.invalidateNow(); |
|
81 |
return; |
|
82 |
} |
|
83 |
} |
|
84 |
} |
|
85 |
session.setUser(user); |
|
86 |
return; |
|
87 |
} |
|
88 |
|
|
89 |
// try to authenticate by servlet request |
|
90 |
UserModel user = app().authentication().authenticate(request); |
|
91 |
|
|
92 |
// Login the user |
|
93 |
if (user != null) { |
|
94 |
// preserve the authentication type across session replacement |
|
95 |
AuthenticationType authenticationType = (AuthenticationType) request.getSession() |
|
96 |
.getAttribute(Constants.AUTHENTICATION_TYPE); |
|
97 |
|
|
98 |
// issue 62: fix session fixation vulnerability |
|
99 |
session.replaceSession(); |
|
100 |
session.setUser(user); |
|
101 |
|
|
102 |
request.getSession().setAttribute(Constants.AUTHENTICATION_TYPE, authenticationType); |
|
103 |
|
|
104 |
// Set Cookie |
|
105 |
app().authentication().setCookie(request, response, user); |
|
106 |
|
|
107 |
session.continueRequest(); |
|
108 |
} |
|
109 |
} |
|
110 |
} |