commit | author | age
|
efdb2b
|
1 |
/* |
JM |
2 |
* Copyright 2013 gitblit.com. |
|
3 |
* |
|
4 |
* Licensed under the Apache License, Version 2.0 (the "License"); |
|
5 |
* you may not use this file except in compliance with the License. |
|
6 |
* You may obtain a copy of the License at |
|
7 |
* |
|
8 |
* http://www.apache.org/licenses/LICENSE-2.0 |
|
9 |
* |
|
10 |
* Unless required by applicable law or agreed to in writing, software |
|
11 |
* distributed under the License is distributed on an "AS IS" BASIS, |
|
12 |
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
|
13 |
* See the License for the specific language governing permissions and |
|
14 |
* limitations under the License. |
|
15 |
*/ |
|
16 |
package com.gitblit.wicket.pages; |
|
17 |
|
|
18 |
import javax.servlet.http.HttpServletRequest; |
|
19 |
import javax.servlet.http.HttpServletResponse; |
|
20 |
|
|
21 |
import org.apache.wicket.PageParameters; |
|
22 |
import org.apache.wicket.markup.html.WebPage; |
|
23 |
import org.apache.wicket.protocol.http.WebRequest; |
|
24 |
import org.apache.wicket.protocol.http.WebResponse; |
|
25 |
|
|
26 |
import com.gitblit.Constants; |
|
27 |
import com.gitblit.Constants.AuthenticationType; |
|
28 |
import com.gitblit.Keys; |
|
29 |
import com.gitblit.models.UserModel; |
|
30 |
import com.gitblit.utils.StringUtils; |
|
31 |
import com.gitblit.wicket.GitBlitWebApp; |
|
32 |
import com.gitblit.wicket.GitBlitWebSession; |
|
33 |
|
|
34 |
public abstract class SessionPage extends WebPage { |
|
35 |
|
|
36 |
public SessionPage() { |
|
37 |
super(); |
|
38 |
login(); |
|
39 |
} |
|
40 |
|
|
41 |
public SessionPage(final PageParameters params) { |
|
42 |
super(params); |
|
43 |
login(); |
|
44 |
} |
|
45 |
|
|
46 |
protected String [] getEncodings() { |
|
47 |
return app().settings().getStrings(Keys.web.blobEncodings).toArray(new String[0]); |
|
48 |
} |
|
49 |
|
|
50 |
protected GitBlitWebApp app() { |
|
51 |
return GitBlitWebApp.get(); |
|
52 |
} |
|
53 |
|
|
54 |
private void login() { |
|
55 |
GitBlitWebSession session = GitBlitWebSession.get(); |
|
56 |
HttpServletRequest request = ((WebRequest) getRequest()).getHttpServletRequest(); |
|
57 |
HttpServletResponse response = ((WebResponse) getResponse()).getHttpServletResponse(); |
|
58 |
|
62e025
|
59 |
// If using container/external servlet authentication, use request attribute |
JJ |
60 |
String authedUser = (String) request.getAttribute(Constants.ATTRIB_AUTHUSER); |
efdb2b
|
61 |
|
62e025
|
62 |
// Default to trusting session authentication if not set in request by external processing |
JJ |
63 |
if (StringUtils.isEmpty(authedUser) && session.isLoggedIn()) { |
|
64 |
authedUser = session.getUsername(); |
|
65 |
} |
|
66 |
|
|
67 |
if (!StringUtils.isEmpty(authedUser)) { |
|
68 |
// Avoid session fixation for non-session authentication |
|
69 |
// If the authenticated user is different from the session user, discard |
|
70 |
// the old session entirely, without trusting any session values |
|
71 |
if (!authedUser.equals(session.getUsername())) { |
|
72 |
session.replaceSession(); |
efdb2b
|
73 |
} |
JM |
74 |
|
62e025
|
75 |
if (!session.isSessionInvalidated()) { |
JJ |
76 |
// Refresh usermodel to pick up any changes to permissions or roles (issue-186) |
|
77 |
UserModel user = app().users().getUserModel(authedUser); |
|
78 |
|
|
79 |
if (user == null || user.disabled) { |
|
80 |
// user was deleted/disabled during session |
|
81 |
app().authentication().logout(request, response, user); |
|
82 |
session.setUser(null); |
|
83 |
session.invalidateNow(); |
|
84 |
return; |
|
85 |
} |
|
86 |
|
|
87 |
// validate cookie during session (issue-361) |
|
88 |
if (app().settings().getBoolean(Keys.web.allowCookieAuthentication, true)) { |
|
89 |
String requestCookie = app().authentication().getCookie(request); |
|
90 |
if (!StringUtils.isEmpty(requestCookie) && !StringUtils.isEmpty(user.cookie)) { |
|
91 |
if (!requestCookie.equals(user.cookie)) { |
|
92 |
// cookie was changed during our session |
|
93 |
app().authentication().logout(request, response, user); |
|
94 |
session.setUser(null); |
|
95 |
session.invalidateNow(); |
|
96 |
return; |
|
97 |
} |
efdb2b
|
98 |
} |
JM |
99 |
} |
62e025
|
100 |
session.setUser(user); |
JJ |
101 |
return; |
efdb2b
|
102 |
} |
JM |
103 |
} |
|
104 |
|
|
105 |
// try to authenticate by servlet request |
|
106 |
UserModel user = app().authentication().authenticate(request); |
|
107 |
|
|
108 |
// Login the user |
|
109 |
if (user != null) { |
62e025
|
110 |
AuthenticationType authenticationType = (AuthenticationType) request.getAttribute(Constants.ATTRIB_AUTHTYPE); |
efdb2b
|
111 |
|
JM |
112 |
// issue 62: fix session fixation vulnerability |
14d630
|
113 |
// but only if authentication was done in the container. |
FB |
114 |
// It avoid double change of session, that some authentication method |
|
115 |
// don't like |
|
116 |
if (AuthenticationType.CONTAINER != authenticationType) { |
|
117 |
session.replaceSession(); |
62e025
|
118 |
} |
efdb2b
|
119 |
session.setUser(user); |
JM |
120 |
|
|
121 |
// Set Cookie |
|
122 |
app().authentication().setCookie(request, response, user); |
|
123 |
|
|
124 |
session.continueRequest(); |
|
125 |
} |
|
126 |
} |
|
127 |
} |