githubFork/gitblit.git - Solinfo Gitblit

			@@ -56,34 +56,50 @@
			HttpServletRequest request = ((WebRequest) getRequest()).getHttpServletRequest();
			HttpServletResponse response = ((WebResponse) getResponse()).getHttpServletResponse();

			if (session.isLoggedIn() && !session.isSessionInvalidated()) {
			// already have a session, refresh usermodel to pick up
			// any changes to permissions or roles (issue-186)
			UserModel user = app().users().getUserModel(session.getUser().username);
			// If using container/external servlet authentication, use request attribute
			String authedUser = (String) request.getAttribute(Constants.ATTRIB_AUTHUSER);

			if (user == null \|\| user.disabled) {
			// user was deleted/disabled during session
			app().authentication().logout(request, response, user);
			session.setUser(null);
			session.invalidateNow();
			return;
			// Default to trusting session authentication if not set in request by external processing
			if (StringUtils.isEmpty(authedUser) && session.isLoggedIn()) {
			authedUser = session.getUsername();
			}

			if (!StringUtils.isEmpty(authedUser)) {
			// Avoid session fixation for non-session authentication
			// If the authenticated user is different from the session user, discard
			// the old session entirely, without trusting any session values
			if (!authedUser.equals(session.getUsername())) {
			session.replaceSession();
			}

			// validate cookie during session (issue-361)
			if (user != null && app().settings().getBoolean(Keys.web.allowCookieAuthentication, true)) {
			String requestCookie = app().authentication().getCookie(request);
			if (!StringUtils.isEmpty(requestCookie) && !StringUtils.isEmpty(user.cookie)) {
			if (!requestCookie.equals(user.cookie)) {
			// cookie was changed during our session
			app().authentication().logout(request, response, user);
			session.setUser(null);
			session.invalidateNow();
			return;
			if (!session.isSessionInvalidated()) {
			// Refresh usermodel to pick up any changes to permissions or roles (issue-186)
			UserModel user = app().users().getUserModel(authedUser);

			if (user == null \|\| user.disabled) {
			// user was deleted/disabled during session
			app().authentication().logout(request, response, user);
			session.setUser(null);
			session.invalidateNow();
			return;
			}

			// validate cookie during session (issue-361)
			if (app().settings().getBoolean(Keys.web.allowCookieAuthentication, true)) {
			String requestCookie = app().authentication().getCookie(request);
			if (!StringUtils.isEmpty(requestCookie) && !StringUtils.isEmpty(user.cookie)) {
			if (!requestCookie.equals(user.cookie)) {
			// cookie was changed during our session
			app().authentication().logout(request, response, user);
			session.setUser(null);
			session.invalidateNow();
			return;
			}
			}
			}
			session.setUser(user);
			return;
			}
			session.setUser(user);
			return;
			}

			// try to authenticate by servlet request
			@@ -91,15 +107,16 @@

			// Login the user
			if (user != null) {
			// preserve the authentication type across session replacement
			AuthenticationType authenticationType = (AuthenticationType) request.getSession()
			.getAttribute(Constants.AUTHENTICATION_TYPE);
			AuthenticationType authenticationType = (AuthenticationType) request.getAttribute(Constants.ATTRIB_AUTHTYPE);

			// issue 62: fix session fixation vulnerability
			session.replaceSession();
			// but only if authentication was done in the container.
			// It avoid double change of session, that some authentication method
			// don't like
			if (AuthenticationType.CONTAINER != authenticationType) {
			session.replaceSession();
			}
			session.setUser(user);

			request.getSession().setAttribute(Constants.AUTHENTICATION_TYPE, authenticationType);

			// Set Cookie
			app().authentication().setCookie(request, response, user);