James Moger
2014-09-25 54cc7d7c2483d7ca100a5db47f4e1e98bd97c7fe
Merged #187 "Restrict Gitblit cookie to the context path"
7 files modified
94 ■■■■■ changed files
src/main/java/com/gitblit/manager/AuthenticationManager.java 37 ●●●●● patch | view | raw | blame | history
src/main/java/com/gitblit/manager/GitblitManager.java 12 ●●●●● patch | view | raw | blame | history
src/main/java/com/gitblit/manager/IAuthenticationManager.java 22 ●●●●● patch | view | raw | blame | history
src/main/java/com/gitblit/wicket/pages/ChangePasswordPage.java 5 ●●●● patch | view | raw | blame | history
src/main/java/com/gitblit/wicket/pages/LogoutPage.java 3 ●●●● patch | view | raw | blame | history
src/main/java/com/gitblit/wicket/pages/RootPage.java 5 ●●●● patch | view | raw | blame | history
src/main/java/com/gitblit/wicket/pages/SessionPage.java 10 ●●●● patch | view | raw | blame | history
src/main/java/com/gitblit/manager/AuthenticationManager.java
@@ -454,7 +454,20 @@
     * @param user
     */
    @Override
    @Deprecated
    public void setCookie(HttpServletResponse response, UserModel user) {
        setCookie(null, response, user);
    }
    /**
     * Sets a cookie for the specified user.
     *
     * @param request
     * @param response
     * @param user
     */
    @Override
    public void setCookie(HttpServletRequest request, HttpServletResponse response, UserModel user) {
        if (settings.getBoolean(Keys.web.allowCookieAuthentication, true)) {
            GitBlitWebSession session = GitBlitWebSession.get();
            boolean standardLogin = session.authenticationType.isStandard();
@@ -477,7 +490,13 @@
                        userCookie.setMaxAge((int) TimeUnit.DAYS.toSeconds(7));
                    }
                }
                userCookie.setPath("/");
                String path = "/";
                if (request != null) {
                    if (!StringUtils.isEmpty(request.getContextPath())) {
                        path = request.getContextPath();
                    }
                }
                userCookie.setPath(path);
                response.addCookie(userCookie);
            }
        }
@@ -486,11 +505,25 @@
    /**
     * Logout a user.
     *
     * @param response
     * @param user
     */
    @Override
    @Deprecated
    public void logout(HttpServletResponse response, UserModel user) {
        setCookie(response,  null);
        setCookie(null, response,  null);
    }
    /**
     * Logout a user.
     *
     * @param request
     * @param response
     * @param user
     */
    @Override
    public void logout(HttpServletRequest request, HttpServletResponse response, UserModel user) {
        setCookie(request, response,  null);
    }
    /**
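Review bot: The deprecated `logout(HttpServletResponse, UserModel)` now forwards a null request (`setCookie(null, response,  null)`), which in the second hunk makes `path` fall back to `"/"`, while a cookie written through the new overload is scoped to `request.getContextPath()`; browsers treat cookies with different Path attributes as distinct, so if anything still calls the old overload on a deployment that is not at the root, the context-path cookie is left in place and the user stays logged in via cookie. Any remaining caller should be moved to the request-taking overload, and both deprecated methods should say why in their Javadoc: `@deprecated use {@link #logout(HttpServletRequest, HttpServletResponse, UserModel)}; without a request the cookie is cleared at path "/", which does not match a cookie scoped to the context path`. The rest of the `setCookie` body, including the cookie's other attributes, lies between the two hunks and is not visible here.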
src/main/java/com/gitblit/manager/GitblitManager.java
@@ -736,16 +736,28 @@
    }
    @Override
    @Deprecated
    public void setCookie(HttpServletResponse response, UserModel user) {
        authenticationManager.setCookie(response, user);
    }
    @Override
    public void setCookie(HttpServletRequest request, HttpServletResponse response, UserModel user) {
        authenticationManager.setCookie(request, response, user);
    }
    @Override
    @Deprecated
    public void logout(HttpServletResponse response, UserModel user) {
        authenticationManager.logout(response, user);
    }
    @Override
    public void logout(HttpServletRequest request, HttpServletResponse response, UserModel user) {
        authenticationManager.logout(request, response, user);
    }
    @Override
    public boolean supportsCredentialChanges(UserModel user) {
        return authenticationManager.supportsCredentialChanges(user);
    }
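Review bot: The two `@Deprecated` delegates (`setCookie(HttpServletResponse, UserModel)` and `logout(HttpServletResponse, UserModel)`) carry no Javadoc, so the annotation gives a caller no pointer to the replacement; the deprecated declarations in IAuthenticationManager.java and AuthenticationManager.java in this commit have the same gap. A one-line `/** @deprecated use {@link #setCookie(HttpServletRequest, HttpServletResponse, UserModel)} */` above each, and the matching tag on `logout`, is enough. Delegating the deprecated overload straight to the deprecated `authenticationManager.setCookie(response, user)` is fine here, but it should be removed in the same release the interface method is.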
src/main/java/com/gitblit/manager/IAuthenticationManager.java
@@ -85,7 +85,18 @@
     * @param user
     * @since 1.4.0
     */
    @Deprecated
    void setCookie(HttpServletResponse response, UserModel user);
    /**
     * Sets a cookie for the specified user.
     *
     * @param request
     * @param response
     * @param user
     * @since 1.6.1
     */
    void setCookie(HttpServletRequest request, HttpServletResponse response, UserModel user);
    /**
     * Logout a user.
@@ -93,9 +104,20 @@
     * @param user
     * @since 1.4.0
     */
    @Deprecated
    void logout(HttpServletResponse response, UserModel user);
    /**
     * Logout a user.
     *
     * @param request
     * @param response
     * @param user
     * @since 1.6.1
     */
    void logout(HttpServletRequest request, HttpServletResponse response, UserModel user);
    /**
     * Does the user service support changes to credentials?
     *
     * @return true or false
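Review bot: The `@param request` tags on the new `setCookie` and `logout` declarations are empty, and the one contract a caller needs is exactly there: the implementation in this commit tolerates a null request and then scopes the cookie to `"/"` instead of the servlet context path. Document that on both methods, e.g. `@param request the current request; may be null, in which case the cookie path falls back to "/" rather than the context path`, and `@param user the user to set the cookie for, or null to clear it` — the clear-on-null part is inferred from `logout` passing a null user and should be confirmed against the implementation. The `@since 1.6.1` tags are good; the deprecated siblings should additionally get a `@deprecated` tag naming these replacements.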
src/main/java/com/gitblit/wicket/pages/ChangePasswordPage.java
@@ -23,6 +23,7 @@
import org.apache.wicket.markup.html.form.StatelessForm;
import org.apache.wicket.model.IModel;
import org.apache.wicket.model.Model;
import org.apache.wicket.protocol.http.WebRequest;
import org.apache.wicket.protocol.http.WebResponse;
import com.gitblit.GitBlitException;
@@ -99,8 +100,10 @@
                try {
                    app().gitblit().reviseUser(user.username, user);
                    if (app().settings().getBoolean(Keys.web.allowCookieAuthentication, false)) {
                        WebRequest request = (WebRequest) getRequestCycle().getRequest();
                        WebResponse response = (WebResponse) getRequestCycle().getResponse();
                        app().authentication().setCookie(response.getHttpServletResponse(), user);
                        app().authentication().setCookie(request.getHttpServletRequest(),
                                response.getHttpServletResponse(), user);
                    }
                } catch (GitBlitException e) {
                    error(e.getMessage());
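Review bot: The `(WebRequest) getRequestCycle().getRequest()` / `(WebResponse) getRequestCycle().getResponse()` cast pair added here is repeated verbatim in RootPage.java and SessionPage.java in this commit; two protected helpers on the common superclass that provides `app()` (presumably a base page), say `getHttpServletRequest()` and `getHttpServletResponse()`, would keep each call site to one line and give one place to change if the request wrapper type changes. Separately, this guard reads `Keys.web.allowCookieAuthentication` with default `false` while `AuthenticationManager.setCookie` reads the same key with default `true`; that disagreement predates the commit, but aligning the default in one constant would avoid the two layers answering differently when the key is absent.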
src/main/java/com/gitblit/wicket/pages/LogoutPage.java
@@ -27,7 +27,8 @@
        super();
        GitBlitWebSession session = GitBlitWebSession.get();
        UserModel user = session.getUser();
        app().authentication().logout(((WebResponse) getResponse()).getHttpServletResponse(), user);
        app().authentication().logout(((WebRequest) getRequest()).getHttpServletRequest(),
                ((WebResponse) getResponse()).getHttpServletResponse(), user);
        session.invalidate();
        /*
src/main/java/com/gitblit/wicket/pages/RootPage.java
@@ -46,6 +46,7 @@
import org.apache.wicket.markup.repeater.data.ListDataProvider;
import org.apache.wicket.model.IModel;
import org.apache.wicket.model.Model;
import org.apache.wicket.protocol.http.WebRequest;
import org.apache.wicket.protocol.http.WebResponse;
import com.gitblit.Constants;
@@ -269,8 +270,10 @@
            // Set Cookie
            if (app().settings().getBoolean(Keys.web.allowCookieAuthentication, false)) {
                WebRequest request = (WebRequest) getRequestCycle().getRequest();
                WebResponse response = (WebResponse) getRequestCycle().getResponse();
                app().authentication().setCookie(response.getHttpServletResponse(), user);
                app().authentication().setCookie(request.getHttpServletRequest(),
                        response.getHttpServletResponse(), user);
            }
            if (!session.continueRequest()) {
src/main/java/com/gitblit/wicket/pages/SessionPage.java
@@ -58,9 +58,11 @@
            if (user == null || user.disabled) {
                // user was deleted/disabled during session
                HttpServletRequest request = ((WebRequest) getRequestCycle().getRequest())
                        .getHttpServletRequest();
                HttpServletResponse response = ((WebResponse) getRequestCycle().getResponse())
                        .getHttpServletResponse();
                app().authentication().logout(response, user);
                app().authentication().logout(request, response, user);
                session.setUser(null);
                session.invalidateNow();
                return;
@@ -76,7 +78,7 @@
                        // cookie was changed during our session
                        HttpServletResponse response = ((WebResponse) getRequestCycle().getResponse())
                                .getHttpServletResponse();
                        app().authentication().logout(response, user);
                        app().authentication().logout(request, response, user);
                        session.setUser(null);
                        session.invalidateNow();
                        return;
@@ -99,8 +101,10 @@
            session.setUser(user);
            // Set Cookie
            WebRequest request = (WebRequest) getRequestCycle().getRequest();
            WebResponse response = (WebResponse) getRequestCycle().getResponse();
            app().authentication().setCookie(response.getHttpServletResponse(), user);
            app().authentication().setCookie(request.getHttpServletRequest(),
                    response.getHttpServletResponse(), user);
            session.continueRequest();
        }