James Moger
2014-07-03 efdb2b3d0c6f03a9aac9e65892cbc8ff755f246f
Remove Wicket references from non-Wicket packages
8 files modified
284 ■■■■ changed files
src/main/java/com/gitblit/Constants.java 2 ●●●●● patch | view | raw | blame | history
src/main/java/com/gitblit/auth/RedmineAuthProvider.java 2 ●●● patch | view | raw | blame | history
src/main/java/com/gitblit/manager/AuthenticationManager.java 27 ●●●●● patch | view | raw | blame | history
src/main/java/com/gitblit/servlet/PtServlet.java 2 ●●● patch | view | raw | blame | history
src/main/java/com/gitblit/utils/CompressionUtils.java 2 ●●● patch | view | raw | blame | history
src/main/java/com/gitblit/wicket/GitBlitWebSession.java 4 ●●●● patch | view | raw | blame | history
src/main/java/com/gitblit/wicket/pages/RootPage.java 23 ●●●●● patch | view | raw | blame | history
src/main/java/com/gitblit/wicket/pages/SessionPage.java 222 ●●●● patch | view | raw | blame | history
src/main/java/com/gitblit/Constants.java
@@ -130,6 +130,8 @@
    public static final String DEVELOP = "develop";
    public static final String AUTHENTICATION_TYPE = "authentication-type";
    public static String getVersion() {
        String v = Constants.class.getPackage().getImplementationVersion();
        if (v == null) {
src/main/java/com/gitblit/auth/RedmineAuthProvider.java
@@ -19,7 +19,7 @@
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import org.apache.wicket.util.io.IOUtils;
import org.apache.commons.io.IOUtils;
import com.gitblit.Constants;
import com.gitblit.Constants.AccountType;
src/main/java/com/gitblit/manager/AuthenticationManager.java
@@ -27,8 +27,8 @@
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.wicket.RequestCycle;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -52,7 +52,6 @@
import com.gitblit.utils.HttpUtils;
import com.gitblit.utils.StringUtils;
import com.gitblit.utils.X509Utils.X509Metadata;
import com.gitblit.wicket.GitBlitWebSession;
/**
 * The authentication manager handles user login & logout.
@@ -200,7 +199,7 @@
                    UserModel user = userManager.getUserModel(username);
                    if (user != null) {
                        // existing user
                        flagWicketSession(AuthenticationType.CONTAINER);
                        flagSession(httpRequest, AuthenticationType.CONTAINER);
                        logger.debug(MessageFormat.format("{0} authenticated by servlet container principal from {1}",
                                user.username, httpRequest.getRemoteAddr()));
                        return validateAuthentication(user, AuthenticationType.CONTAINER);
@@ -212,7 +211,7 @@
                        user.password = Constants.EXTERNAL_ACCOUNT;
                        user.accountType = AccountType.CONTAINER;
                        userManager.updateUserModel(user);
                        flagWicketSession(AuthenticationType.CONTAINER);
                        flagSession(httpRequest, AuthenticationType.CONTAINER);
                        logger.debug(MessageFormat.format("{0} authenticated and created by servlet container principal from {1}",
                                user.username, httpRequest.getRemoteAddr()));
                        return validateAuthentication(user, AuthenticationType.CONTAINER);
@@ -233,7 +232,7 @@
            UserModel user = userManager.getUserModel(model.username);
            X509Metadata metadata = HttpUtils.getCertificateMetadata(httpRequest);
            if (user != null) {
                flagWicketSession(AuthenticationType.CERTIFICATE);
                flagSession(httpRequest, AuthenticationType.CERTIFICATE);
                logger.debug(MessageFormat.format("{0} authenticated by client certificate {1} from {2}",
                        user.username, metadata.serialNumber, httpRequest.getRemoteAddr()));
                return validateAuthentication(user, AuthenticationType.CERTIFICATE);
@@ -255,7 +254,7 @@
        if (!StringUtils.isEmpty(cookie)) {
            user = userManager.getUserModel(cookie.toCharArray());
            if (user != null) {
                flagWicketSession(AuthenticationType.COOKIE);
                flagSession(httpRequest, AuthenticationType.COOKIE);
                logger.debug(MessageFormat.format("{0} authenticated by cookie from {1}",
                    user.username, httpRequest.getRemoteAddr()));
                return validateAuthentication(user, AuthenticationType.COOKIE);
@@ -277,7 +276,7 @@
                char[] password = values[1].toCharArray();
                user = authenticate(username, password);
                if (user != null) {
                    flagWicketSession(AuthenticationType.CREDENTIALS);
                    flagSession(httpRequest, AuthenticationType.CREDENTIALS);
                    logger.debug(MessageFormat.format("{0} authenticated by BASIC request header from {1}",
                            user.username, httpRequest.getRemoteAddr()));
                    return validateAuthentication(user, AuthenticationType.CREDENTIALS);
@@ -342,13 +341,8 @@
        return user;
    }
    protected void flagWicketSession(AuthenticationType authenticationType) {
        RequestCycle requestCycle = RequestCycle.get();
        if (requestCycle != null) {
            // flag the Wicket session, if this is a Wicket request
            GitBlitWebSession session = GitBlitWebSession.get();
            session.authenticationType = authenticationType;
        }
    protected void flagSession(HttpServletRequest httpRequest, AuthenticationType authenticationType) {
        httpRequest.getSession().setAttribute(Constants.AUTHENTICATION_TYPE, authenticationType);
    }
    /**
@@ -469,8 +463,9 @@
    @Override
    public void setCookie(HttpServletRequest request, HttpServletResponse response, UserModel user) {
        if (settings.getBoolean(Keys.web.allowCookieAuthentication, true)) {
            GitBlitWebSession session = GitBlitWebSession.get();
            boolean standardLogin = session.authenticationType.isStandard();
            HttpSession session = request.getSession();
            AuthenticationType authenticationType = (AuthenticationType) session.getAttribute(Constants.AUTHENTICATION_TYPE);
            boolean standardLogin = authenticationType.isStandard();
            if (standardLogin) {
                Cookie userCookie;
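Review bot: In setCookie the new line `AuthenticationType authenticationType = (AuthenticationType) session.getAttribute(Constants.AUTHENTICATION_TYPE);` is dereferenced on the next line by `authenticationType.isStandard()` with no null check, whereas the GitBlitWebSession field this replaces was initialised to CREDENTIALS in the removed constructor line, so any request that reaches setCookie on an HttpSession where flagSession has not run now throws NullPointerException instead of taking the standard-login branch. Restoring the old default explicitly keeps the previous behaviour: `if (authenticationType == null) { authenticationType = AuthenticationType.CREDENTIALS; }` right after the cast; the same unguarded cast recurs in RootPage in the navbar hunk (`boolean standardLogin = authenticationType.isStandard();`). Separately, flagSession calls `httpRequest.getSession()` on every successful path of authenticate(), including the BASIC and certificate branches that non-browser clients use, which creates a container session per cookie-less request where the removed flagWicketSession only acted inside an existing Wicket RequestCycle; `getSession(false)` with a null guard, or a comment stating that a session is intentionally created for these clients, would make that cost deliberate. The body of setCookie continues outside the hunk.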
src/main/java/com/gitblit/servlet/PtServlet.java
@@ -15,6 +15,7 @@
 */
package com.gitblit.servlet;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
@@ -31,7 +32,6 @@
import org.apache.commons.compress.archivers.zip.ZipArchiveOutputStream;
import org.apache.commons.compress.compressors.CompressorOutputStream;
import org.apache.commons.compress.compressors.CompressorStreamFactory;
import org.apache.wicket.util.io.ByteArrayOutputStream;
import org.eclipse.jgit.lib.FileMode;
import com.gitblit.dagger.DaggerServlet;
src/main/java/com/gitblit/utils/CompressionUtils.java
@@ -15,6 +15,7 @@
 */
package com.gitblit.utils;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.text.MessageFormat;
@@ -27,7 +28,6 @@
import org.apache.commons.compress.archivers.zip.ZipArchiveOutputStream;
import org.apache.commons.compress.compressors.CompressorException;
import org.apache.commons.compress.compressors.CompressorStreamFactory;
import org.apache.wicket.util.io.ByteArrayOutputStream;
import org.eclipse.jgit.lib.Constants;
import org.eclipse.jgit.lib.FileMode;
import org.eclipse.jgit.lib.MutableObjectId;
src/main/java/com/gitblit/wicket/GitBlitWebSession.java
@@ -30,7 +30,6 @@
import org.apache.wicket.protocol.http.WebSession;
import org.apache.wicket.protocol.http.request.WebClientInfo;
import com.gitblit.Constants.AuthenticationType;
import com.gitblit.models.UserModel;
public final class GitBlitWebSession extends WebSession {
@@ -47,12 +46,9 @@
    private AtomicBoolean isForking;
    public AuthenticationType authenticationType;
    public GitBlitWebSession(Request request) {
        super(request);
        isForking = new AtomicBoolean();
        authenticationType = AuthenticationType.CREDENTIALS;
    }
    @Override
src/main/java/com/gitblit/wicket/pages/RootPage.java
@@ -31,6 +31,9 @@
import java.util.concurrent.atomic.AtomicInteger;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.wicket.MarkupContainer;
import org.apache.wicket.PageParameters;
import org.apache.wicket.behavior.HeaderContributor;
@@ -50,6 +53,7 @@
import org.apache.wicket.protocol.http.WebResponse;
import com.gitblit.Constants;
import com.gitblit.Constants.AuthenticationType;
import com.gitblit.Keys;
import com.gitblit.extensions.NavLinkExtension;
import com.gitblit.extensions.UserMenuExtension;
@@ -262,19 +266,22 @@
    private void loginUser(UserModel user) {
        if (user != null) {
            HttpServletRequest request = ((WebRequest) getRequest()).getHttpServletRequest();
            HttpServletResponse response = ((WebResponse) getResponse()).getHttpServletResponse();
            // Set the user into the session
            GitBlitWebSession session = GitBlitWebSession.get();
            // issue 62: fix session fixation vulnerability
            session.replaceSession();
            session.setUser(user);
            request = ((WebRequest) getRequest()).getHttpServletRequest();
            response = ((WebResponse) getResponse()).getHttpServletResponse();
            request.getSession().setAttribute(Constants.AUTHENTICATION_TYPE, AuthenticationType.CREDENTIALS);
            // Set Cookie
            if (app().settings().getBoolean(Keys.web.allowCookieAuthentication, false)) {
                WebRequest request = (WebRequest) getRequestCycle().getRequest();
                WebResponse response = (WebResponse) getRequestCycle().getResponse();
                app().authentication().setCookie(request.getHttpServletRequest(),
                        response.getHttpServletResponse(), user);
            }
            app().authentication().setCookie(request, response, user);
            if (!session.continueRequest()) {
                PageParameters params = getPageParameters();
@@ -599,7 +606,9 @@
            GitBlitWebSession session = GitBlitWebSession.get();
            UserModel user = session.getUser();
            boolean editCredentials = app().authentication().supportsCredentialChanges(user);
            boolean standardLogin = session.authenticationType.isStandard();
            HttpServletRequest request = ((WebRequest) getRequest()).getHttpServletRequest();
            AuthenticationType authenticationType = (AuthenticationType) request.getSession().getAttribute(Constants.AUTHENTICATION_TYPE);
            boolean standardLogin = authenticationType.isStandard();
            if (app().settings().getBoolean(Keys.web.allowGravatar, true)) {
                add(new GravatarImage("username", user, "navbarGravatar", 20, false));
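Review bot: In loginUser the locals set by `HttpServletRequest request = ((WebRequest) getRequest()).getHttpServletRequest();` and the matching response line are overwritten by the two re-fetches placed after `session.replaceSession()` before either is read, so the first pair of assignments is dead code; either move the declarations below replaceSession(), or, if re-reading is deliberate because replaceSession() may swap the underlying servlet objects (not visible here), keep a single fetch after it with a comment such as `// re-read after replaceSession(): the servlet request/response may have been replaced`. In the navbar hunk the cast `AuthenticationType authenticationType = (AuthenticationType) request.getSession().getAttribute(Constants.AUTHENTICATION_TYPE);` is dereferenced unchecked; loginUser and SessionPage.login() on this page do store the attribute, but a session that holds a logged-in user without it would now fail to render the menu, so a null guard defaulting to CREDENTIALS would match the old GitBlitWebSession default. loginUser's body and the navbar block both extend beyond their hunks.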
src/main/java/com/gitblit/wicket/pages/SessionPage.java
@@ -1,112 +1,110 @@
/*
 * Copyright 2013 gitblit.com.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package com.gitblit.wicket.pages;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.wicket.PageParameters;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.protocol.http.WebRequest;
import org.apache.wicket.protocol.http.WebResponse;
import com.gitblit.Keys;
import com.gitblit.models.UserModel;
import com.gitblit.utils.StringUtils;
import com.gitblit.wicket.GitBlitWebApp;
import com.gitblit.wicket.GitBlitWebSession;
public abstract class SessionPage extends WebPage {
    public SessionPage() {
        super();
        login();
    }
    public SessionPage(final PageParameters params) {
        super(params);
        login();
    }
    protected String [] getEncodings() {
        return app().settings().getStrings(Keys.web.blobEncodings).toArray(new String[0]);
    }
    protected GitBlitWebApp app() {
        return GitBlitWebApp.get();
    }
    private void login() {
        GitBlitWebSession session = GitBlitWebSession.get();
        if (session.isLoggedIn() && !session.isSessionInvalidated()) {
            // already have a session, refresh usermodel to pick up
            // any changes to permissions or roles (issue-186)
            UserModel user = app().users().getUserModel(session.getUser().username);
            if (user == null || user.disabled) {
                // user was deleted/disabled during session
                HttpServletRequest request = ((WebRequest) getRequestCycle().getRequest())
                        .getHttpServletRequest();
                HttpServletResponse response = ((WebResponse) getRequestCycle().getResponse())
                        .getHttpServletResponse();
                app().authentication().logout(request, response, user);
                session.setUser(null);
                session.invalidateNow();
                return;
            }
            // validate cookie during session (issue-361)
            if (user != null && app().settings().getBoolean(Keys.web.allowCookieAuthentication, true)) {
                HttpServletRequest request = ((WebRequest) getRequestCycle().getRequest())
                        .getHttpServletRequest();
                String requestCookie = app().authentication().getCookie(request);
                if (!StringUtils.isEmpty(requestCookie) && !StringUtils.isEmpty(user.cookie)) {
                    if (!requestCookie.equals(user.cookie)) {
                        // cookie was changed during our session
                        HttpServletResponse response = ((WebResponse) getRequestCycle().getResponse())
                                .getHttpServletResponse();
                        app().authentication().logout(request, response, user);
                        session.setUser(null);
                        session.invalidateNow();
                        return;
                    }
                }
            }
            session.setUser(user);
            return;
        }
        // try to authenticate by servlet request
        HttpServletRequest httpRequest = ((WebRequest) getRequestCycle().getRequest())
                .getHttpServletRequest();
        UserModel user = app().authentication().authenticate(httpRequest);
        // Login the user
        if (user != null) {
            // issue 62: fix session fixation vulnerability
            session.replaceSession();
            session.setUser(user);
            // Set Cookie
            WebRequest request = (WebRequest) getRequestCycle().getRequest();
            WebResponse response = (WebResponse) getRequestCycle().getResponse();
            app().authentication().setCookie(request.getHttpServletRequest(),
                    response.getHttpServletResponse(), user);
            session.continueRequest();
        }
    }
}
/*
 * Copyright 2013 gitblit.com.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package com.gitblit.wicket.pages;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.wicket.PageParameters;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.protocol.http.WebRequest;
import org.apache.wicket.protocol.http.WebResponse;
import com.gitblit.Constants;
import com.gitblit.Constants.AuthenticationType;
import com.gitblit.Keys;
import com.gitblit.models.UserModel;
import com.gitblit.utils.StringUtils;
import com.gitblit.wicket.GitBlitWebApp;
import com.gitblit.wicket.GitBlitWebSession;
public abstract class SessionPage extends WebPage {
    public SessionPage() {
        super();
        login();
    }
    public SessionPage(final PageParameters params) {
        super(params);
        login();
    }
    protected String [] getEncodings() {
        return app().settings().getStrings(Keys.web.blobEncodings).toArray(new String[0]);
    }
    protected GitBlitWebApp app() {
        return GitBlitWebApp.get();
    }
    private void login() {
        GitBlitWebSession session = GitBlitWebSession.get();
        HttpServletRequest request = ((WebRequest) getRequest()).getHttpServletRequest();
        HttpServletResponse response = ((WebResponse) getResponse()).getHttpServletResponse();
        if (session.isLoggedIn() && !session.isSessionInvalidated()) {
            // already have a session, refresh usermodel to pick up
            // any changes to permissions or roles (issue-186)
            UserModel user = app().users().getUserModel(session.getUser().username);
            if (user == null || user.disabled) {
                // user was deleted/disabled during session
                app().authentication().logout(request, response, user);
                session.setUser(null);
                session.invalidateNow();
                return;
            }
            // validate cookie during session (issue-361)
            if (user != null && app().settings().getBoolean(Keys.web.allowCookieAuthentication, true)) {
                String requestCookie = app().authentication().getCookie(request);
                if (!StringUtils.isEmpty(requestCookie) && !StringUtils.isEmpty(user.cookie)) {
                    if (!requestCookie.equals(user.cookie)) {
                        // cookie was changed during our session
                        app().authentication().logout(request, response, user);
                        session.setUser(null);
                        session.invalidateNow();
                        return;
                    }
                }
            }
            session.setUser(user);
            return;
        }
        // try to authenticate by servlet request
        UserModel user = app().authentication().authenticate(request);
        // Login the user
        if (user != null) {
            // preserve the authentication type across session replacement
            AuthenticationType authenticationType = (AuthenticationType) request.getSession()
                    .getAttribute(Constants.AUTHENTICATION_TYPE);
            // issue 62: fix session fixation vulnerability
            session.replaceSession();
            session.setUser(user);
            request.getSession().setAttribute(Constants.AUTHENTICATION_TYPE, authenticationType);
            // Set Cookie
            app().authentication().setCookie(request, response, user);
            session.continueRequest();
        }
    }
}
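Review bot: login() is undocumented although it now has three distinct outcomes (refresh an existing session and force logout when the user is gone, disabled, or the cookie changed; authenticate a fresh request and replace the session; or leave the request anonymous), so a Javadoc on `private void login()` summarising those branches, noting that both constructors call it, and collecting the issue-62/186/361 references already scattered through the body comments would help the next reader. The attribute round-trip around `session.replaceSession()` — read via `request.getSession().getAttribute(Constants.AUTHENTICATION_TYPE)` before and written back with `request.getSession().setAttribute(Constants.AUTHENTICATION_TYPE, authenticationType);` after — only achieves its stated purpose if replaceSession() leaves `request.getSession()` resolving to the new container session, which I cannot verify from this page; a one-line comment at the write stating that assumption would make the dependency explicit. The value written back is null whenever the authenticating path did not flag the session, and the following `setCookie(request, response, user)` call dereferences it, so a CREDENTIALS default before the write would be the defensive choice.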