From efdb2b3d0c6f03a9aac9e65892cbc8ff755f246f Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Tue, 30 Sep 2014 12:40:12 -0400
Subject: [PATCH] Remove Wicket references from non-Wicket packages

---
 src/main/java/com/gitblit/servlet/PtServlet.java             |    2 
 src/main/java/com/gitblit/auth/RedmineAuthProvider.java      |    2 
 src/main/java/com/gitblit/wicket/pages/SessionPage.java      |  222 ++++++++++++++++++++++----------------------
 src/main/java/com/gitblit/wicket/GitBlitWebSession.java      |    4 
 src/main/java/com/gitblit/Constants.java                     |    2 
 src/main/java/com/gitblit/manager/AuthenticationManager.java |   27 ++---
 src/main/java/com/gitblit/utils/CompressionUtils.java        |    2 
 src/main/java/com/gitblit/wicket/pages/RootPage.java         |   23 +++-
 8 files changed, 142 insertions(+), 142 deletions(-)

diff --git a/src/main/java/com/gitblit/Constants.java b/src/main/java/com/gitblit/Constants.java
index 3e30753..fa8af25 100644
--- a/src/main/java/com/gitblit/Constants.java
+++ b/src/main/java/com/gitblit/Constants.java
@@ -130,6 +130,8 @@
 
 	public static final String DEVELOP = "develop";
 
+	public static final String AUTHENTICATION_TYPE = "authentication-type";
+
 	public static String getVersion() {
 		String v = Constants.class.getPackage().getImplementationVersion();
 		if (v == null) {
diff --git a/src/main/java/com/gitblit/auth/RedmineAuthProvider.java b/src/main/java/com/gitblit/auth/RedmineAuthProvider.java
index e505a54..ae4f28e 100644
--- a/src/main/java/com/gitblit/auth/RedmineAuthProvider.java
+++ b/src/main/java/com/gitblit/auth/RedmineAuthProvider.java
@@ -19,7 +19,7 @@
 import java.io.InputStreamReader;
 import java.net.HttpURLConnection;
 
-import org.apache.wicket.util.io.IOUtils;
+import org.apache.commons.io.IOUtils;
 
 import com.gitblit.Constants;
 import com.gitblit.Constants.AccountType;
diff --git a/src/main/java/com/gitblit/manager/AuthenticationManager.java b/src/main/java/com/gitblit/manager/AuthenticationManager.java
index bc1857b..f98f7b6 100644
--- a/src/main/java/com/gitblit/manager/AuthenticationManager.java
+++ b/src/main/java/com/gitblit/manager/AuthenticationManager.java
@@ -27,8 +27,8 @@
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
 
-import org.apache.wicket.RequestCycle;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -52,7 +52,6 @@
 import com.gitblit.utils.HttpUtils;
 import com.gitblit.utils.StringUtils;
 import com.gitblit.utils.X509Utils.X509Metadata;
-import com.gitblit.wicket.GitBlitWebSession;
 
 /**
  * The authentication manager handles user login & logout.
@@ -200,7 +199,7 @@
 					UserModel user = userManager.getUserModel(username);
 					if (user != null) {
 						// existing user
-						flagWicketSession(AuthenticationType.CONTAINER);
+						flagSession(httpRequest, AuthenticationType.CONTAINER);
 						logger.debug(MessageFormat.format("{0} authenticated by servlet container principal from {1}",
 								user.username, httpRequest.getRemoteAddr()));
 						return validateAuthentication(user, AuthenticationType.CONTAINER);
@@ -212,7 +211,7 @@
 						user.password = Constants.EXTERNAL_ACCOUNT;
 						user.accountType = AccountType.CONTAINER;
 						userManager.updateUserModel(user);
-						flagWicketSession(AuthenticationType.CONTAINER);
+						flagSession(httpRequest, AuthenticationType.CONTAINER);
 						logger.debug(MessageFormat.format("{0} authenticated and created by servlet container principal from {1}",
 								user.username, httpRequest.getRemoteAddr()));
 						return validateAuthentication(user, AuthenticationType.CONTAINER);
@@ -233,7 +232,7 @@
 			UserModel user = userManager.getUserModel(model.username);
 			X509Metadata metadata = HttpUtils.getCertificateMetadata(httpRequest);
 			if (user != null) {
-				flagWicketSession(AuthenticationType.CERTIFICATE);
+				flagSession(httpRequest, AuthenticationType.CERTIFICATE);
 				logger.debug(MessageFormat.format("{0} authenticated by client certificate {1} from {2}",
 						user.username, metadata.serialNumber, httpRequest.getRemoteAddr()));
 				return validateAuthentication(user, AuthenticationType.CERTIFICATE);
@@ -255,7 +254,7 @@
 		if (!StringUtils.isEmpty(cookie)) {
 			user = userManager.getUserModel(cookie.toCharArray());
 			if (user != null) {
-				flagWicketSession(AuthenticationType.COOKIE);
+				flagSession(httpRequest, AuthenticationType.COOKIE);
 				logger.debug(MessageFormat.format("{0} authenticated by cookie from {1}",
 					user.username, httpRequest.getRemoteAddr()));
 				return validateAuthentication(user, AuthenticationType.COOKIE);
@@ -277,7 +276,7 @@
 				char[] password = values[1].toCharArray();
 				user = authenticate(username, password);
 				if (user != null) {
-					flagWicketSession(AuthenticationType.CREDENTIALS);
+					flagSession(httpRequest, AuthenticationType.CREDENTIALS);
 					logger.debug(MessageFormat.format("{0} authenticated by BASIC request header from {1}",
 							user.username, httpRequest.getRemoteAddr()));
 					return validateAuthentication(user, AuthenticationType.CREDENTIALS);
@@ -342,13 +341,8 @@
 		return user;
 	}
 
-	protected void flagWicketSession(AuthenticationType authenticationType) {
-		RequestCycle requestCycle = RequestCycle.get();
-		if (requestCycle != null) {
-			// flag the Wicket session, if this is a Wicket request
-			GitBlitWebSession session = GitBlitWebSession.get();
-			session.authenticationType = authenticationType;
-		}
+	protected void flagSession(HttpServletRequest httpRequest, AuthenticationType authenticationType) {
+		httpRequest.getSession().setAttribute(Constants.AUTHENTICATION_TYPE, authenticationType);
 	}
 
 	/**
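Review bot: `flagSession` calls `httpRequest.getSession()`, which creates a session when the request has none, whereas the removed `flagWicketSession` did nothing outside a Wicket request cycle. If non-browser clients reach these paths (the BASIC-header and client-certificate branches suggest they can), a client that never returns the session cookie would leave one idle session per request until it times out. If that is not intended, flag only an existing session with `HttpSession session = httpRequest.getSession(false);` and `if (session != null) session.setAttribute(Constants.AUTHENTICATION_TYPE, authenticationType);`. The readers of the attribute would then have to tolerate it being absent. Either way, a Javadoc line on `flagSession` stating whether it may create a session would help.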
@@ -469,8 +463,9 @@
 	@Override
 	public void setCookie(HttpServletRequest request, HttpServletResponse response, UserModel user) {
 		if (settings.getBoolean(Keys.web.allowCookieAuthentication, true)) {
-			GitBlitWebSession session = GitBlitWebSession.get();
-			boolean standardLogin = session.authenticationType.isStandard();
+			HttpSession session = request.getSession();
+			AuthenticationType authenticationType = (AuthenticationType) session.getAttribute(Constants.AUTHENTICATION_TYPE);
+			boolean standardLogin = authenticationType.isStandard();
 
 			if (standardLogin) {
 				Cookie userCookie;
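Review bot: `authenticationType.isStandard()` dereferences the session attribute without a null check, and this commit also removes the `AuthenticationType.CREDENTIALS` default from the `GitBlitWebSession` constructor. Any caller of `setCookie` whose session was never flagged would now hit a NullPointerException in the login path. Restoring the old default keeps the previous behaviour: `if (authenticationType == null) { authenticationType = AuthenticationType.CREDENTIALS; }`. The same unchecked read appears in the RootPage.java hunk at `@@ -599,7 +606,9 @@`, and `SessionPage.login()` copies a possibly null value onto the new session before calling `setCookie`. The body of `setCookie` continues past the end of this hunk.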
diff --git a/src/main/java/com/gitblit/servlet/PtServlet.java b/src/main/java/com/gitblit/servlet/PtServlet.java
index e9cbaa5..f69b444 100644
--- a/src/main/java/com/gitblit/servlet/PtServlet.java
+++ b/src/main/java/com/gitblit/servlet/PtServlet.java
@@ -15,6 +15,7 @@
  */
 package com.gitblit.servlet;
 
+import java.io.ByteArrayOutputStream;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
@@ -31,7 +32,6 @@
 import org.apache.commons.compress.archivers.zip.ZipArchiveOutputStream;
 import org.apache.commons.compress.compressors.CompressorOutputStream;
 import org.apache.commons.compress.compressors.CompressorStreamFactory;
-import org.apache.wicket.util.io.ByteArrayOutputStream;
 import org.eclipse.jgit.lib.FileMode;
 
 import com.gitblit.dagger.DaggerServlet;
diff --git a/src/main/java/com/gitblit/utils/CompressionUtils.java b/src/main/java/com/gitblit/utils/CompressionUtils.java
index 2bf1f13..d4bfbb3 100644
--- a/src/main/java/com/gitblit/utils/CompressionUtils.java
+++ b/src/main/java/com/gitblit/utils/CompressionUtils.java
@@ -15,6 +15,7 @@
  */
 package com.gitblit.utils;
 
+import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.OutputStream;
 import java.text.MessageFormat;
@@ -27,7 +28,6 @@
 import org.apache.commons.compress.archivers.zip.ZipArchiveOutputStream;
 import org.apache.commons.compress.compressors.CompressorException;
 import org.apache.commons.compress.compressors.CompressorStreamFactory;
-import org.apache.wicket.util.io.ByteArrayOutputStream;
 import org.eclipse.jgit.lib.Constants;
 import org.eclipse.jgit.lib.FileMode;
 import org.eclipse.jgit.lib.MutableObjectId;
diff --git a/src/main/java/com/gitblit/wicket/GitBlitWebSession.java b/src/main/java/com/gitblit/wicket/GitBlitWebSession.java
index b26a111..31ccf1f 100644
--- a/src/main/java/com/gitblit/wicket/GitBlitWebSession.java
+++ b/src/main/java/com/gitblit/wicket/GitBlitWebSession.java
@@ -30,7 +30,6 @@
 import org.apache.wicket.protocol.http.WebSession;
 import org.apache.wicket.protocol.http.request.WebClientInfo;
 
-import com.gitblit.Constants.AuthenticationType;
 import com.gitblit.models.UserModel;
 
 public final class GitBlitWebSession extends WebSession {
@@ -47,12 +46,9 @@
 
 	private AtomicBoolean isForking;
 
-	public AuthenticationType authenticationType;
-
 	public GitBlitWebSession(Request request) {
 		super(request);
 		isForking = new AtomicBoolean();
-		authenticationType = AuthenticationType.CREDENTIALS;
 	}
 
 	@Override
diff --git a/src/main/java/com/gitblit/wicket/pages/RootPage.java b/src/main/java/com/gitblit/wicket/pages/RootPage.java
index 43de3b9..c4d4dd1 100644
--- a/src/main/java/com/gitblit/wicket/pages/RootPage.java
+++ b/src/main/java/com/gitblit/wicket/pages/RootPage.java
@@ -31,6 +31,9 @@
 import java.util.concurrent.atomic.AtomicInteger;
 import java.util.regex.Pattern;
 
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
 import org.apache.wicket.MarkupContainer;
 import org.apache.wicket.PageParameters;
 import org.apache.wicket.behavior.HeaderContributor;
@@ -50,6 +53,7 @@
 import org.apache.wicket.protocol.http.WebResponse;
 
 import com.gitblit.Constants;
+import com.gitblit.Constants.AuthenticationType;
 import com.gitblit.Keys;
 import com.gitblit.extensions.NavLinkExtension;
 import com.gitblit.extensions.UserMenuExtension;
@@ -262,19 +266,22 @@
 
 	private void loginUser(UserModel user) {
 		if (user != null) {
+			HttpServletRequest request = ((WebRequest) getRequest()).getHttpServletRequest();
+			HttpServletResponse response = ((WebResponse) getResponse()).getHttpServletResponse();
+
 			// Set the user into the session
 			GitBlitWebSession session = GitBlitWebSession.get();
+
 			// issue 62: fix session fixation vulnerability
 			session.replaceSession();
 			session.setUser(user);
 
+			request = ((WebRequest) getRequest()).getHttpServletRequest();
+			response = ((WebResponse) getResponse()).getHttpServletResponse();
+			request.getSession().setAttribute(Constants.AUTHENTICATION_TYPE, AuthenticationType.CREDENTIALS);
+
 			// Set Cookie
-			if (app().settings().getBoolean(Keys.web.allowCookieAuthentication, false)) {
-				WebRequest request = (WebRequest) getRequestCycle().getRequest();
-				WebResponse response = (WebResponse) getRequestCycle().getResponse();
-				app().authentication().setCookie(request.getHttpServletRequest(),
-						response.getHttpServletResponse(), user);
-			}
+			app().authentication().setCookie(request, response, user);
 
 			if (!session.continueRequest()) {
 				PageParameters params = getPageParameters();
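Review bot: Removing the `Keys.web.allowCookieAuthentication` guard changes the effective default when the key is unset. This call site used `false`, while `setCookie` in AuthenticationManager checks the same key with `true`, so a deployment without the key would start issuing the login cookie. If that is intended it deserves a line in the commit message; otherwise the two defaults should be aligned. Separately, `request` and `response` are assigned twice from the same expressions, before and after `session.replaceSession()`; one assignment appears to suffice, and if the re-read is deliberate a comment such as `// re-read after replaceSession()` would say so. `loginUser` continues past the end of this hunk.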
@@ -599,7 +606,9 @@
 			GitBlitWebSession session = GitBlitWebSession.get();
 			UserModel user = session.getUser();
 			boolean editCredentials = app().authentication().supportsCredentialChanges(user);
-			boolean standardLogin = session.authenticationType.isStandard();
+			HttpServletRequest request = ((WebRequest) getRequest()).getHttpServletRequest();
+			AuthenticationType authenticationType = (AuthenticationType) request.getSession().getAttribute(Constants.AUTHENTICATION_TYPE);
+			boolean standardLogin = authenticationType.isStandard();
 
 			if (app().settings().getBoolean(Keys.web.allowGravatar, true)) {
 				add(new GravatarImage("username", user, "navbarGravatar", 20, false));
diff --git a/src/main/java/com/gitblit/wicket/pages/SessionPage.java b/src/main/java/com/gitblit/wicket/pages/SessionPage.java
index 7717854..0dda949 100644
--- a/src/main/java/com/gitblit/wicket/pages/SessionPage.java
+++ b/src/main/java/com/gitblit/wicket/pages/SessionPage.java
@@ -1,112 +1,110 @@
-/*
- * Copyright 2013 gitblit.com.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package com.gitblit.wicket.pages;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.apache.wicket.PageParameters;
-import org.apache.wicket.markup.html.WebPage;
-import org.apache.wicket.protocol.http.WebRequest;
-import org.apache.wicket.protocol.http.WebResponse;
-
-import com.gitblit.Keys;
-import com.gitblit.models.UserModel;
-import com.gitblit.utils.StringUtils;
-import com.gitblit.wicket.GitBlitWebApp;
-import com.gitblit.wicket.GitBlitWebSession;
-
-public abstract class SessionPage extends WebPage {
-
-	public SessionPage() {
-		super();
-		login();
-	}
-
-	public SessionPage(final PageParameters params) {
-		super(params);
-		login();
-	}
-
-	protected String [] getEncodings() {
-		return app().settings().getStrings(Keys.web.blobEncodings).toArray(new String[0]);
-	}
-
-	protected GitBlitWebApp app() {
-		return GitBlitWebApp.get();
-	}
-
-	private void login() {
-		GitBlitWebSession session = GitBlitWebSession.get();
-		if (session.isLoggedIn() && !session.isSessionInvalidated()) {
-			// already have a session, refresh usermodel to pick up
-			// any changes to permissions or roles (issue-186)
-			UserModel user = app().users().getUserModel(session.getUser().username);
-
-			if (user == null || user.disabled) {
-				// user was deleted/disabled during session
-				HttpServletRequest request = ((WebRequest) getRequestCycle().getRequest())
-						.getHttpServletRequest();
-				HttpServletResponse response = ((WebResponse) getRequestCycle().getResponse())
-						.getHttpServletResponse();
-				app().authentication().logout(request, response, user);
-				session.setUser(null);
-				session.invalidateNow();
-				return;
-			}
-
-			// validate cookie during session (issue-361)
-			if (user != null && app().settings().getBoolean(Keys.web.allowCookieAuthentication, true)) {
-				HttpServletRequest request = ((WebRequest) getRequestCycle().getRequest())
-						.getHttpServletRequest();
-				String requestCookie = app().authentication().getCookie(request);
-				if (!StringUtils.isEmpty(requestCookie) && !StringUtils.isEmpty(user.cookie)) {
-					if (!requestCookie.equals(user.cookie)) {
-						// cookie was changed during our session
-						HttpServletResponse response = ((WebResponse) getRequestCycle().getResponse())
-								.getHttpServletResponse();
-						app().authentication().logout(request, response, user);
-						session.setUser(null);
-						session.invalidateNow();
-						return;
-					}
-				}
-			}
-			session.setUser(user);
-			return;
-		}
-
-		// try to authenticate by servlet request
-		HttpServletRequest httpRequest = ((WebRequest) getRequestCycle().getRequest())
-				.getHttpServletRequest();
-		UserModel user = app().authentication().authenticate(httpRequest);
-
-		// Login the user
-		if (user != null) {
-			// issue 62: fix session fixation vulnerability
-			session.replaceSession();
-			session.setUser(user);
-
-			// Set Cookie
-			WebRequest request = (WebRequest) getRequestCycle().getRequest();
-			WebResponse response = (WebResponse) getRequestCycle().getResponse();
-			app().authentication().setCookie(request.getHttpServletRequest(),
-					response.getHttpServletResponse(), user);
-
-			session.continueRequest();
-		}
-	}
-}
+/*
+ * Copyright 2013 gitblit.com.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gitblit.wicket.pages;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.wicket.PageParameters;
+import org.apache.wicket.markup.html.WebPage;
+import org.apache.wicket.protocol.http.WebRequest;
+import org.apache.wicket.protocol.http.WebResponse;
+
+import com.gitblit.Constants;
+import com.gitblit.Constants.AuthenticationType;
+import com.gitblit.Keys;
+import com.gitblit.models.UserModel;
+import com.gitblit.utils.StringUtils;
+import com.gitblit.wicket.GitBlitWebApp;
+import com.gitblit.wicket.GitBlitWebSession;
+
+public abstract class SessionPage extends WebPage {
+
+	public SessionPage() {
+		super();
+		login();
+	}
+
+	public SessionPage(final PageParameters params) {
+		super(params);
+		login();
+	}
+
+	protected String [] getEncodings() {
+		return app().settings().getStrings(Keys.web.blobEncodings).toArray(new String[0]);
+	}
+
+	protected GitBlitWebApp app() {
+		return GitBlitWebApp.get();
+	}
+
+	private void login() {
+		GitBlitWebSession session = GitBlitWebSession.get();
+		HttpServletRequest request = ((WebRequest) getRequest()).getHttpServletRequest();
+		HttpServletResponse response = ((WebResponse) getResponse()).getHttpServletResponse();
+
+		if (session.isLoggedIn() && !session.isSessionInvalidated()) {
+			// already have a session, refresh usermodel to pick up
+			// any changes to permissions or roles (issue-186)
+			UserModel user = app().users().getUserModel(session.getUser().username);
+
+			if (user == null || user.disabled) {
+				// user was deleted/disabled during session
+				app().authentication().logout(request, response, user);
+				session.setUser(null);
+				session.invalidateNow();
+				return;
+			}
+
+			// validate cookie during session (issue-361)
+			if (user != null && app().settings().getBoolean(Keys.web.allowCookieAuthentication, true)) {
+				String requestCookie = app().authentication().getCookie(request);
+				if (!StringUtils.isEmpty(requestCookie) && !StringUtils.isEmpty(user.cookie)) {
+					if (!requestCookie.equals(user.cookie)) {
+						// cookie was changed during our session
+						app().authentication().logout(request, response, user);
+						session.setUser(null);
+						session.invalidateNow();
+						return;
+					}
+				}
+			}
+			session.setUser(user);
+			return;
+		}
+
+		// try to authenticate by servlet request
+		UserModel user = app().authentication().authenticate(request);
+
+		// Login the user
+		if (user != null) {
+			// preserve the authentication type across session replacement
+			AuthenticationType authenticationType = (AuthenticationType) request.getSession()
+					.getAttribute(Constants.AUTHENTICATION_TYPE);
+
+			// issue 62: fix session fixation vulnerability
+			session.replaceSession();
+			session.setUser(user);
+
+			request.getSession().setAttribute(Constants.AUTHENTICATION_TYPE, authenticationType);
+
+			// Set Cookie
+			app().authentication().setCookie(request, response, user);
+
+			session.continueRequest();
+		}
+	}
+}
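Review bot: This hunk replaces every line of SessionPage.java although the visible logic change is confined to `login()`: the hoisted `request`/`response` locals and the `AUTHENTICATION_TYPE` copy around `session.replaceSession()`. The remaining lines look textually identical on both sides, which suggests a line-ending or whitespace normalisation. Moving that into its own commit would keep the authentication change reviewable. The new comment could also say where the value comes from, presumably `// authenticate() stored the type on the pre-login session; copy it to the session created by replaceSession()`.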

--
Gitblit v1.9.1