From efdb2b3d0c6f03a9aac9e65892cbc8ff755f246f Mon Sep 17 00:00:00 2001 From: James Moger Date: Thu, 3 Jul 2014 20:19:39 -0400 Subject: [PATCH] Remove Wicket references from non-Wicket packages --- src/main/java/com/gitblit/Constants.java | 2 + .../com/gitblit/auth/RedmineAuthProvider.java | 2 +- .../manager/AuthenticationManager.java | 27 +-- .../java/com/gitblit/servlet/PtServlet.java | 2 +- .../com/gitblit/utils/CompressionUtils.java | 2 +- .../com/gitblit/wicket/GitBlitWebSession.java | 4 - .../com/gitblit/wicket/pages/RootPage.java | 23 +- .../com/gitblit/wicket/pages/SessionPage.java | 222 +++++++++--------- 8 files changed, 142 insertions(+), 142 deletions(-) diff --git a/src/main/java/com/gitblit/Constants.java b/src/main/java/com/gitblit/Constants.java index 3e307537..fa8af25f 100644 --- a/src/main/java/com/gitblit/Constants.java +++ b/src/main/java/com/gitblit/Constants.java @@ -130,6 +130,8 @@ public class Constants { public static final String DEVELOP = "develop"; + public static final String AUTHENTICATION_TYPE = "authentication-type"; + public static String getVersion() { String v = Constants.class.getPackage().getImplementationVersion(); if (v == null) { diff --git a/src/main/java/com/gitblit/auth/RedmineAuthProvider.java b/src/main/java/com/gitblit/auth/RedmineAuthProvider.java index e505a54d..ae4f28ed 100644 --- a/src/main/java/com/gitblit/auth/RedmineAuthProvider.java +++ b/src/main/java/com/gitblit/auth/RedmineAuthProvider.java @@ -19,7 +19,7 @@ import java.io.IOException; import java.io.InputStreamReader; import java.net.HttpURLConnection; -import org.apache.wicket.util.io.IOUtils; +import org.apache.commons.io.IOUtils; import com.gitblit.Constants; import com.gitblit.Constants.AccountType; diff --git a/src/main/java/com/gitblit/manager/AuthenticationManager.java b/src/main/java/com/gitblit/manager/AuthenticationManager.java index bc1857bc..f98f7b64 100644 --- a/src/main/java/com/gitblit/manager/AuthenticationManager.java +++ b/src/main/java/com/gitblit/manager/AuthenticationManager.java @@ -27,8 +27,8 @@ import java.util.concurrent.TimeUnit; import javax.servlet.http.Cookie; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import javax.servlet.http.HttpSession; -import org.apache.wicket.RequestCycle; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -52,7 +52,6 @@ import com.gitblit.utils.Base64; import com.gitblit.utils.HttpUtils; import com.gitblit.utils.StringUtils; import com.gitblit.utils.X509Utils.X509Metadata; -import com.gitblit.wicket.GitBlitWebSession; /** * The authentication manager handles user login & logout. @@ -200,7 +199,7 @@ public class AuthenticationManager implements IAuthenticationManager { UserModel user = userManager.getUserModel(username); if (user != null) { // existing user - flagWicketSession(AuthenticationType.CONTAINER); + flagSession(httpRequest, AuthenticationType.CONTAINER); logger.debug(MessageFormat.format("{0} authenticated by servlet container principal from {1}", user.username, httpRequest.getRemoteAddr())); return validateAuthentication(user, AuthenticationType.CONTAINER); @@ -212,7 +211,7 @@ public class AuthenticationManager implements IAuthenticationManager { user.password = Constants.EXTERNAL_ACCOUNT; user.accountType = AccountType.CONTAINER; userManager.updateUserModel(user); - flagWicketSession(AuthenticationType.CONTAINER); + flagSession(httpRequest, AuthenticationType.CONTAINER); logger.debug(MessageFormat.format("{0} authenticated and created by servlet container principal from {1}", user.username, httpRequest.getRemoteAddr())); return validateAuthentication(user, AuthenticationType.CONTAINER); @@ -233,7 +232,7 @@ public class AuthenticationManager implements IAuthenticationManager { UserModel user = userManager.getUserModel(model.username); X509Metadata metadata = HttpUtils.getCertificateMetadata(httpRequest); if (user != null) { - flagWicketSession(AuthenticationType.CERTIFICATE); + flagSession(httpRequest, AuthenticationType.CERTIFICATE); logger.debug(MessageFormat.format("{0} authenticated by client certificate {1} from {2}", user.username, metadata.serialNumber, httpRequest.getRemoteAddr())); return validateAuthentication(user, AuthenticationType.CERTIFICATE); @@ -255,7 +254,7 @@ public class AuthenticationManager implements IAuthenticationManager { if (!StringUtils.isEmpty(cookie)) { user = userManager.getUserModel(cookie.toCharArray()); if (user != null) { - flagWicketSession(AuthenticationType.COOKIE); + flagSession(httpRequest, AuthenticationType.COOKIE); logger.debug(MessageFormat.format("{0} authenticated by cookie from {1}", user.username, httpRequest.getRemoteAddr())); return validateAuthentication(user, AuthenticationType.COOKIE); @@ -277,7 +276,7 @@ public class AuthenticationManager implements IAuthenticationManager { char[] password = values[1].toCharArray(); user = authenticate(username, password); if (user != null) { - flagWicketSession(AuthenticationType.CREDENTIALS); + flagSession(httpRequest, AuthenticationType.CREDENTIALS); logger.debug(MessageFormat.format("{0} authenticated by BASIC request header from {1}", user.username, httpRequest.getRemoteAddr())); return validateAuthentication(user, AuthenticationType.CREDENTIALS); @@ -342,13 +341,8 @@ public class AuthenticationManager implements IAuthenticationManager { return user; } - protected void flagWicketSession(AuthenticationType authenticationType) { - RequestCycle requestCycle = RequestCycle.get(); - if (requestCycle != null) { - // flag the Wicket session, if this is a Wicket request - GitBlitWebSession session = GitBlitWebSession.get(); - session.authenticationType = authenticationType; - } + protected void flagSession(HttpServletRequest httpRequest, AuthenticationType authenticationType) { + httpRequest.getSession().setAttribute(Constants.AUTHENTICATION_TYPE, authenticationType); } /** @@ -469,8 +463,9 @@ public class AuthenticationManager implements IAuthenticationManager { @Override public void setCookie(HttpServletRequest request, HttpServletResponse response, UserModel user) { if (settings.getBoolean(Keys.web.allowCookieAuthentication, true)) { - GitBlitWebSession session = GitBlitWebSession.get(); - boolean standardLogin = session.authenticationType.isStandard(); + HttpSession session = request.getSession(); + AuthenticationType authenticationType = (AuthenticationType) session.getAttribute(Constants.AUTHENTICATION_TYPE); + boolean standardLogin = authenticationType.isStandard(); if (standardLogin) { Cookie userCookie; diff --git a/src/main/java/com/gitblit/servlet/PtServlet.java b/src/main/java/com/gitblit/servlet/PtServlet.java index e9cbaa5b..f69b444d 100644 --- a/src/main/java/com/gitblit/servlet/PtServlet.java +++ b/src/main/java/com/gitblit/servlet/PtServlet.java @@ -15,6 +15,7 @@ */ package com.gitblit.servlet; +import java.io.ByteArrayOutputStream; import java.io.File; import java.io.FileInputStream; import java.io.IOException; @@ -31,7 +32,6 @@ import org.apache.commons.compress.archivers.zip.ZipArchiveEntry; import org.apache.commons.compress.archivers.zip.ZipArchiveOutputStream; import org.apache.commons.compress.compressors.CompressorOutputStream; import org.apache.commons.compress.compressors.CompressorStreamFactory; -import org.apache.wicket.util.io.ByteArrayOutputStream; import org.eclipse.jgit.lib.FileMode; import com.gitblit.dagger.DaggerServlet; diff --git a/src/main/java/com/gitblit/utils/CompressionUtils.java b/src/main/java/com/gitblit/utils/CompressionUtils.java index 2bf1f130..d4bfbb34 100644 --- a/src/main/java/com/gitblit/utils/CompressionUtils.java +++ b/src/main/java/com/gitblit/utils/CompressionUtils.java @@ -15,6 +15,7 @@ */ package com.gitblit.utils; +import java.io.ByteArrayOutputStream; import java.io.IOException; import java.io.OutputStream; import java.text.MessageFormat; @@ -27,7 +28,6 @@ import org.apache.commons.compress.archivers.zip.ZipArchiveEntry; import org.apache.commons.compress.archivers.zip.ZipArchiveOutputStream; import org.apache.commons.compress.compressors.CompressorException; import org.apache.commons.compress.compressors.CompressorStreamFactory; -import org.apache.wicket.util.io.ByteArrayOutputStream; import org.eclipse.jgit.lib.Constants; import org.eclipse.jgit.lib.FileMode; import org.eclipse.jgit.lib.MutableObjectId; diff --git a/src/main/java/com/gitblit/wicket/GitBlitWebSession.java b/src/main/java/com/gitblit/wicket/GitBlitWebSession.java index b26a1118..31ccf1f5 100644 --- a/src/main/java/com/gitblit/wicket/GitBlitWebSession.java +++ b/src/main/java/com/gitblit/wicket/GitBlitWebSession.java @@ -30,7 +30,6 @@ import org.apache.wicket.protocol.http.WebRequestCycle; import org.apache.wicket.protocol.http.WebSession; import org.apache.wicket.protocol.http.request.WebClientInfo; -import com.gitblit.Constants.AuthenticationType; import com.gitblit.models.UserModel; public final class GitBlitWebSession extends WebSession { @@ -47,12 +46,9 @@ public final class GitBlitWebSession extends WebSession { private AtomicBoolean isForking; - public AuthenticationType authenticationType; - public GitBlitWebSession(Request request) { super(request); isForking = new AtomicBoolean(); - authenticationType = AuthenticationType.CREDENTIALS; } @Override diff --git a/src/main/java/com/gitblit/wicket/pages/RootPage.java b/src/main/java/com/gitblit/wicket/pages/RootPage.java index 43de3b9f..c4d4dd11 100644 --- a/src/main/java/com/gitblit/wicket/pages/RootPage.java +++ b/src/main/java/com/gitblit/wicket/pages/RootPage.java @@ -31,6 +31,9 @@ import java.util.TreeSet; import java.util.concurrent.atomic.AtomicInteger; import java.util.regex.Pattern; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + import org.apache.wicket.MarkupContainer; import org.apache.wicket.PageParameters; import org.apache.wicket.behavior.HeaderContributor; @@ -50,6 +53,7 @@ import org.apache.wicket.protocol.http.WebRequest; import org.apache.wicket.protocol.http.WebResponse; import com.gitblit.Constants; +import com.gitblit.Constants.AuthenticationType; import com.gitblit.Keys; import com.gitblit.extensions.NavLinkExtension; import com.gitblit.extensions.UserMenuExtension; @@ -262,19 +266,22 @@ public abstract class RootPage extends BasePage { private void loginUser(UserModel user) { if (user != null) { + HttpServletRequest request = ((WebRequest) getRequest()).getHttpServletRequest(); + HttpServletResponse response = ((WebResponse) getResponse()).getHttpServletResponse(); + // Set the user into the session GitBlitWebSession session = GitBlitWebSession.get(); + // issue 62: fix session fixation vulnerability session.replaceSession(); session.setUser(user); + request = ((WebRequest) getRequest()).getHttpServletRequest(); + response = ((WebResponse) getResponse()).getHttpServletResponse(); + request.getSession().setAttribute(Constants.AUTHENTICATION_TYPE, AuthenticationType.CREDENTIALS); + // Set Cookie - if (app().settings().getBoolean(Keys.web.allowCookieAuthentication, false)) { - WebRequest request = (WebRequest) getRequestCycle().getRequest(); - WebResponse response = (WebResponse) getRequestCycle().getResponse(); - app().authentication().setCookie(request.getHttpServletRequest(), - response.getHttpServletResponse(), user); - } + app().authentication().setCookie(request, response, user); if (!session.continueRequest()) { PageParameters params = getPageParameters(); @@ -599,7 +606,9 @@ public abstract class RootPage extends BasePage { GitBlitWebSession session = GitBlitWebSession.get(); UserModel user = session.getUser(); boolean editCredentials = app().authentication().supportsCredentialChanges(user); - boolean standardLogin = session.authenticationType.isStandard(); + HttpServletRequest request = ((WebRequest) getRequest()).getHttpServletRequest(); + AuthenticationType authenticationType = (AuthenticationType) request.getSession().getAttribute(Constants.AUTHENTICATION_TYPE); + boolean standardLogin = authenticationType.isStandard(); if (app().settings().getBoolean(Keys.web.allowGravatar, true)) { add(new GravatarImage("username", user, "navbarGravatar", 20, false)); diff --git a/src/main/java/com/gitblit/wicket/pages/SessionPage.java b/src/main/java/com/gitblit/wicket/pages/SessionPage.java index 7717854b..0dda9495 100644 --- a/src/main/java/com/gitblit/wicket/pages/SessionPage.java +++ b/src/main/java/com/gitblit/wicket/pages/SessionPage.java @@ -1,112 +1,110 @@ -/* - * Copyright 2013 gitblit.com. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package com.gitblit.wicket.pages; - -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; - -import org.apache.wicket.PageParameters; -import org.apache.wicket.markup.html.WebPage; -import org.apache.wicket.protocol.http.WebRequest; -import org.apache.wicket.protocol.http.WebResponse; - -import com.gitblit.Keys; -import com.gitblit.models.UserModel; -import com.gitblit.utils.StringUtils; -import com.gitblit.wicket.GitBlitWebApp; -import com.gitblit.wicket.GitBlitWebSession; - -public abstract class SessionPage extends WebPage { - - public SessionPage() { - super(); - login(); - } - - public SessionPage(final PageParameters params) { - super(params); - login(); - } - - protected String [] getEncodings() { - return app().settings().getStrings(Keys.web.blobEncodings).toArray(new String[0]); - } - - protected GitBlitWebApp app() { - return GitBlitWebApp.get(); - } - - private void login() { - GitBlitWebSession session = GitBlitWebSession.get(); - if (session.isLoggedIn() && !session.isSessionInvalidated()) { - // already have a session, refresh usermodel to pick up - // any changes to permissions or roles (issue-186) - UserModel user = app().users().getUserModel(session.getUser().username); - - if (user == null || user.disabled) { - // user was deleted/disabled during session - HttpServletRequest request = ((WebRequest) getRequestCycle().getRequest()) - .getHttpServletRequest(); - HttpServletResponse response = ((WebResponse) getRequestCycle().getResponse()) - .getHttpServletResponse(); - app().authentication().logout(request, response, user); - session.setUser(null); - session.invalidateNow(); - return; - } - - // validate cookie during session (issue-361) - if (user != null && app().settings().getBoolean(Keys.web.allowCookieAuthentication, true)) { - HttpServletRequest request = ((WebRequest) getRequestCycle().getRequest()) - .getHttpServletRequest(); - String requestCookie = app().authentication().getCookie(request); - if (!StringUtils.isEmpty(requestCookie) && !StringUtils.isEmpty(user.cookie)) { - if (!requestCookie.equals(user.cookie)) { - // cookie was changed during our session - HttpServletResponse response = ((WebResponse) getRequestCycle().getResponse()) - .getHttpServletResponse(); - app().authentication().logout(request, response, user); - session.setUser(null); - session.invalidateNow(); - return; - } - } - } - session.setUser(user); - return; - } - - // try to authenticate by servlet request - HttpServletRequest httpRequest = ((WebRequest) getRequestCycle().getRequest()) - .getHttpServletRequest(); - UserModel user = app().authentication().authenticate(httpRequest); - - // Login the user - if (user != null) { - // issue 62: fix session fixation vulnerability - session.replaceSession(); - session.setUser(user); - - // Set Cookie - WebRequest request = (WebRequest) getRequestCycle().getRequest(); - WebResponse response = (WebResponse) getRequestCycle().getResponse(); - app().authentication().setCookie(request.getHttpServletRequest(), - response.getHttpServletResponse(), user); - - session.continueRequest(); - } - } -} +/* + * Copyright 2013 gitblit.com. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.gitblit.wicket.pages; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.apache.wicket.PageParameters; +import org.apache.wicket.markup.html.WebPage; +import org.apache.wicket.protocol.http.WebRequest; +import org.apache.wicket.protocol.http.WebResponse; + +import com.gitblit.Constants; +import com.gitblit.Constants.AuthenticationType; +import com.gitblit.Keys; +import com.gitblit.models.UserModel; +import com.gitblit.utils.StringUtils; +import com.gitblit.wicket.GitBlitWebApp; +import com.gitblit.wicket.GitBlitWebSession; + +public abstract class SessionPage extends WebPage { + + public SessionPage() { + super(); + login(); + } + + public SessionPage(final PageParameters params) { + super(params); + login(); + } + + protected String [] getEncodings() { + return app().settings().getStrings(Keys.web.blobEncodings).toArray(new String[0]); + } + + protected GitBlitWebApp app() { + return GitBlitWebApp.get(); + } + + private void login() { + GitBlitWebSession session = GitBlitWebSession.get(); + HttpServletRequest request = ((WebRequest) getRequest()).getHttpServletRequest(); + HttpServletResponse response = ((WebResponse) getResponse()).getHttpServletResponse(); + + if (session.isLoggedIn() && !session.isSessionInvalidated()) { + // already have a session, refresh usermodel to pick up + // any changes to permissions or roles (issue-186) + UserModel user = app().users().getUserModel(session.getUser().username); + + if (user == null || user.disabled) { + // user was deleted/disabled during session + app().authentication().logout(request, response, user); + session.setUser(null); + session.invalidateNow(); + return; + } + + // validate cookie during session (issue-361) + if (user != null && app().settings().getBoolean(Keys.web.allowCookieAuthentication, true)) { + String requestCookie = app().authentication().getCookie(request); + if (!StringUtils.isEmpty(requestCookie) && !StringUtils.isEmpty(user.cookie)) { + if (!requestCookie.equals(user.cookie)) { + // cookie was changed during our session + app().authentication().logout(request, response, user); + session.setUser(null); + session.invalidateNow(); + return; + } + } + } + session.setUser(user); + return; + } + + // try to authenticate by servlet request + UserModel user = app().authentication().authenticate(request); + + // Login the user + if (user != null) { + // preserve the authentication type across session replacement + AuthenticationType authenticationType = (AuthenticationType) request.getSession() + .getAttribute(Constants.AUTHENTICATION_TYPE); + + // issue 62: fix session fixation vulnerability + session.replaceSession(); + session.setUser(user); + + request.getSession().setAttribute(Constants.AUTHENTICATION_TYPE, authenticationType); + + // Set Cookie + app().authentication().setCookie(request, response, user); + + session.continueRequest(); + } + } +} -- 2.39.5