author | James Moger <james.moger@gitblit.com> | 2014-09-30 10:54:40 -0600 |
---|---|---|
committer | James Moger <james.moger@gitblit.com> | 2014-09-30 10:54:40 -0600 |
commit | a9a16b5bf28f7c275800ba4f3f7c67c4528bc884 (patch) | |
tree | c29fae1625a06184939aa278f2a75b69054c874e | |
parent | 2365822625a0a46b2d25f83b698801cd18e811c0 (diff) | |
parent | efdb2b3d0c6f03a9aac9e65892cbc8ff755f246f (diff) | |
Merged #129 "Eliminate Wicket references from non-Wicket packages"
8 files changed, 142 insertions, 142 deletions
diff --git a/src/main/java/com/gitblit/Constants.java b/src/main/java/com/gitblit/Constants.java
index 3e307537..fa8af25f 100644
--- a/src/main/java/com/gitblit/Constants.java
+++ b/src/main/java/com/gitblit/Constants.java
@@ -130,6 +130,8 @@ public class Constants {
 public static final String DEVELOP = "develop";
+ public static final String AUTHENTICATION_TYPE = "authentication-type";
+
public static String getVersion() {
String v = Constants.class.getPackage().getImplementationVersion();
if (v == null) {
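Review bot: The new `AUTHENTICATION_TYPE` constant carries no Javadoc, although it is now the shared contract between AuthenticationManager, RootPage and SessionPage for what is stored in the HttpSession. A one-liner above it would do: `/** HttpSession attribute key holding the {@link AuthenticationType} of the current login; written by AuthenticationManager.flagSession, read back by setCookie and the Wicket pages. */`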
diff --git a/src/main/java/com/gitblit/auth/RedmineAuthProvider.java b/src/main/java/com/gitblit/auth/RedmineAuthProvider.java index e505a54d..ae4f28ed 100644 --- a/src/main/java/com/gitblit/auth/RedmineAuthProvider.java +++ b/src/main/java/com/gitblit/auth/RedmineAuthProvider.java @@ -19,7 +19,7 @@ import java.io.IOException; import java.io.InputStreamReader; import java.net.HttpURLConnection; -import org.apache.wicket.util.io.IOUtils; +import org.apache.commons.io.IOUtils; import com.gitblit.Constants; import com.gitblit.Constants.AccountType; diff --git a/src/main/java/com/gitblit/manager/AuthenticationManager.java b/src/main/java/com/gitblit/manager/AuthenticationManager.java index bc1857bc..f98f7b64 100644 --- a/src/main/java/com/gitblit/manager/AuthenticationManager.java +++ b/src/main/java/com/gitblit/manager/AuthenticationManager.java @@ -27,8 +27,8 @@ import java.util.concurrent.TimeUnit; import javax.servlet.http.Cookie; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import javax.servlet.http.HttpSession; -import org.apache.wicket.RequestCycle; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -52,7 +52,6 @@ import com.gitblit.utils.Base64; import com.gitblit.utils.HttpUtils; import com.gitblit.utils.StringUtils; import com.gitblit.utils.X509Utils.X509Metadata; -import com.gitblit.wicket.GitBlitWebSession; /** * The authentication manager handles user login & logout. @@ -200,7 +199,7 @@ public class AuthenticationManager implements IAuthenticationManager { UserModel user = userManager.getUserModel(username); if (user != null) { // existing user - flagWicketSession(AuthenticationType.CONTAINER); + flagSession(httpRequest, AuthenticationType.CONTAINER); logger.debug(MessageFormat.format("{0} authenticated by servlet container principal from {1}", user.username, httpRequest.getRemoteAddr())); return validateAuthentication(user, AuthenticationType.CONTAINER); 
@@ -212,7 +211,7 @@ public class AuthenticationManager implements IAuthenticationManager { user.password = Constants.EXTERNAL_ACCOUNT; user.accountType = AccountType.CONTAINER; userManager.updateUserModel(user); - flagWicketSession(AuthenticationType.CONTAINER); + flagSession(httpRequest, AuthenticationType.CONTAINER); logger.debug(MessageFormat.format("{0} authenticated and created by servlet container principal from {1}", user.username, httpRequest.getRemoteAddr())); return validateAuthentication(user, AuthenticationType.CONTAINER); @@ -233,7 +232,7 @@ public class AuthenticationManager implements IAuthenticationManager { UserModel user = userManager.getUserModel(model.username); X509Metadata metadata = HttpUtils.getCertificateMetadata(httpRequest); if (user != null) { - flagWicketSession(AuthenticationType.CERTIFICATE); + flagSession(httpRequest, AuthenticationType.CERTIFICATE); logger.debug(MessageFormat.format("{0} authenticated by client certificate {1} from {2}", user.username, metadata.serialNumber, httpRequest.getRemoteAddr())); return validateAuthentication(user, AuthenticationType.CERTIFICATE); @@ -255,7 +254,7 @@ public class AuthenticationManager implements IAuthenticationManager { if (!StringUtils.isEmpty(cookie)) { user = userManager.getUserModel(cookie.toCharArray()); if (user != null) { - flagWicketSession(AuthenticationType.COOKIE); + flagSession(httpRequest, AuthenticationType.COOKIE); logger.debug(MessageFormat.format("{0} authenticated by cookie from {1}", user.username, httpRequest.getRemoteAddr())); return validateAuthentication(user, AuthenticationType.COOKIE); 
@@ -277,7 +276,7 @@ public class AuthenticationManager implements IAuthenticationManager { char[] password = values[1].toCharArray(); user = authenticate(username, password); if (user != null) { - flagWicketSession(AuthenticationType.CREDENTIALS); + flagSession(httpRequest, AuthenticationType.CREDENTIALS); logger.debug(MessageFormat.format("{0} authenticated by BASIC request header from {1}", user.username, httpRequest.getRemoteAddr())); return validateAuthentication(user, AuthenticationType.CREDENTIALS); @@ -342,13 +341,8 @@ public class AuthenticationManager implements IAuthenticationManager { return user; } - protected void flagWicketSession(AuthenticationType authenticationType) { - RequestCycle requestCycle = RequestCycle.get(); - if (requestCycle != null) { - // flag the Wicket session, if this is a Wicket request - GitBlitWebSession session = GitBlitWebSession.get(); - session.authenticationType = authenticationType; - } + protected void flagSession(HttpServletRequest httpRequest, AuthenticationType authenticationType) { + httpRequest.getSession().setAttribute(Constants.AUTHENTICATION_TYPE, authenticationType); } /** @@ -469,8 +463,9 @@ public class AuthenticationManager implements IAuthenticationManager { @Override public void setCookie(HttpServletRequest request, HttpServletResponse response, UserModel user) { if (settings.getBoolean(Keys.web.allowCookieAuthentication, true)) { - GitBlitWebSession session = GitBlitWebSession.get(); - boolean standardLogin = session.authenticationType.isStandard(); + HttpSession session = request.getSession(); + AuthenticationType authenticationType = (AuthenticationType) session.getAttribute(Constants.AUTHENTICATION_TYPE); + boolean standardLogin = authenticationType.isStandard(); if (standardLogin) { Cookie userCookie; diff --git a/src/main/java/com/gitblit/servlet/PtServlet.java b/src/main/java/com/gitblit/servlet/PtServlet.java index e9cbaa5b..f69b444d 100644 --- a/src/main/java/com/gitblit/servlet/PtServlet.java 
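Review bot: `flagSession` calls `httpRequest.getSession()`, which creates a container session when the request has none, whereas the removed `flagWicketSession` only touched an existing Wicket session inside a Wicket request cycle. Since the BASIC-header and client-certificate branches earlier in this file also call it, every authenticated request from a non-browser client that does not return the session cookie would, if it reaches this path, allocate a server-side session that lives until the container timeout, which is a memory and session-store concern under git-over-HTTP load. Worth measuring before release; if confirmed, switch to `HttpSession session = httpRequest.getSession(false); if (session != null) { session.setAttribute(Constants.AUTHENTICATION_TYPE, authenticationType); }` and have the Wicket login pages ensure a session is bound before calling `authenticate()`, or else state the intent with `// getSession() deliberately creates a session so the type survives until setCookie()`.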
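Review bot: In `setCookie`, the value read from `session.getAttribute(Constants.AUTHENTICATION_TYPE)` is dereferenced without a null check, so a session that was never flagged now throws a NullPointerException instead of deciding about the cookie; the old `GitBlitWebSession` defaulted its field to CREDENTIALS, that default is removed in this commit, and nothing replaces it. Treating an unknown type as non-standard keeps the conservative behaviour of not issuing a persistent cookie: `boolean standardLogin = authenticationType != null && authenticationType.isStandard();`. The same unchecked cast and dereference appears in the RootPage user-menu hunk at `@@ -599,7 +606,9 @@`. `request.getSession()` here will also create a session if the request has none; `request.getSession(false)` with a null check avoids that.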
+++ b/src/main/java/com/gitblit/servlet/PtServlet.java
@@ -15,6 +15,7 @@
 */
package com.gitblit.servlet;
+import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
@@ -31,7 +32,6 @@ import org.apache.commons.compress.archivers.zip.ZipArchiveEntry;
 import org.apache.commons.compress.archivers.zip.ZipArchiveOutputStream;
import org.apache.commons.compress.compressors.CompressorOutputStream;
import org.apache.commons.compress.compressors.CompressorStreamFactory;
-import org.apache.wicket.util.io.ByteArrayOutputStream;
import org.eclipse.jgit.lib.FileMode;
import com.gitblit.dagger.DaggerServlet;
diff --git a/src/main/java/com/gitblit/utils/CompressionUtils.java b/src/main/java/com/gitblit/utils/CompressionUtils.java
index 2bf1f130..d4bfbb34 100644
--- a/src/main/java/com/gitblit/utils/CompressionUtils.java
+++ b/src/main/java/com/gitblit/utils/CompressionUtils.java
@@ -15,6 +15,7 @@
 */
package com.gitblit.utils;
+import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.text.MessageFormat;
@@ -27,7 +28,6 @@ import org.apache.commons.compress.archivers.zip.ZipArchiveEntry;
 import org.apache.commons.compress.archivers.zip.ZipArchiveOutputStream;
import org.apache.commons.compress.compressors.CompressorException;
import org.apache.commons.compress.compressors.CompressorStreamFactory;
-import org.apache.wicket.util.io.ByteArrayOutputStream;
import org.eclipse.jgit.lib.Constants;
import org.eclipse.jgit.lib.FileMode;
import org.eclipse.jgit.lib.MutableObjectId;
diff --git a/src/main/java/com/gitblit/wicket/GitBlitWebSession.java b/src/main/java/com/gitblit/wicket/GitBlitWebSession.java
index b26a1118..31ccf1f5 100644
--- a/src/main/java/com/gitblit/wicket/GitBlitWebSession.java
+++ b/src/main/java/com/gitblit/wicket/GitBlitWebSession.java
@@ -30,7 +30,6 @@ import org.apache.wicket.protocol.http.WebRequestCycle;
 import org.apache.wicket.protocol.http.WebSession;
import org.apache.wicket.protocol.http.request.WebClientInfo;
-import com.gitblit.Constants.AuthenticationType;
import com.gitblit.models.UserModel;
public final class GitBlitWebSession extends WebSession {
@@ -47,12 +46,9 @@ public final class GitBlitWebSession extends WebSession {
 private AtomicBoolean isForking;
- public AuthenticationType authenticationType;
-
public GitBlitWebSession(Request request) {
super(request);
isForking = new AtomicBoolean();
- authenticationType = AuthenticationType.CREDENTIALS;
}
@Override
diff --git a/src/main/java/com/gitblit/wicket/pages/RootPage.java b/src/main/java/com/gitblit/wicket/pages/RootPage.java index 43de3b9f..c4d4dd11 100644 --- a/src/main/java/com/gitblit/wicket/pages/RootPage.java +++ b/src/main/java/com/gitblit/wicket/pages/RootPage.java @@ -31,6 +31,9 @@ import java.util.TreeSet; import java.util.concurrent.atomic.AtomicInteger; import java.util.regex.Pattern; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + import org.apache.wicket.MarkupContainer; import org.apache.wicket.PageParameters; import org.apache.wicket.behavior.HeaderContributor; @@ -50,6 +53,7 @@ import org.apache.wicket.protocol.http.WebRequest; import org.apache.wicket.protocol.http.WebResponse; import com.gitblit.Constants; +import com.gitblit.Constants.AuthenticationType; import com.gitblit.Keys; import com.gitblit.extensions.NavLinkExtension; import com.gitblit.extensions.UserMenuExtension; 
@@ -262,19 +266,22 @@ public abstract class RootPage extends BasePage { private void loginUser(UserModel user) { if (user != null) { + HttpServletRequest request = ((WebRequest) getRequest()).getHttpServletRequest(); + HttpServletResponse response = ((WebResponse) getResponse()).getHttpServletResponse(); + // Set the user into the session GitBlitWebSession session = GitBlitWebSession.get(); + // issue 62: fix session fixation vulnerability session.replaceSession(); session.setUser(user); + request = ((WebRequest) getRequest()).getHttpServletRequest(); + response = ((WebResponse) getResponse()).getHttpServletResponse(); + request.getSession().setAttribute(Constants.AUTHENTICATION_TYPE, AuthenticationType.CREDENTIALS); + // Set Cookie - if (app().settings().getBoolean(Keys.web.allowCookieAuthentication, false)) { - WebRequest request = (WebRequest) getRequestCycle().getRequest(); - WebResponse response = (WebResponse) getRequestCycle().getResponse(); - app().authentication().setCookie(request.getHttpServletRequest(), - response.getHttpServletResponse(), user); - } + app().authentication().setCookie(request, response, user); if (!session.continueRequest()) { PageParameters params = getPageParameters(); @@ -599,7 +606,9 @@ public abstract class RootPage extends BasePage { GitBlitWebSession session = GitBlitWebSession.get(); UserModel user = session.getUser(); boolean editCredentials = app().authentication().supportsCredentialChanges(user); - boolean standardLogin = session.authenticationType.isStandard(); + HttpServletRequest request = ((WebRequest) getRequest()).getHttpServletRequest(); + AuthenticationType authenticationType = (AuthenticationType) request.getSession().getAttribute(Constants.AUTHENTICATION_TYPE); + boolean standardLogin = authenticationType.isStandard(); if (app().settings().getBoolean(Keys.web.allowGravatar, true)) { add(new GravatarImage("username", user, "navbarGravatar", 20, false)); 
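Review bot: In `loginUser`, the first assignments to `request` and `response` at the top of the if-block are never read: both variables are reassigned from the same accessors right after `session.replaceSession()` and only then used. Either drop the first pair and declare the variables after `replaceSession()`, or, if re-reading after the session swap is deliberate, keep a single declaration there and say why, e.g. `// read after replaceSession(): request.getSession() must return the new HttpSession`. Whether Wicket's `replaceSession` leaves the servlet request object itself unchanged is my reading and should be confirmed against the Wicket version in use. `loginUser` continues past the end of this hunk.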
diff --git a/src/main/java/com/gitblit/wicket/pages/SessionPage.java b/src/main/java/com/gitblit/wicket/pages/SessionPage.java
index 7717854b..0dda9495 100644
--- a/src/main/java/com/gitblit/wicket/pages/SessionPage.java
+++ b/src/main/java/com/gitblit/wicket/pages/SessionPage.java
@@ -1,112 +1,110 @@
-/*
- * Copyright 2013 gitblit.com.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package com.gitblit.wicket.pages;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.apache.wicket.PageParameters;
-import org.apache.wicket.markup.html.WebPage;
-import org.apache.wicket.protocol.http.WebRequest;
-import org.apache.wicket.protocol.http.WebResponse;
-
-import com.gitblit.Keys;
-import com.gitblit.models.UserModel;
-import com.gitblit.utils.StringUtils;
-import com.gitblit.wicket.GitBlitWebApp;
-import com.gitblit.wicket.GitBlitWebSession;
-
-public abstract class SessionPage extends WebPage {
-
- public SessionPage() {
- super();
- login();
- }
-
- public SessionPage(final PageParameters params) {
- super(params);
- login();
- }
-
- protected String [] getEncodings() {
- return app().settings().getStrings(Keys.web.blobEncodings).toArray(new String[0]);
- }
-
- protected GitBlitWebApp app() {
- return GitBlitWebApp.get();
- }
-
- private void login() {
- GitBlitWebSession session = GitBlitWebSession.get();
- if (session.isLoggedIn() && !session.isSessionInvalidated()) {
- // already have a session, refresh usermodel to pick up
- // any changes to permissions or roles (issue-186)
- UserModel user = app().users().getUserModel(session.getUser().username);
-
- if (user == null || user.disabled) {
- // user was deleted/disabled during session
- HttpServletRequest request = ((WebRequest) getRequestCycle().getRequest())
- .getHttpServletRequest();
- HttpServletResponse response = ((WebResponse) getRequestCycle().getResponse())
- .getHttpServletResponse();
- app().authentication().logout(request, response, user);
- session.setUser(null);
- session.invalidateNow();
- return;
- }
-
- // validate cookie during session (issue-361)
- if (user != null && app().settings().getBoolean(Keys.web.allowCookieAuthentication, true)) {
- HttpServletRequest request = ((WebRequest) getRequestCycle().getRequest())
- .getHttpServletRequest();
- String requestCookie = app().authentication().getCookie(request);
- if (!StringUtils.isEmpty(requestCookie) && !StringUtils.isEmpty(user.cookie)) {
- if (!requestCookie.equals(user.cookie)) {
- // cookie was changed during our session
- HttpServletResponse response = ((WebResponse) getRequestCycle().getResponse())
- .getHttpServletResponse();
- app().authentication().logout(request, response, user);
- session.setUser(null);
- session.invalidateNow();
- return;
- }
- }
- }
- session.setUser(user);
- return;
- }
-
- // try to authenticate by servlet request
- HttpServletRequest httpRequest = ((WebRequest) getRequestCycle().getRequest())
- .getHttpServletRequest();
- UserModel user = app().authentication().authenticate(httpRequest);
-
- // Login the user
- if (user != null) {
- // issue 62: fix session fixation vulnerability
- session.replaceSession();
- session.setUser(user);
-
- // Set Cookie
- WebRequest request = (WebRequest) getRequestCycle().getRequest();
- WebResponse response = (WebResponse) getRequestCycle().getResponse();
- app().authentication().setCookie(request.getHttpServletRequest(),
- response.getHttpServletResponse(), user);
-
- session.continueRequest();
- }
- }
-}
+/*
+ * Copyright 2013 gitblit.com.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gitblit.wicket.pages;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.wicket.PageParameters;
+import org.apache.wicket.markup.html.WebPage;
+import org.apache.wicket.protocol.http.WebRequest;
+import org.apache.wicket.protocol.http.WebResponse;
+
+import com.gitblit.Constants;
+import com.gitblit.Constants.AuthenticationType;
+import com.gitblit.Keys;
+import com.gitblit.models.UserModel;
+import com.gitblit.utils.StringUtils;
+import com.gitblit.wicket.GitBlitWebApp;
+import com.gitblit.wicket.GitBlitWebSession;
+
+public abstract class SessionPage extends WebPage {
+
+ public SessionPage() {
+ super();
+ login();
+ }
+
+ public SessionPage(final PageParameters params) {
+ super(params);
+ login();
+ }
+
+ protected String [] getEncodings() {
+ return app().settings().getStrings(Keys.web.blobEncodings).toArray(new String[0]);
+ }
+
+ protected GitBlitWebApp app() {
+ return GitBlitWebApp.get();
+ }
+
+ private void login() {
+ GitBlitWebSession session = GitBlitWebSession.get();
+ HttpServletRequest request = ((WebRequest) getRequest()).getHttpServletRequest();
+ HttpServletResponse response = ((WebResponse) getResponse()).getHttpServletResponse();
+
+ if (session.isLoggedIn() && !session.isSessionInvalidated()) {
+ // already have a session, refresh usermodel to pick up
+ // any changes to permissions or roles (issue-186)
+ UserModel user = app().users().getUserModel(session.getUser().username);
+
+ if (user == null || user.disabled) {
+ // user was deleted/disabled during session
+ app().authentication().logout(request, response, user);
+ session.setUser(null);
+ session.invalidateNow();
+ return;
+ }
+
+ // validate cookie during session (issue-361)
+ if (user != null && app().settings().getBoolean(Keys.web.allowCookieAuthentication, true)) {
+ String requestCookie = app().authentication().getCookie(request);
+ if (!StringUtils.isEmpty(requestCookie) && !StringUtils.isEmpty(user.cookie)) {
+ if (!requestCookie.equals(user.cookie)) {
+ // cookie was changed during our session
+ app().authentication().logout(request, response, user);
+ session.setUser(null);
+ session.invalidateNow();
+ return;
+ }
+ }
+ }
+ session.setUser(user);
+ return;
+ }
+
+ // try to authenticate by servlet request
+ UserModel user = app().authentication().authenticate(request);
+
+ // Login the user
+ if (user != null) {
+ // preserve the authentication type across session replacement
+ AuthenticationType authenticationType = (AuthenticationType) request.getSession()
+ .getAttribute(Constants.AUTHENTICATION_TYPE);
+
+ // issue 62: fix session fixation vulnerability
+ session.replaceSession();
+ session.setUser(user);
+
+ request.getSession().setAttribute(Constants.AUTHENTICATION_TYPE, authenticationType);
+
+ // Set Cookie
+ app().authentication().setCookie(request, response, user);
+
+ session.continueRequest();
+ }
+ }
+}
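Review bot: The new `login()` reads the authentication type from `request.getSession()` before `session.replaceSession()` and writes it back through the same `request` afterwards, so correctness depends on the servlet request handing back the freshly created HttpSession once the old one is invalidated; that is not stated anywhere, and the existing comment could carry it: `// preserve the authentication type across session replacement; request.getSession() must return the new session after replaceSession()`. If `authenticate()` ever returns a user without `flagSession` having run (every path in this commit does run it), `authenticationType` is null, `setAttribute` with a null value removes the attribute, and the following `setCookie` call dereferences it, so a null guard here would keep the login path robust. Note also that the whole file is shown as deleted and re-added (112/110 lines), presumably a line-ending change, which hides that the substantive change is the hoisted request/response variables and the attribute round-trip.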