From efdb2b3d0c6f03a9aac9e65892cbc8ff755f246f Mon Sep 17 00:00:00 2001 From: James Moger Date: Thu, 3 Jul 2014 20:19:39 -0400 Subject: Remove Wicket references from non-Wicket packages --- .../java/com/gitblit/wicket/GitBlitWebSession.java | 4 - .../java/com/gitblit/wicket/pages/RootPage.java | 23 ++- .../java/com/gitblit/wicket/pages/SessionPage.java | 222 ++++++++++----------- 3 files changed, 126 insertions(+), 123 deletions(-) (limited to 'src/main/java/com/gitblit/wicket') diff --git a/src/main/java/com/gitblit/wicket/GitBlitWebSession.java b/src/main/java/com/gitblit/wicket/GitBlitWebSession.java index b26a1118..31ccf1f5 100644 --- a/src/main/java/com/gitblit/wicket/GitBlitWebSession.java +++ b/src/main/java/com/gitblit/wicket/GitBlitWebSession.java @@ -30,7 +30,6 @@ import org.apache.wicket.protocol.http.WebRequestCycle; import org.apache.wicket.protocol.http.WebSession; import org.apache.wicket.protocol.http.request.WebClientInfo; -import com.gitblit.Constants.AuthenticationType; import com.gitblit.models.UserModel; public final class GitBlitWebSession extends WebSession { @@ -47,12 +46,9 @@ public final class GitBlitWebSession extends WebSession { private AtomicBoolean isForking; - public AuthenticationType authenticationType; - public GitBlitWebSession(Request request) { super(request); isForking = new AtomicBoolean(); - authenticationType = AuthenticationType.CREDENTIALS; } @Override diff --git a/src/main/java/com/gitblit/wicket/pages/RootPage.java b/src/main/java/com/gitblit/wicket/pages/RootPage.java index 43de3b9f..c4d4dd11 100644 --- a/src/main/java/com/gitblit/wicket/pages/RootPage.java +++ b/src/main/java/com/gitblit/wicket/pages/RootPage.java @@ -31,6 +31,9 @@ import java.util.TreeSet; import java.util.concurrent.atomic.AtomicInteger; import java.util.regex.Pattern; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + import org.apache.wicket.MarkupContainer; import org.apache.wicket.PageParameters; import org.apache.wicket.behavior.HeaderContributor; @@ -50,6 +53,7 @@ import org.apache.wicket.protocol.http.WebRequest; import org.apache.wicket.protocol.http.WebResponse; import com.gitblit.Constants; +import com.gitblit.Constants.AuthenticationType; import com.gitblit.Keys; import com.gitblit.extensions.NavLinkExtension; import com.gitblit.extensions.UserMenuExtension; @@ -262,19 +266,22 @@ public abstract class RootPage extends BasePage { private void loginUser(UserModel user) { if (user != null) { + HttpServletRequest request = ((WebRequest) getRequest()).getHttpServletRequest(); + HttpServletResponse response = ((WebResponse) getResponse()).getHttpServletResponse(); + // Set the user into the session GitBlitWebSession session = GitBlitWebSession.get(); + // issue 62: fix session fixation vulnerability session.replaceSession(); session.setUser(user); + request = ((WebRequest) getRequest()).getHttpServletRequest(); + response = ((WebResponse) getResponse()).getHttpServletResponse(); + request.getSession().setAttribute(Constants.AUTHENTICATION_TYPE, AuthenticationType.CREDENTIALS); + // Set Cookie - if (app().settings().getBoolean(Keys.web.allowCookieAuthentication, false)) { - WebRequest request = (WebRequest) getRequestCycle().getRequest(); - WebResponse response = (WebResponse) getRequestCycle().getResponse(); - app().authentication().setCookie(request.getHttpServletRequest(), - response.getHttpServletResponse(), user); - } + app().authentication().setCookie(request, response, user); if (!session.continueRequest()) { PageParameters params = getPageParameters(); @@ -599,7 +606,9 @@ public abstract class RootPage extends BasePage { GitBlitWebSession session = GitBlitWebSession.get(); UserModel user = session.getUser(); boolean editCredentials = app().authentication().supportsCredentialChanges(user); - boolean standardLogin = session.authenticationType.isStandard(); + HttpServletRequest request = ((WebRequest) getRequest()).getHttpServletRequest(); + AuthenticationType authenticationType = (AuthenticationType) request.getSession().getAttribute(Constants.AUTHENTICATION_TYPE); + boolean standardLogin = authenticationType.isStandard(); if (app().settings().getBoolean(Keys.web.allowGravatar, true)) { add(new GravatarImage("username", user, "navbarGravatar", 20, false)); diff --git a/src/main/java/com/gitblit/wicket/pages/SessionPage.java b/src/main/java/com/gitblit/wicket/pages/SessionPage.java index 7717854b..0dda9495 100644 --- a/src/main/java/com/gitblit/wicket/pages/SessionPage.java +++ b/src/main/java/com/gitblit/wicket/pages/SessionPage.java @@ -1,112 +1,110 @@ -/* - * Copyright 2013 gitblit.com. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package com.gitblit.wicket.pages; - -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; - -import org.apache.wicket.PageParameters; -import org.apache.wicket.markup.html.WebPage; -import org.apache.wicket.protocol.http.WebRequest; -import org.apache.wicket.protocol.http.WebResponse; - -import com.gitblit.Keys; -import com.gitblit.models.UserModel; -import com.gitblit.utils.StringUtils; -import com.gitblit.wicket.GitBlitWebApp; -import com.gitblit.wicket.GitBlitWebSession; - -public abstract class SessionPage extends WebPage { - - public SessionPage() { - super(); - login(); - } - - public SessionPage(final PageParameters params) { - super(params); - login(); - } - - protected String [] getEncodings() { - return app().settings().getStrings(Keys.web.blobEncodings).toArray(new String[0]); - } - - protected GitBlitWebApp app() { - return GitBlitWebApp.get(); - } - - private void login() { - GitBlitWebSession session = GitBlitWebSession.get(); - if (session.isLoggedIn() && !session.isSessionInvalidated()) { - // already have a session, refresh usermodel to pick up - // any changes to permissions or roles (issue-186) - UserModel user = app().users().getUserModel(session.getUser().username); - - if (user == null || user.disabled) { - // user was deleted/disabled during session - HttpServletRequest request = ((WebRequest) getRequestCycle().getRequest()) - .getHttpServletRequest(); - HttpServletResponse response = ((WebResponse) getRequestCycle().getResponse()) - .getHttpServletResponse(); - app().authentication().logout(request, response, user); - session.setUser(null); - session.invalidateNow(); - return; - } - - // validate cookie during session (issue-361) - if (user != null && app().settings().getBoolean(Keys.web.allowCookieAuthentication, true)) { - HttpServletRequest request = ((WebRequest) getRequestCycle().getRequest()) - .getHttpServletRequest(); - String requestCookie = app().authentication().getCookie(request); - if (!StringUtils.isEmpty(requestCookie) && !StringUtils.isEmpty(user.cookie)) { - if (!requestCookie.equals(user.cookie)) { - // cookie was changed during our session - HttpServletResponse response = ((WebResponse) getRequestCycle().getResponse()) - .getHttpServletResponse(); - app().authentication().logout(request, response, user); - session.setUser(null); - session.invalidateNow(); - return; - } - } - } - session.setUser(user); - return; - } - - // try to authenticate by servlet request - HttpServletRequest httpRequest = ((WebRequest) getRequestCycle().getRequest()) - .getHttpServletRequest(); - UserModel user = app().authentication().authenticate(httpRequest); - - // Login the user - if (user != null) { - // issue 62: fix session fixation vulnerability - session.replaceSession(); - session.setUser(user); - - // Set Cookie - WebRequest request = (WebRequest) getRequestCycle().getRequest(); - WebResponse response = (WebResponse) getRequestCycle().getResponse(); - app().authentication().setCookie(request.getHttpServletRequest(), - response.getHttpServletResponse(), user); - - session.continueRequest(); - } - } -} +/* + * Copyright 2013 gitblit.com. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.gitblit.wicket.pages; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.apache.wicket.PageParameters; +import org.apache.wicket.markup.html.WebPage; +import org.apache.wicket.protocol.http.WebRequest; +import org.apache.wicket.protocol.http.WebResponse; + +import com.gitblit.Constants; +import com.gitblit.Constants.AuthenticationType; +import com.gitblit.Keys; +import com.gitblit.models.UserModel; +import com.gitblit.utils.StringUtils; +import com.gitblit.wicket.GitBlitWebApp; +import com.gitblit.wicket.GitBlitWebSession; + +public abstract class SessionPage extends WebPage { + + public SessionPage() { + super(); + login(); + } + + public SessionPage(final PageParameters params) { + super(params); + login(); + } + + protected String [] getEncodings() { + return app().settings().getStrings(Keys.web.blobEncodings).toArray(new String[0]); + } + + protected GitBlitWebApp app() { + return GitBlitWebApp.get(); + } + + private void login() { + GitBlitWebSession session = GitBlitWebSession.get(); + HttpServletRequest request = ((WebRequest) getRequest()).getHttpServletRequest(); + HttpServletResponse response = ((WebResponse) getResponse()).getHttpServletResponse(); + + if (session.isLoggedIn() && !session.isSessionInvalidated()) { + // already have a session, refresh usermodel to pick up + // any changes to permissions or roles (issue-186) + UserModel user = app().users().getUserModel(session.getUser().username); + + if (user == null || user.disabled) { + // user was deleted/disabled during session + app().authentication().logout(request, response, user); + session.setUser(null); + session.invalidateNow(); + return; + } + + // validate cookie during session (issue-361) + if (user != null && app().settings().getBoolean(Keys.web.allowCookieAuthentication, true)) { + String requestCookie = app().authentication().getCookie(request); + if (!StringUtils.isEmpty(requestCookie) && !StringUtils.isEmpty(user.cookie)) { + if (!requestCookie.equals(user.cookie)) { + // cookie was changed during our session + app().authentication().logout(request, response, user); + session.setUser(null); + session.invalidateNow(); + return; + } + } + } + session.setUser(user); + return; + } + + // try to authenticate by servlet request + UserModel user = app().authentication().authenticate(request); + + // Login the user + if (user != null) { + // preserve the authentication type across session replacement + AuthenticationType authenticationType = (AuthenticationType) request.getSession() + .getAttribute(Constants.AUTHENTICATION_TYPE); + + // issue 62: fix session fixation vulnerability + session.replaceSession(); + session.setUser(user); + + request.getSession().setAttribute(Constants.AUTHENTICATION_TYPE, authenticationType); + + // Set Cookie + app().authentication().setCookie(request, response, user); + + session.continueRequest(); + } + } +} -- cgit v1.2.3