mirrors
/
gitblit
spogulis no https://github.com/gitblit/gitblit.git
Vērot 1
Pievienot zvaigznīti 0
Atdalīts 0
Kods Problēmas 0 Laidieni 43 Vikivietne Aktivitāte
Nevar pievienot vairāk kā 25 tēmas Tēmai ir jāsākas ar burtu vai ciparu, tā var saturēt domu zīmes ('-') un var būt līdz 35 simboliem gara.
3271 Revīzija
11 Atzari
Koks: b33a5d7c09
Atzari Tagi
${ item.name }
Izveidot atzaru ${ searchTerm }
no 'b33a5d7c09'
${ noResults }
gitblit/src/main/java/com/gitblit/wicket/pages/SessionPage.java

SessionPage.java 4.2KB
Neapstrādāts Vainot Vēsture

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128 
  1. /*

  2.  * Copyright 2013 gitblit.com.

  3.  *

  4.  * Licensed under the Apache License, Version 2.0 (the "License");

  5.  * you may not use this file except in compliance with the License.

  6.  * You may obtain a copy of the License at

  7.  *

  8.  *     http://www.apache.org/licenses/LICENSE-2.0

  9.  *

  10.  * Unless required by applicable law or agreed to in writing, software

  11.  * distributed under the License is distributed on an "AS IS" BASIS,

  12.  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  13.  * See the License for the specific language governing permissions and

  14.  * limitations under the License.

  15.  */

  16. package com.gitblit.wicket.pages;

  17. 

  18. import javax.servlet.http.HttpServletRequest;

  19. import javax.servlet.http.HttpServletResponse;

  20. 

  21. import org.apache.wicket.PageParameters;

  22. import org.apache.wicket.markup.html.WebPage;

  23. import org.apache.wicket.protocol.http.WebRequest;

  24. import org.apache.wicket.protocol.http.WebResponse;

  25. 

  26. import com.gitblit.Constants;

  27. import com.gitblit.Constants.AuthenticationType;

  28. import com.gitblit.Keys;

  29. import com.gitblit.models.UserModel;

  30. import com.gitblit.utils.StringUtils;

  31. import com.gitblit.wicket.GitBlitWebApp;

  32. import com.gitblit.wicket.GitBlitWebSession;

  33. 

  34. public abstract class SessionPage extends WebPage {

  35. 

  36. 	public SessionPage() {

  37. 		super();

  38. 		login();

  39. 	}

  40. 

  41. 	public SessionPage(final PageParameters params) {

  42. 		super(params);

  43. 		login();

  44. 	}

  45. 

  46. 	protected String [] getEncodings() {

  47. 		return app().settings().getStrings(Keys.web.blobEncodings).toArray(new String[0]);

  48. 	}

  49. 

  50. 	protected GitBlitWebApp app() {

  51. 		return GitBlitWebApp.get();

  52. 	}

  53. 

  54. 	private void login() {

  55. 		GitBlitWebSession session = GitBlitWebSession.get();

  56. 		HttpServletRequest request = ((WebRequest) getRequest()).getHttpServletRequest();

  57. 		HttpServletResponse response = ((WebResponse) getResponse()).getHttpServletResponse();

  58. 

  59. 		// If using container/external servlet authentication, use request attribute

  60. 		String authedUser = (String) request.getAttribute(Constants.ATTRIB_AUTHUSER);

  61. 

  62. 		// Default to trusting session authentication if not set in request by external processing

  63. 		if (StringUtils.isEmpty(authedUser) && session.isLoggedIn()) {

  64. 			authedUser = session.getUsername();

  65. 		}

  66. 

  67. 		if (!StringUtils.isEmpty(authedUser)) {

  68. 			// Avoid session fixation for non-session authentication

  69. 			// If the authenticated user is different from the session user, discard

  70. 			// the old session entirely, without trusting any session values

  71. 			if (!authedUser.equals(session.getUsername())) {

  72. 				session.replaceSession();

  73. 			}

  74. 

  75. 			if (!session.isSessionInvalidated()) {

  76. 				// Refresh usermodel to pick up any changes to permissions or roles (issue-186)

  77. 				UserModel user = app().users().getUserModel(authedUser);

  78. 

  79. 				if (user == null || user.disabled) {

  80. 					// user was deleted/disabled during session

  81. 					app().authentication().logout(request, response, user);

  82. 					session.setUser(null);

  83. 					session.invalidateNow();

  84. 					return;

  85. 				}

  86. 

  87. 				// validate cookie during session (issue-361)

  88. 				if (app().settings().getBoolean(Keys.web.allowCookieAuthentication, true)) {

  89. 					String requestCookie = app().authentication().getCookie(request);

  90. 					if (!StringUtils.isEmpty(requestCookie) && !StringUtils.isEmpty(user.cookie)) {

  91. 						if (!requestCookie.equals(user.cookie)) {

  92. 							// cookie was changed during our session

  93. 							app().authentication().logout(request, response, user);

  94. 							session.setUser(null);

  95. 							session.invalidateNow();

  96. 							return;

  97. 						}

  98. 					}

  99. 				}

  100. 				session.setUser(user);

  101. 				session.continueRequest();

  102. 				return;

  103. 			}

  104. 		}

  105. 

  106. 		// try to authenticate by servlet request

  107. 		UserModel user = app().authentication().authenticate(request);

  108. 

  109. 		// Login the user

  110. 		if (user != null) {

  111. 			AuthenticationType authenticationType = (AuthenticationType) request.getAttribute(Constants.ATTRIB_AUTHTYPE);

  112. 

  113. 			// issue 62: fix session fixation vulnerability

  114. 			// but only if authentication was done in the container.

  115. 			// It avoid double change of session, that some authentication method

  116. 			// don't like

  117. 			if (AuthenticationType.CONTAINER != authenticationType) {

  118. 				session.replaceSession();

  119. 			}

  120. 			session.setUser(user);

  121. 

  122. 			// Set Cookie

  123. 			app().authentication().setCookie(request, response, user);

  124. 

  125. 			session.continueRequest();

  126. 		}

  127. 	}

  128. }