src/org/cacert/gigi/pages/LoginPage.java

   1 package org.cacert.gigi.pages;
   2
   3 import static org.cacert.gigi.Gigi.*;
   4
   5 import java.io.IOException;
   6 import java.security.cert.X509Certificate;
   7 import java.sql.PreparedStatement;
   8 import java.sql.ResultSet;
   9 import java.sql.SQLException;
  10
  11 import javax.servlet.http.HttpServletRequest;
  12 import javax.servlet.http.HttpServletResponse;
  13 import javax.servlet.http.HttpSession;
  14
  15 import org.cacert.gigi.User;
  16 import org.cacert.gigi.database.DatabaseConnection;
  17 import org.cacert.gigi.localisation.Language;
  18 import org.cacert.gigi.util.PasswordHash;
  19
  20 public class LoginPage extends Page {
  21
  22     public static final String LOGIN_RETURNPATH = "login-returnpath";
  23
  24     public LoginPage(String title) {
  25         super(title);
  26     }
  27
  28     @Override
  29     public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
  30         resp.getWriter().println("<form method='POST' action='/login'>" + "<input type='text' name='username'>" + "<input type='password' name='password'> <input type='submit' value='login'></form>");
  31     }
  32
  33     @Override
  34     public boolean beforeTemplate(HttpServletRequest req, HttpServletResponse resp) throws IOException {
  35         String redir = (String) req.getSession().getAttribute(LOGIN_RETURNPATH);
  36         if (req.getSession().getAttribute("loggedin") == null) {
  37             X509Certificate[] cert = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
  38             if (cert != null && cert[0] != null) {
  39                 tryAuthWithCertificate(req, cert[0]);
  40             }
  41             if (req.getMethod().equals("POST")) {
  42                 tryAuthWithUnpw(req);
  43             }
  44         }
  45
  46         if (req.getSession().getAttribute("loggedin") != null) {
  47             String s = redir;
  48             if (s != null) {
  49                 if ( !s.startsWith("/")) {
  50                     s = "/" + s;
  51                 }
  52                 resp.sendRedirect(s);
  53             } else {
  54                 resp.sendRedirect("/");
  55             }
  56             return true;
  57         }
  58         return false;
  59     }
  60
  61     @Override
  62     public boolean needsLogin() {
  63         return false;
  64     }
  65
  66     private void tryAuthWithUnpw(HttpServletRequest req) {
  67         String un = req.getParameter("username");
  68         String pw = req.getParameter("password");
  69         try {
  70             PreparedStatement ps = DatabaseConnection.getInstance().prepare("SELECT `password`, `id` FROM `users` WHERE `email`=? AND locked='0' AND verified='1'");
  71             ps.setString(1, un);
  72             ResultSet rs = ps.executeQuery();
  73             if (rs.next()) {
  74                 if (PasswordHash.verifyHash(pw, rs.getString(1))) {
  75                     loginSession(req, new User(rs.getInt(2)));
  76                 }
  77             }
  78             rs.close();
  79         } catch (SQLException e) {
  80             e.printStackTrace();
  81         }
  82     }
  83
  84     public static User getUser(HttpServletRequest req) {
  85         return (User) req.getSession().getAttribute(USER);
  86     }
  87
  88     private void tryAuthWithCertificate(HttpServletRequest req, X509Certificate x509Certificate) {
  89         String serial = x509Certificate.getSerialNumber().toString(16).toUpperCase();
  90         try {
  91             PreparedStatement ps = DatabaseConnection.getInstance().prepare("SELECT `memid` FROM `certs` WHERE `serial`=? AND `disablelogin`='0' AND `revoked` = " + "'0000-00-00 00:00:00'");
  92             ps.setString(1, serial);
  93             ResultSet rs = ps.executeQuery();
  94             if (rs.next()) {
  95                 loginSession(req, new User(rs.getInt(1)));
  96             }
  97             rs.close();
  98         } catch (SQLException e) {
  99             e.printStackTrace();
 100         }
 101     }
 102
 103     private void loginSession(HttpServletRequest req, User user) {
 104         req.getSession().invalidate();
 105         HttpSession hs = req.getSession();
 106         hs.setAttribute(LOGGEDIN, true);
 107         hs.setAttribute(Language.SESSION_ATTRIB_NAME, user.getPreferredLocale());
 108         hs.setAttribute(USER, user);
 109     }
 110
 111     @Override
 112     public boolean isPermitted(User u) {
 113         return u == null;
 114     }
 115 }