src/org/cacert/gigi/pages/LoginPage.java

   1 package org.cacert.gigi.pages;
   2
   3 import static org.cacert.gigi.Gigi.LOGGEDIN;
   4 import static org.cacert.gigi.Gigi.USER;
   5
   6 import java.io.IOException;
   7 import java.security.cert.X509Certificate;
   8 import java.sql.PreparedStatement;
   9 import java.sql.ResultSet;
  10 import java.sql.SQLException;
  11
  12 import javax.servlet.http.HttpServletRequest;
  13 import javax.servlet.http.HttpServletResponse;
  14 import javax.servlet.http.HttpSession;
  15
  16 import org.cacert.gigi.User;
  17 import org.cacert.gigi.database.DatabaseConnection;
  18 import org.cacert.gigi.util.PasswordHash;
  19
  20 public class LoginPage extends Page {
  21         public static final String LOGIN_RETURNPATH = "login-returnpath";
  22
  23         public LoginPage(String title) {
  24                 super(title);
  25         }
  26
  27         @Override
  28         public void doGet(HttpServletRequest req, HttpServletResponse resp)
  29                         throws IOException {
  30                 resp.getWriter()
  31                                 .println(
  32                                                 "<form method='POST' action='/login'>"
  33                                                                 + "<input type='text' name='username'>"
  34                                                                 + "<input type='password' name='password'> <input type='submit' value='login'></form>");
  35         }
  36
  37         @Override
  38         public boolean beforeTemplate(HttpServletRequest req,
  39                         HttpServletResponse resp) throws IOException {
  40                 String redir = (String) req.getSession().getAttribute(LOGIN_RETURNPATH);
  41                 if (req.getSession().getAttribute("loggedin") == null) {
  42                         X509Certificate[] cert = (X509Certificate[]) req
  43                                         .getAttribute("javax.servlet.request.X509Certificate");
  44                         if (cert != null && cert[0] != null) {
  45                                 tryAuthWithCertificate(req, cert[0]);
  46                         }
  47                         if (req.getMethod().equals("POST")) {
  48                                 tryAuthWithUnpw(req);
  49                         }
  50                 }
  51
  52                 if (req.getSession().getAttribute("loggedin") != null) {
  53                         String s = redir;
  54                         if (s != null) {
  55                                 if (!s.startsWith("/")) {
  56                                         s = "/" + s;
  57                                 }
  58                                 resp.sendRedirect(s);
  59                         } else {
  60                                 resp.sendRedirect("/");
  61                         }
  62                         return true;
  63                 }
  64                 return false;
  65         }
  66         @Override
  67         public boolean needsLogin() {
  68                 return false;
  69         }
  70         private void tryAuthWithUnpw(HttpServletRequest req) {
  71                 String un = req.getParameter("username");
  72                 String pw = req.getParameter("password");
  73                 try {
  74                         PreparedStatement ps = DatabaseConnection
  75                                         .getInstance()
  76                                         .prepare(
  77                                                         "SELECT `password`, `id` FROM `users` WHERE `email`=? AND locked='0' AND verified='1'");
  78                         ps.setString(1, un);
  79                         ResultSet rs = ps.executeQuery();
  80                         if (rs.next()) {
  81                                 if (PasswordHash.verifyHash(pw, rs.getString(1))) {
  82                                         req.getSession().invalidate();
  83                                         HttpSession hs = req.getSession();
  84                                         hs.setAttribute(LOGGEDIN, true);
  85                                         hs.setAttribute(USER, new User(rs.getInt(2)));
  86                                 }
  87                         }
  88                         rs.close();
  89                 } catch (SQLException e) {
  90                         e.printStackTrace();
  91                 }
  92         }
  93         public static User getUser(HttpServletRequest req) {
  94                 return (User) req.getSession().getAttribute(USER);
  95         }
  96         private void tryAuthWithCertificate(HttpServletRequest req,
  97                         X509Certificate x509Certificate) {
  98                 String serial = x509Certificate.getSerialNumber().toString(16)
  99                                 .toUpperCase();
 100                 try {
 101                         PreparedStatement ps = DatabaseConnection
 102                                         .getInstance()
 103                                         .prepare(
 104                                                         "SELECT `memid` FROM `emailcerts` WHERE `serial`=? AND `disablelogin`='0' AND `revoked` = "
 105                                                                         + "'0000-00-00 00:00:00'");
 106                         ps.setString(1, serial);
 107                         ResultSet rs = ps.executeQuery();
 108                         if (rs.next()) {
 109                                 req.getSession().invalidate();
 110                                 HttpSession hs = req.getSession();
 111                                 hs.setAttribute(LOGGEDIN, true);
 112                                 hs.setAttribute(USER, new User(rs.getInt(1)));
 113                         }
 114                         rs.close();
 115                 } catch (SQLException e) {
 116                         e.printStackTrace();
 117                 }
 118         }
 119 }