src/org/cacert/gigi/pages/LoginPage.java

   1 package org.cacert.gigi.pages;
   2
   3 import static org.cacert.gigi.Gigi.LOGGEDIN;
   4 import static org.cacert.gigi.Gigi.USER;
   5
   6 import java.io.IOException;
   7 import java.security.cert.X509Certificate;
   8 import java.sql.PreparedStatement;
   9 import java.sql.ResultSet;
  10 import java.sql.SQLException;
  11
  12 import javax.servlet.http.HttpServletRequest;
  13 import javax.servlet.http.HttpServletResponse;
  14 import javax.servlet.http.HttpSession;
  15
  16 import org.cacert.gigi.User;
  17 import org.cacert.gigi.database.DatabaseConnection;
  18 import org.cacert.gigi.util.PasswordHash;
  19
  20 public class LoginPage extends Page {
  21         public static final String LOGIN_RETURNPATH = "login-returnpath";
  22
  23         public LoginPage(String title) {
  24                 super(title);
  25         }
  26
  27         @Override
  28         public void doGet(HttpServletRequest req, HttpServletResponse resp)
  29                         throws IOException {
  30                 resp.getWriter()
  31                                 .println(
  32                                                 "<form method='POST' action='/login'>"
  33                                                                 + "<input type='text' name='username'>"
  34                                                                 + "<input type='password' name='password'> <input type='submit' value='login'></form>");
  35         }
  36
  37         @Override
  38         public boolean beforeTemplate(HttpServletRequest req,
  39                         HttpServletResponse resp) throws IOException {
  40                 if (req.getSession().getAttribute("loggedin") == null) {
  41                         X509Certificate[] cert = (X509Certificate[]) req
  42                                         .getAttribute("javax.servlet.request.X509Certificate");
  43                         if (cert != null && cert[0] != null) {
  44                                 tryAuthWithCertificate(req, cert[0]);
  45                         }
  46                         if (req.getMethod().equals("POST")) {
  47                                 tryAuthWithUnpw(req);
  48                         }
  49                 }
  50
  51                 if (req.getSession().getAttribute("loggedin") != null) {
  52                         String s = (String) req.getSession().getAttribute(LOGIN_RETURNPATH);
  53                         if (s != null) {
  54                                 if (!s.startsWith("/")) {
  55                                         s = "/" + s;
  56                                 }
  57                                 resp.sendRedirect(s);
  58                         } else {
  59                                 resp.sendRedirect("/");
  60                         }
  61                         return true;
  62                 }
  63                 return false;
  64         }
  65         @Override
  66         public boolean needsLogin() {
  67                 return false;
  68         }
  69         private void tryAuthWithUnpw(HttpServletRequest req) {
  70                 String un = req.getParameter("username");
  71                 String pw = req.getParameter("password");
  72                 try {
  73                         PreparedStatement ps = DatabaseConnection
  74                                         .getInstance()
  75                                         .prepare(
  76                                                         "SELECT `password`, `id` FROM `users` WHERE `email`=? AND locked='0' AND verified='1'");
  77                         ps.setString(1, un);
  78                         ResultSet rs = ps.executeQuery();
  79                         if (rs.next()) {
  80                                 if (PasswordHash.verifyHash(pw, rs.getString(1))) {
  81                                         req.getSession().invalidate();
  82                                         HttpSession hs = req.getSession();
  83                                         hs.setAttribute(LOGGEDIN, true);
  84                                         hs.setAttribute(USER, new User(rs.getInt(2)));
  85                                 }
  86                         }
  87                         rs.close();
  88                 } catch (SQLException e) {
  89                         e.printStackTrace();
  90                 }
  91         }
  92         public static User getUser(HttpServletRequest req) {
  93                 return (User) req.getSession().getAttribute(USER);
  94         }
  95         private void tryAuthWithCertificate(HttpServletRequest req,
  96                         X509Certificate x509Certificate) {
  97                 String serial = x509Certificate.getSerialNumber().toString(16)
  98                                 .toUpperCase();
  99                 try {
 100                         PreparedStatement ps = DatabaseConnection
 101                                         .getInstance()
 102                                         .prepare(
 103                                                         "SELECT `memid` FROM `emailcerts` WHERE `serial`=? AND `disablelogin`='0' AND `revoked` = "
 104                                                                         + "'0000-00-00 00:00:00'");
 105                         ps.setString(1, serial);
 106                         ResultSet rs = ps.executeQuery();
 107                         if (rs.next()) {
 108                                 req.getSession().invalidate();
 109                                 HttpSession hs = req.getSession();
 110                                 hs.setAttribute(LOGGEDIN, true);
 111                                 hs.setAttribute(USER, new User(rs.getInt(1)));
 112                         }
 113                         rs.close();
 114                 } catch (SQLException e) {
 115                         e.printStackTrace();
 116                 }
 117         }
 118 }