src/org/cacert/gigi/pages/LoginPage.java

   1 package org.cacert.gigi.pages;
   2
   3 import static org.cacert.gigi.Gigi.*;
   4
   5 import java.io.IOException;
   6 import java.security.cert.X509Certificate;
   7
   8 import javax.servlet.http.HttpServletRequest;
   9 import javax.servlet.http.HttpServletResponse;
  10 import javax.servlet.http.HttpSession;
  11
  12 import org.cacert.gigi.database.DatabaseConnection;
  13 import org.cacert.gigi.database.GigiPreparedStatement;
  14 import org.cacert.gigi.database.GigiResultSet;
  15 import org.cacert.gigi.dbObjects.Group;
  16 import org.cacert.gigi.dbObjects.User;
  17 import org.cacert.gigi.localisation.Language;
  18 import org.cacert.gigi.util.PasswordHash;
  19
  20 public class LoginPage extends Page {
  21
  22     public static final String LOGIN_RETURNPATH = "login-returnpath";
  23
  24     public LoginPage(String title) {
  25         super(title);
  26     }
  27
  28     @Override
  29     public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
  30         resp.getWriter().println("<form method='POST' action='/login'>" + "<input type='text' name='username'>" + "<input type='password' name='password'> <input type='submit' value='login'></form>");
  31     }
  32
  33     @Override
  34     public boolean beforeTemplate(HttpServletRequest req, HttpServletResponse resp) throws IOException {
  35         String redir = (String) req.getSession().getAttribute(LOGIN_RETURNPATH);
  36         if (req.getSession().getAttribute("loggedin") == null) {
  37             X509Certificate[] cert = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
  38             if (cert != null && cert[0] != null) {
  39                 tryAuthWithCertificate(req, cert[0]);
  40             }
  41             if (req.getMethod().equals("POST")) {
  42                 tryAuthWithUnpw(req);
  43             }
  44         }
  45
  46         if (req.getSession().getAttribute("loggedin") != null) {
  47             String s = redir;
  48             if (s != null) {
  49                 if ( !s.startsWith("/")) {
  50                     s = "/" + s;
  51                 }
  52                 resp.sendRedirect(s);
  53             } else {
  54                 resp.sendRedirect("/");
  55             }
  56             return true;
  57         }
  58         return false;
  59     }
  60
  61     @Override
  62     public boolean needsLogin() {
  63         return false;
  64     }
  65
  66     private void tryAuthWithUnpw(HttpServletRequest req) {
  67         String un = req.getParameter("username");
  68         String pw = req.getParameter("password");
  69         GigiPreparedStatement ps = DatabaseConnection.getInstance().prepare("SELECT `password`, `id` FROM `users` WHERE `email`=? AND verified='1'");
  70         ps.setString(1, un);
  71         GigiResultSet rs = ps.executeQuery();
  72         if (rs.next()) {
  73             if (PasswordHash.verifyHash(pw, rs.getString(1))) {
  74                 loginSession(req, User.getById(rs.getInt(2)));
  75             }
  76         }
  77         rs.close();
  78     }
  79
  80     public static User getUser(HttpServletRequest req) {
  81         return (User) req.getSession().getAttribute(USER);
  82     }
  83
  84     private void tryAuthWithCertificate(HttpServletRequest req, X509Certificate x509Certificate) {
  85         String serial = x509Certificate.getSerialNumber().toString(16).toUpperCase();
  86         GigiPreparedStatement ps = DatabaseConnection.getInstance().prepare("SELECT `memid` FROM `certs` WHERE `serial`=? AND `disablelogin`='0' AND `revoked` = '0000-00-00 00:00:00'");
  87         ps.setString(1, serial);
  88         GigiResultSet rs = ps.executeQuery();
  89         if (rs.next()) {
  90             loginSession(req, User.getById(rs.getInt(1)));
  91         }
  92         rs.close();
  93     }
  94
  95     private static final Group LOGIN_BLOCKED = Group.getByString("blockedlogin");
  96
  97     private void loginSession(HttpServletRequest req, User user) {
  98         if (user.isInGroup(LOGIN_BLOCKED)) {
  99             return;
 100         }
 101         req.getSession().invalidate();
 102         HttpSession hs = req.getSession();
 103         hs.setAttribute(LOGGEDIN, true);
 104         hs.setAttribute(Language.SESSION_ATTRIB_NAME, user.getPreferredLocale());
 105         hs.setAttribute(USER, user);
 106     }
 107
 108     @Override
 109     public boolean isPermitted(User u) {
 110         return u == null;
 111     }
 112 }