src/org/cacert/gigi/pages/LoginPage.java

   1 package org.cacert.gigi.pages;
   2
   3 import static org.cacert.gigi.Gigi.LOGGEDIN;
   4 import static org.cacert.gigi.Gigi.USER;
   5
   6 import java.io.IOException;
   7 import java.security.cert.X509Certificate;
   8 import java.sql.PreparedStatement;
   9 import java.sql.ResultSet;
  10 import java.sql.SQLException;
  11
  12 import javax.servlet.http.HttpServletRequest;
  13 import javax.servlet.http.HttpServletResponse;
  14 import javax.servlet.http.HttpSession;
  15
  16 import org.cacert.gigi.User;
  17 import org.cacert.gigi.database.DatabaseConnection;
  18 import org.cacert.gigi.util.PasswordHash;
  19
  20 public class LoginPage extends Page {
  21         public static final String LOGIN_RETURNPATH = "login-returnpath";
  22
  23         public LoginPage(String title) {
  24                 super(title);
  25         }
  26
  27         @Override
  28         public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
  29                 resp.getWriter().println(
  30                         "<form method='POST' action='/login'>" + "<input type='text' name='username'>"
  31                                 + "<input type='password' name='password'> <input type='submit' value='login'></form>");
  32         }
  33
  34         @Override
  35         public boolean beforeTemplate(HttpServletRequest req, HttpServletResponse resp) throws IOException {
  36                 String redir = (String) req.getSession().getAttribute(LOGIN_RETURNPATH);
  37                 if (req.getSession().getAttribute("loggedin") == null) {
  38                         X509Certificate[] cert = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
  39                         if (cert != null && cert[0] != null) {
  40                                 tryAuthWithCertificate(req, cert[0]);
  41                         }
  42                         if (req.getMethod().equals("POST")) {
  43                                 tryAuthWithUnpw(req);
  44                         }
  45                 }
  46
  47                 if (req.getSession().getAttribute("loggedin") != null) {
  48                         String s = redir;
  49                         if (s != null) {
  50                                 if (!s.startsWith("/")) {
  51                                         s = "/" + s;
  52                                 }
  53                                 resp.sendRedirect(s);
  54                         } else {
  55                                 resp.sendRedirect("/");
  56                         }
  57                         return true;
  58                 }
  59                 return false;
  60         }
  61
  62         @Override
  63         public boolean needsLogin() {
  64                 return false;
  65         }
  66
  67         private void tryAuthWithUnpw(HttpServletRequest req) {
  68                 String un = req.getParameter("username");
  69                 String pw = req.getParameter("password");
  70                 try {
  71                         PreparedStatement ps = DatabaseConnection.getInstance().prepare(
  72                                 "SELECT `password`, `id` FROM `users` WHERE `email`=? AND locked='0' AND verified='1'");
  73                         ps.setString(1, un);
  74                         ResultSet rs = ps.executeQuery();
  75                         if (rs.next()) {
  76                                 if (PasswordHash.verifyHash(pw, rs.getString(1))) {
  77                                         req.getSession().invalidate();
  78                                         HttpSession hs = req.getSession();
  79                                         hs.setAttribute(LOGGEDIN, true);
  80                                         hs.setAttribute(USER, new User(rs.getInt(2)));
  81                                 }
  82                         }
  83                         rs.close();
  84                 } catch (SQLException e) {
  85                         e.printStackTrace();
  86                 }
  87         }
  88
  89         public static User getUser(HttpServletRequest req) {
  90                 return (User) req.getSession().getAttribute(USER);
  91         }
  92
  93         private void tryAuthWithCertificate(HttpServletRequest req, X509Certificate x509Certificate) {
  94                 String serial = x509Certificate.getSerialNumber().toString(16).toUpperCase();
  95                 try {
  96                         PreparedStatement ps = DatabaseConnection.getInstance().prepare(
  97                                 "SELECT `memid` FROM `emailcerts` WHERE `serial`=? AND `disablelogin`='0' AND `revoked` = "
  98                                         + "'0000-00-00 00:00:00'");
  99                         ps.setString(1, serial);
 100                         ResultSet rs = ps.executeQuery();
 101                         if (rs.next()) {
 102                                 req.getSession().invalidate();
 103                                 HttpSession hs = req.getSession();
 104                                 hs.setAttribute(LOGGEDIN, true);
 105                                 hs.setAttribute(USER, new User(rs.getInt(1)));
 106                         }
 107                         rs.close();
 108                 } catch (SQLException e) {
 109                         e.printStackTrace();
 110                 }
 111         }
 112 }