src/org/cacert/gigi/pages/LoginPage.java

   1 package org.cacert.gigi.pages;
   2
   3 import static org.cacert.gigi.Gigi.LOGGEDIN;
   4 import static org.cacert.gigi.Gigi.USER;
   5
   6 import java.io.IOException;
   7 import java.security.cert.X509Certificate;
   8 import java.sql.PreparedStatement;
   9 import java.sql.ResultSet;
  10 import java.sql.SQLException;
  11
  12 import javax.servlet.http.HttpServletRequest;
  13 import javax.servlet.http.HttpServletResponse;
  14 import javax.servlet.http.HttpSession;
  15
  16 import org.cacert.gigi.User;
  17 import org.cacert.gigi.database.DatabaseConnection;
  18 import org.cacert.gigi.util.PasswordHash;
  19
  20 public class LoginPage extends Page {
  21         public static final String LOGIN_RETURNPATH = "login-returnpath";
  22
  23         public LoginPage(String title) {
  24                 super(title);
  25         }
  26
  27         @Override
  28         public void doGet(HttpServletRequest req, HttpServletResponse resp)
  29                         throws IOException {
  30                 resp.getWriter()
  31                                 .println(
  32                                                 "<form method='POST' action='/login'>"
  33                                                                 + "<input type='text' name='username'>"
  34                                                                 + "<input type='password' name='password'> <input type='submit' value='login'></form>");
  35         }
  36
  37         @Override
  38         public boolean beforeTemplate(HttpServletRequest req,
  39                         HttpServletResponse resp) throws IOException {
  40                 HttpSession hs = req.getSession();
  41                 if (hs.getAttribute("loggedin") == null) {
  42                         X509Certificate[] cert = (X509Certificate[]) req
  43                                         .getAttribute("javax.servlet.request.X509Certificate");
  44                         if (cert != null && cert[0] != null) {
  45                                 tryAuthWithCertificate(req, cert[0]);
  46                         }
  47                         if (req.getMethod().equals("POST")) {
  48                                 tryAuthWithUnpw(req);
  49                         }
  50                 }
  51
  52                 if (hs.getAttribute("loggedin") != null) {
  53                         String s = (String) req.getSession().getAttribute(LOGIN_RETURNPATH);
  54                         if (s != null) {
  55                                 if (!s.startsWith("/")) {
  56                                         s = "/" + s;
  57                                 }
  58                                 resp.sendRedirect(s);
  59                         } else {
  60                                 resp.sendRedirect("/");
  61                         }
  62                         return true;
  63                 }
  64                 return false;
  65         }
  66         @Override
  67         public boolean needsLogin() {
  68                 return false;
  69         }
  70         private void tryAuthWithUnpw(HttpServletRequest req) {
  71                 String un = req.getParameter("username");
  72                 String pw = req.getParameter("password");
  73                 try {
  74                         PreparedStatement ps = DatabaseConnection.getInstance().prepare(
  75                                         "SELECT `password`, `id` FROM `users` WHERE `email`=?");
  76                         ps.setString(1, un);
  77                         ResultSet rs = ps.executeQuery();
  78                         if (rs.next()) {
  79                                 if (PasswordHash.verifyHash(pw, rs.getString(1))) {
  80                                         HttpSession hs = req.getSession();
  81                                         hs.setAttribute(LOGGEDIN, true);
  82                                         hs.setAttribute(USER, new User(rs.getInt(2)));
  83                                 }
  84                         }
  85                         rs.close();
  86                 } catch (SQLException e) {
  87                         e.printStackTrace();
  88                 }
  89         }
  90         public static User getUser(HttpServletRequest req) {
  91                 return (User) req.getSession().getAttribute(USER);
  92         }
  93         private void tryAuthWithCertificate(HttpServletRequest req,
  94                         X509Certificate x509Certificate) {
  95                 String serial = x509Certificate.getSerialNumber().toString(16)
  96                                 .toUpperCase();
  97                 try {
  98                         PreparedStatement ps = DatabaseConnection
  99                                         .getInstance()
 100                                         .prepare(
 101                                                         "SELECT `memid` FROM `emailcerts` WHERE `serial`=? AND `disablelogin`='0' AND `revoked` = "
 102                                                                         + "'0000-00-00 00:00:00'");
 103                         ps.setString(1, serial);
 104                         ResultSet rs = ps.executeQuery();
 105                         if (rs.next()) {
 106                                 HttpSession hs = req.getSession();
 107                                 hs.setAttribute(LOGGEDIN, true);
 108                                 hs.setAttribute(USER, new User(rs.getInt(1)));
 109                         }
 110                         rs.close();
 111                 } catch (SQLException e) {
 112                         e.printStackTrace();
 113                 }
 114         }
 115 }