1 package org.cacert.gigi.pages;
2
3 import static org.cacert.gigi.Gigi.LOGGEDIN;
4 import static org.cacert.gigi.Gigi.USER;
5
6 import java.io.IOException;
7 import java.security.cert.X509Certificate;
8 import java.sql.PreparedStatement;
9 import java.sql.ResultSet;
10 import java.sql.SQLException;
11
12 import javax.servlet.http.HttpServletRequest;
13 import javax.servlet.http.HttpServletResponse;
14 import javax.servlet.http.HttpSession;
15
16 import org.cacert.gigi.User;
17 import org.cacert.gigi.database.DatabaseConnection;
18 import org.cacert.gigi.util.PasswordHash;
19
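/**
 * Login page: authenticates a visitor either by the TLS client certificate the
 * container has already verified, or by e-mail address and password posted
 * from the form this page renders. On success the session is marked with
 * {@code LOGGEDIN} and carries the {@link User} under {@code USER}.
 */
public class LoginPage extends Page {

	/**
	 * Creates the login page.
	 *
	 * @param title the page title handed to {@link Page}
	 */
	public LoginPage(String title) {
		super(title);
	}

	/**
	 * Attempts authentication for a visitor who is not yet logged in, then
	 * either redirects an authenticated visitor to {@code /} or renders the
	 * login form.
	 *
	 * @param req the current request (GET shows the form, POST carries the
	 *            {@code username} / {@code password} fields)
	 * @param resp the response to redirect or write the form to
	 * @throws IOException if the response writer fails
	 */
	@Override
	public void doGet(HttpServletRequest req, HttpServletResponse resp)
			throws IOException {
		if (!isLoggedIn(req)) {
			// The container populates this attribute only after it has
			// completed TLS client authentication; nothing here re-validates
			// the chain, so that remains the container's responsibility.
			X509Certificate[] cert = (X509Certificate[]) req
					.getAttribute("javax.servlet.request.X509Certificate");
			// Check the length too: an empty array would otherwise throw
			// ArrayIndexOutOfBoundsException on cert[0].
			if (cert != null && cert.length > 0 && cert[0] != null) {
				tryAuthWithCertificate(req, cert[0]);
			}
			// Only fall back to the password form if the certificate did not
			// already establish a session, so a second login attempt cannot
			// silently replace the identity the certificate just bound.
			if (!isLoggedIn(req) && "POST".equals(req.getMethod())) {
				tryAuthWithUnpw(req);
			}
		}

		if (isLoggedIn(req)) { // Redir from login
			resp.sendRedirect("/");
			return;
		}

		resp.getWriter()
				.println(
						"<form method='POST' action='/login'>"
								+ "<input type='text' name='username'>"
								+ "<input type='password' name='password'> <input type='submit' value='login'></form>");
	}

	/**
	 * The login page itself must be reachable without a session.
	 *
	 * @return always {@code false}
	 */
	@Override
	public boolean needsLogin() {
		return false;
	}

	/**
	 * Reports whether the request's session carries the {@code LOGGEDIN}
	 * marker. This uses the same key the authentication helpers set; the
	 * earlier version compared against the literal {@code "loggedin"}, so if
	 * {@code Gigi.LOGGEDIN} has a different value that literal was never
	 * going to match anyway.
	 *
	 * @param req the current request
	 * @return {@code true} if a login marker is present in the session
	 */
	private static boolean isLoggedIn(HttpServletRequest req) {
		return req.getSession().getAttribute(LOGGEDIN) != null;
	}

	/**
	 * Marks the request as authenticated for the given user id. The
	 * pre-authentication session is discarded and a fresh one created so that
	 * a session identifier issued before login is never promoted to an
	 * authenticated one.
	 *
	 * @param req the current request
	 * @param userId the database id of the authenticated user
	 */
	private static void establishSession(HttpServletRequest req, int userId) {
		HttpSession old = req.getSession(false);
		if (old != null) {
			old.invalidate();
		}
		HttpSession hs = req.getSession(true);
		hs.setAttribute(LOGGEDIN, true);
		hs.setAttribute(USER, new User(userId));
	}

	/**
	 * Authenticates with the posted {@code username} (an e-mail address) and
	 * {@code password}. A database error is logged and treated as a failed
	 * login.
	 *
	 * @param req the POST request carrying the form fields
	 */
	private void tryAuthWithUnpw(HttpServletRequest req) {
		String un = req.getParameter("username");
		String pw = req.getParameter("password");
		// A POST with either field missing cannot authenticate; bail out
		// before the hash check rather than hand a null to verifyHash.
		if (un == null || pw == null) {
			return;
		}
		try {
			// NOTE(review): the statement comes from DatabaseConnection.prepare()
			// and is deliberately not closed here in case that helper caches
			// statements by SQL text — only the ResultSet is owned by this method.
			PreparedStatement ps = DatabaseConnection.getInstance().prepare(
					"SELECT `password`, `id` FROM `users` WHERE `email`=?");
			ps.setString(1, un);
			ResultSet rs = ps.executeQuery();
			try {
				if (rs.next() && PasswordHash.verifyHash(pw, rs.getString(1))) {
					establishSession(req, rs.getInt(2));
				}
			} finally {
				rs.close();
			}
		} catch (SQLException e) {
			// Best-effort: a database failure leaves the visitor logged out.
			e.printStackTrace();
		}
	}

	/**
	 * Returns the user bound to the request's session, or {@code null} when
	 * nobody is logged in.
	 *
	 * @param req the current request
	 * @return the session's {@link User}, or {@code null}
	 */
	public static User getUser(HttpServletRequest req) {
		return (User) req.getSession().getAttribute(USER);
	}

	/**
	 * Authenticates with a client certificate by looking up its serial number
	 * among the e-mail certificates that are neither login-disabled nor
	 * revoked. Serials are only unique per issuer, so this lookup assumes the
	 * container accepts client certificates from this CA alone — confirm the
	 * configured trust store is restricted accordingly.
	 *
	 * @param req the current request
	 * @param x509Certificate the leaf certificate presented by the client
	 */
	private void tryAuthWithCertificate(HttpServletRequest req,
			X509Certificate x509Certificate) {
		// Upper-case hex, matching how serials are stored in `emailcerts`.
		String serial = x509Certificate.getSerialNumber().toString(16)
				.toUpperCase();
		try {
			// NOTE(review): statement not closed for the same reason as in
			// tryAuthWithUnpw — DatabaseConnection.prepare() may cache it.
			PreparedStatement ps = DatabaseConnection
					.getInstance()
					.prepare(
							"SELECT `memid` FROM `emailcerts` WHERE `serial`=? AND `disablelogin`='0' AND `revoked` = "
									+ "'0000-00-00 00:00:00'");
			ps.setString(1, serial);
			ResultSet rs = ps.executeQuery();
			try {
				if (rs.next()) {
					establishSession(req, rs.getInt(1));
				}
			} finally {
				rs.close();
			}
		} catch (SQLException e) {
			// Best-effort: a database failure leaves the visitor logged out.
			e.printStackTrace();
		}
	}
}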