/**
 * Remove a cookie by sending it back to the client with a max-age of zero.
 * <p>
 * The expired cookie is first sent for the configured cookie path; when a cookie domain can be determined
 * for the request, the same cookie is sent a second time scoped to that domain, so that a domain-scoped
 * variant (as created by {@link #setupCookie}) is cleared as well.
 *
 * @param request The servlet request.
 * @param response The servlet response.
 * @param cookieName The name of the cookie that must be removed.
 */
private void removeCookie(HttpServletRequest request, HttpServletResponse response, String cookieName)
{
    Cookie toExpire = getCookie(request.getCookies(), cookieName);
    if (toExpire == null) {
        // The client did not send a cookie with this name: nothing to expire.
        return;
    }
    // A max-age of zero tells the browser to discard the cookie immediately.
    toExpire.setMaxAge(0);
    toExpire.setPath(this.cookiePath);
    addCookie(response, toExpire);

    String domain = getCookieDomain(request);
    if (domain != null) {
        // Same Cookie instance, now scoped to the domain. Assumes addCookie() serialises the cookie into a
        // response header at call time, so the earlier path-only copy is unaffected by this mutation — confirm.
        toExpire.setDomain(domain);
        addCookie(response, toExpire);
    }
}
/**
 * Get the username stored (in a cookie) in the request. Also checks the validity of the cookie.
 * <p>
 * The stored value is only trusted after {@link #checkValidation} succeeds; when the configured protection
 * includes encryption, the cookie value is decrypted before being returned.
 *
 * @param request The servlet request.
 * @param response The servlet response.
 * @return The username value, or <tt>null</tt> if not found or the cookie isn't valid.
 * @todo Also use the URL, in case cookies are disabled [XWIKI-1071].
 */
@Override
public String getRememberedUsername(HttpServletRequest request, HttpServletResponse response)
{
    String stored = getCookieValue(request.getCookies(), getCookiePrefix() + COOKIE_USERNAME, DEFAULT_VALUE);
    if (stored.equals(DEFAULT_VALUE)) {
        // No username cookie was sent with the request.
        return null;
    }
    if (!checkValidation(request, response)) {
        // The validation cookie did not match the stored values: do not hand back an untrusted username.
        return null;
    }
    boolean encrypted =
        this.protection.equals(PROTECTION_ALL) || this.protection.equals(PROTECTION_ENCRYPTION);
    return encrypted ? decryptText(stored) : stored;
}
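/**
 * Checks whether the stored login cookies are consistent with the validation cookie.
 * <p>
 * The validation hash is recomputed from the username and password cookie values and the client IP (as
 * provided by {@code getClientIP}) and compared with the value of the validation cookie. On a mismatch the
 * cookies are treated as tampered with and the login is forgotten.
 * <p>
 * When the configured protection is neither {@code PROTECTION_ALL} nor {@code PROTECTION_VALIDATION} this
 * method returns {@code false} without inspecting any cookie, i.e. remembered logins are never accepted in
 * that configuration (fail-closed).
 *
 * @param request The servlet request.
 * @param response The servlet response.
 * @return True if validation is enabled and the validation cookie matches the recomputed hash, false
 *         otherwise (including when validation is not enabled).
 * @todo Don't ignore it when set to "false", check the validation method.
 */
private boolean checkValidation(HttpServletRequest request, HttpServletResponse response)
{
    if (!(this.protection.equals(PROTECTION_ALL) || this.protection.equals(PROTECTION_VALIDATION))) {
        return false;
    }
    Cookie[] cookies = request.getCookies();
    String prefix = getCookiePrefix();
    String username = getCookieValue(cookies, prefix + COOKIE_USERNAME, DEFAULT_VALUE);
    String password = getCookieValue(cookies, prefix + COOKIE_PASSWORD, DEFAULT_VALUE);
    String cookieHash = getCookieValue(cookies, prefix + COOKIE_VALIDATION, DEFAULT_VALUE);
    String calculatedHash = getValidationHash(username, password, getClientIP(request));

    // The validation cookie is client-supplied input. Compare it in constant time so that the duration of
    // the comparison does not depend on how many leading characters match the expected hash.
    // getValidationHash() can return null (its callers check for it); that is treated as a mismatch, as
    // the previous String#equals based comparison did.
    boolean matches = calculatedHash != null
        && java.security.MessageDigest.isEqual(
            cookieHash.getBytes(java.nio.charset.StandardCharsets.UTF_8),
            calculatedHash.getBytes(java.nio.charset.StandardCharsets.UTF_8));
    if (matches) {
        return true;
    }
    LOG.warn("Login cookie validation hash mismatch! Cookies have been tampered with");
    LOG.info("Login cookie is being deleted!");
    forgetLogin(request, response);
    return false;
}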
/**
 * Forget a login by clearing the request principal and removing every authentication cookie
 * (username, password, remember-me flag and validation hash).
 *
 * @param request The servlet request.
 * @param response The servlet response.
 */
@Override
public void forgetLogin(HttpServletRequest request, HttpServletResponse response)
{
    // NOTE(review): the cast assumes the request was wrapped upstream in a SecurityRequestWrapper; a plain
    // request would fail here with a ClassCastException before any cookie is removed — confirm with callers.
    ((SecurityRequestWrapper) request).setUserPrincipal(null);

    String prefix = getCookiePrefix();
    String[] suffixes = { COOKIE_USERNAME, COOKIE_PASSWORD, COOKIE_REMEMBERME, COOKIE_VALIDATION };
    for (String suffix : suffixes) {
        removeCookie(request, response, prefix + suffix);
    }
}
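/**
 * {@inheritDoc}
 * <p>
 * A login is being remembered when the remember-me cookie is present and holds exactly the string
 * {@code "true"}; a missing cookie or any other value means a session-only login.
 *
 * @see DefaultPersistentLoginManager#rememberingLogin(javax.servlet.http.HttpServletRequest)
 */
@Override
public boolean rememberingLogin(HttpServletRequest request)
{
    String value = getCookieValue(request.getCookies(), getCookiePrefix() + COOKIE_REMEMBERME, "false");
    // Literal-first comparison: the result is the boolean itself (no if/else needed) and a null value from
    // getCookieValue() is reported as "not remembered" instead of a NullPointerException.
    return "true".equals(value);
}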
/**
 * Setup a cookie: expiration date, path, domain + send it to the response.
 * <p>
 * A session cookie keeps whatever max-age it already carries; a persistent one gets the configured lifetime
 * via {@code setMaxAge}. The cookie is always scoped to the configured cookie path and, when a domain is
 * given, to that domain.
 *
 * @param cookie The cookie to setup.
 * @param sessionCookie Whether the cookie is only for this session, or for a longer period.
 * @param cookieDomain The domain for which the cookie is set.
 * @param response The servlet response.
 */
public void setupCookie(Cookie cookie, boolean sessionCookie, String cookieDomain, HttpServletResponse response)
{
    boolean persistent = !sessionCookie;
    if (persistent) {
        setMaxAge(cookie);
    }
    cookie.setPath(this.cookiePath);
    if (cookieDomain != null) {
        // Only scope to a domain when one was determined for the request.
        cookie.setDomain(cookieDomain);
    }
    // NOTE(review): no Secure or HttpOnly attribute is applied to the login cookies here — confirm whether the
    // servlet API version in use offers Cookie#setSecure / Cookie#setHttpOnly and whether the deployment
    // relies on the container to add them.
    addCookie(response, cookie);
}
MyPersistentLoginManager persistent = new MyPersistentLoginManager(); if (xwiki.Param("xwiki.authentication.cookieprefix") != null) { persistent.setCookiePrefix(xwiki.Param("xwiki.authentication.cookieprefix")); persistent.setCookiePath(xwiki.Param("xwiki.authentication.cookiepath")); persistent.setCookieDomains(cdomains); persistent.setCookieLife(xwiki.Param("xwiki.authentication.cookielife")); persistent.setProtection(xwiki.Param("xwiki.authentication.protection")); persistent.setUseIP(xwiki.Param("xwiki.authentication.useip")); persistent.setEncryptionAlgorithm(xwiki.Param("xwiki.authentication.encryptionalgorithm")); persistent.setEncryptionMode(xwiki.Param("xwiki.authentication.encryptionmode")); persistent.setEncryptionPadding(xwiki.Param("xwiki.authentication.encryptionpadding")); persistent.setValidationKey(xwiki.Param("xwiki.authentication.validationKey")); persistent.setEncryptionKey(xwiki.Param("xwiki.authentication.encryptionKey"));
String protectedPassword = password; if (this.protection.equals(PROTECTION_ALL) || this.protection.equals(PROTECTION_ENCRYPTION)) { protectedUsername = encryptText(protectedUsername); protectedPassword = encryptText(protectedPassword); if (protectedUsername == null || protectedPassword == null) { LOG.error("ERROR!!"); boolean sessionCookie = !(isTrue(request.getParameter("j_rememberme"))); String cookieDomain = getCookieDomain(request); Cookie usernameCookie = new Cookie(getCookiePrefix() + COOKIE_USERNAME, protectedUsername); setupCookie(usernameCookie, sessionCookie, cookieDomain, response); Cookie passwdCookie = new Cookie(getCookiePrefix() + COOKIE_PASSWORD, protectedPassword); setupCookie(passwdCookie, sessionCookie, cookieDomain, response); Cookie rememberCookie = new Cookie(getCookiePrefix() + COOKIE_REMEMBERME, !sessionCookie + ""); setupCookie(rememberCookie, sessionCookie, cookieDomain, response); String validationHash = getValidationHash(protectedUsername, protectedPassword, getClientIP(request)); if (validationHash != null) { Cookie validationCookie = new Cookie(getCookiePrefix() + COOKIE_VALIDATION, validationHash); setupCookie(validationCookie, sessionCookie, cookieDomain, response); } else { if (LOG.isErrorEnabled()) {
/**
 * Get the password stored (in a cookie) in the request. Also checks the validity of the cookie.
 * <p>
 * The stored value is only trusted after {@link #checkValidation} succeeds; when the configured protection
 * includes encryption, the cookie value is decrypted before being returned.
 * <p>
 * NOTE(review): this remember-me scheme keeps the (possibly encrypted) password itself in a client-side
 * cookie; a server-side token that does not carry the credential would limit the impact of a leaked cookie —
 * to be weighed against compatibility with existing deployments.
 *
 * @param request The servlet request.
 * @param response The servlet response.
 * @return The password value, or <tt>null</tt> if not found or the cookie isn't valid.
 * @todo Also use the URL, in case cookies are disabled [XWIKI-1071].
 */
@Override
public String getRememberedPassword(HttpServletRequest request, HttpServletResponse response)
{
    String stored = getCookieValue(request.getCookies(), getCookiePrefix() + COOKIE_PASSWORD, DEFAULT_VALUE);
    if (stored.equals(DEFAULT_VALUE)) {
        // No password cookie was sent with the request.
        return null;
    }
    if (!checkValidation(request, response)) {
        // The validation cookie did not match the stored values: do not hand back an untrusted password.
        return null;
    }
    boolean encrypted =
        this.protection.equals(PROTECTION_ALL) || this.protection.equals(PROTECTION_ENCRYPTION);
    return encrypted ? decryptText(stored) : stored;
}