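/**
 * {@inheritDoc}
 *
 * @see DefaultPersistentLoginManager#rememberingLogin(javax.servlet.http.HttpServletRequest)
 */
@Override
public boolean rememberingLogin(HttpServletRequest request)
{
    // The "remember me" flag is persisted as the literal string "true". A missing cookie yields the
    // "false" default, and any other value is likewise treated as "not remembered". Comparing with the
    // constant on the left keeps this null-safe instead of the original if/else that returned the same
    // boolean the comparison already produced.
    String rememberMe = getCookieValue(request.getCookies(), getCookiePrefix() + COOKIE_REMEMBERME, "false");
    return "true".equals(rememberMe);
}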
/**
 * Forget a login by removing the authentication cookies.
 *
 * <p>The request is expected to be a {@code SecurityRequestWrapper}; the cast below throws a
 * {@code ClassCastException} for any other request type.</p>
 *
 * @param request The servlet request.
 * @param response The servlet response.
 */
@Override
public void forgetLogin(HttpServletRequest request, HttpServletResponse response)
{
    // Clear the principal attached to the wrapped request before touching the cookies.
    ((SecurityRequestWrapper) request).setUserPrincipal(null);

    // Remove every login-related cookie, in the same order as before: username, password,
    // remember-me flag, validation hash.
    String[] cookieSuffixes = { COOKIE_USERNAME, COOKIE_PASSWORD, COOKIE_REMEMBERME, COOKIE_VALIDATION };
    for (String suffix : cookieSuffixes) {
        removeCookie(request, response, getCookiePrefix() + suffix);
    }
}
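/**
 * Checks that the validation cookie matches the hash recomputed from the username and password cookies and
 * the client IP.
 *
 * <p>The check only runs when the configured protection is {@code PROTECTION_ALL} or
 * {@code PROTECTION_VALIDATION}. In that mode a missing validation cookie (which reads as
 * {@code DEFAULT_VALUE}) is handled exactly like a mismatching one: the login cookies are removed via
 * {@link #forgetLogin} and {@code false} is returned. For any other protection setting no comparison is
 * made and the method also returns {@code false}, so the callers in this class never accept remembered
 * credentials without a successful validation.</p>
 *
 * @param request The servlet request.
 * @param response The servlet response, used to remove the cookies on mismatch.
 * @return {@code true} only when validation is enabled and the cookie hash equals the recomputed hash,
 *         {@code false} otherwise.
 * @todo Don't ignore it when set to "false", check the validation method.
 */
private boolean checkValidation(HttpServletRequest request, HttpServletResponse response)
{
    if (this.protection.equals(PROTECTION_ALL) || this.protection.equals(PROTECTION_VALIDATION)) {
        String username = getCookieValue(request.getCookies(), getCookiePrefix() + COOKIE_USERNAME, DEFAULT_VALUE);
        String password = getCookieValue(request.getCookies(), getCookiePrefix() + COOKIE_PASSWORD, DEFAULT_VALUE);
        String cookieHash =
            getCookieValue(request.getCookies(), getCookiePrefix() + COOKIE_VALIDATION, DEFAULT_VALUE);
        String calculatedHash = getValidationHash(username, password, getClientIP(request));

        // The cookie value is client-controlled, so compare in constant time: String.equals() stops at the
        // first differing character, which makes response timing depend on how much of the value matches.
        // getValidationHash() can return null (the cookie-writing code guards on that), in which case the
        // original equals() comparison was simply false; keep that outcome without dereferencing null.
        boolean hashMatches = calculatedHash != null
            && java.security.MessageDigest.isEqual(
                cookieHash.getBytes(java.nio.charset.StandardCharsets.UTF_8),
                calculatedHash.getBytes(java.nio.charset.StandardCharsets.UTF_8));
        if (hashMatches) {
            return true;
        }
        LOG.warn("Login cookie validation hash mismatch! Cookies have been tampered with");
        LOG.info("Login cookie is being deleted!");
        forgetLogin(request, response);
    }
    return false;
}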
/**
 * Get the username stored (in a cookie) in the request. Also checks the validity of the cookie.
 *
 * <p>The value is only returned after {@link #checkValidation} succeeds, i.e. when validation protection is
 * enabled and the validation cookie matches. It is decrypted when the protection is {@code PROTECTION_ALL}
 * or {@code PROTECTION_ENCRYPTION}; otherwise the raw cookie value is returned.</p>
 *
 * @param request The servlet request.
 * @param response The servlet response.
 * @return The username value, or {@code null} if not found or the cookie isn't valid.
 * @todo Also use the URL, in case cookies are disabled [XWIKI-1071].
 */
@Override
public String getRememberedUsername(HttpServletRequest request, HttpServletResponse response)
{
    String cookieValue = getCookieValue(request.getCookies(), getCookiePrefix() + COOKIE_USERNAME, DEFAULT_VALUE);

    // No username cookie at all: nothing to remember.
    if (cookieValue.equals(DEFAULT_VALUE)) {
        return null;
    }

    // checkValidation() removes the login cookies itself when the validation hash does not match.
    if (!checkValidation(request, response)) {
        return null;
    }

    boolean encrypted = this.protection.equals(PROTECTION_ALL) || this.protection.equals(PROTECTION_ENCRYPTION);
    return encrypted ? decryptText(cookieValue) : cookieValue;
}
/**
 * Get the password stored (in a cookie) in the request. Also checks the validity of the cookie.
 *
 * <p>Mirrors {@link #getRememberedUsername}: the value is only returned after {@link #checkValidation}
 * succeeds, and it is decrypted when the protection is {@code PROTECTION_ALL} or
 * {@code PROTECTION_ENCRYPTION}; otherwise the raw cookie value is returned as stored.</p>
 *
 * @param request The servlet request.
 * @param response The servlet response.
 * @return The password value, or {@code null} if not found or the cookie isn't valid.
 * @todo Also use the URL, in case cookies are disabled [XWIKI-1071].
 */
@Override
public String getRememberedPassword(HttpServletRequest request, HttpServletResponse response)
{
    String cookieValue = getCookieValue(request.getCookies(), getCookiePrefix() + COOKIE_PASSWORD, DEFAULT_VALUE);

    // No password cookie at all: nothing to remember.
    if (cookieValue.equals(DEFAULT_VALUE)) {
        return null;
    }

    // checkValidation() removes the login cookies itself when the validation hash does not match.
    if (!checkValidation(request, response)) {
        return null;
    }

    boolean encrypted = this.protection.equals(PROTECTION_ALL) || this.protection.equals(PROTECTION_ENCRYPTION);
    return encrypted ? decryptText(cookieValue) : cookieValue;
}
Cookie usernameCookie = new Cookie(getCookiePrefix() + COOKIE_USERNAME, protectedUsername); setupCookie(usernameCookie, sessionCookie, cookieDomain, response); Cookie passwdCookie = new Cookie(getCookiePrefix() + COOKIE_PASSWORD, protectedPassword); setupCookie(passwdCookie, sessionCookie, cookieDomain, response); Cookie rememberCookie = new Cookie(getCookiePrefix() + COOKIE_REMEMBERME, !sessionCookie + ""); setupCookie(rememberCookie, sessionCookie, cookieDomain, response); if (validationHash != null) { Cookie validationCookie = new Cookie(getCookiePrefix() + COOKIE_VALIDATION, validationHash); setupCookie(validationCookie, sessionCookie, cookieDomain, response); } else {