| | |
|---|
| | | HttpServletRequest request = ((WebRequest) getRequest()).getHttpServletRequest(); |
|---|
| | | HttpServletResponse response = ((WebResponse) getResponse()).getHttpServletResponse(); |
|---|
| | | |
|---|
| | | if (session.isLoggedIn() && !session.isSessionInvalidated()) { |
|---|
| | | // already have a session, refresh usermodel to pick up |
|---|
| | | // any changes to permissions or roles (issue-186) |
|---|
| | | UserModel user = app().users().getUserModel(session.getUser().username); |
|---|
| | | // If using container/external servlet authentication, use request attribute |
|---|
| | | String authedUser = (String) request.getAttribute(Constants.ATTRIB_AUTHUSER); |
|---|
| | | |
|---|
| | | // Default to trusting session authentication if not set in request by external processing |
|---|
| | | if (StringUtils.isEmpty(authedUser) && session.isLoggedIn()) { |
|---|
| | | authedUser = session.getUsername(); |
|---|
| | | } |
|---|
| | | |
|---|
| | | if (!StringUtils.isEmpty(authedUser)) { |
|---|
| | | // Avoid session fixation for non-session authentication |
|---|
| | | // If the authenticated user is different from the session user, discard |
|---|
| | | // the old session entirely, without trusting any session values |
|---|
| | | if (!authedUser.equals(session.getUsername())) { |
|---|
| | | session.replaceSession(); |
|---|
| | | } |
|---|
| | | |
|---|
| | | if (!session.isSessionInvalidated()) { |
|---|
| | | // Refresh usermodel to pick up any changes to permissions or roles (issue-186) |
|---|
| | | UserModel user = app().users().getUserModel(authedUser); |
|---|
| | | |
|---|
| | | if (user == null || user.disabled) { |
|---|
| | | // user was deleted/disabled during session |
|---|
| | |
|---|
| | | } |
|---|
| | | |
|---|
| | | // validate cookie during session (issue-361) |
|---|
| | | if (user != null && app().settings().getBoolean(Keys.web.allowCookieAuthentication, true)) { |
|---|
| | | if (app().settings().getBoolean(Keys.web.allowCookieAuthentication, true)) { |
|---|
| | | String requestCookie = app().authentication().getCookie(request); |
|---|
| | | if (!StringUtils.isEmpty(requestCookie) && !StringUtils.isEmpty(user.cookie)) { |
|---|
| | | if (!requestCookie.equals(user.cookie)) { |
|---|
| | |
|---|
| | | session.setUser(user); |
|---|
| | | return; |
|---|
| | | } |
|---|
| | | } |
|---|
| | | |
|---|
| | | // try to authenticate by servlet request |
|---|
| | | UserModel user = app().authentication().authenticate(request); |
|---|
| | | |
|---|
| | | // Login the user |
|---|
| | | if (user != null) { |
|---|
| | | // preserve the authentication type across session replacement |
|---|
| | | AuthenticationType authenticationType = (AuthenticationType) request.getSession() |
|---|
| | | .getAttribute(Constants.AUTHENTICATION_TYPE); |
|---|
| | | AuthenticationType authenticationType = (AuthenticationType) request.getAttribute(Constants.ATTRIB_AUTHTYPE); |
|---|
| | | |
|---|
| | | // issue 62: fix session fixation vulnerability |
|---|
| | | // but only if authentication was done in the container. |
|---|
| | | // It avoid double change of session, that some authentication method |
|---|
| | | // don't like |
|---|
| | | if (AuthenticationType.CONTAINER != authenticationType) { |
|---|
| | | session.replaceSession(); |
|---|
| | | } |
|---|
| | | session.setUser(user); |
|---|
| | | |
|---|
| | | request.getSession().setAttribute(Constants.AUTHENTICATION_TYPE, authenticationType); |
|---|
| | | |
|---|
| | | // Set Cookie |
|---|
| | | app().authentication().setCookie(request, response, user); |
|---|
