src/main/java/com/gitblit/Constants.java | ●●●●● patch | view | raw | blame | history | |
src/main/java/com/gitblit/auth/RedmineAuthProvider.java | ●●●●● patch | view | raw | blame | history | |
src/main/java/com/gitblit/manager/AuthenticationManager.java | ●●●●● patch | view | raw | blame | history | |
src/main/java/com/gitblit/servlet/PtServlet.java | ●●●●● patch | view | raw | blame | history | |
src/main/java/com/gitblit/utils/CompressionUtils.java | ●●●●● patch | view | raw | blame | history | |
src/main/java/com/gitblit/wicket/GitBlitWebSession.java | ●●●●● patch | view | raw | blame | history | |
src/main/java/com/gitblit/wicket/pages/RootPage.java | ●●●●● patch | view | raw | blame | history | |
src/main/java/com/gitblit/wicket/pages/SessionPage.java | ●●●●● patch | view | raw | blame | history |
src/main/java/com/gitblit/Constants.java
@@ -137,6 +137,8 @@ public static final String DEVELOP = "develop"; public static final String AUTHENTICATION_TYPE = "authentication-type"; public static String getVersion() { String v = Constants.class.getPackage().getImplementationVersion(); if (v == null) { src/main/java/com/gitblit/auth/RedmineAuthProvider.java
@@ -19,7 +19,7 @@ import java.io.InputStreamReader; import java.net.HttpURLConnection; import org.apache.wicket.util.io.IOUtils; import org.apache.commons.io.IOUtils; import com.gitblit.Constants; import com.gitblit.Constants.AccountType; src/main/java/com/gitblit/manager/AuthenticationManager.java
@@ -27,8 +27,8 @@ import javax.servlet.http.Cookie; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; import org.apache.wicket.RequestCycle; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -53,7 +53,6 @@ import com.gitblit.utils.HttpUtils; import com.gitblit.utils.StringUtils; import com.gitblit.utils.X509Utils.X509Metadata; import com.gitblit.wicket.GitBlitWebSession; import com.google.inject.Inject; import com.google.inject.Singleton; @@ -205,7 +204,7 @@ UserModel user = userManager.getUserModel(username); if (user != null) { // existing user flagWicketSession(AuthenticationType.CONTAINER); flagSession(httpRequest, AuthenticationType.CONTAINER); logger.debug(MessageFormat.format("{0} authenticated by servlet container principal from {1}", user.username, httpRequest.getRemoteAddr())); return validateAuthentication(user, AuthenticationType.CONTAINER); @@ -217,7 +216,7 @@ user.password = Constants.EXTERNAL_ACCOUNT; user.accountType = AccountType.CONTAINER; userManager.updateUserModel(user); flagWicketSession(AuthenticationType.CONTAINER); flagSession(httpRequest, AuthenticationType.CONTAINER); logger.debug(MessageFormat.format("{0} authenticated and created by servlet container principal from {1}", user.username, httpRequest.getRemoteAddr())); return validateAuthentication(user, AuthenticationType.CONTAINER); @@ -238,7 +237,7 @@ UserModel user = userManager.getUserModel(model.username); X509Metadata metadata = HttpUtils.getCertificateMetadata(httpRequest); if (user != null) { flagWicketSession(AuthenticationType.CERTIFICATE); flagSession(httpRequest, AuthenticationType.CERTIFICATE); logger.debug(MessageFormat.format("{0} authenticated by client certificate {1} from {2}", user.username, metadata.serialNumber, httpRequest.getRemoteAddr())); return validateAuthentication(user, AuthenticationType.CERTIFICATE); 
@@ -260,7 +259,7 @@ if (!StringUtils.isEmpty(cookie)) { user = userManager.getUserModel(cookie.toCharArray()); if (user != null) { flagWicketSession(AuthenticationType.COOKIE); flagSession(httpRequest, AuthenticationType.COOKIE); logger.debug(MessageFormat.format("{0} authenticated by cookie from {1}", user.username, httpRequest.getRemoteAddr())); return validateAuthentication(user, AuthenticationType.COOKIE); @@ -282,7 +281,7 @@ char[] password = values[1].toCharArray(); user = authenticate(username, password); if (user != null) { flagWicketSession(AuthenticationType.CREDENTIALS); flagSession(httpRequest, AuthenticationType.CREDENTIALS); logger.debug(MessageFormat.format("{0} authenticated by BASIC request header from {1}", user.username, httpRequest.getRemoteAddr())); return validateAuthentication(user, AuthenticationType.CREDENTIALS); @@ -347,13 +346,8 @@ return user; } protected void flagWicketSession(AuthenticationType authenticationType) { RequestCycle requestCycle = RequestCycle.get(); if (requestCycle != null) { // flag the Wicket session, if this is a Wicket request GitBlitWebSession session = GitBlitWebSession.get(); session.authenticationType = authenticationType; } protected void flagSession(HttpServletRequest httpRequest, AuthenticationType authenticationType) { httpRequest.getSession().setAttribute(Constants.AUTHENTICATION_TYPE, authenticationType); } /** 
@@ -474,8 +468,9 @@ @Override public void setCookie(HttpServletRequest request, HttpServletResponse response, UserModel user) { if (settings.getBoolean(Keys.web.allowCookieAuthentication, true)) { GitBlitWebSession session = GitBlitWebSession.get(); boolean standardLogin = session.authenticationType.isStandard(); HttpSession session = request.getSession(); AuthenticationType authenticationType = (AuthenticationType) session.getAttribute(Constants.AUTHENTICATION_TYPE); boolean standardLogin = authenticationType.isStandard(); if (standardLogin) { Cookie userCookie; src/main/java/com/gitblit/servlet/PtServlet.java
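Review bot: `setCookie` now dereferences the session attribute without a null check — `authenticationType.isStandard()` throws NullPointerException whenever `Constants.AUTHENTICATION_TYPE` has not been stored on the HttpSession, and the CREDENTIALS default that the old GitBlitWebSession constructor supplied is removed in this same commit. Every visible path stores the attribute before reaching setCookie, but any caller that gets here without going through `flagSession` (or after the attribute was set to null) now fails with an NPE rather than a deliberate decision; I would fail closed, `boolean standardLogin = authenticationType != null && authenticationType.isStandard();`, so that no persistent login cookie is issued when the authentication type is unknown. The user-menu hunk in RootPage (`@@ -599,7 +606,9 @@`) has the same unguarded `authenticationType.isStandard()`. Separately, `flagSession` calls `httpRequest.getSession()`, which creates a server-side session when none exists; since it replaces a Wicket-only no-op, it presumably now allocates a session for every BASIC-authenticated git or REST request, which is worth confirming against the container's session timeout before merging.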
@@ -15,6 +15,7 @@ */ package com.gitblit.servlet; import java.io.ByteArrayOutputStream; import java.io.File; import java.io.FileInputStream; import java.io.IOException; @@ -34,7 +35,6 @@ import org.apache.commons.compress.archivers.zip.ZipArchiveOutputStream; import org.apache.commons.compress.compressors.CompressorOutputStream; import org.apache.commons.compress.compressors.CompressorStreamFactory; import org.apache.wicket.util.io.ByteArrayOutputStream; import org.eclipse.jgit.lib.FileMode; import com.gitblit.manager.IRuntimeManager; src/main/java/com/gitblit/utils/CompressionUtils.java
@@ -15,6 +15,7 @@ */ package com.gitblit.utils; import java.io.ByteArrayOutputStream; import java.io.IOException; import java.io.OutputStream; import java.text.MessageFormat; @@ -27,7 +28,6 @@ import org.apache.commons.compress.archivers.zip.ZipArchiveOutputStream; import org.apache.commons.compress.compressors.CompressorException; import org.apache.commons.compress.compressors.CompressorStreamFactory; import org.apache.wicket.util.io.ByteArrayOutputStream; import org.eclipse.jgit.lib.Constants; import org.eclipse.jgit.lib.FileMode; import org.eclipse.jgit.lib.MutableObjectId; src/main/java/com/gitblit/wicket/GitBlitWebSession.java
@@ -30,7 +30,6 @@ import org.apache.wicket.protocol.http.WebSession; import org.apache.wicket.protocol.http.request.WebClientInfo; import com.gitblit.Constants.AuthenticationType; import com.gitblit.models.UserModel; public final class GitBlitWebSession extends WebSession { @@ -47,12 +46,9 @@ private AtomicBoolean isForking; public AuthenticationType authenticationType; public GitBlitWebSession(Request request) { super(request); isForking = new AtomicBoolean(); authenticationType = AuthenticationType.CREDENTIALS; } @Override src/main/java/com/gitblit/wicket/pages/RootPage.java
@@ -31,6 +31,9 @@ import java.util.concurrent.atomic.AtomicInteger; import java.util.regex.Pattern; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.apache.wicket.MarkupContainer; import org.apache.wicket.PageParameters; import org.apache.wicket.behavior.HeaderContributor; @@ -50,6 +53,7 @@ import org.apache.wicket.protocol.http.WebResponse; import com.gitblit.Constants; import com.gitblit.Constants.AuthenticationType; import com.gitblit.Keys; import com.gitblit.extensions.NavLinkExtension; import com.gitblit.extensions.UserMenuExtension; @@ -262,19 +266,22 @@ private void loginUser(UserModel user) { if (user != null) { HttpServletRequest request = ((WebRequest) getRequest()).getHttpServletRequest(); HttpServletResponse response = ((WebResponse) getResponse()).getHttpServletResponse(); // Set the user into the session GitBlitWebSession session = GitBlitWebSession.get(); // issue 62: fix session fixation vulnerability session.replaceSession(); session.setUser(user); request = ((WebRequest) getRequest()).getHttpServletRequest(); response = ((WebResponse) getResponse()).getHttpServletResponse(); request.getSession().setAttribute(Constants.AUTHENTICATION_TYPE, AuthenticationType.CREDENTIALS); // Set Cookie if (app().settings().getBoolean(Keys.web.allowCookieAuthentication, false)) { WebRequest request = (WebRequest) getRequestCycle().getRequest(); WebResponse response = (WebResponse) getRequestCycle().getResponse(); app().authentication().setCookie(request.getHttpServletRequest(), response.getHttpServletResponse(), user); } app().authentication().setCookie(request, response, user); if (!session.continueRequest()) { PageParameters params = getPageParameters(); 
@@ -599,7 +606,9 @@ GitBlitWebSession session = GitBlitWebSession.get(); UserModel user = session.getUser(); boolean editCredentials = app().authentication().supportsCredentialChanges(user); boolean standardLogin = session.authenticationType.isStandard(); HttpServletRequest request = ((WebRequest) getRequest()).getHttpServletRequest(); AuthenticationType authenticationType = (AuthenticationType) request.getSession().getAttribute(Constants.AUTHENTICATION_TYPE); boolean standardLogin = authenticationType.isStandard(); if (app().settings().getBoolean(Keys.web.allowGravatar, true)) { add(new GravatarImage("username", user, "navbarGravatar", 20, false)); src/main/java/com/gitblit/wicket/pages/SessionPage.java
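Review bot: `loginUser` now calls `app().authentication().setCookie(request, response, user)` unconditionally, dropping the surrounding `app().settings().getBoolean(Keys.web.allowCookieAuthentication, false)` check; the check inside `AuthenticationManager.setCookie` (visible at `@@ -474,8 +468,9 @@`) uses a default of `true`, so when the key is absent from the settings a persistent login cookie is presumably now issued where it was not before. If that behaviour change is intended, it deserves a sentence in the description; otherwise keep the guard, `if (app().settings().getBoolean(Keys.web.allowCookieAuthentication, false)) { app().authentication().setCookie(request, response, user); }`. The enclosing loginUser method ends outside the hunk.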
@@ -1,112 +1,110 @@ /* * Copyright 2013 gitblit.com. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package com.gitblit.wicket.pages; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.apache.wicket.PageParameters; import org.apache.wicket.markup.html.WebPage; import org.apache.wicket.protocol.http.WebRequest; import org.apache.wicket.protocol.http.WebResponse; import com.gitblit.Keys; import com.gitblit.models.UserModel; import com.gitblit.utils.StringUtils; import com.gitblit.wicket.GitBlitWebApp; import com.gitblit.wicket.GitBlitWebSession; public abstract class SessionPage extends WebPage { public SessionPage() { super(); login(); } public SessionPage(final PageParameters params) { super(params); login(); } protected String [] getEncodings() { return app().settings().getStrings(Keys.web.blobEncodings).toArray(new String[0]); } protected GitBlitWebApp app() { return GitBlitWebApp.get(); } private void login() { GitBlitWebSession session = GitBlitWebSession.get(); if (session.isLoggedIn() && !session.isSessionInvalidated()) { // already have a session, refresh usermodel to pick up // any changes to permissions or roles (issue-186) UserModel user = app().users().getUserModel(session.getUser().username); if (user == null || user.disabled) { // user was deleted/disabled during session HttpServletRequest request = ((WebRequest) getRequestCycle().getRequest()) .getHttpServletRequest(); HttpServletResponse response = 
((WebResponse) getRequestCycle().getResponse()) .getHttpServletResponse(); app().authentication().logout(request, response, user); session.setUser(null); session.invalidateNow(); return; } // validate cookie during session (issue-361) if (user != null && app().settings().getBoolean(Keys.web.allowCookieAuthentication, true)) { HttpServletRequest request = ((WebRequest) getRequestCycle().getRequest()) .getHttpServletRequest(); String requestCookie = app().authentication().getCookie(request); if (!StringUtils.isEmpty(requestCookie) && !StringUtils.isEmpty(user.cookie)) { if (!requestCookie.equals(user.cookie)) { // cookie was changed during our session HttpServletResponse response = ((WebResponse) getRequestCycle().getResponse()) .getHttpServletResponse(); app().authentication().logout(request, response, user); session.setUser(null); session.invalidateNow(); return; } } } session.setUser(user); return; } // try to authenticate by servlet request HttpServletRequest httpRequest = ((WebRequest) getRequestCycle().getRequest()) .getHttpServletRequest(); UserModel user = app().authentication().authenticate(httpRequest); // Login the user if (user != null) { // issue 62: fix session fixation vulnerability session.replaceSession(); session.setUser(user); // Set Cookie WebRequest request = (WebRequest) getRequestCycle().getRequest(); WebResponse response = (WebResponse) getRequestCycle().getResponse(); app().authentication().setCookie(request.getHttpServletRequest(), response.getHttpServletResponse(), user); session.continueRequest(); } } } /* * Copyright 2013 gitblit.com. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
* You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package com.gitblit.wicket.pages; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.apache.wicket.PageParameters; import org.apache.wicket.markup.html.WebPage; import org.apache.wicket.protocol.http.WebRequest; import org.apache.wicket.protocol.http.WebResponse; import com.gitblit.Constants; import com.gitblit.Constants.AuthenticationType; import com.gitblit.Keys; import com.gitblit.models.UserModel; import com.gitblit.utils.StringUtils; import com.gitblit.wicket.GitBlitWebApp; import com.gitblit.wicket.GitBlitWebSession; public abstract class SessionPage extends WebPage { public SessionPage() { super(); login(); } public SessionPage(final PageParameters params) { super(params); login(); } protected String [] getEncodings() { return app().settings().getStrings(Keys.web.blobEncodings).toArray(new String[0]); } protected GitBlitWebApp app() { return GitBlitWebApp.get(); } private void login() { GitBlitWebSession session = GitBlitWebSession.get(); HttpServletRequest request = ((WebRequest) getRequest()).getHttpServletRequest(); HttpServletResponse response = ((WebResponse) getResponse()).getHttpServletResponse(); if (session.isLoggedIn() && !session.isSessionInvalidated()) { // already have a session, refresh usermodel to pick up // any changes to permissions or roles (issue-186) UserModel user = app().users().getUserModel(session.getUser().username); if (user == null || user.disabled) { // user was deleted/disabled during session app().authentication().logout(request, response, user); session.setUser(null); 
session.invalidateNow(); return; } // validate cookie during session (issue-361) if (user != null && app().settings().getBoolean(Keys.web.allowCookieAuthentication, true)) { String requestCookie = app().authentication().getCookie(request); if (!StringUtils.isEmpty(requestCookie) && !StringUtils.isEmpty(user.cookie)) { if (!requestCookie.equals(user.cookie)) { // cookie was changed during our session app().authentication().logout(request, response, user); session.setUser(null); session.invalidateNow(); return; } } } session.setUser(user); return; } // try to authenticate by servlet request UserModel user = app().authentication().authenticate(request); // Login the user if (user != null) { // preserve the authentication type across session replacement AuthenticationType authenticationType = (AuthenticationType) request.getSession() .getAttribute(Constants.AUTHENTICATION_TYPE); // issue 62: fix session fixation vulnerability session.replaceSession(); session.setUser(user); request.getSession().setAttribute(Constants.AUTHENTICATION_TYPE, authenticationType); // Set Cookie app().authentication().setCookie(request, response, user); session.continueRequest(); } } }
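Review bot: `login()` captures `request` once at the top and, after `session.replaceSession()`, writes `Constants.AUTHENTICATION_TYPE` through `request.getSession()` on that earlier reference, whereas `RootPage.loginUser` in this same commit re-fetches the request from `getRequest()` after `replaceSession()` before doing the identical write. One of the two is either redundant or wrong: if the original HttpServletRequest still resolves to the replacement session, the re-fetch in RootPage is unneeded; if it does not, the attribute here lands on the invalidated session and `setCookie` on the next line sees null. I would use the same pattern in both places and add a comment such as `// replaceSession() invalidates the HttpSession; the attribute must be written to the new one` at the write. Also, if `authenticate(request)` ever returns a user without having stored the attribute, `setAttribute(..., null)` removes it and the following `setCookie` dereferences null; a guard like `if (authenticationType != null)` around the re-store, or a fail-closed check inside setCookie, would make that case explicit.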