ziver/zallery
1
0
Fork 0
Code Pull requests Releases Activity

Some progress on auth logic and cleanup of User class

Browse source
This commit is contained in:
Ziver Koc 2017-11-13 16:34:13 +01:00
parent 58d4ab2f75
commit 26ab7c9dd9
12 changed files with 370 additions and 110 deletions
Download patch file Download diff file Expand all files Collapse all files

30
Zallery.iml
View file

@ -1,5 +1,5 @@
<?xml version="1.0" encoding="UTF-8"?>
<module type="JAVA_MODULE" version="4">
<module org.jetbrains.idea.maven.project.MavenProjectsManager.isMavenModule="true" type="JAVA_MODULE" version="4">
<component name="EclipseModuleManager">
<libelement value="file:///Test/lib/commons-cli-1.2.jar" />
<libelement value="file:///Test/lib/slf4j-api-1.6.4.jar" />
@ -11,12 +11,14 @@
<src_folder value="file://$MODULE_DIR$/src" expected_position="0" />
</src_description>
</component>
<component name="NewModuleRootManager" inherit-compiler-output="true">
<exclude-output />
<component name="NewModuleRootManager" LANGUAGE_LEVEL="JDK_1_8">
<output url="file://$MODULE_DIR$/target/classes" />
<output-test url="file://$MODULE_DIR$/target/test-classes" />
<content url="file://$MODULE_DIR$">
<sourceFolder url="file://$MODULE_DIR$/src" isTestSource="false" />
<sourceFolder url="file://$MODULE_DIR$/WebContent" type="java-resource" />
<excludeFolder url="file://$MODULE_DIR$/build" />
<excludeFolder url="file://$MODULE_DIR$/target" />
</content>
<orderEntry type="sourceFolder" forTests="false" />
<orderEntry type="inheritedJdk" />
@ -43,7 +45,6 @@
<jarDirectory url="file://$MODULE_DIR$/lib" recursive="false" />
</library>
</orderEntry>
<orderEntry type="module" module-name="Zutil" />
<orderEntry type="module-library">
<library>
<CLASSES />
@ -54,5 +55,26 @@
<SOURCES />
</library>
</orderEntry>
<orderEntry type="library" name="Maven: se.koc:zutil:1.0.0-SNAPSHOT" level="project" />
<orderEntry type="library" name="Maven: commons-fileupload:commons-fileupload:1.2.1" level="project" />
<orderEntry type="library" name="Maven: commons-io:commons-io:2.5" level="project" />
<orderEntry type="library" name="Maven: dom4j:dom4j:1.6.1" level="project" />
<orderEntry type="library" name="Maven: xml-apis:xml-apis:1.0.b2" level="project" />
<orderEntry type="library" name="Maven: org.xerial:sqlite-jdbc:3.8.11.2" level="project" />
<orderEntry type="library" name="Maven: org.hamcrest:hamcrest-core:1.3" level="project" />
<orderEntry type="library" name="Maven: com.carrotsearch:junit-benchmarks:0.7.2" level="project" />
<orderEntry type="library" name="Maven: javax.mail:mail:1.3.2" level="project" />
<orderEntry type="library" name="Maven: javax.activation:activation:1.0.2" level="project" />
<orderEntry type="library" name="Maven: mysql:mysql-connector-java:5.1.36" level="project" />
<orderEntry type="module-library">
<library name="Maven: xuggle:xuggle-xuggler:5.4">
<CLASSES>
<root url="jar://$MODULE_DIR$/WebContent/WEB-INF/lib/xuggle-xuggler-5.4.jar!/" />
</CLASSES>
<JAVADOC />
<SOURCES />
</library>
</orderEntry>
<orderEntry type="library" scope="PROVIDED" name="Maven: javax.servlet:javax.servlet-api:3.1.0" level="project" />
</component>
</module>

79
pom.xml Executable file
View file

@ -0,0 +1,79 @@
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>se.koc</groupId>
<artifactId>zallery</artifactId>
<version>1.0.0-SNAPSHOT</version>
<packaging>war</packaging>
<name>Zallery</name>
<properties>
<java.version>1.8</java.version>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
</properties>
<dependencies>
<dependency>
<groupId>se.koc</groupId>
<artifactId>zutil</artifactId>
<version>1.0.0-SNAPSHOT</version>
</dependency>
<dependency>
<groupId>javax.mail</groupId>
<artifactId>mail</artifactId>
<version>1.3.2</version>
</dependency>
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<version>5.1.36</version>
</dependency>
<dependency>
<groupId>xuggle</groupId>
<artifactId>xuggle-xuggler</artifactId>
<version>5.4</version>
<scope>system</scope>
<systemPath>${basedir}/WebContent/WEB-INF/lib/xuggle-xuggler-5.4.jar</systemPath>
</dependency>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>javax.servlet-api</artifactId>
<version>3.1.0</version>
<scope>provided</scope>
</dependency>
</dependencies>
<build>
<sourceDirectory>src</sourceDirectory>
<testSourceDirectory>test</testSourceDirectory>
<plugins>
<plugin>
<artifactId>maven-compiler-plugin</artifactId>
<version>3.6.1</version>
<configuration>
<source>${java.version}</source>
<target>${java.version}</target>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-war-plugin</artifactId>
<version>3.2.0</version>
<configuration>
<warSourceDirectory>WebContent</warSourceDirectory>
</configuration>
</plugin>
</plugins>
</build>
</project>

12
src/zall/ZalleryConstant.java Executable file
View file

@ -0,0 +1,12 @@
package zall;
/**
* Zallery globally defined constants
*/
public interface ZalleryConstant {
/** Session Constants **/
String SESSION_KEY_USER = "zal_user";
String SESSION_KEY_AUTH_HASH = "zal_session_hash";
}

2
src/zall/action/RegisterAction.java
View file

@ -31,7 +31,7 @@ public class RegisterAction extends ZalleryAction{
msgs.add(MessageType.ERROR, "Please provide a valid email!");
return;
}
if( User.emailExists(request.getParameter("email"), db) ){
if(User.load(db, request.getParameter("email")) != null){
msgs.add(MessageType.ERROR, "An account with that email already exists!");
return;
}

150
src/zall/bean/User.java
View file

@ -9,13 +9,11 @@ import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import zall.Zallery;
import zutil.Hasher;
import zutil.db.DBConnection;
import zutil.db.bean.DBBean;
import zutil.db.bean.DBBeanSQLResultHandler;
import zutil.db.bean.DBBean.*;
import zutil.db.handler.SimpleSQLResult;
@DBTable("User")
public class User extends DBBean{
@ -30,7 +28,6 @@ public class User extends DBBean{
protected String password;
// Date
protected Timestamp loginDate;
protected transient Timestamp prevLoginDate;
// security
protected transient AuthType authBy;
protected String sessionId;
@ -50,32 +47,21 @@ public class User extends DBBean{
return DBConnection.exec(sql, DBBeanSQLResultHandler.createList(User.class, db));
}
/**
* Uses normal user and password to get user object,
* this function will save the bean
*
* @param db is the DB connection
* @param email is the email of the user
* @param password is the password of the user
* @param request is the HTTP request object
* @return The user object or null if non where found
* @throws SQLException
*/
public static User load(HttpServletRequest request, HttpServletResponse response, DBConnection db, String email, String password ) throws SQLException{
if( password==null || password.isEmpty() || password.equalsIgnoreCase("null"))
return null;
public static User load(DBConnection db, String email) throws SQLException{
PreparedStatement sql = db.getPreparedStatement(
"SELECT * FROM User WHERE email=? AND password=? LIMIT 1");
"SELECT * FROM User WHERE email=? LIMIT 1");
sql.setString(1, email);
sql.setString(2, Hasher.MD5( password ));
User user = DBConnection.exec(sql, DBBeanSQLResultHandler.create(User.class, db));
if( user != null ){
user.registerOnHost(request, response, db, true );
user.save(db);
user.setAuthBy( AuthType.USER_INPUT );
}
return user;
}
@ -104,7 +90,6 @@ public class User extends DBBean{
if( user != null &&
user.ipHost.equals( request.getLocalName() ) &&
user.loginDate.getTime()+SESSION_TIMEOUT > System.currentTimeMillis() ){
user.prevLoginDate = user.loginDate;
user.loginDate = new Timestamp( System.currentTimeMillis() );
user.save(db);
user.setAuthBy( AuthType.COOKIE );
@ -113,14 +98,6 @@ public class User extends DBBean{
return null;
}
public static boolean emailExists(String email, DBConnection db) throws SQLException{
PreparedStatement sql = db.getPreparedStatement(
"SELECT email FROM User WHERE email=? LIMIT 1");
sql.setString(1, email);
String tmp = DBConnection.exec(sql, new SimpleSQLResult<String>());
return tmp != null;
}
public User(){
@ -139,11 +116,10 @@ public class User extends DBBean{
* @throws SQLException
*/
public void registerOnHost(HttpServletRequest request, HttpServletResponse response, DBConnection db, boolean cookie) throws SQLException{
prevLoginDate = loginDate;
loginDate = new Timestamp( System.currentTimeMillis() );
sessionId = request.getSession().getId();
ipHost = request.getRemoteAddr();
sessionHash = Hasher.MD5( ""+sessionId+ipHost+loginDate+password );
sessionHash = generateSessionHash();
if( cookie ){
Cookie c = new Cookie("sessionHash", sessionHash );
c.setMaxAge(5*24*60*60); // 5 days
@ -151,30 +127,11 @@ public class User extends DBBean{
}
}
public void logout(HttpServletResponse response) {
Cookie cookie = new Cookie( "sessionHash", null);
cookie.setMaxAge( 0 );
response.addCookie( cookie );
}
public boolean valid(HttpServletRequest request){
if( !isEnabled() ) return false;
switch( authBy ){
case USER_INPUT:
if( !isEmailVerified() ) return false;
case COOKIE:
return ( sessionHash.equals( Zallery.getCookieValue(request.getCookies(), "sessionHash")) ||
loginDate.getTime()+1000 > System.currentTimeMillis() ) &&
ipHost.equals( request.getRemoteAddr() ) &&
loginDate.getTime()+SESSION_TIMEOUT > System.currentTimeMillis();
}
return false;
}
public boolean verifyEmail(String hash) {
return emailVerified = getEmailVerificationHash().equals(hash);
return emailVerified = generateEmailVerificationHash().equals(hash);
}
public String getEmailVerificationHash(){
public String generateEmailVerificationHash(){
return Hasher.MD5( "##helloWorld-->2011"+email+name+password );
}
@ -187,20 +144,21 @@ public class User extends DBBean{
public void setLoginDate(Timestamp loginDate) {
this.loginDate = loginDate;
}
public Timestamp getPrevLoginDate() {
if( loginDate == null )
loginDate = new Timestamp(0);
return prevLoginDate;
public void setAuthBy(AuthType authBy){
this.authBy = authBy;
}
public void setPrevLoginDate(Timestamp prevLoginDate) {
this.prevLoginDate = prevLoginDate;
public AuthType getAuthBy(){
return authBy;
}
public String getName() {
return name;
}
public void setName(String name) {
this.name = name;
}
public String getEmail() {
return email;
}
@ -210,57 +168,59 @@ public class User extends DBBean{
emailVerified = false;
this.email = email;
}
public String getPassword() {
return password;
}
public void setPassword(String password) {
this.password = Hasher.MD5( password );
}
public boolean equalsPassword( String pass ){
return Hasher.MD5( pass ).equals( password );
}
public String getSessionId() {
return sessionId;
}
public void setSessionId(String sessionId) {
this.sessionId = sessionId;
}
public String getIpHost() {
return ipHost;
}
public void setIpHost(String ipHost) {
this.ipHost = ipHost;
}
public String getSessionHash() {
return sessionHash;
}
public boolean isSuperUser(){
return superUser;
}
public void setSuperUser(boolean superuser){
this.superUser = superuser;
}
public boolean isEnabled(){
return enabled;
}
public void setEnabled(boolean enabled){
this.enabled = enabled;
}
public boolean isEmailVerified(){
return emailVerified;
}
public void setEmailVerified(boolean verified){
this.emailVerified = verified;
}
public void setAuthBy(AuthType authBy){
this.authBy = authBy;
public String getPassword() {
return password;
}
public AuthType getAuthBy(){
return authBy;
public void setPassword(String password) {
this.password = Hasher.MD5( password );
}
public String getSessionId() {
return sessionId;
}
public void setSessionId(String sessionId) {
this.sessionId = sessionId;
}
public String getSessionHash() {
return sessionHash;
}
public void setSessionHash(String sessionHash) {
this.sessionHash = sessionHash;
}
public String generateSessionHash(){
return Hasher.MD5( ""+sessionId+ipHost+loginDate+password );
}
public String getIpHost() {
return ipHost;
}
public void setIpHost(String ipHost) {
this.ipHost = ipHost;
}
public boolean isSuperUser(){
return superUser;
}
public void setSuperUser(boolean superUser){
this.superUser = superUser;
}
public boolean isEnabled(){
return enabled;
}
public void setEnabled(boolean enabled){
this.enabled = enabled;
}
public boolean equals(User u){
return u != null && this.getId() == u.getId();
return u != null && getId() == u.getId();
}
}

5
src/zall/filter/AuthenticationFilter.java
View file

@ -1,6 +1,7 @@
package zall.filter;
import zall.bean.User;
import zall.manager.AuthenticationManager;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
@ -18,7 +19,7 @@ public class AuthenticationFilter implements Filter {
@Override
public void init(FilterConfig filterConfig) throws ServletException { }
public void init(FilterConfig filterConfig) { }
@Override
public void doFilter(final ServletRequest request, final ServletResponse response, final FilterChain chain) throws IOException, ServletException {
@ -26,7 +27,7 @@ public class AuthenticationFilter implements Filter {
User user = null;
// continue the request via the filter pipeline if it is login page or it is a valid User
if (requestURI.equals(LOGIN_URI) || user != null) {
if (requestURI.equals(LOGIN_URI) || AuthenticationManager.valid(user)) {
chain.doFilter(request, response);
} else {
// do not continue the filter pipeline but respond back to client

61
src/zall/manager/AuthenticationManager.java
View file

@ -1,13 +1,65 @@
package zall.manager;
import zall.Zallery;
import zall.ZalleryConstant;
import zall.bean.Folder;
import zall.bean.Media;
import zall.bean.User;
import zall.util.msg.UserMessage;
import zutil.Hasher;
import zutil.db.DBConnection;
import zutil.log.LogUtil;
import javax.servlet.http.HttpServletRequest;
import java.sql.SQLException;
import java.util.logging.Logger;
/**
*
*/
public class AuthenticationManager {
private static final Logger logger = LogUtil.getLogger();
/**
* Authenticate a username and password and return the associated Uaer object
*/
public static User authenticate(DBConnection db, String email, String password) throws SQLException {
User authenticatedUser = null;
User user = User.load(db, email);
// Valid email?
if( user != null ){
if (user.getPassword().equals(Hasher.MD5(password))) {
authenticatedUser = user;
authenticatedUser.setAuthBy(User.AuthType.USER_INPUT);
authenticatedUser.save(db);
logger.info("User(" + authenticatedUser.getName() + ") authenticated by "+authenticatedUser.getAuthBy());
}
}
return authenticatedUser;
}
/**
* @return true if the user has a valid authentication session
*/
public static boolean valid(User user, HttpServletRequest request) {
if(user == null)
return false;
if(!user.isEnabled())
return false;
if(user.getSessionHash() == null || user.getSessionHash().isEmpty() )
return false;
switch( user.getAuthBy() ){
case USER_INPUT:
if (!user.isEmailVerified()) return false;
case COOKIE:
String cookieHash = Zallery.getCookieValue(request.getCookies(), ZalleryConstant.SESSION_KEY_AUTH_HASH);
return user.getSessionHash().equals(cookieHash) &&
user.getIpHost().equals( request.getRemoteAddr() );
}
return false;
}
/**
* @return true if the specified user can edit the media
@ -27,4 +79,13 @@ public class AuthenticationManager {
public static boolean canEdit(User user, User target){
return user.equals( target ) || user.isSuperUser();
}
/**
* Reset the user authentication. In plain word: logout user.
*/
public static void reset(DBConnection db, User user) throws SQLException {
user.setSessionHash(null);
user.save(db);
}
}

34
src/zall/servlet/LoginServlet.java
View file

@ -1,5 +1,10 @@
package zall.servlet;
import zall.bean.User;
import zall.manager.AuthenticationManager;
import zall.util.DbHttpServlet;
import zutil.db.DBConnection;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
@ -7,17 +12,38 @@ import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.sql.SQLException;
import static zall.ZalleryConstant.SESSION_KEY_USER;
/**
*
*/
@WebServlet(urlPatterns = "/login")
public class LoginServlet extends HttpServlet {
public class LoginServlet extends DbHttpServlet {
private static final String JSP_FILE = "login.jsp";
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
RequestDispatcher dispatcher = getServletContext().getRequestDispatcher("/"+JSP_FILE);
if (dispatcher != null)
dispatcher.include(req, resp);
getServletContext().getRequestDispatcher("/" + JSP_FILE).include(req, resp);
}
protected void doPost(HttpServletRequest req, HttpServletResponse resp, DBConnection db) throws ServletException, IOException, SQLException {
User user = AuthenticationManager.authenticate(db,
req.getParameter("email"),
req.getParameter("password"));
// Successfull login
if (user != null) {
user.registerOnHost(req, resp, db, true );
req.getSession().setAttribute(SESSION_KEY_USER, user);
getServletContext().getRequestDispatcher("/").forward(req, resp);
}
// Failed login
else {
getServletContext().getRequestDispatcher("/" + JSP_FILE).include(req, resp);
}
}
}

32
src/zall/servlet/LogoutServlet.java Executable file
View file

@ -0,0 +1,32 @@
package zall.servlet;
import zall.ZalleryConstant;
import zall.bean.User;
import zall.manager.AuthenticationManager;
import zall.util.DbHttpServlet;
import zutil.db.DBConnection;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.sql.SQLException;
import static zall.ZalleryConstant.SESSION_KEY_USER;
/**
*
*/
@WebServlet(urlPatterns = "/logout")
public class LogoutServlet extends DbHttpServlet {
protected void doGet(HttpServletRequest req, HttpServletResponse resp, DBConnection db) throws SQLException, IOException {
User user = (User) req.getSession().getAttribute(SESSION_KEY_USER);
AuthenticationManager.reset(db, user);
req.getSession().removeAttribute(SESSION_KEY_USER);
resp.sendRedirect("/login");
}
}

4
src/zall/servlet/RegisterServlet.java
View file

@ -16,8 +16,6 @@ public class RegisterServlet extends HttpServlet {
private static final String JSP_FILE = "register.jsp";
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
RequestDispatcher dispatcher = getServletContext().getRequestDispatcher("/"+JSP_FILE);
if (dispatcher != null)
dispatcher.include(req, resp);
getServletContext().getRequestDispatcher("/"+JSP_FILE).include(req, resp);
}
}

69
src/zall/util/DbHttpServlet.java Executable file
View file

@ -0,0 +1,69 @@
package zall.util;
import zall.bean.Folder;
import zall.bean.Image;
import zall.bean.Media;
import zall.bean.User;
import zall.manager.AuthenticationManager;
import zall.util.msg.UserMessage;
import zall.util.msg.UserMessage.MessageType;
import zutil.db.DBConnection;
import zutil.log.LogUtil;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletConfig;
import javax.servlet.ServletException;
import javax.servlet.http.*;
import java.io.File;
import java.io.IOException;
import java.sql.SQLException;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
public abstract class DbHttpServlet extends HttpServlet{
private static Logger logger = LogUtil.getLogger();
protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
DBConnection db = null;
try{
doGet(request, response, db = getDB());
} catch (SQLException e) {
throw new IOException(e);
} finally{
if(db != null) db.close();
}
}
protected void doGet(HttpServletRequest request, HttpServletResponse response, DBConnection db)
throws ServletException, IOException, SQLException { }
protected void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
DBConnection db = null;
try{
doPost(request, response, db = getDB());
} catch (SQLException e) {
throw new IOException(e);
} finally{
if(db != null) db.close();
}
}
protected void doPost(HttpServletRequest request, HttpServletResponse response, DBConnection db)
throws ServletException, IOException, SQLException { }
public static DBConnection getDB() throws ServletException{
try {
return new DBConnection("jdbc/mysql");
} catch (Exception e) {
throw new ServletException(e);
}
}
}

2
src/zall/util/ZalleryEmail.java
View file

@ -28,7 +28,7 @@ public class ZalleryEmail {
email.setContentType(Email.ContentType.HTML);
email.setMessage("You receive this message because you have requested an account" +
"<br>at "+Zallery.getWebsiteName()+". Please click the link to verify your email address: " +
"<p><a href='"+Zallery.getWebsiteURL()+"?action=verfemail&id="+user.getId()+"&hash="+user.getEmailVerificationHash()+"'>"+Zallery.getWebsiteURL()+"?action=verfemail&id="+user.getId()+"&hash="+user.getEmailVerificationHash()+"</a>" +
"<p><a href='"+Zallery.getWebsiteURL()+"?action=verfemail&id="+user.getId()+"&hash="+user.generateEmailVerificationHash()+"'>"+Zallery.getWebsiteURL()+"?action=verfemail&id="+user.getId()+"&hash="+user.generateEmailVerificationHash()+"</a>" +
"<p> You will have to wait for an admin to activate your account after you have verified your email.");
SmtpClient smtp = new SmtpClient(host);