Initial impl of Authenticator and jsp files

This commit is contained in:
Ziver Koc 2017-10-19 15:46:38 +02:00
parent 41b7baa382
commit 58d4ab2f75
153 changed files with 7557 additions and 11415 deletions


@ -22,6 +22,7 @@ import zall.bean.Folder;
import zall.bean.Image;
import zall.bean.Media;
import zall.bean.User;
import zall.manager.AuthenticationManager;
import zall.util.ZalleryEmail;
import zutil.net.smtp.Email;
import zall.util.msg.UserMessage;
@ -30,31 +31,31 @@ import zutil.db.DBConnection;
import zutil.log.LogUtil;
public class Zallery extends HttpServlet{
private static Logger logger = LogUtil.getLogger();
private static Logger logger = LogUtil.getLogger();
public static final String VERSION = "1.0.2";
public static final String VERSION = "1.0.2";
public static String WEBSITE_NAME = "Example.com";
public static String WEBSITE_URL = "http://example.com";
public static String ROOT_PATH = "";
public static String DATA_PATH = "";
public static String WEBSITE_NAME = "Example.com";
public static String WEBSITE_URL = "http://example.com";
public static String ROOT_PATH = "";
public static String DATA_PATH = "";
/**
* Config Options:
* <br>- WEBSITE_NAME
* <br>- WEBSITE_URL
* <br>- SMTP_HOST
* <br>- DATA_PATH
*/
public void init(ServletConfig config) throws ServletException {
super.init(config);
// java:comp/env
ROOT_PATH = config.getServletContext().getRealPath("/");
/**
* Config Options:
* <br>- WEBSITE_NAME
* <br>- WEBSITE_URL
* <br>- SMTP_HOST
* <br>- DATA_PATH
*/
public void init(ServletConfig config) throws ServletException {
super.init(config);
// java:comp/env
ROOT_PATH = config.getServletContext().getRealPath("/");
try {
Context context = new InitialContext();
// Check if Zallery has been properly configured
if ("C:\\\\data".equals(context.lookup("java:comp/env/DATA_PATH")))
throw new ServletException("Zallery has not been properly configured, set proper configuration in Zallery.xml context file.");
if ("C:\\\\data".equals(context.lookup("java:comp/env/DATA_PATH")))
throw new ServletException("Zallery has not been properly configured, set proper configuration in Zallery.xml context file.");
WEBSITE_NAME = (String)context.lookup("java:comp/env/WEBSITE_NAME");
WEBSITE_URL = (String)context.lookup("java:comp/env/WEBSITE_URL");
@ -68,246 +69,246 @@ public class Zallery extends HttpServlet{
} catch (NamingException e) {
throw new ServletException(e);
}
}
public void destroy(){
}
}
public void destroy(){
public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException{
DBConnection db = null;
try{
doGet(request, response, db = getDB());
} finally{
if(db != null) db.close();
}
}
}
public void doGet(HttpServletRequest request, HttpServletResponse response, DBConnection db) throws ServletException{
try{
response.setContentType("text/html");
HttpSession session = request.getSession();
String page = new File(request.getRequestURI()).getName();
request.setAttribute("page", page);
User user = (User) session.getAttribute("user");
String action = request.getParameter("action");
if( action == null ) action = "";
UserMessage msgs = UserMessage.getUserMessage(session);
public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException{
DBConnection db = null;
try{
doGet(request, response, db = getDB());
} finally{
if(db != null) db.close();
}
}
// Verify email address
if( action.equalsIgnoreCase("verfemail") ){
User verfUser = User.load(db, Long.parseLong(request.getParameter("id")));
if (verfUser != null) {
if( verfUser.verifyEmail(request.getParameter("hash")) ){
ZalleryEmail.sendNewUserRegistrationToAdmin(verfUser, db);
verfUser.save(db);
msgs.add(MessageType.INFO, "Your email has been successfully verified.");
msgs.add(MessageType.WARNING, "The account is waiting account activation by an admin.");
}
else
msgs.add(MessageType.ERROR, "Email verification failed!");
}
else msgs.add(MessageType.ERROR, "Invalid user id: "+request.getParameter("id"));
}
// auth with cookie
if( user == null ){
user = User.loadByCookie(request, db, getCookieValue(request.getCookies(), "sessionHash") );
if(user != null){
logger.info("Used cookies to auth User: \""+user.getName()+"\".");
session.setAttribute("user", user);
}
}
public void doGet(HttpServletRequest request, HttpServletResponse response, DBConnection db) throws ServletException{
try{
response.setContentType("text/html");
HttpSession session = request.getSession();
String page = new File(request.getRequestURI()).getName();
request.setAttribute("page", page);
User user = (User) session.getAttribute("user");
String action = request.getParameter("action");
if( action == null ) action = "";
UserMessage msgs = UserMessage.getUserMessage(session);
if( user == null && ( !page.startsWith("register") && !page.startsWith("login") )){
//response.sendRedirect("login?redirect=\""+getUrl(request)+"\"");
response.sendRedirect("login");
return;
}
// validate user or Logout
if( user != null && ( !user.valid(request) || page.startsWith("logout") )){
logger.info("Logging Out User: \""+user.getName()+"\".");
session.invalidate();
session = request.getSession( true );
msgs.setSession( session );
user.logout( response );
if( !user.isEmailVerified() )
msgs.add(MessageType.WARNING, "Your email has not been verified!");
else if( !user.isEnabled() )
msgs.add(MessageType.ERROR, "Your account is disabled! Please contact the website administrator.");
else
msgs.add(MessageType.WARNING, "Your have been logged out.");
user = null;
response.sendRedirect("login");
return;
}
//**********************************************************
String include_jsp = null;
if( user != null ){
logger.finest("Valid user: \""+user.getName()+"\"");
// Import JSP pages
if(page.startsWith("media")){
try{
if( request.getParameter("id") == null && request.getParameter("type") == null){
msgs.add(MessageType.ERROR, "Missing parameters!");
return;
}
int id = Integer.parseInt( request.getParameter("id") );
Media media = Media.load(db, request.getParameter("type"), id);
request.setAttribute("media", media);
include_jsp = "media.jsp";
}catch(NumberFormatException e){ logger.log(Level.FINE, "", e); }
}
else if(page.startsWith("login")){
include_jsp = "login.jsp";
}
else if(page.startsWith("profile")){
if( request.getParameter("id") != null ){
User profile_user = User.load(db, Long.parseLong( request.getParameter("id") ));
if( user.canEdit( profile_user )){
request.setAttribute("profile_user", profile_user);
include_jsp = "profile.jsp";
}else{
msgs.add(MessageType.ERROR, "You do not have permission to edit this user.");
}
}else{
request.setAttribute("profile_user", user);
include_jsp = "profile.jsp";
}
}
else if(page.startsWith("users")){
List<User> users = User.load(db);
request.setAttribute("users", users);
include_jsp = "users.jsp";
}
else if(page.startsWith("upload")){
List<Folder> dirList = Folder.load(db, user);
request.setAttribute("folders", dirList);
include_jsp = "upload.jsp";
}
else if( page.startsWith("slideshow") ){
Image image = Image.load(db, Integer.parseInt( request.getParameter("id") ));
request.setAttribute("image", image );
List<Image> list = Image.loadFolder(db, image.getFolder());
request.setAttribute("image", image);
request.setAttribute("images", list);
include_jsp = "slideshow.jsp";
}
else { // if(page.startsWith("gallery"))
Folder folder = null;
if(request.getParameter("folder") != null && !request.getParameter("folder").equalsIgnoreCase("null"))
folder = Folder.load(db, Long.parseLong(request.getParameter("folder")) );
else{
folder = Folder.loadRoot(db, user);
// Setup new root folder
if( folder == null ){
folder = Folder.genRoot();
folder.save(db);
}
}
List<Media> list = Media.load(db, folder);
List<Folder> subFolders = Folder.loadSubFolders(db, folder, user);
//session.setAttribute("user", user);
request.setAttribute("folder", folder);
request.setAttribute("subfolders", subFolders);
request.setAttribute("media", list);
include_jsp = "gallery.jsp";
}
}
else if(page.startsWith("register")){
include_jsp = "register.jsp";
}
else if(page.startsWith("login")){
include_jsp = "login.jsp";
}
else{
//response.sendRedirect("login?redirect=\""+getUrl(request)+"\"");
response.sendRedirect("login");
return;
}
include("header.jsp", request, response);
if( include_jsp != null )
include(include_jsp, request, response);
include("footer.jsp", request, response);
} catch (Exception e) {
logger.severe(e.getMessage());
System.out.flush();
throw new ServletException(e);
} finally{
if(db != null) db.close();
}
}
// Verify email address
if( action.equalsIgnoreCase("verfemail") ){
User verfUser = User.load(db, Long.parseLong(request.getParameter("id")));
if (verfUser != null) {
if( verfUser.verifyEmail(request.getParameter("hash")) ){
ZalleryEmail.sendNewUserRegistrationToAdmin(verfUser, db);
verfUser.save(db);
msgs.add(MessageType.INFO, "Your email has been successfully verified.");
msgs.add(MessageType.WARNING, "The account is waiting account activation by an admin.");
}
else
msgs.add(MessageType.ERROR, "Email verification failed!");
}
else msgs.add(MessageType.ERROR, "Invalid user id: "+request.getParameter("id"));
}
// auth with cookie
if( user == null ){
user = User.loadByCookie(request, db, getCookieValue(request.getCookies(), "sessionHash") );
if(user != null){
logger.info("Used cookies to auth User: \""+user.getName()+"\".");
session.setAttribute("user", user);
}
}
public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException{
try {
include("ajax", request, response);
// RequestDispatcher include header read only workaround
HttpSession session = request.getSession();
User user = (User) session.getAttribute("user");
if( user != null ){
Cookie c = new Cookie("sessionHash", user.getSessionHash() );
c.setMaxAge(5*24*60*60); // 5 days
response.addCookie( c );
}
// Do the output
doGet(request, response);
if( user == null && ( !page.startsWith("register") && !page.startsWith("login") )){
//response.sendRedirect("login?redirect=\""+getUrl(request)+"\"");
response.sendRedirect("login");
return;
}
// validate user or Logout
if( user != null && ( !user.valid(request) || page.startsWith("logout") )){
logger.info("Logging Out User: \""+user.getName()+"\".");
session.invalidate();
session = request.getSession( true );
msgs.setSession( session );
user.logout( response );
} catch (Exception e) {
logger.severe(e.getMessage());
throw new ServletException(e);
}
}
if( !user.isEmailVerified() )
msgs.add(MessageType.WARNING, "Your email has not been verified!");
else if( !user.isEnabled() )
msgs.add(MessageType.ERROR, "Your account is disabled! Please contact the website administrator.");
else
msgs.add(MessageType.WARNING, "Your have been logged out.");
user = null;
response.sendRedirect("login");
return;
}
public static DBConnection getDB() throws ServletException{
try {
return new DBConnection("jdbc/mysql");
} catch (Exception e) {
throw new ServletException(e);
}
}
//**********************************************************
String include_jsp = null;
if( user != null ){
logger.finest("Valid user: \""+user.getName()+"\"");
// Import JSP pages
if(page.startsWith("media")){
try{
if( request.getParameter("id") == null && request.getParameter("type") == null){
msgs.add(MessageType.ERROR, "Missing parameters!");
return;
}
int id = Integer.parseInt( request.getParameter("id") );
Media media = Media.load(db, request.getParameter("type"), id);
protected void include(String url, HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException{
RequestDispatcher dispatcher = getServletContext().getRequestDispatcher("/"+url);
if (dispatcher != null)
dispatcher.include(request, response);
}
request.setAttribute("media", media);
include_jsp = "media.jsp";
}catch(NumberFormatException e){ logger.log(Level.FINE, "", e); }
}
else if(page.startsWith("login")){
include_jsp = "login.jsp";
}
else if(page.startsWith("profile")){
if( request.getParameter("id") != null ){
User profile_user = User.load(db, Long.parseLong( request.getParameter("id") ));
if( AuthenticationManager.canEdit( user, profile_user )){
request.setAttribute("profile_user", profile_user);
include_jsp = "profile.jsp";
}else{
msgs.add(MessageType.ERROR, "You do not have permission to edit this user.");
}
}else{
request.setAttribute("profile_user", user);
include_jsp = "profile.jsp";
}
}
else if(page.startsWith("users")){
List<User> users = User.load(db);
request.setAttribute("users", users);
include_jsp = "users.jsp";
}
else if(page.startsWith("upload")){
List<Folder> dirList = Folder.load(db, user);
request.setAttribute("folders", dirList);
include_jsp = "upload.jsp";
}
else if( page.startsWith("slideshow") ){
Image image = Image.load(db, Integer.parseInt( request.getParameter("id") ));
request.setAttribute("image", image );
List<Image> list = Image.loadFolder(db, image.getFolder());
public static String getCookieValue(Cookie[] cookies, String name) {
if( cookies == null )
return null;
for(Cookie cookie : cookies) {
if ( name.equals(cookie.getName()) )
return cookie.getValue();
}
return null;
}
request.setAttribute("image", image);
request.setAttribute("images", list);
public static String getWebsiteName() {
return WEBSITE_NAME;
}
include_jsp = "slideshow.jsp";
}
else { // if(page.startsWith("gallery"))
Folder folder = null;
if(request.getParameter("folder") != null && !request.getParameter("folder").equalsIgnoreCase("null"))
folder = Folder.load(db, Long.parseLong(request.getParameter("folder")) );
else{
folder = Folder.loadRoot(db, user);
// Setup new root folder
if( folder == null ){
folder = Folder.genRoot();
folder.save(db);
}
}
List<Media> list = Media.load(db, folder);
List<Folder> subFolders = Folder.loadSubFolders(db, folder, user);
public static String getWebsiteURL() {
return WEBSITE_URL;
}
// /mywebapp/servlet/MyServlet/a/b;c=123?d=789
public static String getUrl(HttpServletRequest req) {
String reqUri = req.getRequestURI().toString();
String queryString = req.getQueryString(); // d=789
if (queryString != null) {
reqUri += "?"+queryString;
}
return reqUri;
}
//session.setAttribute("user", user);
request.setAttribute("folder", folder);
request.setAttribute("subfolders", subFolders);
request.setAttribute("media", list);
include_jsp = "gallery.jsp";
}
}
else if(page.startsWith("register")){
include_jsp = "register.jsp";
}
else if(page.startsWith("login")){
include_jsp = "login.jsp";
}
else{
//response.sendRedirect("login?redirect=\""+getUrl(request)+"\"");
response.sendRedirect("login");
return;
}
include("header.jsp", request, response);
if( include_jsp != null )
include(include_jsp, request, response);
include("footer.jsp", request, response);
} catch (Exception e) {
logger.severe(e.getMessage());
System.out.flush();
throw new ServletException(e);
} finally{
if(db != null) db.close();
}
}
public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException{
try {
include("ajax", request, response);
// RequestDispatcher include header read only workaround
HttpSession session = request.getSession();
User user = (User) session.getAttribute("user");
if( user != null ){
Cookie c = new Cookie("sessionHash", user.getSessionHash() );
c.setMaxAge(5*24*60*60); // 5 days
response.addCookie( c );
}
// Do the output
doGet(request, response);
} catch (Exception e) {
logger.severe(e.getMessage());
throw new ServletException(e);
}
}
public static DBConnection getDB() throws ServletException{
try {
return new DBConnection("jdbc/mysql");
} catch (Exception e) {
throw new ServletException(e);
}
}
protected void include(String url, HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException{
RequestDispatcher dispatcher = getServletContext().getRequestDispatcher("/"+url);
if (dispatcher != null)
dispatcher.include(request, response);
}
public static String getCookieValue(Cookie[] cookies, String name) {
if( cookies == null )
return null;
for(Cookie cookie : cookies) {
if ( name.equals(cookie.getName()) )
return cookie.getValue();
}
return null;
}
public static String getWebsiteName() {
return WEBSITE_NAME;
}
public static String getWebsiteURL() {
return WEBSITE_URL;
}
// /mywebapp/servlet/MyServlet/a/b;c=123?d=789
public static String getUrl(HttpServletRequest req) {
String reqUri = req.getRequestURI().toString();
String queryString = req.getQueryString(); // d=789
if (queryString != null) {
reqUri += "?"+queryString;
}
return reqUri;
}
}
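Review bot: `User.load(db, Long.parseLong( request.getParameter("id") ))` on the profile branch can return null (the verfemail branch above checks exactly that), and the new line then passes that null straight into `AuthenticationManager.canEdit( user, profile_user )`; unless the manager tolerates a null target, a request with an unknown id ends in a NullPointerException that the outer catch turns into a ServletException rather than the permission message. A guard before the call keeps the existing flow: `if( profile_user == null ) msgs.add(MessageType.ERROR, "Invalid user id: "+request.getParameter("id")); else if( AuthenticationManager.canEdit( user, profile_user )){`. A non-numeric id reaches the same outer catch via NumberFormatException; the media branch already wraps its parse in a try/catch, and the profile and slideshow branches could do the same. Separately, doPost still includes "ajax" while ZalleryAjax.java is deleted in this commit; presumably the new Authenticator takes over that mapping, but that is not visible here.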


@ -1,129 +0,0 @@
package zall;
import java.io.IOException;
import java.io.PrintWriter;
import java.sql.SQLException;
import java.util.HashMap;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.ServletConfig;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import zall.action.*;
import zall.action.media.*;
import zall.action.user.*;
import zall.bean.*;
import zutil.net.smtp.Email;
import zutil.net.smtp.Email.ContentType;
import zall.util.msg.UserMessage;
import zall.util.msg.UserMessage.MessageType;
import zutil.db.DBConnection;
import zutil.log.LogUtil;
public class ZalleryAjax extends HttpServlet{
public static final Logger logger = LogUtil.getLogger();
private static final long serialVersionUID = 1L;
private HashMap<String,ZalleryAction> actions;
public void init(ServletConfig config) throws ServletException {
super.init(config);
// General
registerAction(new LoginAction());
registerAction(new RegisterAction());
// User Actions
registerAction(new ModifyUserAction());
registerAction(new ModifyUserStatusAction());
registerAction(new RemoveUserAction());
registerAction(new SendVerificationEmailAction());
registerAction(new VerifyEmailAction());
// Media Actions
registerAction(new CommentAction());
registerAction(new CreateFolderAction());
registerAction(new ModifyMediaAction());
registerAction(new RemoveFolderAction());
registerAction(new RemoveMediaAction());
registerAction(new TogglePrivateAction());
}
protected void registerAction(ZalleryAction action){
if(actions == null)
actions = new HashMap<>();
actions.put(action.getActionId().toLowerCase(), action);
}
public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException{
try {
doGet(request, response, response.getWriter());
} catch (IOException e) {
throw new ServletException(e);
}
}
public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException{
doGet(request, response, null);
}
/**
* @param out is the PrintStream that will be used, no output will be generated if it is null
*/
private void doGet(HttpServletRequest request, HttpServletResponse response, PrintWriter out) throws ServletException{
DBConnection db = null;
try {
String actionStr = request.getParameter("action").toLowerCase();
HttpSession session = request.getSession();
User user = (User) session.getAttribute("user");
db = Zallery.getDB();
UserMessage msgs = UserMessage.getUserMessage(session);
ZalleryAction action = actions.get( actionStr );
if( action != null ){
if( (action.requireUser() && user != null) || !action.requireUser() ){
action.handleRequest(db, request, response, session, out, user, msgs);
}
else{
// Unauthorized
if( out != null ){
out.print( "{\"error\":\"Unauthorized user!\"}" );
response.setStatus( 401 );
}
else
msgs.add(MessageType.ERROR, "Unauthorized user!");
logger.severe("Unauthorized user!");
return;
}
}
else{
// Unauthorized
if( out != null ){
out.print( "{\"error\":\"Unknown action!\"}" );
response.setStatus( 404 );
}
else
msgs.add(MessageType.ERROR, "Unknown action: '"+actionStr+"'!");
logger.severe("Unknown action: '"+actionStr+"'!");
return;
}
} catch (Exception e) {
if( out != null ){
out.println("{\"error\":\""+e.getMessage().replaceAll("\"", "\\\"")+"\"}");
logger.log(Level.SEVERE, "Exception in ajax page!", e);
}
else
throw new ServletException(e);
} finally{
if(db != null) db.close();
}
}
}

120
src/zall/ZalleryContent.java Normal file → Executable file

@ -20,68 +20,68 @@ import zutil.db.DBConnection;
import zutil.io.file.FileUtil;
public class ZalleryContent extends HttpServlet{
private static final long serialVersionUID = 1L;
private static final long serialVersionUID = 1L;
public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException{
DBConnection db = null;
try {
HttpSession session = request.getSession();
User user = (User) session.getAttribute("user");
String size = request.getParameter("size");
if( size == null ) size = "";
public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException{
DBConnection db = null;
try {
HttpSession session = request.getSession();
User user = (User) session.getAttribute("user");
String size = request.getParameter("size");
if( size == null ) size = "";
if( user != null || size.equalsIgnoreCase("small") ){
db = Zallery.getDB();
Media media;
if( "video".equals(request.getParameter("type")) )
media = Video.load(db, Integer.parseInt(request.getParameter("id")));
else
media = Image.load(db, Integer.parseInt(request.getParameter("id")));
if( user != null || size.equalsIgnoreCase("small") ){
db = Zallery.getDB();
Media media;
if( media != null ){
File file = null;
if( size.equalsIgnoreCase( "small" ) )
file = media.getFile( Media.Size.SMALL );
else if( size.equalsIgnoreCase( "medium" ) )
file = media.getFile( Media.Size.MEDIUM );
else if( size.equalsIgnoreCase( "large" ) )
file = media.getFile( Media.Size.LARGE );
else
file = media.getFile( Media.Size.ORIGINAL );
if( request.getParameter("download") != null )
response.setHeader("Content-disposition", "attachment; filename="+media.getTitle()+"."+FileUtil.getFileExtension(file));
if( file.exists() ){
if( "video".equals(request.getParameter("type")) )
response.setContentType("video/"+FileUtil.getFileExtension(file));
else
response.setContentType("image/"+FileUtil.getFileExtension(file));
response.setContentLength( (int)file.length() );
BufferedInputStream in = new BufferedInputStream( new FileInputStream(file) );
Streams.copy(in, response.getOutputStream(), false);
in.close();
}
else
response.setStatus( 404 );
}
else{
// Page not found
response.setStatus( 404 );
}
}
else{
// Unauthorized
response.setStatus( 401 );
}
if( "video".equals(request.getParameter("type")) )
media = Video.load(db, Integer.parseInt(request.getParameter("id")));
else
media = Image.load(db, Integer.parseInt(request.getParameter("id")));
} catch (Exception e) {
throw new ServletException(e);
} finally{
if(db != null) db.close();
}
}
if( media != null ){
File file = null;
if( size.equalsIgnoreCase( "small" ) )
file = media.getFile( Media.Size.SMALL );
else if( size.equalsIgnoreCase( "medium" ) )
file = media.getFile( Media.Size.MEDIUM );
else if( size.equalsIgnoreCase( "large" ) )
file = media.getFile( Media.Size.LARGE );
else
file = media.getFile( Media.Size.ORIGINAL );
if( request.getParameter("download") != null )
response.setHeader("Content-disposition", "attachment; filename="+media.getTitle()+"."+FileUtil.getFileExtension(file));
if( file.exists() ){
if( "video".equals(request.getParameter("type")) )
response.setContentType("video/"+FileUtil.getFileExtension(file));
else
response.setContentType("image/"+FileUtil.getFileExtension(file));
response.setContentLength( (int)file.length() );
BufferedInputStream in = new BufferedInputStream( new FileInputStream(file) );
Streams.copy(in, response.getOutputStream(), false);
in.close();
}
else
response.setStatus( 404 );
}
else{
// Page not found
response.setStatus( 404 );
}
}
else{
// Unauthorized
response.setStatus( 401 );
}
} catch (Exception e) {
throw new ServletException(e);
} finally{
if(db != null) db.close();
}
}
}


@ -9,7 +9,6 @@ import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import zall.ZalleryAjax;
import zall.bean.User;
import zall.util.ZalleryEmail;
import zall.util.msg.UserMessage;

3
src/zall/action/media/ModifyMediaAction.java Normal file → Executable file

@ -11,6 +11,7 @@ import javax.servlet.http.HttpSession;
import zall.action.ZalleryAction;
import zall.bean.Media;
import zall.bean.User;
import zall.manager.AuthenticationManager;
import zall.util.msg.UserMessage;
import zall.util.msg.UserMessage.MessageType;
import zutil.db.DBConnection;
@ -35,7 +36,7 @@ public class ModifyMediaAction extends ZalleryAction{
Media media = Media.load(db, request.getParameter("type"), id);
if( media != null ){
if( user.canEdit(media) ){
if( AuthenticationManager.canEdit(user, media) ){
media.setTitle( request.getParameter("title") );
media.setDescription( request.getParameter("description") );
media.save(db);
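Review bot: `AuthenticationManager.canEdit(user, media)` on the changed line is now the only authorization check in this handler, and the code that used to refuse actions with `requireUser()` and no session user — ZalleryAjax.doGet, deleted in this commit — is not replaced anywhere in this view. If the new dispatcher does not enforce that guard, `user` arrives as null and the outcome depends on how the manager treats a null subject, which is not shown here. Either the dispatcher must keep rejecting unauthenticated requests before handleRequest, or canEdit should be documented (and tested) as returning false for a null user. The same change appears in RemoveFolderAction, RemoveMediaAction, TogglePrivateAction and ModifyUserStatusAction; the enclosing handleRequest method starts and ends outside the hunk.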

3
src/zall/action/media/RemoveFolderAction.java Normal file → Executable file

@ -11,6 +11,7 @@ import javax.servlet.http.HttpSession;
import zall.action.ZalleryAction;
import zall.bean.Folder;
import zall.bean.User;
import zall.manager.AuthenticationManager;
import zall.util.msg.UserMessage;
import zall.util.msg.UserMessage.MessageType;
import zutil.db.DBConnection;
@ -38,7 +39,7 @@ public class RemoveFolderAction extends ZalleryAction{
if( !folder.isEmpty(db) ){
if(out != null) out.println("{ \"error\": \"Folder is not empty!\"}");
else msgs.add(MessageType.ERROR, "Folder is not empty!");
} else if( user.canEdit(folder) ){
} else if( AuthenticationManager.canEdit(user, folder) ){
folder.delete( db );
if(out != null) out.println("{}");
else msgs.add(MessageType.INFO, "Folder removed successfully.");

3
src/zall/action/media/RemoveMediaAction.java Normal file → Executable file

@ -11,6 +11,7 @@ import javax.servlet.http.HttpSession;
import zall.action.ZalleryAction;
import zall.bean.Media;
import zall.bean.User;
import zall.manager.AuthenticationManager;
import zall.util.msg.UserMessage;
import zall.util.msg.UserMessage.MessageType;
import zutil.db.DBConnection;
@ -35,7 +36,7 @@ public class RemoveMediaAction extends ZalleryAction{
Media media = Media.load(db, request.getParameter("type"), id);
if( media != null ){
if( user.canEdit(media) ){
if( AuthenticationManager.canEdit(user, media) ){
media.delete( db );
if(out != null) out.println("{}");

3
src/zall/action/media/TogglePrivateAction.java Normal file → Executable file

@ -11,6 +11,7 @@ import javax.servlet.http.HttpSession;
import zall.action.ZalleryAction;
import zall.bean.Folder;
import zall.bean.User;
import zall.manager.AuthenticationManager;
import zall.util.msg.UserMessage;
import zall.util.msg.UserMessage.MessageType;
import zutil.db.DBConnection;
@ -35,7 +36,7 @@ public class TogglePrivateAction extends ZalleryAction{
Folder folder = Folder.load(db, id);
if( folder != null ){
if( user.canEdit(folder) ){
if( AuthenticationManager.canEdit(user, folder) ){
folder.setPrivate( !folder.isPrivate() );
folder.save(db);
if(out != null) out.println("{}");


@ -10,6 +10,7 @@ import javax.servlet.http.HttpSession;
import zall.action.ZalleryAction;
import zall.bean.User;
import zall.manager.AuthenticationManager;
import zall.util.ZalleryEmail;
import zall.util.msg.UserMessage;
import zall.util.msg.UserMessage.MessageType;
@ -31,7 +32,7 @@ public class ModifyUserStatusAction extends ZalleryAction{
else // set target user to the logged in user
target_user = user;
if( user.canEdit(target_user) ){
if( AuthenticationManager.canEdit(user, target_user) ){
if( request.getParameter("email") != null )
target_user.setEmail( request.getParameter("email") );
if( request.getParameter("password") != null ){


@ -8,7 +8,6 @@ import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import zall.ZalleryAjax;
import zall.action.ZalleryAction;
import zall.bean.User;
import zall.util.ZalleryEmail;


@ -19,261 +19,248 @@ import zutil.db.handler.SimpleSQLResult;
@DBTable("User")
public class User extends DBBean{
public enum AuthType{
USER_INPUT, COOKIE
}
public static final long SESSION_TIMEOUT = 1000*60*60*24*3; // 3day ttl
public enum AuthType{
USER_INPUT, COOKIE
}
public static final long SESSION_TIMEOUT = 1000*60*60*24*3; // 3day ttl
protected String name;
protected String email;
protected boolean emailVerified;
protected String password;
// Date
protected Timestamp loginDate;
protected transient Timestamp prevLoginDate;
// security
protected transient AuthType authBy;
protected String sessionId;
protected String ipHost;
protected String sessionHash;
protected String name;
protected String email;
protected boolean emailVerified;
protected String password;
// Date
protected Timestamp loginDate;
protected transient Timestamp prevLoginDate;
// security
protected transient AuthType authBy;
protected String sessionId;
protected String ipHost;
protected String sessionHash;
protected boolean superUser;
protected boolean enabled;
protected boolean superUser;
protected boolean enabled;
public static User load(DBConnection db, Long id) throws SQLException{
return load(db, User.class, id);
}
public static User load(DBConnection db, Long id) throws SQLException{
return load(db, User.class, id);
}
public static List<User> load(DBConnection db) throws SQLException{
PreparedStatement sql = db.getPreparedStatement("SELECT * FROM User");
return DBConnection.exec(sql, DBBeanSQLResultHandler.createList(User.class, db));
}
public static List<User> load(DBConnection db) throws SQLException{
PreparedStatement sql = db.getPreparedStatement("SELECT * FROM User");
return DBConnection.exec(sql, DBBeanSQLResultHandler.createList(User.class, db));
}
/**
* Uses normal user and password to get user object,
* this function will save the bean
*
* @param db is the DB connection
* @param email is the email of the user
* @param password is the password of the user
* @param request is the HTTP request object
* @return The user object or null if non where found
* @throws SQLException
*/
public static User load(HttpServletRequest request, HttpServletResponse response, DBConnection db, String email, String password ) throws SQLException{
if( password==null || password.isEmpty() || password.equalsIgnoreCase("null"))
return null;
PreparedStatement sql = db.getPreparedStatement(
"SELECT * FROM User WHERE email=? AND password=? LIMIT 1");
sql.setString(1, email);
sql.setString(2, Hasher.MD5( password ));
/**
* Uses normal user and password to get user object,
* this function will save the bean
*
* @param db is the DB connection
* @param email is the email of the user
* @param password is the password of the user
* @param request is the HTTP request object
* @return The user object or null if non where found
* @throws SQLException
*/
public static User load(HttpServletRequest request, HttpServletResponse response, DBConnection db, String email, String password ) throws SQLException{
if( password==null || password.isEmpty() || password.equalsIgnoreCase("null"))
return null;
PreparedStatement sql = db.getPreparedStatement(
"SELECT * FROM User WHERE email=? AND password=? LIMIT 1");
sql.setString(1, email);
sql.setString(2, Hasher.MD5( password ));
User user = DBConnection.exec(sql, DBBeanSQLResultHandler.create(User.class, db));
if( user != null ){
user.registerOnHost(request, response, db, true );
user.save(db);
user.setAuthBy( AuthType.USER_INPUT );
}
return user;
}
public static List<User> loadSuperUsers(DBConnection db) throws SQLException {
PreparedStatement sql = db.getPreparedStatement(
"SELECT * FROM User WHERE superUser=1");
return DBConnection.exec(sql, DBBeanSQLResultHandler.createList(User.class, db));
}
User user = DBConnection.exec(sql, DBBeanSQLResultHandler.create(User.class, db));
if( user != null ){
user.registerOnHost(request, response, db, true );
user.save(db);
user.setAuthBy( AuthType.USER_INPUT );
}
return user;
}
/**
* Uses a cookie value to get the user object,
* this function will save the bean
*
* @param db is the DB connection
* @param hash is the cookie hash
* @param request is the HTTP request object
* @return The user object or null if non where found
* @throws SQLException
*/
public static User loadByCookie(HttpServletRequest request, DBConnection db, String hash ) throws SQLException{
PreparedStatement sql = db.getPreparedStatement(
"SELECT * FROM User WHERE sessionHash=? LIMIT 1");
sql.setString(1, hash);
public static List<User> loadSuperUsers(DBConnection db) throws SQLException {
PreparedStatement sql = db.getPreparedStatement(
"SELECT * FROM User WHERE superUser=1");
return DBConnection.exec(sql, DBBeanSQLResultHandler.createList(User.class, db));
}
User user = DBConnection.exec(sql, DBBeanSQLResultHandler.create(User.class, db));
if( user != null &&
user.ipHost.equals( request.getLocalName() ) &&
user.loginDate.getTime()+SESSION_TIMEOUT > System.currentTimeMillis() ){
user.prevLoginDate = user.loginDate;
user.loginDate = new Timestamp( System.currentTimeMillis() );
user.save(db);
user.setAuthBy( AuthType.COOKIE );
return user;
}
return null;
}
/**
* Uses a cookie value to get the user object,
* this function will save the bean
*
* @param db is the DB connection
* @param hash is the cookie hash
* @param request is the HTTP request object
* @return The user object or null if non where found
* @throws SQLException
*/
public static User loadByCookie(HttpServletRequest request, DBConnection db, String hash ) throws SQLException{
PreparedStatement sql = db.getPreparedStatement(
"SELECT * FROM User WHERE sessionHash=? LIMIT 1");
sql.setString(1, hash);
public static boolean emailExists(String email, DBConnection db) throws SQLException{
PreparedStatement sql = db.getPreparedStatement(
"SELECT email FROM User WHERE email=? LIMIT 1");
sql.setString(1, email);
String tmp = DBConnection.exec(sql, new SimpleSQLResult<String>());
return tmp != null;
}
User user = DBConnection.exec(sql, DBBeanSQLResultHandler.create(User.class, db));
if( user != null &&
user.ipHost.equals( request.getLocalName() ) &&
user.loginDate.getTime()+SESSION_TIMEOUT > System.currentTimeMillis() ){
user.prevLoginDate = user.loginDate;
user.loginDate = new Timestamp( System.currentTimeMillis() );
user.save(db);
user.setAuthBy( AuthType.COOKIE );
return user;
}
return null;
}
public User(){
// Default values
emailVerified = false;
superUser = false;
enabled = false;
}
public static boolean emailExists(String email, DBConnection db) throws SQLException{
PreparedStatement sql = db.getPreparedStatement(
"SELECT email FROM User WHERE email=? LIMIT 1");
sql.setString(1, email);
/**
* Registers the User to the Host machine that sent the request,
* this method alters the bean, so a call to save() is recommended
*
* @param db is the DB connection
* @param request is the request from the Host/Client
* @throws SQLException
*/
public void registerOnHost(HttpServletRequest request, HttpServletResponse response, DBConnection db, boolean cookie) throws SQLException{
prevLoginDate = loginDate;
loginDate = new Timestamp( System.currentTimeMillis() );
sessionId = request.getSession().getId();
ipHost = request.getRemoteAddr();
sessionHash = Hasher.MD5( ""+sessionId+ipHost+loginDate+password );
if( cookie ){
Cookie c = new Cookie("sessionHash", sessionHash );
c.setMaxAge(5*24*60*60); // 5 days
response.addCookie( c );
}
}
public void logout(HttpServletResponse response) {
Cookie cookie = new Cookie( "sessionHash", null);
cookie.setMaxAge( 0 );
response.addCookie( cookie );
}
String tmp = DBConnection.exec(sql, new SimpleSQLResult<String>());
return tmp != null;
}
public boolean valid(HttpServletRequest request){
if( !this.isEnabled() ) return false;
switch( authBy ){
case USER_INPUT:
if( !this.isEmailVerified() ) return false;
case COOKIE:
return ( sessionHash.equals( Zallery.getCookieValue(request.getCookies(), "sessionHash")) ||
loginDate.getTime()+1000 > System.currentTimeMillis() ) &&
ipHost.equals( request.getRemoteAddr() ) &&
loginDate.getTime()+SESSION_TIMEOUT > System.currentTimeMillis();
}
return false;
}
public boolean verifyEmail(String hash) {
return emailVerified = getEmailVerificationHash().equals(hash);
}
public String getEmailVerificationHash(){
return Hasher.MD5( "##helloWorld-->2011"+email+name+password );
}
public User(){
// Default values
emailVerified = false;
superUser = false;
enabled = false;
}
/**
* Registers the User to the Host machine that sent the request,
* this method alters the bean, so a call to save() is recommended
*
* @param db is the DB connection
* @param request is the request from the Host/Client
* @throws SQLException
*/
public void registerOnHost(HttpServletRequest request, HttpServletResponse response, DBConnection db, boolean cookie) throws SQLException{
prevLoginDate = loginDate;
loginDate = new Timestamp( System.currentTimeMillis() );
sessionId = request.getSession().getId();
ipHost = request.getRemoteAddr();
sessionHash = Hasher.MD5( ""+sessionId+ipHost+loginDate+password );
if( cookie ){
Cookie c = new Cookie("sessionHash", sessionHash );
c.setMaxAge(5*24*60*60); // 5 days
response.addCookie( c );
}
}
public void logout(HttpServletResponse response) {
Cookie cookie = new Cookie( "sessionHash", null);
cookie.setMaxAge( 0 );
response.addCookie( cookie );
}
public Timestamp getLoginDate() {
if( loginDate == null )
loginDate = new Timestamp(0);
return loginDate;
}
public void setLoginDate(Timestamp loginDate) {
this.loginDate = loginDate;
}
public Timestamp getPrevLoginDate() {
if( loginDate == null )
loginDate = new Timestamp(0);
return prevLoginDate;
}
public void setPrevLoginDate(Timestamp prevLoginDate) {
this.prevLoginDate = prevLoginDate;
}
public String getName() {
return name;
}
public void setName(String name) {
this.name = name;
}
public String getEmail() {
return email;
}
public void setEmail(String email) {
if( this.email != null && this.email.equals(email) )
return;
emailVerified = false;
this.email = email;
}
public String getPassword() {
return password;
}
public void setPassword(String password) {
this.password = Hasher.MD5( password );
}
public boolean equalsPassword( String pass ){
return Hasher.MD5( pass ).equals( password );
}
public String getSessionId() {
return sessionId;
}
public void setSessionId(String sessionId) {
this.sessionId = sessionId;
}
public String getIpHost() {
return ipHost;
}
public void setIpHost(String ipHost) {
this.ipHost = ipHost;
}
public String getSessionHash() {
return sessionHash;
}
public boolean isSuperUser(){
return superUser;
}
public void setSuperUser(boolean superuser){
this.superUser = superuser;
}
public boolean isEnabled(){
return enabled;
}
public void setEnabled(boolean enabled){
this.enabled = enabled;
}
public boolean isEmailVerified(){
return emailVerified;
}
public void setEmailVerified(boolean verified){
this.emailVerified = verified;
}
public void setAuthBy(AuthType authBy){
this.authBy = authBy;
}
public AuthType getAuthBy(){
return authBy;
}
public boolean equals(User u){
return u != null && this.getId() == u.getId();
}
/**
* @return true if the specified user can edit the media
*/
public boolean canEdit(Media target) {
return target != null && (this.isSuperUser() || target.getUser().equals(this));
}
public boolean canEdit(Folder target) {
return target != null && (this.isSuperUser() || this.equals( target.getUser() ));
}
public boolean canEdit(User target){
return this.equals( target ) || this.superUser;
}
public boolean valid(HttpServletRequest request){
if( !isEnabled() ) return false;
switch( authBy ){
case USER_INPUT:
if( !isEmailVerified() ) return false;
case COOKIE:
return ( sessionHash.equals( Zallery.getCookieValue(request.getCookies(), "sessionHash")) ||
loginDate.getTime()+1000 > System.currentTimeMillis() ) &&
ipHost.equals( request.getRemoteAddr() ) &&
loginDate.getTime()+SESSION_TIMEOUT > System.currentTimeMillis();
}
return false;
}
public boolean verifyEmail(String hash) {
return emailVerified = getEmailVerificationHash().equals(hash);
}
public String getEmailVerificationHash(){
return Hasher.MD5( "##helloWorld-->2011"+email+name+password );
}
public Timestamp getLoginDate() {
if( loginDate == null )
loginDate = new Timestamp(0);
return loginDate;
}
public void setLoginDate(Timestamp loginDate) {
this.loginDate = loginDate;
}
public Timestamp getPrevLoginDate() {
if( loginDate == null )
loginDate = new Timestamp(0);
return prevLoginDate;
}
public void setPrevLoginDate(Timestamp prevLoginDate) {
this.prevLoginDate = prevLoginDate;
}
public String getName() {
return name;
}
public void setName(String name) {
this.name = name;
}
public String getEmail() {
return email;
}
public void setEmail(String email) {
if( this.email != null && this.email.equals(email) )
return;
emailVerified = false;
this.email = email;
}
public String getPassword() {
return password;
}
public void setPassword(String password) {
this.password = Hasher.MD5( password );
}
public boolean equalsPassword( String pass ){
return Hasher.MD5( pass ).equals( password );
}
public String getSessionId() {
return sessionId;
}
public void setSessionId(String sessionId) {
this.sessionId = sessionId;
}
public String getIpHost() {
return ipHost;
}
public void setIpHost(String ipHost) {
this.ipHost = ipHost;
}
public String getSessionHash() {
return sessionHash;
}
public boolean isSuperUser(){
return superUser;
}
public void setSuperUser(boolean superuser){
this.superUser = superuser;
}
public boolean isEnabled(){
return enabled;
}
public void setEnabled(boolean enabled){
this.enabled = enabled;
}
public boolean isEmailVerified(){
return emailVerified;
}
public void setEmailVerified(boolean verified){
this.emailVerified = verified;
}
public void setAuthBy(AuthType authBy){
this.authBy = authBy;
}
public AuthType getAuthBy(){
return authBy;
}
public boolean equals(User u){
return u != null && this.getId() == u.getId();
}
}


@ -0,0 +1,42 @@
package zall.filter;
import zall.bean.User;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Objects;
/**
* This filter will check if user is valid if not will redirect to /login page
*/
@WebFilter(urlPatterns = "/")
public class AuthenticationFilter implements Filter {
private static final String LOGIN_URI = "/login";
@Override
public void init(FilterConfig filterConfig) throws ServletException { }
@Override
public void doFilter(final ServletRequest request, final ServletResponse response, final FilterChain chain) throws IOException, ServletException {
String requestURI = ((HttpServletRequest) request).getRequestURI();
User user = null;
// continue the request via the filter pipeline if it is login page or it is a valid User
if (requestURI.equals(LOGIN_URI) || user != null) {
chain.doFilter(request, response);
} else {
// do not continue the filter pipeline but respond back to client
HttpServletResponse resp = (HttpServletResponse) response;
resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
resp.setContentType("text/plain");
resp.sendRedirect(LOGIN_URI);
}
}
@Override
public void destroy() { }
}
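Review bot: The filter never resolves a user — `User user = null;` at the top of doFilter is never reassigned, so the `user != null` branch is dead and every request other than `/login` is redirected, including `/register` and static assets. The current-user lookup (presumably from the `sessionHash` cookie via `User.loadByCookie` followed by `user.valid(request)`) has to happen before the check, and `/register` and the e-mail verification endpoint will need to be whitelisted alongside `/login`. Two smaller points: `@WebFilter(urlPatterns = "/")` matches only the exact context root, so the filter does not run for any other path — `"/*"` is what the class Javadoc describes — and `requestURI.equals(LOGIN_URI)` ignores the context path, so under a non-root deployment the login page itself is redirected in a loop; compare against `req.getContextPath() + LOGIN_URI` and redirect to that same value. The `setStatus(SC_UNAUTHORIZED)` before `sendRedirect` is overwritten by the 302, and the unused `java.util.Objects` import can go.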


@ -0,0 +1,30 @@
package zall.manager;
import zall.bean.Folder;
import zall.bean.Media;
import zall.bean.User;
/**
*
*/
public class AuthenticationManager {
/**
* @return true if the specified user can edit the media
*/
public static boolean canEdit(User user, Media target) {
return target != null && (user.isSuperUser() || target.getUser().equals(user));
}
/**
* @return true if the specified user can edit the media
*/
public static boolean canEdit(User user, Folder target) {
return target != null && (user.isSuperUser() || user.equals( target.getUser() ));
}
/**
* @return true if the specified user can edit the profile of the other user
*/
public static boolean canEdit(User user, User target){
return user.equals( target ) || user.isSuperUser();
}
}
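Review bot: All three checks dereference `user` unconditionally, so a caller that passes the null returned by `User.load`/`loadByCookie` for an unauthenticated request gets a NullPointerException instead of a denial; an authorization helper should fail closed with `if (user == null) return false;` at the top of each method. The Media overload also differs from the Folder overload in a way that matters: `target.getUser().equals(user)` throws when the media has no owner, while `user.equals(target.getUser())` returns false because `User.equals(User)` already handles a null argument — use the latter form in both. The Javadoc on the Folder overload is a copy-paste from the Media one and should read `@return true if the specified user can edit the folder`. Since the class is a static utility, a private constructor would make that explicit.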


@ -0,0 +1,23 @@
package zall.servlet;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
/**
*
*/
@WebServlet(urlPatterns = "/login")
public class LoginServlet extends HttpServlet {
private static final String JSP_FILE = "login.jsp";
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
RequestDispatcher dispatcher = getServletContext().getRequestDispatcher("/"+JSP_FILE);
if (dispatcher != null)
dispatcher.include(req, resp);
}
}
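Review bot: Only doGet is implemented, so the form rendered by `login.jsp` has nowhere to post credentials — `HttpServlet.doPost` defaults to 405 — and the credential check (`User.load` with the submitted password, then `registerOnHost`) still has to be wired in here. When that is added, reach the JSP with `dispatcher.forward(req, resp)` rather than `include`: an included resource cannot set the response status or headers, and the `if (dispatcher != null)` guard currently returns an empty 200 page when `/login.jsp` is missing instead of failing loudly. A `login.jsp` at the web root is also directly reachable by its own path; placing it under `/WEB-INF/` keeps access routed through this servlet.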


@ -0,0 +1,23 @@
package zall.servlet;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
/**
*
*/
@WebServlet(urlPatterns = "/register")
public class RegisterServlet extends HttpServlet {
private static final String JSP_FILE = "register.jsp";
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
RequestDispatcher dispatcher = getServletContext().getRequestDispatcher("/"+JSP_FILE);
if (dispatcher != null)
dispatcher.include(req, resp);
}
}
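Review bot: This servlet is a line-for-line copy of LoginServlet with a different JSP name and shares the same gap — no doPost, so the registration form cannot be submitted, and a missing `register.jsp` yields a blank 200 rather than an error. A small shared base servlet taking the JSP path, using `forward` rather than `include` so the page can set status and headers, would remove the duplication. When the POST handler is written, do not bind request parameters straight onto the `User` bean: `setSuperUser`, `setEnabled` and `setEmailVerified` are public setters, so a blanket bean-populate would let a registrant grant themselves those flags; copy only `name`, `email` and `password` explicitly and keep the defaults set by the `User()` constructor.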