From 80b46fbc1f4616c57c4c31ae9af17be91623d2fb Mon Sep 17 00:00:00 2001
From: Ziver Koc
Date: Wed, 8 Aug 2018 21:07:19 +0200
Subject: [PATCH] Fixed authentication
---
 db_structure.sql                            |  2 +-
 src/zall/ZalleryConstants.java              |  3 +-
 src/zall/manager/AuthenticationManager.java | 80 +++++++++++++--------
 3 files changed, 54 insertions(+), 31 deletions(-)
diff --git a/db_structure.sql b/db_structure.sql
index 5d13984..81e1e64 100644
--- a/db_structure.sql
+++ b/db_structure.sql
@@ -64,7 +64,7 @@ CREATE TABLE `User` (
   `passwordSalt` varchar(5) DEFAULT NULL,
   `ipHost` varchar(20) DEFAULT NULL,
   `loginDate` datetime DEFAULT NULL,
-  `cookieHash` varchar(32) DEFAULT NULL,
+  `cookieHash` varchar(42) DEFAULT NULL,
   `superUser` tinyint(1) NOT NULL,
   `enabled` tinyint(1) NOT NULL
 ) ENGINE=InnoDB DEFAULT CHARSET=latin1;
diff --git a/src/zall/ZalleryConstants.java b/src/zall/ZalleryConstants.java
index 858bc7f..f620984 100644
--- a/src/zall/ZalleryConstants.java
+++ b/src/zall/ZalleryConstants.java
@@ -10,8 +10,7 @@ public interface ZalleryConstants {
     /** Session Constants **/
     public static final String SESSION_KEY_USER_MSG = "zall_user_message";
-    public static final String SESSION_KEY_USER = "zall_user";
-    public static final String SESSION_KEY_AUTH_HASH = "zall_user_session_hash";
+    public static final String SESSION_KEY_USER_OBJ = "zall_user";
     public static final long SESSION_TIMEOUT = 3*24*60*60*1000; // 2 day
     /** Cookie Constants **/
diff --git a/src/zall/manager/AuthenticationManager.java b/src/zall/manager/AuthenticationManager.java
index 3ad8028..eb956a1 100755
--- a/src/zall/manager/AuthenticationManager.java
+++ b/src/zall/manager/AuthenticationManager.java
@@ -1,6 +1,5 @@
 package zall.manager;
-import zall.ZalleryConstants;
 import zall.bean.Folder;
 import zall.bean.Media;
 import zall.bean.User;
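Review bot: Widening `cookieHash` to varchar(42) sizes the column for what is presumably a 40-character hex SHA-1 from the AuthenticationManager hunk, but the column still holds the session token itself rather than a digest of it — the Java side compares the stored value directly against the cookie the browser presents — so anyone with read access to the table or to a backup can forge a logged-in session for every user. Consider storing a SHA-256 of the random token and hashing the presented cookie before the `loadByCookieHash` lookup; that needs a 64-character column, so the width would change once more. A comment on the column such as `-- digest of the session cookie, never the raw token` would pin the intent so the next schema change does not have to guess at the format. The unchanged `passwordSalt varchar(5)` line in this hunk is a very short salt for the PBKDF2 hash this codebase uses, worth a separate follow-up.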
@@ -23,7 +22,7 @@ import static zall.ZalleryConstants.*;
 public class AuthenticationManager {
     private static final Logger logger = LogUtil.getLogger();
-    public static String generatePasswordHash(String password, String salt){
+    public static String generatePasswordHash(String password, String salt) {
         return Hasher.PBKDF2(password, salt, 1000);
     }
@@ -34,7 +33,7 @@ public class AuthenticationManager {
         User user = User.load(db, email);
         // Valid email?
-        if( user != null ){
+        if (user != null) {
             if (user.getPasswordHash().equals(generatePasswordHash(password, user.getPasswordSalt()))) {
                 setUserAuthenticated(db, user, User.AuthType.USER_INPUT, request, response);
                 return user;
@@ -52,8 +51,8 @@ public class AuthenticationManager {
      *
      * @return a user object or null authentications fails
      */
-    public static User authenticate(DBConnection db, HttpServletRequest request, HttpServletResponse response) throws SQLException{
-        String cookieHash = ServletUtil.getCookieValue(request.getCookies(), SESSION_KEY_AUTH_HASH);
+    public static User authenticate(DBConnection db, HttpServletRequest request, HttpServletResponse response) throws SQLException {
+        String cookieHash = ServletUtil.getCookieValue(request.getCookies(), COOKIE_KEY_USER_HASH);
         if (cookieHash != null) {
             User user = User.loadByCookieHash(db, cookieHash);
@@ -76,51 +75,74 @@ public class AuthenticationManager {
         user.setLoginDate(new Timestamp(System.currentTimeMillis()));
         user.setAuthBy(authType);
         user.setIpHost(request.getRemoteAddr());
-        user.setCookieHash(Double.toHexString(Math.random()));
+        user.setCookieHash(Hasher.SHA1(Math.random()));
         user.save(db);
         setUserSession(user, request.getSession());
-        if(authType != User.AuthType.COOKIE){
+        if (authType != User.AuthType.COOKIE) {
             Cookie c = new Cookie(COOKIE_KEY_USER_HASH, user.getCookieHash());
             c.setMaxAge(COOKIE_TIMEOUT);
             response.addCookie(c);
         }
-        logger.info("User(" + user.getEmail() + ") authenticated by " + user.getAuthBy());
+        logger.info("User(" + user.getEmail() + ") successfully authenticated by " + user.getAuthBy());
     }
     /**
      * @return the User associated with the provided session.
      */
     public static User getUserSession(HttpSession session) {
-        return (User) session.getAttribute(SESSION_KEY_USER);
+        return (User) session.getAttribute(SESSION_KEY_USER_OBJ);
     }
+
     public static void setUserSession(User user, HttpSession session) {
-        session.setAttribute(SESSION_KEY_USER, user);
+        session.setAttribute(SESSION_KEY_USER_OBJ, user);
     }
+
     public static void rmUserSession(HttpSession session) {
-        session.removeAttribute(SESSION_KEY_USER);
+        session.removeAttribute(SESSION_KEY_USER_OBJ);
     }
     /**
-     * @return true if the user has a isValid authentication session
+     * @return true if the user has correctly been authenticated
      */
     public static boolean isValid(User user, HttpServletRequest request) {
-        if(user == null)
+        if (user == null) {
+            logger.fine("Invalid user, user is null.");
             return false;
-        if(!user.isEnabled())
-            return false;
-        if(user.getCookieHash() == null || user.getCookieHash().isEmpty() )
-            return false;
-
-        switch(user.getAuthBy()){
-            case USER_INPUT:
-                if (!user.isEmailVerified()) return false;
-            case COOKIE:
-                String sessionHash = ServletUtil.getCookieValue(request.getCookies(), SESSION_KEY_AUTH_HASH);
-                return user.getCookieHash().equals(sessionHash) &&
-                        user.getIpHost().equals(request.getRemoteAddr());
         }
+        if (!user.isEnabled()) {
+            logger.fine("Invalid user(" + user.getEmail() + "), user disabled.");
+            return false;
+        }
+
+        switch (user.getAuthBy()) {
+            case USER_INPUT:
+                if (!user.isEmailVerified()) {
+                    logger.fine("Invalid user(" + user.getEmail() + "), email not verified");
+                    return false;
+                }
+            case COOKIE:
+                if (user.getCookieHash() == null || user.getCookieHash().isEmpty()) {
+                    logger.fine("Invalid user(" + user.getEmail() + "), null or empty cookie hash.");
+                    return false;
+                }
+                String cookieHash = ServletUtil.getCookieValue(request.getCookies(), COOKIE_KEY_USER_HASH);
+                if (!user.getCookieHash().equals(cookieHash)) {
+                    logger.fine("Invalid user(" + user.getEmail() + "), " +
+                            "cookie hash not matching, (server) " + user.getCookieHash() + " == (user) " + cookieHash + ".");
+                    return false;
+                }
+                if (!user.getIpHost().equals(request.getRemoteAddr())) {
+                    logger.fine("Invalid user(" + user.getEmail() + "), " +
+                            "ip host not matching, (server) " + user.getIpHost() + " == (user) " + request.getRemoteAddr() + ".");
+                    return false;
+                }
+                return true;
+            default:
+                logger.severe("Unknown user authentication type: " + user.getAuthBy());
+        }
+        logger.severe("Invalid user.");
         return false;
     }
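Review bot: `user.setCookieHash(Hasher.SHA1(Math.random()))` in setUserAuthenticated derives the session token from `Math.random()`, which is backed by `java.util.Random` (a 48-bit linear congruential generator), so SHA-1 of its output only hides at most 48 bits of state that can be brute-forced offline from a single captured token, after which every other user's cookie issued by that process is predictable. Generate the token from `SecureRandom` instead, for example `byte[] token = new byte[20]; new SecureRandom().nextBytes(token); user.setCookieHash(String.format("%040x", new BigInteger(1, token)));`, which yields 40 hex characters and still fits the widened varchar(42) column (needs `java.security.SecureRandom` and `java.math.BigInteger` imports). In isValid, the `logger.fine` message for a cookie mismatch prints both the stored `user.getCookieHash()` and the presented `cookieHash`, which writes live session tokens into the log files; log only the email and the fact of the mismatch. `user.getCookieHash().equals(cookieHash)` is also an early-exit string comparison, so prefer `MessageDigest.isEqual(...)` on the UTF-8 bytes to avoid leaking the matching prefix through timing. The unchanged `new Cookie(COOKIE_KEY_USER_HASH, ...)` lines in this hunk never call `c.setHttpOnly(true)` or `c.setSecure(true)`, so the token stays readable from page script and is sent over plain HTTP.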
@@ -130,17 +152,19 @@ public class AuthenticationManager {
     public static boolean canEdit(User user, Media target) {
         return target != null && (user.isSuperUser() || target.getUser().equals(user));
     }
+
     /**
      * @return true if the specified user can edit the media
      */
     public static boolean canEdit(User user, Folder target) {
-        return target != null && (user.isSuperUser() || user.equals( target.getUser() ));
+        return target != null && (user.isSuperUser() || user.equals(target.getUser()));
     }
+
     /**
      * @return true if the specified user can edit the profile of the other user
      */
-    public static boolean canEdit(User user, User target){
-        return user.equals( target ) || user.isSuperUser();
+    public static boolean canEdit(User user, User target) {
+        return user.equals(target) || user.isSuperUser();
     }