Fixed authentication

This commit is contained in:
Ziver Koc 2018-08-08 21:07:19 +02:00
parent 87bd924e8d
commit 80b46fbc1f
3 changed files with 54 additions and 31 deletions


@ -64,7 +64,7 @@ CREATE TABLE `User` (
`passwordSalt` varchar(5) DEFAULT NULL, `passwordSalt` varchar(5) DEFAULT NULL,
`ipHost` varchar(20) DEFAULT NULL, `ipHost` varchar(20) DEFAULT NULL,
`loginDate` datetime DEFAULT NULL, `loginDate` datetime DEFAULT NULL,
`cookieHash` varchar(32) DEFAULT NULL, `cookieHash` varchar(42) DEFAULT NULL,
`superUser` tinyint(1) NOT NULL, `superUser` tinyint(1) NOT NULL,
`enabled` tinyint(1) NOT NULL `enabled` tinyint(1) NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=latin1; ) ENGINE=InnoDB DEFAULT CHARSET=latin1;
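Review bot: The widening of `cookieHash` to varchar(42) is sized for the 40-character hex SHA-1 that AuthenticationManager now stores, but nothing in the schema records that coupling, so a later change of the hash function would silently truncate the stored token and break cookie login. A column comment makes the dependency visible: `` `cookieHash` varchar(42) DEFAULT NULL COMMENT 'hex session token written by AuthenticationManager.authenticate; width must cover the hash output' ``. If `User.loadByCookieHash` looks rows up by this column, which I infer from its name rather than from this hunk, an index on it would also be worth adding while the column is being altered.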


@ -10,8 +10,7 @@ public interface ZalleryConstants {
/** Session Constants **/ /** Session Constants **/
public static final String SESSION_KEY_USER_MSG = "zall_user_message"; public static final String SESSION_KEY_USER_MSG = "zall_user_message";
public static final String SESSION_KEY_USER = "zall_user"; public static final String SESSION_KEY_USER_OBJ = "zall_user";
public static final String SESSION_KEY_AUTH_HASH = "zall_user_session_hash";
public static final long SESSION_TIMEOUT = 3*24*60*60*1000; // 2 day public static final long SESSION_TIMEOUT = 3*24*60*60*1000; // 2 day
/** Cookie Constants **/ /** Cookie Constants **/
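Review bot: The `// 2 day` comment on `SESSION_TIMEOUT` contradicts its value `3*24*60*60*1000`, which is three days expressed in milliseconds; since the hunk already touches the neighbouring constants, the comment should read `// 3 days, in milliseconds` (or the value should become `2*24*60*60*1000` if two days was the intent). The hunk also removes `SESSION_KEY_AUTH_HASH`, while AuthenticationManager now reads `COOKIE_KEY_USER_HASH`, which is not visible here and is presumably declared under the Cookie Constants header below; worth confirming that constant exists and that no other reader of the removed key remains.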


@ -1,6 +1,5 @@
package zall.manager; package zall.manager;
import zall.ZalleryConstants;
import zall.bean.Folder; import zall.bean.Folder;
import zall.bean.Media; import zall.bean.Media;
import zall.bean.User; import zall.bean.User;
@ -53,7 +52,7 @@ public class AuthenticationManager {
* @return a user object or null authentications fails * @return a user object or null authentications fails
*/ */
public static User authenticate(DBConnection db, HttpServletRequest request, HttpServletResponse response) throws SQLException { public static User authenticate(DBConnection db, HttpServletRequest request, HttpServletResponse response) throws SQLException {
String cookieHash = ServletUtil.getCookieValue(request.getCookies(), SESSION_KEY_AUTH_HASH); String cookieHash = ServletUtil.getCookieValue(request.getCookies(), COOKIE_KEY_USER_HASH);
if (cookieHash != null) { if (cookieHash != null) {
User user = User.loadByCookieHash(db, cookieHash); User user = User.loadByCookieHash(db, cookieHash);
@ -76,7 +75,7 @@ public class AuthenticationManager {
user.setLoginDate(new Timestamp(System.currentTimeMillis())); user.setLoginDate(new Timestamp(System.currentTimeMillis()));
user.setAuthBy(authType); user.setAuthBy(authType);
user.setIpHost(request.getRemoteAddr()); user.setIpHost(request.getRemoteAddr());
user.setCookieHash(Double.toHexString(Math.random())); user.setCookieHash(Hasher.SHA1(Math.random()));
user.save(db); user.save(db);
setUserSession(user, request.getSession()); setUserSession(user, request.getSession());
@ -86,41 +85,64 @@ public class AuthenticationManager {
response.addCookie(c); response.addCookie(c);
} }
logger.info("User(" + user.getEmail() + ") authenticated by " + user.getAuthBy()); logger.info("User(" + user.getEmail() + ") successfully authenticated by " + user.getAuthBy());
} }
/** /**
* @return the User associated with the provided session. * @return the User associated with the provided session.
*/ */
public static User getUserSession(HttpSession session) { public static User getUserSession(HttpSession session) {
return (User) session.getAttribute(SESSION_KEY_USER); return (User) session.getAttribute(SESSION_KEY_USER_OBJ);
} }
public static void setUserSession(User user, HttpSession session) { public static void setUserSession(User user, HttpSession session) {
session.setAttribute(SESSION_KEY_USER, user); session.setAttribute(SESSION_KEY_USER_OBJ, user);
} }
public static void rmUserSession(HttpSession session) { public static void rmUserSession(HttpSession session) {
session.removeAttribute(SESSION_KEY_USER); session.removeAttribute(SESSION_KEY_USER_OBJ);
} }
/** /**
* @return true if the user has a isValid authentication session * @return true if the user has correctly been authenticated
*/ */
public static boolean isValid(User user, HttpServletRequest request) { public static boolean isValid(User user, HttpServletRequest request) {
if(user == null) if (user == null) {
logger.fine("Invalid user, user is null.");
return false; return false;
if(!user.isEnabled()) }
return false; if (!user.isEnabled()) {
if(user.getCookieHash() == null || user.getCookieHash().isEmpty() ) logger.fine("Invalid user(" + user.getEmail() + "), user disabled.");
return false; return false;
}
switch (user.getAuthBy()) { switch (user.getAuthBy()) {
case USER_INPUT: case USER_INPUT:
if (!user.isEmailVerified()) return false; if (!user.isEmailVerified()) {
case COOKIE: logger.fine("Invalid user(" + user.getEmail() + "), email not verified");
String sessionHash = ServletUtil.getCookieValue(request.getCookies(), SESSION_KEY_AUTH_HASH); return false;
return user.getCookieHash().equals(sessionHash) &&
user.getIpHost().equals(request.getRemoteAddr());
} }
case COOKIE:
if (user.getCookieHash() == null || user.getCookieHash().isEmpty()) {
logger.fine("Invalid user(" + user.getEmail() + "), null or empty cookie hash.");
return false;
}
String cookieHash = ServletUtil.getCookieValue(request.getCookies(), COOKIE_KEY_USER_HASH);
if (!user.getCookieHash().equals(cookieHash)) {
logger.fine("Invalid user(" + user.getEmail() + "), " +
"cookie hash not matching, (server) " + user.getCookieHash() + " == (user) " + cookieHash + ".");
return false;
}
if (!user.getIpHost().equals(request.getRemoteAddr())) {
logger.fine("Invalid user(" + user.getEmail() + "), " +
"ip host not matching, (server) " + user.getIpHost() + " == (user) " + request.getRemoteAddr() + ".");
return false;
}
return true;
default:
logger.severe("Unknown user authentication type: " + user.getAuthBy());
}
logger.severe("Invalid user.");
return false; return false;
} }
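Review bot: The session token written by `user.setCookieHash(Hasher.SHA1(Math.random()))` in the second hunk is derived from `Math.random()`, a non-cryptographic generator, and hashing a predictable value does not make it unpredictable; the token should come from `SecureRandom` instead, e.g. `byte[] tok = new byte[20]; new SecureRandom().nextBytes(tok);` hex-encoded, which still fits the 42-character column. In `isValid`, the fine-level log at the cookie-hash mismatch prints both the stored and the presented token, so valid session tokens end up in log files; log only the fact of the mismatch, `logger.fine("Invalid user(" + user.getEmail() + "), cookie hash not matching.");`, and likewise consider whether the remote address needs to be logged alongside it. The token comparison `user.getCookieHash().equals(cookieHash)` is not constant-time; `MessageDigest.isEqual` on the two byte arrays (after a null check on `cookieHash`) avoids the timing side channel. As a point of style, the `USER_INPUT` case intentionally drops into `COOKIE` when the email is verified, which reads like a missing `break`; a `// fall through: input-authenticated users must also hold a valid cookie` comment before `case COOKIE:` would document it. The AuthenticationManager section continues past the visible portion of this page.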
@ -130,12 +152,14 @@ public class AuthenticationManager {
public static boolean canEdit(User user, Media target) { public static boolean canEdit(User user, Media target) {
return target != null && (user.isSuperUser() || target.getUser().equals(user)); return target != null && (user.isSuperUser() || target.getUser().equals(user));
} }
/** /**
* @return true if the specified user can edit the media * @return true if the specified user can edit the media
*/ */
public static boolean canEdit(User user, Folder target) { public static boolean canEdit(User user, Folder target) {
return target != null && (user.isSuperUser() || user.equals(target.getUser())); return target != null && (user.isSuperUser() || user.equals(target.getUser()));
} }
/** /**
* @return true if the specified user can edit the profile of the other user * @return true if the specified user can edit the profile of the other user
*/ */