ziver/zallery
1
0
Fork 0
Code Pull requests Releases Activity

Fixed authentication

Browse source
This commit is contained in:
Ziver Koc 2018-08-08 21:07:19 +02:00
parent 87bd924e8d
commit 80b46fbc1f
3 changed files with 54 additions and 31 deletions
Download patch file Download diff file Expand all files Collapse all files

2
db_structure.sql
View file

@ -64,7 +64,7 @@ CREATE TABLE `User` (
`passwordSalt` varchar(5) DEFAULT NULL, `passwordSalt` varchar(5) DEFAULT NULL,
`ipHost` varchar(20) DEFAULT NULL, `ipHost` varchar(20) DEFAULT NULL,
`loginDate` datetime DEFAULT NULL, `loginDate` datetime DEFAULT NULL,
`cookieHash` varchar(32) DEFAULT NULL, `cookieHash` varchar(42) DEFAULT NULL,
`superUser` tinyint(1) NOT NULL, `superUser` tinyint(1) NOT NULL,
`enabled` tinyint(1) NOT NULL `enabled` tinyint(1) NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=latin1; ) ENGINE=InnoDB DEFAULT CHARSET=latin1;

3
src/zall/ZalleryConstants.java
View file

@ -10,8 +10,7 @@ public interface ZalleryConstants {
/** Session Constants **/ /** Session Constants **/
public static final String SESSION_KEY_USER_MSG = "zall_user_message"; public static final String SESSION_KEY_USER_MSG = "zall_user_message";
public static final String SESSION_KEY_USER = "zall_user"; public static final String SESSION_KEY_USER_OBJ = "zall_user";
public static final String SESSION_KEY_AUTH_HASH = "zall_user_session_hash";
public static final long SESSION_TIMEOUT = 3*24*60*60*1000; // 2 day public static final long SESSION_TIMEOUT = 3*24*60*60*1000; // 2 day
/** Cookie Constants **/ /** Cookie Constants **/

80
src/zall/manager/AuthenticationManager.java
View file

@ -1,6 +1,5 @@
package zall.manager; package zall.manager;
import zall.ZalleryConstants;
import zall.bean.Folder; import zall.bean.Folder;
import zall.bean.Media; import zall.bean.Media;
import zall.bean.User; import zall.bean.User;
@ -23,7 +22,7 @@ import static zall.ZalleryConstants.*;
public class AuthenticationManager { public class AuthenticationManager {
private static final Logger logger = LogUtil.getLogger(); private static final Logger logger = LogUtil.getLogger();
public static String generatePasswordHash(String password, String salt){ public static String generatePasswordHash(String password, String salt) {
return Hasher.PBKDF2(password, salt, 1000); return Hasher.PBKDF2(password, salt, 1000);
} }
@ -34,7 +33,7 @@ public class AuthenticationManager {
User user = User.load(db, email); User user = User.load(db, email);
// Valid email? // Valid email?
if( user != null ){ if (user != null) {
if (user.getPasswordHash().equals(generatePasswordHash(password, user.getPasswordSalt()))) { if (user.getPasswordHash().equals(generatePasswordHash(password, user.getPasswordSalt()))) {
setUserAuthenticated(db, user, User.AuthType.USER_INPUT, request, response); setUserAuthenticated(db, user, User.AuthType.USER_INPUT, request, response);
return user; return user;
@ -52,8 +51,8 @@ public class AuthenticationManager {
* *
* @return a user object or null authentications fails * @return a user object or null authentications fails
*/ */
public static User authenticate(DBConnection db, HttpServletRequest request, HttpServletResponse response) throws SQLException{ public static User authenticate(DBConnection db, HttpServletRequest request, HttpServletResponse response) throws SQLException {
String cookieHash = ServletUtil.getCookieValue(request.getCookies(), SESSION_KEY_AUTH_HASH); String cookieHash = ServletUtil.getCookieValue(request.getCookies(), COOKIE_KEY_USER_HASH);
if (cookieHash != null) { if (cookieHash != null) {
User user = User.loadByCookieHash(db, cookieHash); User user = User.loadByCookieHash(db, cookieHash);
@ -76,51 +75,74 @@ public class AuthenticationManager {
user.setLoginDate(new Timestamp(System.currentTimeMillis())); user.setLoginDate(new Timestamp(System.currentTimeMillis()));
user.setAuthBy(authType); user.setAuthBy(authType);
user.setIpHost(request.getRemoteAddr()); user.setIpHost(request.getRemoteAddr());
user.setCookieHash(Double.toHexString(Math.random())); user.setCookieHash(Hasher.SHA1(Math.random()));
user.save(db); user.save(db);
setUserSession(user, request.getSession()); setUserSession(user, request.getSession());
if(authType != User.AuthType.COOKIE){ if (authType != User.AuthType.COOKIE) {
Cookie c = new Cookie(COOKIE_KEY_USER_HASH, user.getCookieHash()); Cookie c = new Cookie(COOKIE_KEY_USER_HASH, user.getCookieHash());
c.setMaxAge(COOKIE_TIMEOUT); c.setMaxAge(COOKIE_TIMEOUT);
response.addCookie(c); response.addCookie(c);
} }
logger.info("User(" + user.getEmail() + ") authenticated by " + user.getAuthBy()); logger.info("User(" + user.getEmail() + ") successfully authenticated by " + user.getAuthBy());
} }
/** /**
* @return the User associated with the provided session. * @return the User associated with the provided session.
*/ */
public static User getUserSession(HttpSession session) { public static User getUserSession(HttpSession session) {
return (User) session.getAttribute(SESSION_KEY_USER); return (User) session.getAttribute(SESSION_KEY_USER_OBJ);
} }
public static void setUserSession(User user, HttpSession session) { public static void setUserSession(User user, HttpSession session) {
session.setAttribute(SESSION_KEY_USER, user); session.setAttribute(SESSION_KEY_USER_OBJ, user);
} }
public static void rmUserSession(HttpSession session) { public static void rmUserSession(HttpSession session) {
session.removeAttribute(SESSION_KEY_USER); session.removeAttribute(SESSION_KEY_USER_OBJ);
} }
/** /**
* @return true if the user has a isValid authentication session * @return true if the user has correctly been authenticated
*/ */
public static boolean isValid(User user, HttpServletRequest request) { public static boolean isValid(User user, HttpServletRequest request) {
if(user == null) if (user == null) {
logger.fine("Invalid user, user is null.");
return false; return false;
if(!user.isEnabled())
return false;
if(user.getCookieHash() == null || user.getCookieHash().isEmpty() )
return false;
switch(user.getAuthBy()){
case USER_INPUT:
if (!user.isEmailVerified()) return false;
case COOKIE:
String sessionHash = ServletUtil.getCookieValue(request.getCookies(), SESSION_KEY_AUTH_HASH);
return user.getCookieHash().equals(sessionHash) &&
user.getIpHost().equals(request.getRemoteAddr());
} }
if (!user.isEnabled()) {
logger.fine("Invalid user(" + user.getEmail() + "), user disabled.");
return false;
}
switch (user.getAuthBy()) {
case USER_INPUT:
if (!user.isEmailVerified()) {
logger.fine("Invalid user(" + user.getEmail() + "), email not verified");
return false;
}
case COOKIE:
if (user.getCookieHash() == null || user.getCookieHash().isEmpty()) {
logger.fine("Invalid user(" + user.getEmail() + "), null or empty cookie hash.");
return false;
}
String cookieHash = ServletUtil.getCookieValue(request.getCookies(), COOKIE_KEY_USER_HASH);
if (!user.getCookieHash().equals(cookieHash)) {
logger.fine("Invalid user(" + user.getEmail() + "), " +
"cookie hash not matching, (server) " + user.getCookieHash() + " == (user) " + cookieHash + ".");
return false;
}
if (!user.getIpHost().equals(request.getRemoteAddr())) {
logger.fine("Invalid user(" + user.getEmail() + "), " +
"ip host not matching, (server) " + user.getIpHost() + " == (user) " + request.getRemoteAddr() + ".");
return false;
}
return true;
default:
logger.severe("Unknown user authentication type: " + user.getAuthBy());
}
logger.severe("Invalid user.");
return false; return false;
} }
@ -130,17 +152,19 @@ public class AuthenticationManager {
public static boolean canEdit(User user, Media target) { public static boolean canEdit(User user, Media target) {
return target != null && (user.isSuperUser() || target.getUser().equals(user)); return target != null && (user.isSuperUser() || target.getUser().equals(user));
} }
/** /**
* @return true if the specified user can edit the media * @return true if the specified user can edit the media
*/ */
public static boolean canEdit(User user, Folder target) { public static boolean canEdit(User user, Folder target) {
return target != null && (user.isSuperUser() || user.equals( target.getUser() )); return target != null && (user.isSuperUser() || user.equals(target.getUser()));
} }
/** /**
* @return true if the specified user can edit the profile of the other user * @return true if the specified user can edit the profile of the other user
*/ */
public static boolean canEdit(User user, User target){ public static boolean canEdit(User user, User target) {
return user.equals( target ) || user.isSuperUser(); return user.equals(target) || user.isSuperUser();
} }