From d6bd76e408820f1e3ccbb6e9e3f7601da9394d36 Mon Sep 17 00:00:00 2001
From: Ziver Koc
Date: Sat, 4 Aug 2018 23:15:51 +0200
Subject: [PATCH] Added whitelist pages
---
 WebContent/page_login.jsp | 12 ++++-----
 src/zall/ZalleryServlet.java | 2 +-
 src/zall/filter/AuthenticationFilter.java | 30 ++++++++++++++++-----
 src/zall/manager/AuthenticationManager.java | 4 +--
 src/zall/page/LoginServlet.java | 13 +++++---
 5 files changed, 41 insertions(+), 20 deletions(-)
diff --git a/WebContent/page_login.jsp b/WebContent/page_login.jsp
index 20acd4f..30cef8f 100755
--- a/WebContent/page_login.jsp
+++ b/WebContent/page_login.jsp
@@ -16,14 +16,14 @@
diff --git a/src/zall/ZalleryServlet.java b/src/zall/ZalleryServlet.java
index dc7bc98..f234910 100644
--- a/src/zall/ZalleryServlet.java
+++ b/src/zall/ZalleryServlet.java
@@ -65,7 +65,7 @@ public abstract class ZalleryServlet extends HttpServlet {
 dispatcher.forward(request, response);
 }
- public void redirect(String url, HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+ public static void redirect(String url, HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
 if (url.startsWith("http"))
 response.sendRedirect(url);
 else {
diff --git a/src/zall/filter/AuthenticationFilter.java b/src/zall/filter/AuthenticationFilter.java
index fdcc001..4b43425 100755
--- a/src/zall/filter/AuthenticationFilter.java
+++ b/src/zall/filter/AuthenticationFilter.java
@@ -4,6 +4,7 @@ import zall.bean.User;
 import zall.manager.AuthenticationManager;
 import zall.page.LoginServlet;
 import zall.page.RegisterServlet;
+import zutil.ObjectUtil;
 import zutil.log.LogUtil;
 import javax.servlet.*;
@@ -13,12 +14,17 @@ import java.io.IOException;
 import java.util.logging.Logger;
 /**
- * This filter will check if user is isValid if not will redirect to /login page
+ * This filter will check if user is valid, if not it will redirect to the login page
 */
-@WebFilter(urlPatterns = "/")
+@WebFilter("/*")
 public class AuthenticationFilter implements Filter {
 private static final Logger logger = LogUtil.getLogger();
+ private static final String[] WHITELIST = new String[]{
+ LoginServlet.URI,
+ RegisterServlet.URI
+ };
+
 @Override
 public void init(FilterConfig filterConfig) { }
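Review bot: `redirect` becomes a public static utility here, but it still carries no Javadoc stating that `url` must be a value the application chose: the visible `startsWith("http")` branch hands any absolute URL straight to `response.sendRedirect`, so a caller that ever forwarded a request-supplied string would turn this into an open redirect. Suggest `/** Redirects the client to {@code url}. Anything starting with "http" is sent to the browser unchanged, so callers must pass constant or validated targets only. */` above the signature. The `else` branch and the rest of the method body lie outside the hunk.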
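Review bot: `@WebFilter("/*")` widens the filter from the bare `/` to every request, yet `WHITELIST` holds only the two servlet URIs, so any stylesheet, script or image that page_login.jsp references would now be redirected to the login page as well unless those paths are whitelisted too (the JSP hunk is not visible here, so this is inferred). The new field also deserves a one-line comment such as `/** Context-relative paths that may be requested without an authenticated session. */`. As a style point, a `final String[]` is still mutable; `Collections.unmodifiableList(Arrays.asList(LoginServlet.URI, RegisterServlet.URI))` would make the intent explicit.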
@@ -28,11 +34,12 @@ public class AuthenticationFilter implements Filter {
 User user = null;
 // continue the request via the filter pipeline if it is login page or it is a isValid User
- if (requestURI.equals(LoginServlet.URI) ||
- requestURI.equals(RegisterServlet.URI) ||
- AuthenticationManager.isValid(user, (HttpServletRequest) request)) {
+ if (AuthenticationManager.isValid(user, (HttpServletRequest) request)) {
 logger.finest("User already authenticated, continuing filter chain.");
 chain.doFilter(request, response);
+ } else if (isWhitelisted(requestURI)){
+ logger.fine("Continuing filtering chain for whitelisted page: " + requestURI);
+ chain.doFilter(request, response);
 } else {
 // do not continue the filter pipeline forward to login page
 logger.fine("User not authenticated, redirecting to login page.");
@@ -40,6 +47,17 @@ public class AuthenticationFilter implements Filter {
 }
 }
+ private boolean isWhitelisted(String requestURI) {
+ if (ObjectUtil.isEmpty(requestURI))
+ return false;
+
+ for (String whitelistURI : WHITELIST) {
+ if (requestURI.endsWith(whitelistURI))
+ return true;
+ }
+ return false;
+ }
+
 @Override
- public void destroy() { }
+ public void destroy() { }
 }
diff --git a/src/zall/manager/AuthenticationManager.java b/src/zall/manager/AuthenticationManager.java
index b9fa45c..d8bcd17 100755
--- a/src/zall/manager/AuthenticationManager.java
+++ b/src/zall/manager/AuthenticationManager.java
@@ -39,10 +39,10 @@ public class AuthenticationManager {
 setUserAuthenticated(db, user, User.AuthType.USER_INPUT, request, response);
 return user;
 } else {
- logger.info("Incorrect password for username: " + user);
+ logger.info("Incorrect password for username: " + email);
 }
 } else {
- logger.info("Incorrect username provided: " + user);
+ logger.info("Incorrect username provided: " + email);
 }
 return null;
 }
diff --git a/src/zall/page/LoginServlet.java b/src/zall/page/LoginServlet.java
index 433dc38..2e79921 100755
--- a/src/zall/page/LoginServlet.java
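Review bot: The comment above the restructured `if` still says "if it is login page or it is a isValid User", which no longer describes the branch order: the session check now runs first for every request and the whitelist is only consulted when it fails. Updating it to `// an authenticated session always passes; otherwise only whitelisted pages are reachable` keeps the comment honest about the new control flow. The surrounding `doFilter` begins before this hunk, so the origin of `requestURI` is not visible here.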
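Review bot: `isWhitelisted` decides with `requestURI.endsWith(whitelistURI)`, which is a suffix match rather than a path match, so any request whose URI merely ends in `/login` or `/register` skips authentication regardless of which servlet actually serves it. If `requestURI` is `getRequestURI()` (assigned outside the hunk) it includes the context path, which is presumably why a suffix test was chosen; stripping that prefix once at the call site, `String path = requestURI.substring(((HttpServletRequest) request).getContextPath().length());`, and comparing here with `if (requestURI.equals(whitelistURI))` is both tighter and cheaper. A one-line Javadoc, `/** Returns true if the given context-relative path may be served without an authenticated session. */`, would also make the contract explicit.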
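Review bot: Both corrected log lines now write `email` exactly as it arrived from the form (`request.getParameter(FORM_EMAIL)` in the LoginServlet hunk), so an unvalidated string lands verbatim in an INFO-level log entry. Stripping line breaks before logging prevents a submitted value from splitting or forging log records, e.g. `logger.info("Incorrect password for username: " + String.valueOf(email).replaceAll("[\\r\\n]", " "));` and the same for the "Incorrect username provided" line; `String.valueOf` keeps the existing behaviour for a missing parameter. The method's signature lies above the hunk, so it is not visible whether `email` is trimmed or bounded earlier.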
+++ b/src/zall/page/LoginServlet.java
@@ -20,9 +20,12 @@ import java.util.logging.Logger;
 public class LoginServlet extends ZalleryServlet {
 private static Logger logger = LogUtil.getLogger();
- public static final String URI = "/login";
+ public static final String URI = "/login";
 private static final String JSP_FILE = "page_login.jsp";
+ private static final String FORM_EMAIL = "email";
+ private static final String FORM_PASSWORD = "password";
+
 public void doGet(HttpServletRequest request, HttpServletResponse response, DBConnection db) throws ServletException, IOException, SQLException {
 // User already logged in?
@@ -34,10 +37,10 @@ public class LoginServlet extends ZalleryServlet {
 // Forward user
 if (user != null) {
- include(JSP_FILE, request, response);
- } else {
 logger.fine("User(" + user.getEmail() + ") already authenticated, forwarding to gallery.");
 redirect(GalleryServlet.URI, request, response);
+ } else {
+ include(JSP_FILE, request, response);
 }
 }
@@ -45,8 +48,8 @@ public class LoginServlet extends ZalleryServlet {
 public void doPost(HttpServletRequest request, HttpServletResponse response, DBConnection db) throws SQLException, ServletException, IOException {
 UserMessage msgs = UserMessage.getUserMessage(request.getSession());
 User user = AuthenticationManager.authenticate(db,
- request.getParameter("email"),
- request.getParameter("password"),
+ request.getParameter(FORM_EMAIL),
+ request.getParameter(FORM_PASSWORD),
 request, response);
 // Successful login
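Review bot: `FORM_EMAIL` and `FORM_PASSWORD` are tied to the `name` attributes of the inputs in page_login.jsp (changed in this same commit, though that hunk is not shown here), yet nothing records that coupling, so a rename on either side would silently break login with no compile error. Add `// must match the <input name="..."> attributes in page_login.jsp` above the two constants. The `URI` constant is removed and re-added with identical text, which looks like a whitespace-only change and could be dropped from the patch.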