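package zall.manager;

import zall.bean.Folder;
import zall.bean.Media;
import zall.bean.User;
import zall.util.ServletUtil;
import zutil.Hasher;
import zutil.db.DBConnection;
import zutil.log.LogUtil;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.sql.SQLException;
import java.sql.Timestamp;
import java.util.Objects;
import java.util.logging.Logger;

/**
 * Authentication and authorization helpers for the zall web application:
 * password and cookie based login, HTTP-session bookkeeping, validation of an
 * existing login against the current request, and the {@code canEdit}
 * permission checks.
 *
 * <p>All methods are static and stateless; the persisted login state (session
 * hash, login date, client address, authentication type) lives on the
 * {@link User} object and is written through {@link User#save}.
 */
public class AuthenticationManager {
    private static final Logger logger = LogUtil.getLogger();

    /** HTTP-session attribute under which the logged-in {@link User} is stored. */
    public static final String SESSION_KEY_USER = "zall_user";
    /**
     * Name of the cookie that carries the persistent session hash.
     * The misspelling ("ueser") is part of the deployed cookie name; correcting
     * it would invalidate every cookie already issued.
     */
    public static final String SESSION_KEY_AUTH_HASH = "zall_ueser_session_hash";
    /** Maximum age of a cookie-based login, in milliseconds (3 days). */
    public static final long SESSION_TIMEOUT = 1000L * 60 * 60 * 24 * 3;

    /**
     * Authenticates a user by email and clear-text password.
     *
     * @param db       open database connection
     * @param email    login email, looked up through {@link User#load}
     * @param password clear-text password as entered by the user
     * @return the authenticated {@link User}, or {@code null} if the email is
     *         unknown, either argument is {@code null}, or the password does
     *         not match
     * @throws SQLException if the user lookup or the login-state update fails
     */
    public static User authenticate(DBConnection db, String email, String password) throws SQLException {
        if (email == null || password == null) {
            return null;
        }
        User user = User.load(db, email);
        if (user == null) {
            return null; // unknown email
        }
        // NOTE(review): the stored credential is compared against an unsalted
        // MD5 of the input. That is a weak password hash; migrating the stored
        // hashes to bcrypt/scrypt/argon2 is a data migration outside this class.
        // The comparison itself is done in constant time so that a mismatch
        // does not leak how many leading characters were correct.
        if (!constantTimeEquals(user.getPassword(), Hasher.MD5(password))) {
            return null;
        }
        userAuthenticated(db, user, User.AuthType.USER_INPUT);
        return user;
    }

    /**
     * Authenticates a user from the persistent session cookie.
     *
     * <p>The cookie value must resolve to a user whose recorded client address
     * equals the request's remote address and whose last login is younger
     * than {@link #SESSION_TIMEOUT}.
     *
     * @param db      open database connection
     * @param request current request, source of the cookie and remote address
     * @return the authenticated {@link User}, or {@code null} if the cookie is
     *         missing, unknown, bound to another address, or expired
     * @throws SQLException if the user lookup or the login-state update fails
     */
    public static User authenticate(DBConnection db, HttpServletRequest request) throws SQLException {
        String sessionHash = ServletUtil.getCookieValue(request.getCookies(), SESSION_KEY_AUTH_HASH);
        // Never look up an absent or empty hash: a reset session stores a null
        // hash (see reset()), and an absent cookie must not be able to match it.
        if (sessionHash == null || sessionHash.isEmpty()) {
            return null;
        }
        User user = User.loadBySessionHash(db, sessionHash);
        if (user == null || !clientAddressMatches(user, request)) {
            return null;
        }
        Timestamp loginDate = user.getLoginDate();
        if (loginDate == null || loginDate.getTime() + SESSION_TIMEOUT <= System.currentTimeMillis()) {
            return null; // cookie login expired (or never recorded)
        }
        userAuthenticated(db, user, User.AuthType.COOKIE);
        return user;
    }

    /**
     * Records a successful login: refreshes the login timestamp, stores how
     * the user authenticated and persists the user.
     *
     * @throws SQLException if persisting the user fails
     */
    private static void userAuthenticated(DBConnection db, User user, User.AuthType authType) throws SQLException {
        user.setLoginDate(new Timestamp(System.currentTimeMillis()));
        user.setAuthBy(authType);
        user.save(db);
        logger.info("User(" + user.getName() + ") authenticated by " + user.getAuthBy());
    }

    /**
     * @return the {@link User} stored in the HTTP session, or {@code null}
     *         if nobody is logged in on it
     */
    public static User getUserSession(HttpSession session) {
        return (User) session.getAttribute(SESSION_KEY_USER);
    }

    /** Stores {@code user} as the logged-in user of the HTTP session. */
    public static void setUserSession(User user, HttpSession session) {
        session.setAttribute(SESSION_KEY_USER, user);
    }

    /** Removes the logged-in user from the HTTP session. */
    public static void rmUserSession(HttpSession session) {
        session.removeAttribute(SESSION_KEY_USER);
    }

    /**
     * Checks that {@code user} still holds a valid authenticated session for
     * this request: the account is enabled, a session hash is recorded, a
     * password login additionally has a verified email, and in every case the
     * session cookie presented by the request equals the recorded hash and
     * the request comes from the recorded client address.
     *
     * @param user    user taken from the HTTP session; may be {@code null}
     * @param request current request
     * @return {@code true} if the user has a valid authentication session
     */
    public static boolean isValid(User user, HttpServletRequest request) {
        if (user == null || !user.isEnabled()) {
            return false;
        }
        String storedHash = user.getSessionHash();
        if (storedHash == null || storedHash.isEmpty()) {
            return false;
        }
        User.AuthType authBy = user.getAuthBy();
        if (authBy == null) {
            return false;
        }
        switch (authBy) {
            case USER_INPUT:
                if (!user.isEmailVerified()) {
                    return false;
                }
                // fall through: a password login is only valid while the
                // matching session cookie is presented from the same address
            case COOKIE: {
                String cookieHash = ServletUtil.getCookieValue(request.getCookies(), SESSION_KEY_AUTH_HASH);
                return constantTimeEquals(storedHash, cookieHash) && clientAddressMatches(user, request);
            }
            default:
                return false;
        }
    }

    /**
     * @return {@code true} if the user may edit the media: the user is a
     *         super user or owns the media; {@code false} if either is {@code null}
     */
    public static boolean canEdit(User user, Media target) {
        return user != null && target != null
                && (user.isSuperUser() || user.equals(target.getUser()));
    }

    /**
     * @return {@code true} if the user may edit the folder: the user is a
     *         super user or owns the folder; {@code false} if either is {@code null}
     */
    public static boolean canEdit(User user, Folder target) {
        return user != null && target != null
                && (user.isSuperUser() || user.equals(target.getUser()));
    }

    /**
     * @return {@code true} if the user may edit the profile of {@code target}:
     *         it is their own profile or the user is a super user
     */
    public static boolean canEdit(User user, User target) {
        return user != null && (user.equals(target) || user.isSuperUser());
    }

    /**
     * Resets the user's persisted authentication, i.e. logs the user out of
     * every cookie-based session by clearing the stored session hash.
     * The HTTP session is not touched; see {@link #rmUserSession}.
     *
     * @throws SQLException if persisting the user fails
     * @throws NullPointerException if {@code user} is {@code null}
     */
    public static void reset(DBConnection db, User user) throws SQLException {
        Objects.requireNonNull(user, "user");
        user.setSessionHash(null);
        user.save(db);
    }

    /**
     * Compares two credential strings in constant time. A {@code null} on
     * either side never matches.
     */
    private static boolean constantTimeEquals(String expected, String actual) {
        if (expected == null || actual == null) {
            return false;
        }
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                actual.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * @return {@code true} if the client address recorded on the user equals
     *         the request's remote address; a missing recorded address never matches
     */
    private static boolean clientAddressMatches(User user, HttpServletRequest request) {
        String ipHost = user.getIpHost();
        return ipHost != null && ipHost.equals(request.getRemoteAddr());
    }
}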