From a502d96a860456ec5e8c96761db70f7cabb74751 Mon Sep 17 00:00:00 2001
From: Paul Martin <paul@paulsputer.com>
Date: Sat, 30 Apr 2016 04:19:14 -0400
Subject: [PATCH] Merge pull request #1073 from gitblit/1062-DocEditorUpdates
---
 src/main/java/com/gitblit/wicket/pages/SessionPage.java | 205 +++++++++++++++++++++++++++++++------------------
 1 files changed, 127 insertions(+), 78 deletions(-)
diff --git a/src/main/java/com/gitblit/wicket/pages/SessionPage.java b/src/main/java/com/gitblit/wicket/pages/SessionPage.java
index a10102f..bcf8e97 100644
--- a/src/main/java/com/gitblit/wicket/pages/SessionPage.java
+++ b/src/main/java/com/gitblit/wicket/pages/SessionPage.java
@@ -1,78 +1,127 @@
-/*
- * Copyright 2013 gitblit.com.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package com.gitblit.wicket.pages;
-
-import javax.servlet.http.HttpServletRequest;
-
-import org.apache.wicket.PageParameters;
-import org.apache.wicket.markup.html.WebPage;
-import org.apache.wicket.protocol.http.WebRequest;
-import org.apache.wicket.protocol.http.WebResponse;
-
-import com.gitblit.Keys;
-import com.gitblit.models.UserModel;
-import com.gitblit.wicket.GitBlitWebApp;
-import com.gitblit.wicket.GitBlitWebSession;
-
-public abstract class SessionPage extends WebPage {
-
- public SessionPage() {
- super();
- login();
- }
-
- public SessionPage(final PageParameters params) {
- super(params);
- login();
- }
-
- protected String [] getEncodings() {
- return app().settings().getStrings(Keys.web.blobEncodings).toArray(new String[0]);
- }
-
- protected GitBlitWebApp app() {
- return GitBlitWebApp.get();
- }
-
- private void login() {
- GitBlitWebSession session = GitBlitWebSession.get();
- if (session.isLoggedIn() && !session.isSessionInvalidated()) {
- // already have a session, refresh usermodel to pick up
- // any changes to permissions or roles (issue-186)
- UserModel user = app().users().getUserModel(session.getUser().username);
- session.setUser(user);
- return;
- }
-
- // try to authenticate by servlet request
- HttpServletRequest httpRequest = ((WebRequest) getRequestCycle().getRequest())
- .getHttpServletRequest();
- UserModel user = app().session().authenticate(httpRequest);
-
- // Login the user
- if (user != null) {
- // issue 62: fix session fixation vulnerability
- session.replaceSession();
- session.setUser(user);
-
- // Set Cookie
- WebResponse response = (WebResponse) getRequestCycle().getResponse();
- app().session().setCookie(response.getHttpServletResponse(), user);
-
- session.continueRequest();
- }
- }
-}
+/*
+ * Copyright 2013 gitblit.com.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gitblit.wicket.pages;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.wicket.PageParameters;
+import org.apache.wicket.markup.html.WebPage;
+import org.apache.wicket.protocol.http.WebRequest;
+import org.apache.wicket.protocol.http.WebResponse;
+
+import com.gitblit.Constants;
+import com.gitblit.Constants.AuthenticationType;
+import com.gitblit.Keys;
+import com.gitblit.models.UserModel;
+import com.gitblit.utils.StringUtils;
+import com.gitblit.wicket.GitBlitWebApp;
+import com.gitblit.wicket.GitBlitWebSession;
+
+public abstract class SessionPage extends WebPage {
+
+ public SessionPage() {
+ super();
+ login();
+ }
+
+ public SessionPage(final PageParameters params) {
+ super(params);
+ login();
+ }
+
+ protected String [] getEncodings() {
+ return app().settings().getStrings(Keys.web.blobEncodings).toArray(new String[0]);
+ }
+
+ protected GitBlitWebApp app() {
+ return GitBlitWebApp.get();
+ }
+
+ private void login() {
+ GitBlitWebSession session = GitBlitWebSession.get();
+ HttpServletRequest request = ((WebRequest) getRequest()).getHttpServletRequest();
+ HttpServletResponse response = ((WebResponse) getResponse()).getHttpServletResponse();
+
+ // If using container/external servlet authentication, use request attribute
+ String authedUser = (String) request.getAttribute(Constants.ATTRIB_AUTHUSER);
+
+ // Default to trusting session authentication if not set in request by external processing
+ if (StringUtils.isEmpty(authedUser) && session.isLoggedIn()) {
+ authedUser = session.getUsername();
+ }
+
+ if (!StringUtils.isEmpty(authedUser)) {
+ // Avoid session fixation for non-session authentication
+ // If the authenticated user is different from the session user, discard
+ // the old session entirely, without trusting any session values
+ if (!authedUser.equals(session.getUsername())) {
+ session.replaceSession();
+ }
+
+ if (!session.isSessionInvalidated()) {
+ // Refresh usermodel to pick up any changes to permissions or roles (issue-186)
+ UserModel user = app().users().getUserModel(authedUser);
+
+ if (user == null || user.disabled) {
+ // user was deleted/disabled during session
+ app().authentication().logout(request, response, user);
+ session.setUser(null);
+ session.invalidateNow();
+ return;
+ }
+
+ // validate cookie during session (issue-361)
+ if (app().settings().getBoolean(Keys.web.allowCookieAuthentication, true)) {
+ String requestCookie = app().authentication().getCookie(request);
+ if (!StringUtils.isEmpty(requestCookie) && !StringUtils.isEmpty(user.cookie)) {
+ if (!requestCookie.equals(user.cookie)) {
+ // cookie was changed during our session
+ app().authentication().logout(request, response, user);
+ session.setUser(null);
+ session.invalidateNow();
+ return;
+ }
+ }
+ }
+ session.setUser(user);
+ return;
+ }
+ }
+
+ // try to authenticate by servlet request
+ UserModel user = app().authentication().authenticate(request);
+
+ // Login the user
+ if (user != null) {
+ AuthenticationType authenticationType = (AuthenticationType) request.getAttribute(Constants.ATTRIB_AUTHTYPE);
+
+ // issue 62: fix session fixation vulnerability
+ // but only if authentication was done in the container.
+ // It avoid double change of session, that some authentication method
+ // don't like
+ if (AuthenticationType.CONTAINER != authenticationType) {
+ session.replaceSession();
+ }
+ session.setUser(user);
+
+ // Set Cookie
+ app().authentication().setCookie(request, response, user);
+
+ session.continueRequest();
+ }
+ }
+}
-- Gitblit v1.9.1
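Review bot: The cookie re-validation in login() compares the presented cookie to the stored one with `requestCookie.equals(user.cookie)`, which returns at the first differing character and so leaks timing information about the stored value; a constant-time comparison is the usual choice here, `if (!MessageDigest.isEqual(requestCookie.getBytes(StandardCharsets.UTF_8), user.cookie.getBytes(StandardCharsets.UTF_8)))`, which needs `java.security.MessageDigest` and `java.nio.charset.StandardCharsets` added to the imports. Separately, the `user == null || user.disabled` branch hands a possibly-null `user` to `app().authentication().logout(request, response, user)`; whether logout tolerates a null user is not visible in this file, so that call is worth confirming or guarding with a null check. A short comment above the cookie block stating that a mismatch ends the session, rather than falling through to re-authentication, would also make the intent of the early `return` clearer. The whole of SessionPage, including login(), lies inside this hunk.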