001package votorola.a.web.wic.authen; // Copyright 2012, Michael Allan. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Votorola Software"), to deal in the Votorola Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicence, and/or sell copies of the Votorola Software, and to permit persons to whom the Votorola Software is furnished to do so, subject to the following conditions: The preceding copyright notice and this permission notice shall be included in all copies or substantial portions of the Votorola Software. THE VOTOROLA SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE VOTOROLA SOFTWARE OR THE USE OR OTHER DEALINGS IN THE VOTOROLA SOFTWARE. 002 003import java.util.logging.*; 004import org.apache.wicket.Page; 005import org.apache.wicket.request.cycle.RequestCycle; 006import org.apache.wicket.request.mapper.parameter.PageParameters; 007import votorola.a.voter.*; 008import votorola.a.web.wic.*; 009import votorola.g.lang.*; 010import votorola.g.logging.*; 011 012 013/** A basic login page. Each instantiable subclass must have a public constructor that 014 * accepts page parameters, enabling it to be constructed by WC_LoginLink. 015 */ 016 @SuppressWarnings("deprecation") // of IDPair.isFromEmail(), fails placed on method (1.7.0_06) 017public @ThreadRestricted("wicket") abstract class LoginPage extends VPageHTML 018{ 019 020 021 /** Constructs a LoginPage. 022 */ 023 LoginPage( final PageParameters pP ) { super( pP ); } 024 025 026 027 // ------------------------------------------------------------------------------------ 028 029 030 /** The name of the cookie that stores the state of the "keep me logged in" check box. 031 */ 032 static final String COOKIE_PERSIST_BUTTON = "vo_loginPersistButton"; 033 // "voLogin.persistButton" would have been more standard 034 035 036 037 /** Sets the return page encoded in the page parameters as the response page. 038 * 039 * @see Authenticator#newLoginPage(PageParameters) 040 */ 041 final void respondWithReturnPage( final RequestCycle cycle ) 042 { 043 final PageParameters pP = getPageParameters(); 044 final Class<? extends Page> returnClass = Authenticator.extractReturnClass( pP ); 045 if( VoterPage.class.isAssignableFrom( returnClass )) 046 { 047 final VSession.User user = VSession.get().user(); // as newly authenticated 048 if( user != null && pP.get("u") == null && pP.get("v") == null ) 049 { 050 pP.set( "u", user.username() ); 051 } 052 } 053 cycle.setResponsePage( returnClass, pP ); 054 } 055 056 057 058 /** Sets the newly authenticated user in the session. 059 * 060 * @param method the name of the authentication method for logging purposes. 061 * @see votorola.a.web.wic.VSession.User#isPersistent() 062 * @param toReplaceSession answers whether to replace the session in order to 063 * defend the user from a potential fixation attack. This is currently 064 * disabled and has no effect. 065 * 066 * @see <a href='https://www.owasp.org/index.php/Session_Fixation'>Session Fixation</a> 067 */ 068 static void setUserInSession( IDPair id, final String method, final boolean persistent, 069 final boolean toReplaceSession, final VRequestCycle cycle ) 070 { 071 logger.fine( "logging in by " + method + ": " + id.username() ); 072 if( id.isFromEmail() ) id = new IDPair( id.email(), id.username(), /*isFromEmail*/false ); 073 // forcing it to appear in mailish form 074 final VSession session = VSession.get(); 075 if( toReplaceSession ) session.replaceSession(); 076 try 077 { 078 session.setUser( id, persistent, 079 VOWicket.get().vsRun().trustserver().getTraceNode(/*list, look it up*/null,id), cycle); 080 } 081 catch( java.io.IOException|java.sql.SQLException x ) { throw new RuntimeException( x ); } 082 } 083 084 085 086//// P r i v a t e /////////////////////////////////////////////////////////////////////// 087 088 089 private static final Logger logger = LoggerX.i( LoginPage.class ); 090 091 092}