
Example 11 with Session

use of org.apache.wiki.api.core.Session in project jspwiki by apache.

the class DefaultUserManager method validateProfile.

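/**
 * {@inheritDoc}
 * <p>Failed checks are reported as messages on the wiki session under {@code SESSION_MESSAGES} rather
 * than by a return value, and — apart from a spam-filter rejection — later checks still run after an
 * earlier one has failed. The checks are, in order: spam filter, container-authentication login state,
 * required fields, password rules (only when the wiki manages passwords itself), and collisions of the
 * full name, login name and e-mail address with other stored profiles.</p>
 *
 * @param context the current wiki context; supplies the session, the HTTP request and the message bundle
 * @param profile the profile being created or edited
 */
@Override
public void validateProfile(final Context context, final UserProfile profile) {
    final Session session = context.getWikiSession();
    final InputValidator validator = new InputValidator(SESSION_MESSAGES, context);
    final ResourceBundle rb = Preferences.getBundle(context, InternationalizationManager.CORE_BUNDLE);

    // Query the SpamFilter first: a rejected profile is not validated any further.
    if (!acceptedBySpamFilter(context, profile)) {
        session.addMessage(SESSION_MESSAGES, "Invalid userprofile");
        return;
    }

    final boolean containerAuth = m_engine.getManager(AuthenticationManager.class).isContainerAuthenticated();
    // If container-managed auth and user not logged in, report an error
    if (containerAuth && !session.isAuthenticated()) {
        session.addMessage(SESSION_MESSAGES, rb.getString("security.error.createprofilebeforelogin"));
    }

    // Required fields; these record a message but do not stop validation.
    validator.validateNotNull(profile.getLoginName(), rb.getString("security.user.loginname"));
    validator.validateNotNull(profile.getFullname(), rb.getString("security.user.fullname"));
    validator.validate(profile.getEmail(), rb.getString("security.user.email"), InputValidator.EMAIL);

    // Passwords are only the wiki's business when the container is not doing the authentication.
    if (!containerAuth) {
        validateProfilePasswords(context, session, profile, rb);
    }

    validateProfileUniqueness(session, profile, rb);
}

/**
 * Asks the first {@link SpamFilter} in the filter chain whether the profile is acceptable.
 * Only the first SpamFilter is consulted; with no SpamFilter registered every profile is accepted.
 *
 * @param context the current wiki context
 * @param profile the profile to check
 * @return {@code false} if the spam filter rejected the profile, {@code true} otherwise
 */
private boolean acceptedBySpamFilter(final Context context, final UserProfile profile) {
    final FilterManager fm = m_engine.getManager(FilterManager.class);
    for (final PageFilter pf : fm.getFilterList()) {
        if (pf instanceof SpamFilter) {
            return ((SpamFilter) pf).isValidUserProfile(context, profile);
        }
    }
    return true;
}

/**
 * Validates the password fields of a profile when the wiki, not the container, manages passwords.
 * A new profile must carry a password; when a password is supplied it must match the confirmation
 * ({@code password2} request parameter) and, for an existing profile, {@code password0} from the
 * request must validate against the stored credentials of the login name.
 *
 * @param context the current wiki context, used to reach the HTTP request
 * @param session the wiki session that receives the error messages
 * @param profile the profile being created or edited
 * @param rb      the core message bundle
 */
private void validateProfilePasswords(final Context context, final Session session, final UserProfile profile, final ResourceBundle rb) {
    final String password = profile.getPassword();
    if (password == null) {
        // Only a new profile is required to supply a password.
        if (profile.isNew()) {
            session.addMessage(SESSION_MESSAGES, rb.getString("security.error.blankpassword"));
        }
        return;
    }
    final HttpServletRequest request = context.getHttpRequest();
    final String password0 = (request == null) ? null : request.getParameter("password0");
    final String password2 = (request == null) ? null : request.getParameter("password2");
    if (!password.equals(password2)) {
        session.addMessage(SESSION_MESSAGES, rb.getString("security.error.passwordnomatch"));
    }
    // Existing profile: password0 (presumably the current password) must validate against the stored
    // credentials before a new one is accepted. The same message key as the confirmation mismatch is
    // reused here, so the user cannot tell the two failures apart.
    if (!profile.isNew() && !getUserDatabase().validatePassword(profile.getLoginName(), password0)) {
        session.addMessage(SESSION_MESSAGES, rb.getString("security.error.passwordnomatch"));
    }
}

/**
 * Reports a profile whose full name is another user's login name, whose login name is another user's
 * full name, or whose e-mail address is already used by another account (JSPWIKI-1042). A
 * {@link NoSuchPrincipalException} from the user database means the identifier is free and is not an error.
 * A {@code null} identifier has already been reported by the required-field checks and is skipped here,
 * which also keeps the comparisons below from dereferencing {@code null}.
 *
 * @param session the wiki session that receives the error messages
 * @param profile the profile being created or edited
 * @param rb      the core message bundle
 */
private void validateProfileUniqueness(final Session session, final UserProfile profile, final ResourceBundle rb) {
    final String fullName = profile.getFullname();
    final String loginName = profile.getLoginName();
    final String email = profile.getEmail();
    // It's illegal to use as a full name someone else's login name
    if (fullName != null) {
        try {
            final UserProfile otherProfile = getUserDatabase().find(fullName);
            if (otherProfile != null && !profile.equals(otherProfile) && !fullName.equals(otherProfile.getFullname())) {
                final Object[] args = { fullName };
                session.addMessage(SESSION_MESSAGES, MessageFormat.format(rb.getString("security.error.illegalfullname"), args));
            }
        } catch (final NoSuchPrincipalException e) {
            // No such user: the name is free.
        }
    }
    // It's illegal to use as a login name someone else's full name
    if (loginName != null) {
        try {
            final UserProfile otherProfile = getUserDatabase().find(loginName);
            if (otherProfile != null && !profile.equals(otherProfile) && !loginName.equals(otherProfile.getLoginName())) {
                final Object[] args = { loginName };
                session.addMessage(SESSION_MESSAGES, MessageFormat.format(rb.getString("security.error.illegalloginname"), args));
            }
        } catch (final NoSuchPrincipalException e) {
            // No such user: the name is free.
        }
    }
    // It's illegal to use multiple accounts with the same email (Issue JSPWIKI-1042)
    if (email != null) {
        try {
            final UserProfile otherProfile = getUserDatabase().findByEmail(email);
            if (otherProfile != null && !profile.getUid().equals(otherProfile.getUid()) && !profile.equals(otherProfile)
                    && StringUtils.lowerCase(email).equals(StringUtils.lowerCase(otherProfile.getEmail()))) {
                final Object[] args = { email };
                session.addMessage(SESSION_MESSAGES, MessageFormat.format(rb.getString("security.error.email.taken"), args));
            }
        } catch (final NoSuchPrincipalException e) {
            // No such user: the address is free.
        }
    }
}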

Example 12 with Session

use of org.apache.wiki.api.core.Session in project jspwiki by apache.

the class SessionMonitor method sessionDestroyed.

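/**
 * Removes the user's WikiSession from the internal session cache when the web
 * container destroys an HTTP session, and notifies listeners that it expired.
 * <p>Every monitor registered in {@code c_monitors} is asked to drop the session; a
 * {@link WikiSecurityEvent#SESSION_EXPIRED} event is fired only for monitors that actually held it.</p>
 * @param se the HTTP session event
 */
@Override
public void sessionDestroyed(final HttpSessionEvent se) {
    final HttpSession session = se.getSession();
    for (final SessionMonitor monitor : c_monitors.values()) {
        // Look the wiki session up before removing it, so it can be handed to the event.
        final Session storedSession = monitor.findSession(session);
        monitor.remove(session);
        // Parameterized logging, as elsewhere in this class; the session is being destroyed by the
        // container, so the id logged here no longer identifies a live session.
        log.debug("Removed session {}.", session.getId());
        if (storedSession != null) {
            fireEvent(WikiSecurityEvent.SESSION_EXPIRED, storedSession.getLoginPrincipal(), storedSession);
        }
    }
}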

Example 13 with Session

use of org.apache.wiki.api.core.Session in project jspwiki by apache.

the class SessionMonitor method userPrincipals.

/**
 * <p>Returns the current wiki users as a sorted array of Principal objects, one per Session held in
 * {@code m_sessions}, as returned by each Session's {@link Session#getUserPrincipal()}.</p>
 * <p>The principals are copied out while holding the {@code m_sessions} lock; sorting with
 * {@code m_comparator} is done afterwards on the private copy, so the lock is held only for the copy.</p>
 *
 * @return the array of user principals, ordered by {@code m_comparator}
 */
public final Principal[] userPrincipals() {
    final Collection<Principal> snapshot;
    synchronized (m_sessions) {
        snapshot = new ArrayList<>(m_sessions.size());
        for (final Session wikiSession : m_sessions.values()) {
            snapshot.add(wikiSession.getUserPrincipal());
        }
    }
    final Principal[] result = snapshot.toArray(new Principal[snapshot.size()]);
    Arrays.sort(result, m_comparator);
    return result;
}

Example 14 with Session

use of org.apache.wiki.api.core.Session in project jspwiki by apache.

the class SessionMonitor method findSession.

/**
 *  Looks up an existing WikiSession by HTTP session id; never creates one.
 *  A <code>null</code> id is looked up under the key <code>"(null)"</code>.
 *  May return <code>null</code>, <em>and callers should check for this value</em>.
 *
 *  @param sessionId the user's HTTP session id
 *  @return the WikiSession, if found, otherwise <code>null</code>
 */
private Session findSession(final String sessionId) {
    final String sid = (sessionId == null) ? "(null)" : sessionId;
    // NOTE(review): this read takes no lock on m_sessions while userPrincipals() synchronizes on it —
    // confirm m_sessions is a thread-safe map.
    final Session found = m_sessions.get(sid);
    if (found == null) {
        return null;
    }
    log.debug("Looking up WikiSession for session ID={}... found it", sid);
    return found;
}

Example 15 with Session

use of org.apache.wiki.api.core.Session in project jspwiki by apache.

the class UserManagerTest method testSetRenamedUserProfile.

/**
 * Renaming a user must propagate to every place the old identity is referenced: the Subject's
 * principals, group memberships and page ACLs. The test first changes the full name (step 4) and later
 * the login name (step 8); after each rename it checks that only the current full name survives in the
 * group and the ACL, that the page text was rewritten, and that the test user keeps view access while
 * Bob is still denied.
 * <p>Shared state ({@code m_db}, {@code m_mgr}, {@code m_engine}, {@code m_groupName}) comes from the
 * test fixture; all names are suffixed with the current time so repeated runs do not collide.</p>
 *
 * @throws Exception propagated from the engine and manager calls under test
 */
@Test
public void testSetRenamedUserProfile() throws Exception {
    // First, count the number of users, groups, and pages
    final int oldUserCount = m_db.getWikiNames().length;
    final GroupManager groupManager = m_engine.getManager(GroupManager.class);
    final PageManager pageManager = m_engine.getManager(PageManager.class);
    final AuthorizationManager authManager = m_engine.getManager(AuthorizationManager.class);
    final int oldGroupCount = groupManager.getRoles().length;
    final int oldPageCount = pageManager.getTotalPageCount();
    // Setup Step 1: create a new user with random name
    final Context context = Wiki.context().create(m_engine, m_engine.newHttpRequest(), "");
    final Session session = context.getWikiSession();
    final long now = System.currentTimeMillis();
    final String oldLogin = "TestLogin" + now;
    final String oldName = "Test User " + now;
    final String newLogin = "RenamedLogin" + now;
    final String newName = "Renamed User " + now;
    UserProfile profile = m_db.newProfile();
    profile.setEmail("jspwiki.tests@mailinator.com");
    profile.setLoginName(oldLogin);
    profile.setFullname(oldName);
    profile.setPassword("password");
    m_mgr.setUserProfile(context, profile);
    // 1a. Make sure the profile saved successfully and that we're logged in
    profile = m_mgr.getUserProfile(session);
    Assertions.assertEquals(oldLogin, profile.getLoginName());
    Assertions.assertEquals(oldName, profile.getFullname());
    Assertions.assertEquals(oldUserCount + 1, m_db.getWikiNames().length);
    Assertions.assertTrue(session.isAuthenticated());
    // Setup Step 2: create a new group with our test user in it
    // (both the login name and the full name are listed, to see which one survives the rename)
    Group group = groupManager.parseGroup(m_groupName, "Alice \n Bob \n Charlie \n " + oldLogin + "\n" + oldName, true);
    groupManager.setGroup(session, group);
    // 2a. Make sure the group is created with the user in it, and the role is added to the Subject
    Assertions.assertEquals(oldGroupCount + 1, groupManager.getRoles().length);
    Assertions.assertTrue(group.isMember(new WikiPrincipal(oldLogin)));
    Assertions.assertTrue(group.isMember(new WikiPrincipal(oldName)));
    Assertions.assertFalse(group.isMember(new WikiPrincipal(newLogin)));
    Assertions.assertFalse(group.isMember(new WikiPrincipal(newName)));
    Assertions.assertTrue(groupManager.isUserInRole(session, group.getPrincipal()));
    // Setup Step 3: create a new page with our test user in the ACL
    String pageName = "TestPage" + now;
    m_engine.saveText(pageName, "Test text. [{ALLOW view " + oldName + ", " + oldLogin + ", Alice}] More text.");
    // 3a. Make sure the page got saved, and that ONLY our test user has permission to read it.
    Page p = m_engine.getManager(PageManager.class).getPage(pageName);
    Assertions.assertEquals(oldPageCount + 1, pageManager.getTotalPageCount());
    Assertions.assertNotNull(p.getAcl().getAclEntry(new WikiPrincipal(oldLogin)));
    Assertions.assertNotNull(p.getAcl().getAclEntry(new WikiPrincipal(oldName)));
    Assertions.assertNull(p.getAcl().getAclEntry(new WikiPrincipal(newLogin)));
    Assertions.assertNull(p.getAcl().getAclEntry(new WikiPrincipal(newName)));
    Assertions.assertTrue(authManager.checkPermission(session, PermissionFactory.getPagePermission(p, "view")), "Test User view page");
    // Bob is an unrelated authenticated user: the ACL rewrites below must never grant him access.
    final Session bobSession = WikiSessionTest.authenticatedSession(m_engine, Users.BOB, Users.BOB_PASS);
    Assertions.assertFalse(authManager.checkPermission(bobSession, PermissionFactory.getPagePermission(p, "view")), "Bob !view page");
    // Setup Step 4: change the user name in the profile and see what happens
    profile = m_db.newProfile();
    profile.setEmail("jspwiki.tests@mailinator.com");
    profile.setLoginName(oldLogin);
    profile.setFullname(newName);
    profile.setPassword("password");
    m_mgr.setUserProfile(context, profile);
    // Test 1: the wiki session should have the new wiki name in Subject
    Principal[] principals = session.getPrincipals();
    Assertions.assertTrue(ArrayUtils.contains(principals, new WikiPrincipal(oldLogin)));
    Assertions.assertFalse(ArrayUtils.contains(principals, new WikiPrincipal(oldName)));
    Assertions.assertFalse(ArrayUtils.contains(principals, new WikiPrincipal(newLogin)));
    Assertions.assertTrue(ArrayUtils.contains(principals, new WikiPrincipal(newName)));
    // Test 2: our group should not contain the old name OR login name any more
    // (the full name is always used)
    group = groupManager.getGroup(m_groupName);
    Assertions.assertFalse(group.isMember(new WikiPrincipal(oldLogin)));
    Assertions.assertFalse(group.isMember(new WikiPrincipal(oldName)));
    Assertions.assertFalse(group.isMember(new WikiPrincipal(newLogin)));
    Assertions.assertTrue(group.isMember(new WikiPrincipal(newName)));
    // Test 3: our page should not contain the old wiki name OR login name
    // in the ACL any more (the full name is always used)
    p = m_engine.getManager(PageManager.class).getPage(pageName);
    Assertions.assertNull(p.getAcl().getAclEntry(new WikiPrincipal(oldLogin)));
    Assertions.assertNull(p.getAcl().getAclEntry(new WikiPrincipal(oldName)));
    Assertions.assertNull(p.getAcl().getAclEntry(new WikiPrincipal(newLogin)));
    Assertions.assertNotNull(p.getAcl().getAclEntry(new WikiPrincipal(newName)));
    Assertions.assertTrue(authManager.checkPermission(session, PermissionFactory.getPagePermission(p, "view")), "Test User view page");
    Assertions.assertFalse(authManager.checkPermission(bobSession, PermissionFactory.getPagePermission(p, "view")), "Bob !view page");
    // Test 4: our page text should have been re-written
    // (The new full name should be in the ACL, but the login name should have been removed)
    // The expected text pins the exact serialization the rewrite produces: ACL markup moved to the
    // front, the remaining text collapsed onto one line.
    String expectedText = "[{ALLOW view Alice," + newName + "}]\nTest text.  More text.\r\n";
    String actualText = m_engine.getManager(PageManager.class).getText(pageName);
    Assertions.assertEquals(expectedText, actualText);
    // Remove our test page
    m_engine.getManager(PageManager.class).deletePage(pageName);
    // Setup Step 6: re-create the group with our old test user names in it
    group = groupManager.parseGroup(m_groupName, "Alice \n Bob \n Charlie \n " + oldLogin + "\n" + oldName, true);
    groupManager.setGroup(session, group);
    // Setup Step 7: Save a new page with the old login/wiki names in the ACL again
    // The test user should still be able to see the page (because the login name matches...)
    pageName = "TestPage2" + now;
    m_engine.saveText(pageName, "More test text. [{ALLOW view " + oldName + ", " + oldLogin + ", Alice}] More text.");
    p = m_engine.getManager(PageManager.class).getPage(pageName);
    Assertions.assertEquals(oldPageCount + 1, pageManager.getTotalPageCount());
    Assertions.assertNotNull(p.getAcl().getAclEntry(new WikiPrincipal(oldLogin)));
    Assertions.assertNotNull(p.getAcl().getAclEntry(new WikiPrincipal(oldName)));
    Assertions.assertNull(p.getAcl().getAclEntry(new WikiPrincipal(newLogin)));
    Assertions.assertNull(p.getAcl().getAclEntry(new WikiPrincipal(newName)));
    Assertions.assertTrue(authManager.checkPermission(session, PermissionFactory.getPagePermission(p, "view")), "Test User view page");
    Assertions.assertFalse(authManager.checkPermission(bobSession, PermissionFactory.getPagePermission(p, "view")), "Bob !view page");
    // Setup Step 8: re-save the profile with the new login name
    // (the full name goes back to oldName, so this time only the login name changes)
    profile = m_db.newProfile();
    profile.setEmail("jspwiki.tests@mailinator.com");
    profile.setLoginName(newLogin);
    profile.setFullname(oldName);
    profile.setPassword("password");
    m_mgr.setUserProfile(context, profile);
    // Test 5: the wiki session should have the new login name in Subject
    principals = session.getPrincipals();
    Assertions.assertFalse(ArrayUtils.contains(principals, new WikiPrincipal(oldLogin)));
    Assertions.assertTrue(ArrayUtils.contains(principals, new WikiPrincipal(oldName)));
    Assertions.assertTrue(ArrayUtils.contains(principals, new WikiPrincipal(newLogin)));
    Assertions.assertFalse(ArrayUtils.contains(principals, new WikiPrincipal(newName)));
    // Test 6: our group should not contain the old name OR login name any more
    // (the full name is always used)
    group = groupManager.getGroup(m_groupName);
    Assertions.assertFalse(group.isMember(new WikiPrincipal(oldLogin)));
    Assertions.assertTrue(group.isMember(new WikiPrincipal(oldName)));
    Assertions.assertFalse(group.isMember(new WikiPrincipal(newLogin)));
    Assertions.assertFalse(group.isMember(new WikiPrincipal(newName)));
    // Test 7: our page should not contain the old wiki name OR login name
    // in the ACL any more (the full name is always used)
    p = m_engine.getManager(PageManager.class).getPage(pageName);
    Assertions.assertNull(p.getAcl().getAclEntry(new WikiPrincipal(oldLogin)));
    Assertions.assertNotNull(p.getAcl().getAclEntry(new WikiPrincipal(oldName)));
    Assertions.assertNull(p.getAcl().getAclEntry(new WikiPrincipal(newLogin)));
    Assertions.assertNull(p.getAcl().getAclEntry(new WikiPrincipal(newName)));
    Assertions.assertTrue(authManager.checkPermission(session, PermissionFactory.getPagePermission(p, "view")), "Test User view page");
    Assertions.assertFalse(authManager.checkPermission(bobSession, PermissionFactory.getPagePermission(p, "view")), "Bob !view page");
    // Test 8: our page text should have been re-written
    // (The new full name should be in the ACL, but the login name should have been removed)
    expectedText = "[{ALLOW view Alice," + oldName + "}]\nMore test text.  More text.\r\n";
    actualText = m_engine.getManager(PageManager.class).getText(pageName);
    Assertions.assertEquals(expectedText, actualText);
    // CLEANUP: delete the profile; user and page; should be back to old counts
    // (the profile is deleted by its current login name, newLogin, not the one it was created with)
    m_db.deleteByLoginName(newLogin);
    Assertions.assertEquals(oldUserCount, m_db.getWikiNames().length);
    groupManager.removeGroup(group.getName());
    Assertions.assertEquals(oldGroupCount, groupManager.getRoles().length);
    m_engine.getManager(PageManager.class).deletePage(pageName);
    Assertions.assertEquals(oldPageCount, pageManager.getTotalPageCount());
}
