From: Eric P. <th...@us...> - 2009-10-05 01:42:33
Update of /cvsroot/sandev/sand/platform/tools/src/org/sandev/tools/UIProcessor
In directory fdv4jf1.ch3.sourceforge.com:/tmp/cvs-serv18282
Modified Files:
XHTMLSandUIServlet.java
Log Message:
support for encrypted login credentials passed with the URL.
Index: XHTMLSandUIServlet.java
===================================================================
RCS file: /cvsroot/sandev/sand/platform/tools/src/org/sandev/tools/UIProcessor/XHTMLSandUIServlet.java,v
retrieving revision 1.36
retrieving revision 1.37
diff -C2 -d -r1.36 -r1.37
*** XHTMLSandUIServlet.java 24 Sep 2009 21:44:03 -0000 1.36
--- XHTMLSandUIServlet.java 5 Oct 2009 01:42:19 -0000 1.37
***************
*** 57,60 ****
--- 57,61 ----
import org.sandev.basics.sandmessages.TestRunStatus;
import org.sandev.basics.util.UIFormOwner;
+ import org.sandev.basics.util.CommBridge;
import org.sandev.basics.util.UIRenderInput;
import org.sandev.basics.util.UIRenderOutputStream;
***************
*** 71,77 ****
--- 72,80 ----
import org.sandev.basics.util.SandEncryptor;
import org.sandev.basics.util.SandEncryptorException;
+ import org.sandev.basics.util.SampleEncryptor;
import org.sandev.basics.util.UserWorkLog;
import org.sandev.basics.util.ArrayUtils;
import org.sandev.basics.util.XMLTextProcessing;
+ import org.sandev.basics.util.StringUtil;
import org.sandev.basics.MessageDriver.MessageDriverNodeInstance;
import org.sandev.basics.MessageDriver.MessageDriverNode;
***************
*** 956,967 ****
String username=req.getParameter("username");
String password=req.getParameter("password");
! if((username!=null)&&(!username.equals(""))) {
AuthUser user=null;
! try {
! user=getFormOwner().getUserFromLogin(username,password);
! } catch(SandException e) {
! //if anything goes wrong, then login fails.
! debugout("XHTMLSandUIServlet.authLogin caught " + e);
! }
if(user!=null) {
debugout(username + " has logged in");
--- 959,965 ----
String username=req.getParameter("username");
String password=req.getParameter("password");
! 
if(StringUtil.haveValue(username)) { AuthUser user=null; ! user=getFormOwner().getUserFromLogin(username,password); if(user!=null) { debugout(username + " has logged in"); *************** *** 1396,1427 **** /** ! * Read the URL parameters for username password information and return ! * the associated AuthUser uniqueID if found. Return the defaultAuthID ! * if not found. Specifying the username and password as URL parameters ! * is generally bad practice since this can be observed in transit and ! * gets recorded in firewall logs and everywhere. However there are ! * times when this can be a useful mechanism. * ! * <p>One example is access to our demo heap. The demo heap provides ! * access as requested, and all passwords are "demo" so it doesn't ! * matter if we send that info as a URL parameter. By specifying the ! * username/password info, we can automatically set up a user account ! * if the requestor doesn't already have one. </p> */ public long readAuthParameters(long defaultAuthID,HttpServletRequest req) throws SandException { String username=req.getParameter("user"); String password=req.getParameter("pass"); ! if((username==null)||(username.trim().equals(""))) { ! return defaultAuthID; } ! debugout("readAuthParameters finding user " + username); ! AuthUser user=getFormOwner().getUserFromLogin(username,password); ! if(user!=null) { ! debugout("readAuthParameters: user " + username + ! " (id " + user.getUniqueID() + ") found"); ! return user.getUniqueID(); } ! debugout("readAuthParameters: user " + username + " not found"); ! return defaultAuthID; } --- 1394,1456 ---- /** ! * Read the URL parameters for username password information and ! * return the associated AuthUser uniqueID if found. Return the ! * defaultAuthID if not found. Specifying the username and ! * password as URL parameters is a REALLY BAD IDEA since this can ! * be observed in transit, gets recorded in firewall logs etc. ! * However there are times when this can be a useful mechanism, ! 
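Review bot: Dropping the try/catch around `user=getFormOwner().getUserFromLogin(username,password);` changes what happens when the lookup fails: a SandException now leaves the method instead of being logged and treated as a failed login, which is what the removed comment said was intended. The enclosing method starts before this hunk, so it is not visible whether it declares `throws SandException` or what the caller does with it; if "any error means login fails" is still the contract, keep a narrow catch, e.g. `try { user=getFormOwner().getUserFromLogin(username,password); } catch(SandException e) { debugout("XHTMLSandUIServlet.authLogin caught " + e); }`. The switch to `StringUtil.haveValue(username)` presumably also rejects whitespace-only names, which the old `!username.equals("")` test let through; worth confirming that is intended.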
* such as providing access to a demo account that is not the ! * default guest account. It's not secured, but still requires a ! * login. This is one way to handle those situations. * ! * <p>The enclogin param is only slightly more reasonable to use, ! * since anyone seeing it can just be pass this string along ! * themselves to impersonate the user. Cosmetically they don't ! * see a plaintext "password" field in the URL, but it's ! * completely useless in terms of actual security. The only real ! * way to do a login is to actually go through the login process, ! * typically involving POSTing parameters over https. </p> */ public long readAuthParameters(long defaultAuthID,HttpServletRequest req) throws SandException { + long retval=defaultAuthID; String username=req.getParameter("user"); String password=req.getParameter("pass"); ! String enclogin=req.getParameter("enclogin"); ! if(StringUtil.haveValue(enclogin)) { ! try { ! debugout("XHTMLSandUIServlet.readAuthParameters enclogin"); ! SandEncryptor sec=null; ! if(getFormOwner() instanceof CommBridge) { ! sec=((CommBridge)getFormOwner()).getEncryptor(); } ! else { ! sec=new SampleEncryptor(); } ! long userID=sec.getCypherUserID(enclogin); ! AuthUser cand=getFormOwner().getUserForID(userID); ! //if(cand!=null) { ! // debugout("cand " + userID); } ! String userpass=sec.decrypt(cand,enclogin); ! username=userpass.substring(0,userpass.indexOf(":")); ! password=userpass.substring(userpass.indexOf(":")+1); ! //debugout(" cand.username: " + cand.getUsername()); ! //debugout(" user.username: " + username); ! //debugout(" cand.password: " + cand.getPassword()); ! //debugout(" user.password: " + password); ! if((cand.getUsername().equals(username))&& ! (cand.getPassword().equals(password))) { ! retval=cand.getUniqueID(); ! debugout("enclogin found user " + retval + ! " (" + username + ")"); } ! } catch(Exception e) { ! debugout("XHTMLSandUIServlet enclogin caught " + e); ! } } ! else if(StringUtil.haveValue(username)) { ! 
AuthUser user=getFormOwner().getUserFromLogin(username,password); ! if(user!=null) { ! retval=user.getUniqueID(); ! debugout("readAuthParameters found user " + retval + ! " (" + username + ")"); } } ! return retval; } |
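Review bot: In the enclogin branch, `AuthUser cand=getFormOwner().getUserForID(userID);` is never checked for null before `sec.decrypt(cand,enclogin)` and `cand.getUsername()`, and the result of `userpass.indexOf(":")` is used unchecked, so a token for an unknown id or a decrypted string without a separator fails with a NullPointerException or StringIndexOutOfBoundsException that the blanket `catch(Exception e)` then reduces to a debug line. I would handle both cases explicitly and narrow the catch to the exception types the encryptor actually declares (SandEncryptorException is already imported, and the method already declares SandException); the rewritten middle of the branch is below. The commented-out `//debugout(" cand.password: " + cand.getPassword());` and `//debugout(" user.password: " + password);` lines should be deleted rather than left in place, since re-enabling them would write credentials to the debug log. The Javadoc should also say which encryptor the non-CommBridge fallback (`sec=new SampleEncryptor();`) uses and whether that path is expected outside development, since the rest of the comment is careful to describe how weak this mechanism is.
```java
long userID=sec.getCypherUserID(enclogin);
AuthUser cand=getFormOwner().getUserForID(userID);
if(cand==null) {
  debugout("enclogin: no user for id " + userID);
}
else {
  String userpass=sec.decrypt(cand,enclogin);
  int sep=userpass.indexOf(':');
  if(sep<0) {
    debugout("enclogin: malformed credential for user " + userID);
  }
  else if((cand.getUsername().equals(userpass.substring(0,sep)))&&
          (cand.getPassword().equals(userpass.substring(sep+1)))) {
    retval=cand.getUniqueID();
    debugout("enclogin found user " + retval +
             " (" + cand.getUsername() + ")");
  }
}
// … unchanged: catch block, plain user/pass branch, return retval …
```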