public boolean checkAndChangePassword(
final User user, final String oldPassword, final String password) throws MailException {
if (user.checkPassword(oldPassword)) {
((UserImpl) user).setPassword(password);
entityManager.merge(user);
final UserString email = user.getEmail();
if (email != null)
MailSender.sendPasswordChangeMail(user.getName().toString(), password, email.nonEscaped());
return true;
}
return false;
}
private void handleChangePasswordPost(Request request, HttpServletResponse httpServletResponse)
throws Exception {
LoginInfo loginInfo = userHelpers.getLoginInfo(request);
if (loginInfo == null) {
WebUtils.redirectToError("Couldn't determine the current user", request, httpServletResponse);
return;
}
String userId = loginInfo.userId;
String stringCrtPassword = request.getParameter(PARAM_CURRENT_PASSWORD);
String stringNewPassword = request.getParameter(PARAM_PASSWORD);
String stringNewPasswordConfirm = request.getParameter(PARAM_PASSWORD_CONFIRM);
if (!stringNewPassword.equals(stringNewPasswordConfirm)) {
showResult(
"Mismatch between password and password confirmation",
PATH_SETTINGS,
request,
httpServletResponse);
return;
}
User user =
userDb.get(
userId); // ttt1 crashes for wrong ID; 2013.07.20 - no longer have an idea what this is
// about
if (user == null) {
WebUtils.redirectToError("Couldn't find the current user", request, httpServletResponse);
return;
}
if (!user.checkPassword(stringCrtPassword)) {
showResult("Incorrect current password", PATH_SETTINGS, request, httpServletResponse);
return;
}
SecureRandom secureRandom = new SecureRandom();
String salt = "" + secureRandom.nextLong();
byte[] password = User.computeHashedPassword(stringNewPassword, salt);
user.salt = salt;
user.password = password;
// ttt3 2 clients can change the password simultaneously
userDb.add(user);
// httpServletResponse.sendRedirect(PATH_SETTINGS);
showResult("Password changed", PATH_SETTINGS, request, httpServletResponse);
}
/**
* Authenticate a user with the given username/email and password Note: this doesn't create a new
* session.
*
* @param userName The username/email of the user to authenticate.
* @param password The password to try.
* @return the user, if the username and password are correct, else null
*/
public User authenticate(String userName, String password) {
User u = where().or().username.equalTo(userName).or().email.equalTo(userName).findUnique();
if (u == null) {
// User doesn't exist.
return null;
} else {
if (u.checkPassword(password)) {
// password correct!
return u;
} else {
// incorrect password
return null;
}
}
}
/** Returns the User object with the specified name and password from this object's set. */
public User getUser(String name, String password) {
if (name == null) {
name = "";
}
if (password == null) {
password = "";
}
User user = get(name);
user.checkPassword(password);
return user;
}
@Test
public void testUserManagement() {
// Try to get non-existent
User user = _userManager.getUser("nonexistentuser");
assertNull(user);
// Clear DB as necessary
user = _userManager.getUser("testuser");
if (user != null) {
_userManager.deleteUser(user);
}
// Add
user = getTestUser();
Set<UserGroup> userGroups = new HashSet<UserGroup>();
UserGroup userGroup = _userManager.getUserGroup("testusergroup");
if (userGroup == null) {
userGroup = new UserGroup();
userGroup.setName("testusergroup");
userGroup.getAuthorities().add(new Authority("testauthority"));
}
userGroup.getUsers().add(user);
user.setUserGroups(userGroups);
_userManager.addUser(user);
// Update
user.setPassword("modifiedtestpw");
_userManager.updateUser(user);
user = _userManager.getUser("testuser");
assertNotNull(user);
assertTrue(user.checkPassword("modifiedtestpw"));
// Delete
_userManager.deleteUser(user);
user = _userManager.getUser("testuser");
assertNull(user);
}
/** Returns the User object with the specified name and password from this object's set. */
public User getUser(String name, String password) {
if (name == null) {
name = "";
}
if (password == null) {
password = "";
}
User user = (User) userList.get(name);
boolean isLocal = user != null && user.isLocalOnly;
if (extAuthenticationFunction == null || isLocal) {
user = get(name);
user.checkPassword(password);
return user;
}
/*
* Authentication returns String[]. When null, use the existing
* user object only, with existing privileges.
* When not null, ignore if user exists. Otherwise create a user and
* assign the list of roles to the user.
*/
Result result =
extAuthenticationFunction.invokeJavaMethodDirect(
new String[] {granteeManager.database.getUniqueName(), name, password});
if (result.isError()) {
throw Error.error(ErrorCode.X_28501, result.getMainString());
}
Object[] roles = (Object[]) result.getValueObject();
if (user == null) {
HsqlName hsqlName =
granteeManager.database.nameManager.newHsqlName(name, true, SchemaObject.GRANTEE);
user = createUser(null, hsqlName, "", false);
user.isExternalOnly = true;
}
if (roles == null) {
user.updateAllRights();
return user;
}
// this clears all existing privileges of the user
user.clearPrivileges();
// assigns the roles to the user
for (int i = 0; i < roles.length; i++) {
try {
Grantee role = granteeManager.getRole((String) roles[i]);
user.grant(role);
} catch (HsqlException e) {
}
}
user.updateAllRights();
for (int i = 0; i < roles.length; i++) {
Schema schema = granteeManager.database.schemaManager.findSchema((String) roles[i]);
if (schema != null) {
user.setInitialSchema(schema.getName());
break;
}
}
return user;
}
@Test
public void test1() {
assertEquals(true, User.checkPassword("saam", "stanford", connection));
}
private void handleLoginPost(
Request request, HttpServletResponse httpServletResponse, boolean secured) throws Exception {
String userId = request.getParameter(PARAM_USER_ID);
String password = request.getParameter(PARAM_PASSWORD);
String rememberAccountStr = request.getParameter(PARAM_REMEMBER_ACCOUNT);
boolean rememberAccount = Boolean.parseBoolean(rememberAccountStr);
LoginInfo.SessionInfo sessionInfo = UserHelpers.getSessionInfo(request);
logOut(sessionInfo.browserId);
User user = userDb.get(userId);
if (user == null) {
WebUtils.redirectToError("User " + userId + " not found", request, httpServletResponse);
return;
}
if (!user.checkPassword(password)) {
WebUtils.redirectToError("Invalid password", request, httpServletResponse);
return;
}
if (!user.active) {
WebUtils.redirectToError(
"Account for User " + userId + " needs to be activated", request, httpServletResponse);
return;
}
LOG.info("Logged in user " + userId);
sessionInfo.sessionId = null;
if (sessionInfo.browserId == null) {
sessionInfo.browserId = getRandomId();
} else {
for (LoginInfo loginInfo : loginInfoDb.getLoginsForBrowser(sessionInfo.browserId)) {
if (userId.equals(loginInfo.userId)) {
sessionInfo.sessionId = loginInfo.sessionId;
break;
}
}
}
long expireOn = System.currentTimeMillis() + Config.getConfig().loginExpireInterval;
if (sessionInfo.sessionId == null) {
sessionInfo.sessionId = getRandomId();
Config config = Config.getConfig();
loginInfoDb.add(
new LoginInfo(
sessionInfo.browserId,
sessionInfo.sessionId,
userId,
expireOn,
rememberAccount,
config.defaultStyle,
config.defaultItemsPerPage,
config.defaultFeedDateFormat));
LOG.info(String.format("Logging in in a new session. User: %s", user));
} else {
loginInfoDb.updateExpireTime(sessionInfo.browserId, sessionInfo.sessionId, expireOn);
LOG.info(String.format("Logging in in an existing session. User: %s", user));
}
WebUtils.saveCookies(
httpServletResponse, secured, sessionInfo.browserId, sessionInfo.sessionId);
httpServletResponse.sendRedirect("/");
}