private void handleSignupPost(Request request, HttpServletResponse httpServletResponse)
throws Exception {
String userId = request.getParameter(PARAM_USER_ID);
String userName = request.getParameter(PARAM_USER_NAME);
String email = request.getParameter(PARAM_EMAIL);
String stringPassword = request.getParameter(PARAM_PASSWORD);
String stringPasswordConfirm = request.getParameter(PARAM_PASSWORD_CONFIRM);
if (!stringPassword.equals(stringPasswordConfirm)) {
WebUtils.redirectToError(
"Mismatch between password and password confirmation", request, httpServletResponse);
return;
}
SecureRandom secureRandom = new SecureRandom();
String salt = "" + secureRandom.nextLong();
byte[] password = User.computeHashedPassword(stringPassword, salt);
User user = userDb.get(userId);
if (user != null) {
WebUtils.redirectToError(
"There already exists a user with the ID " + userId, request, httpServletResponse);
return;
}
user =
new User(
userId,
userName,
password,
salt,
email,
new ArrayList<String>(),
Config.getConfig().activateAccountsAtCreation,
false);
// ttt2 add confirmation by email, captcha, ...
List<String> fieldErrors = user.checkFields();
if (!fieldErrors.isEmpty()) {
StringBuilder bld =
new StringBuilder("Invalid values when trying to create user with ID ")
.append(userId)
.append("<br/>");
for (String s : fieldErrors) {
bld.append(s).append("<br/>");
}
WebUtils.redirectToError(bld.toString(), request, httpServletResponse);
return;
}
// ttt2 2 clients can add the same userId simultaneously
userDb.add(user);
httpServletResponse.sendRedirect("/");
}
private void handleChangePasswordPost(Request request, HttpServletResponse httpServletResponse)
throws Exception {
LoginInfo loginInfo = userHelpers.getLoginInfo(request);
if (loginInfo == null) {
WebUtils.redirectToError("Couldn't determine the current user", request, httpServletResponse);
return;
}
String userId = loginInfo.userId;
String stringCrtPassword = request.getParameter(PARAM_CURRENT_PASSWORD);
String stringNewPassword = request.getParameter(PARAM_PASSWORD);
String stringNewPasswordConfirm = request.getParameter(PARAM_PASSWORD_CONFIRM);
if (!stringNewPassword.equals(stringNewPasswordConfirm)) {
showResult(
"Mismatch between password and password confirmation",
PATH_SETTINGS,
request,
httpServletResponse);
return;
}
User user =
userDb.get(
userId); // ttt1 crashes for wrong ID; 2013.07.20 - no longer have an idea what this is
// about
if (user == null) {
WebUtils.redirectToError("Couldn't find the current user", request, httpServletResponse);
return;
}
if (!user.checkPassword(stringCrtPassword)) {
showResult("Incorrect current password", PATH_SETTINGS, request, httpServletResponse);
return;
}
SecureRandom secureRandom = new SecureRandom();
String salt = "" + secureRandom.nextLong();
byte[] password = User.computeHashedPassword(stringNewPassword, salt);
user.salt = salt;
user.password = password;
// ttt3 2 clients can change the password simultaneously
userDb.add(user);
// httpServletResponse.sendRedirect(PATH_SETTINGS);
showResult("Password changed", PATH_SETTINGS, request, httpServletResponse);
}
public static void load(Properties properties)
throws NoSuchAlgorithmException, InstantiationException, IllegalAccessException,
ClassNotFoundException, IOException, NoSuchProviderException {
CsrfGuard csrfGuard = SingletonHolder.instance;
/** load simple properties * */
csrfGuard.setLogger(
(ILogger)
Class.forName(
properties.getProperty(
"org.owasp.csrfguard.Logger", "org.owasp.csrfguard.log.ConsoleLogger"))
.newInstance());
csrfGuard.setTokenName(
properties.getProperty("org.owasp.csrfguard.TokenName", "OWASP_CSRFGUARD"));
csrfGuard.setTokenLength(
Integer.parseInt(properties.getProperty("org.owasp.csrfguard.TokenLength", "32")));
csrfGuard.setRotate(
Boolean.valueOf(properties.getProperty("org.owasp.csrfguard.Rotate", "false")));
csrfGuard.setTokenPerPage(
Boolean.valueOf(properties.getProperty("org.owasp.csrfguard.TokenPerPage", "false")));
csrfGuard.setTokenPerPagePrecreate(
Boolean.valueOf(
properties.getProperty("org.owasp.csrfguard.TokenPerPagePrecreate", "false")));
csrfGuard.setPrng(
SecureRandom.getInstance(
properties.getProperty("org.owasp.csrfguard.PRNG", "SHA1PRNG"),
properties.getProperty("org.owasp.csrfguard.PRNG.Provider", "SUN")));
csrfGuard.setNewTokenLandingPage(
properties.getProperty("org.owasp.csrfguard.NewTokenLandingPage"));
// default to false if newTokenLandingPage is not set; default to true if set.
if (csrfGuard.getNewTokenLandingPage() == null) {
csrfGuard.setUseNewTokenLandingPage(
Boolean.valueOf(
properties.getProperty("org.owasp.csrfguard.UseNewTokenLandingPage", "false")));
} else {
csrfGuard.setUseNewTokenLandingPage(
Boolean.valueOf(
properties.getProperty("org.owasp.csrfguard.UseNewTokenLandingPage", "true")));
}
csrfGuard.setSessionKey(
properties.getProperty("org.owasp.csrfguard.SessionKey", "OWASP_CSRFGUARD_KEY"));
csrfGuard.setAjax(Boolean.valueOf(properties.getProperty("org.owasp.csrfguard.Ajax", "false")));
csrfGuard.setProtect(
Boolean.valueOf(properties.getProperty("org.owasp.csrfguard.Protect", "false")));
/** first pass: instantiate actions * */
Map<String, IAction> actionsMap = new HashMap<String, IAction>();
for (Object obj : properties.keySet()) {
String key = (String) obj;
if (key.startsWith(ACTION_PREFIX)) {
String directive = key.substring(ACTION_PREFIX.length());
int index = directive.indexOf('.');
/** action name/class * */
if (index < 0) {
String actionClass = properties.getProperty(key);
IAction action = (IAction) Class.forName(actionClass).newInstance();
action.setName(directive);
actionsMap.put(action.getName(), action);
csrfGuard.getActions().add(action);
}
}
}
/** second pass: initialize action parameters * */
for (Object obj : properties.keySet()) {
String key = (String) obj;
if (key.startsWith(ACTION_PREFIX)) {
String directive = key.substring(ACTION_PREFIX.length());
int index = directive.indexOf('.');
/** action name/class * */
if (index >= 0) {
String actionName = directive.substring(0, index);
IAction action = actionsMap.get(actionName);
if (action == null) {
throw new IOException(
String.format("action class %s has not yet been specified", actionName));
}
String parameterName = directive.substring(index + 1);
String parameterValue = properties.getProperty(key);
action.setParameter(parameterName, parameterValue);
}
}
}
/** ensure at least one action was defined * */
if (csrfGuard.getActions().size() <= 0) {
throw new IOException("failure to define at least one action");
}
/** initialize protected, unprotected pages * */
for (Object obj : properties.keySet()) {
String key = (String) obj;
if (key.startsWith(PROTECTED_PAGE_PREFIX)) {
String directive = key.substring(PROTECTED_PAGE_PREFIX.length());
int index = directive.indexOf('.');
/** page name/class * */
if (index < 0) {
String pageUri = properties.getProperty(key);
csrfGuard.getProtectedPages().add(Pattern.compile(pageUri));
}
}
if (key.startsWith(UNPROTECTED_PAGE_PREFIX)) {
String directive = key.substring(UNPROTECTED_PAGE_PREFIX.length());
int index = directive.indexOf('.');
/** page name/class * */
if (index < 0) {
String pageUri = properties.getProperty(key);
csrfGuard.getUnprotectedPages().add(Pattern.compile(pageUri));
}
}
}
/** initialize protected methods * */
String methodList = properties.getProperty("org.owasp.csrfguard.ProtectedMethods");
if (methodList != null && methodList.trim().length() != 0) {
for (String method : methodList.split(",")) {
csrfGuard.getProtectedMethods().add(method.trim());
}
}
}
private String getRandomId() {
SecureRandom secureRandom = new SecureRandom();
return "" + secureRandom.nextLong();
}