Exemplo n.º 1
0
  private void handleSignupPost(Request request, HttpServletResponse httpServletResponse)
      throws Exception {
    String userId = request.getParameter(PARAM_USER_ID);
    String userName = request.getParameter(PARAM_USER_NAME);
    String email = request.getParameter(PARAM_EMAIL);
    String stringPassword = request.getParameter(PARAM_PASSWORD);
    String stringPasswordConfirm = request.getParameter(PARAM_PASSWORD_CONFIRM);

    if (!stringPassword.equals(stringPasswordConfirm)) {
      WebUtils.redirectToError(
          "Mismatch between password and password confirmation", request, httpServletResponse);
      return;
    }

    SecureRandom secureRandom = new SecureRandom();
    String salt = "" + secureRandom.nextLong();
    byte[] password = User.computeHashedPassword(stringPassword, salt);
    User user = userDb.get(userId);
    if (user != null) {
      WebUtils.redirectToError(
          "There already exists a user with the ID " + userId, request, httpServletResponse);
      return;
    }

    user =
        new User(
            userId,
            userName,
            password,
            salt,
            email,
            new ArrayList<String>(),
            Config.getConfig().activateAccountsAtCreation,
            false);
    // ttt2 add confirmation by email, captcha, ...
    List<String> fieldErrors = user.checkFields();
    if (!fieldErrors.isEmpty()) {
      StringBuilder bld =
          new StringBuilder("Invalid values when trying to create user with ID ")
              .append(userId)
              .append("<br/>");
      for (String s : fieldErrors) {
        bld.append(s).append("<br/>");
      }
      WebUtils.redirectToError(bld.toString(), request, httpServletResponse);
      return;
    }

    // ttt2 2 clients can add the same userId simultaneously
    userDb.add(user);

    httpServletResponse.sendRedirect("/");
  }
Exemplo n.º 2
0
  private void handleChangePasswordPost(Request request, HttpServletResponse httpServletResponse)
      throws Exception {

    LoginInfo loginInfo = userHelpers.getLoginInfo(request);
    if (loginInfo == null) {
      WebUtils.redirectToError("Couldn't determine the current user", request, httpServletResponse);
      return;
    }

    String userId = loginInfo.userId;
    String stringCrtPassword = request.getParameter(PARAM_CURRENT_PASSWORD);
    String stringNewPassword = request.getParameter(PARAM_PASSWORD);
    String stringNewPasswordConfirm = request.getParameter(PARAM_PASSWORD_CONFIRM);

    if (!stringNewPassword.equals(stringNewPasswordConfirm)) {
      showResult(
          "Mismatch between password and password confirmation",
          PATH_SETTINGS,
          request,
          httpServletResponse);
      return;
    }

    User user =
        userDb.get(
            userId); // ttt1 crashes for wrong ID; 2013.07.20 - no longer have an idea what this is
                     // about
    if (user == null) {
      WebUtils.redirectToError("Couldn't find the current user", request, httpServletResponse);
      return;
    }

    if (!user.checkPassword(stringCrtPassword)) {
      showResult("Incorrect current password", PATH_SETTINGS, request, httpServletResponse);
      return;
    }

    SecureRandom secureRandom = new SecureRandom();
    String salt = "" + secureRandom.nextLong();
    byte[] password = User.computeHashedPassword(stringNewPassword, salt);
    user.salt = salt;
    user.password = password;

    // ttt3 2 clients can change the password simultaneously
    userDb.add(user);

    // httpServletResponse.sendRedirect(PATH_SETTINGS);
    showResult("Password changed", PATH_SETTINGS, request, httpServletResponse);
  }
Exemplo n.º 3
0
  public static void load(Properties properties)
      throws NoSuchAlgorithmException, InstantiationException, IllegalAccessException,
          ClassNotFoundException, IOException, NoSuchProviderException {
    CsrfGuard csrfGuard = SingletonHolder.instance;

    /** load simple properties * */
    csrfGuard.setLogger(
        (ILogger)
            Class.forName(
                    properties.getProperty(
                        "org.owasp.csrfguard.Logger", "org.owasp.csrfguard.log.ConsoleLogger"))
                .newInstance());
    csrfGuard.setTokenName(
        properties.getProperty("org.owasp.csrfguard.TokenName", "OWASP_CSRFGUARD"));
    csrfGuard.setTokenLength(
        Integer.parseInt(properties.getProperty("org.owasp.csrfguard.TokenLength", "32")));
    csrfGuard.setRotate(
        Boolean.valueOf(properties.getProperty("org.owasp.csrfguard.Rotate", "false")));
    csrfGuard.setTokenPerPage(
        Boolean.valueOf(properties.getProperty("org.owasp.csrfguard.TokenPerPage", "false")));
    csrfGuard.setTokenPerPagePrecreate(
        Boolean.valueOf(
            properties.getProperty("org.owasp.csrfguard.TokenPerPagePrecreate", "false")));
    csrfGuard.setPrng(
        SecureRandom.getInstance(
            properties.getProperty("org.owasp.csrfguard.PRNG", "SHA1PRNG"),
            properties.getProperty("org.owasp.csrfguard.PRNG.Provider", "SUN")));
    csrfGuard.setNewTokenLandingPage(
        properties.getProperty("org.owasp.csrfguard.NewTokenLandingPage"));

    // default to false if newTokenLandingPage is not set; default to true if set.
    if (csrfGuard.getNewTokenLandingPage() == null) {
      csrfGuard.setUseNewTokenLandingPage(
          Boolean.valueOf(
              properties.getProperty("org.owasp.csrfguard.UseNewTokenLandingPage", "false")));
    } else {
      csrfGuard.setUseNewTokenLandingPage(
          Boolean.valueOf(
              properties.getProperty("org.owasp.csrfguard.UseNewTokenLandingPage", "true")));
    }
    csrfGuard.setSessionKey(
        properties.getProperty("org.owasp.csrfguard.SessionKey", "OWASP_CSRFGUARD_KEY"));
    csrfGuard.setAjax(Boolean.valueOf(properties.getProperty("org.owasp.csrfguard.Ajax", "false")));
    csrfGuard.setProtect(
        Boolean.valueOf(properties.getProperty("org.owasp.csrfguard.Protect", "false")));

    /** first pass: instantiate actions * */
    Map<String, IAction> actionsMap = new HashMap<String, IAction>();

    for (Object obj : properties.keySet()) {
      String key = (String) obj;

      if (key.startsWith(ACTION_PREFIX)) {
        String directive = key.substring(ACTION_PREFIX.length());
        int index = directive.indexOf('.');

        /** action name/class * */
        if (index < 0) {
          String actionClass = properties.getProperty(key);
          IAction action = (IAction) Class.forName(actionClass).newInstance();

          action.setName(directive);
          actionsMap.put(action.getName(), action);
          csrfGuard.getActions().add(action);
        }
      }
    }

    /** second pass: initialize action parameters * */
    for (Object obj : properties.keySet()) {
      String key = (String) obj;

      if (key.startsWith(ACTION_PREFIX)) {
        String directive = key.substring(ACTION_PREFIX.length());
        int index = directive.indexOf('.');

        /** action name/class * */
        if (index >= 0) {
          String actionName = directive.substring(0, index);
          IAction action = actionsMap.get(actionName);

          if (action == null) {
            throw new IOException(
                String.format("action class %s has not yet been specified", actionName));
          }

          String parameterName = directive.substring(index + 1);
          String parameterValue = properties.getProperty(key);

          action.setParameter(parameterName, parameterValue);
        }
      }
    }

    /** ensure at least one action was defined * */
    if (csrfGuard.getActions().size() <= 0) {
      throw new IOException("failure to define at least one action");
    }

    /** initialize protected, unprotected pages * */
    for (Object obj : properties.keySet()) {
      String key = (String) obj;

      if (key.startsWith(PROTECTED_PAGE_PREFIX)) {
        String directive = key.substring(PROTECTED_PAGE_PREFIX.length());
        int index = directive.indexOf('.');

        /** page name/class * */
        if (index < 0) {
          String pageUri = properties.getProperty(key);

          csrfGuard.getProtectedPages().add(Pattern.compile(pageUri));
        }
      }

      if (key.startsWith(UNPROTECTED_PAGE_PREFIX)) {
        String directive = key.substring(UNPROTECTED_PAGE_PREFIX.length());
        int index = directive.indexOf('.');

        /** page name/class * */
        if (index < 0) {
          String pageUri = properties.getProperty(key);

          csrfGuard.getUnprotectedPages().add(Pattern.compile(pageUri));
        }
      }
    }

    /** initialize protected methods * */
    String methodList = properties.getProperty("org.owasp.csrfguard.ProtectedMethods");
    if (methodList != null && methodList.trim().length() != 0) {
      for (String method : methodList.split(",")) {
        csrfGuard.getProtectedMethods().add(method.trim());
      }
    }
  }
Exemplo n.º 4
0
 private String getRandomId() {
   SecureRandom secureRandom = new SecureRandom();
   return "" + secureRandom.nextLong();
 }