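/**
 * Checks whether the forum session still matches the user named by the
 * {@code JforumSSO} cookie set by the external login.
 *
 * <p>Returns {@code false} when the cookie is absent or empty (in both cases a redirect
 * to {@link ConfigKeys#SSO_REDIRECT} is scheduled), when the forum session is still the
 * anonymous user, or when the cookie user differs from the session user. Only a present,
 * non-empty cookie whose value equals the session username yields {@code true}.
 *
 * <p>The cookie value is used as-is here. Its integrity (that only the SSO login can set
 * it) has to be guaranteed by the application that issues the cookie; this method cannot
 * verify that.
 *
 * @param userSession the forum session being validated
 * @param request the current request (not consulted; part of the SSO interface)
 * @return {@code true} if the SSO user and the forum user are the same
 */
public boolean isSessionValid(UserSession userSession, RequestContext request) {
    Cookie ssoCookie = ControllerUtils.getCookie("JforumSSO"); // my app login cookie
    logger.info("DEBUG - CustomSSO - isSessionValid - Getting JForumSSO Cookie!");

    // jforum username, or null when the cookie is not present
    String remoteUser = ssoCookie == null ? null : ssoCookie.getValue();

    if (remoteUser == null) {
        logger.info("DEBUG - CustomSSO - isSessionValid - JForumSSO Cookie is NULL!");
        JForumExecutionContext.setRedirect(SystemGlobals.getValue(ConfigKeys.SSO_REDIRECT));
        return false;
    }
    if (remoteUser.isEmpty()) {
        logger.info("DEBUG - CustomSSO - isSessionValid - JForumSSO Cookie is empty!");
        JForumExecutionContext.setRedirect(SystemGlobals.getValue(ConfigKeys.SSO_REDIRECT));
        return false;
    }
    // From here on remoteUser is known to be non-null and non-empty, so the
    // null re-checks of the original conditions are not needed.

    // user has since logged in: the forum side is still anonymous
    if (userSession.getUserId() == SystemGlobals.getIntValue(ConfigKeys.ANONYMOUS_USER_ID)) {
        logger.info("DEBUG - CustomSSO - isSessionValid - JForumSSO Cookie is Anonymous!");
        return false;
    }
    // user has changed user: the cookie names someone else
    if (!remoteUser.equals(userSession.getUsername())) {
        logger.info("DEBUG - CustomSSO - isSessionValid - JForumSSO Cookie User Mismatch");
        return false;
    }

    logger.info("DEBUG - CustomSSO - isSessionValid - Returning True");
    return true; // sso pool apps user and forum user the same
}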
/**
 * Resolves {@code m} in the language of the given session, falling back to the
 * default bundle when there is no session or the session has no language set.
 *
 * @param m the message key
 * @param us the user session, may be {@code null}
 * @return the localized message
 */
public static String getMessage(String m, UserSession us) {
    String lang = us == null ? null : us.getLang();
    boolean hasLanguage = lang != null && !lang.equals("");
    return getMessage(hasLanguage ? lang : defaultName, m);
}
/**
 * Gets all forums available to the user.
 *
 * <p>When unread-post detection is requested and the user is not anonymous, every
 * category is copied and each of its forums is checked for unread posts against the
 * tracking data and the user's last visit; otherwise the repository list is returned
 * untouched.
 *
 * @param us An <code>UserSession</code> instance with user information, may be
 *     <code>null</code> (treated as the anonymous user)
 * @param anonymousUserId The id which represents the anonymous user
 * @param tracking <code>Map</code> instance with information about the topics read by the user
 * @param checkUnreadPosts <code>true</code> if is to search for unread topics inside the
 *     forums, or <code>false</code> if this action is not needed.
 * @return A <code>List</code> instance where each record is an instance of a
 *     <code>Category</code> object
 */
public static List getAllCategoriesAndForums(
    UserSession us, int anonymousUserId, Map tracking, boolean checkUnreadPosts) {
    int userId = anonymousUserId;
    long lastVisit = 0;
    if (us != null) {
        userId = us.getUserId();
        lastVisit = us.getLastVisit().getTime();
    }

    // Unread posts are only meaningful for a logged-in (non-anonymous) user
    boolean scanForUnread = checkUnreadPosts && userId != anonymousUserId;

    List categories = ForumRepository.getAllCategories(userId);
    if (!scanForUnread) {
        return categories;
    }

    List result = new ArrayList();
    for (Object element : categories) {
        // Work on a copy so the repository's categories are not mutated
        Category copy = new Category((Category) element);
        for (Object forumElement : copy.getForums()) {
            ForumCommon.checkUnreadPosts((Forum) forumElement, tracking, lastVisit);
        }
        result.add(copy);
    }
    return result;
}
/**
 * Gets all categories and forums for the current session, checking for unread posts
 * only when the session belongs to a logged-in (non-anonymous) user.
 *
 * @see #getAllCategoriesAndForums(boolean)
 * @return List
 */
public static List getAllCategoriesAndForums() {
    LOG.trace("getAllCategoriesAndForums");
    UserSession us = SessionFacade.getUserSession();

    boolean checkUnread = false;
    if (us != null) {
        int anonymousId = SystemGlobals.getIntValue(ConfigKeys.ANONYMOUS_USER_ID);
        checkUnread = us.getUserId() != anonymousId;
    }
    return getAllCategoriesAndForums(checkUnread);
}
/**
 * Gets the language name for the current request. The value of {@link UserSession#getLang()}
 * wins when it is present and not blank; otherwise the default board language is used.
 *
 * @return String
 */
public static String getUserLanguage() {
    UserSession us = SessionFacade.getUserSession();
    if (us != null) {
        String lang = us.getLang();
        if (lang != null && !lang.trim().isEmpty()) {
            return lang;
        }
    }
    return defaultName;
}
/**
 * Makes the current logged user watch a specific topic, then redirects to the topic list.
 *
 * @param topicId the id of the topic to watch
 */
@SecurityConstraint(value = AuthenticatedRule.class, displayLogin = true)
public void watch(long topicId) {
    // Only the id is needed; the service resolves the rest
    Topic target = new Topic();
    target.setId(topicId);

    this.watchService.watch(target, this.userSession.getUser());
    this.result.redirectTo(Actions.LIST + "/" + topicId);
}
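/**
 * Checks user credentials / automatic login.
 *
 * <p>Auto login is attempted only when the user-id cookie, the user-hash cookie and the
 * auto-login cookie are all present, the id is not the anonymous id and the auto-login
 * cookie is {@code "1"}. The hash cookie is then compared with the MD5 of the user's
 * stored auth hash; on a match the user is loaded and the session configured. A cookie
 * id that is not a number, a missing stored hash, a hash mismatch or a missing/deleted
 * user all leave the user logged out.
 *
 * @param userSession The UserSession instance associated to the user's session
 * @return <code>true</code> if auto login was enabled and the user was sucessfuly logged in.
 * @throws DatabaseException if the database lookups fail
 */
protected boolean checkAutoLogin(UserSession userSession) {
    LOG.trace("checkAutoLogin");

    String cookieName = SystemGlobals.getValue(ConfigKeys.COOKIE_NAME_DATA);
    Cookie cookie = this.getCookieTemplate(cookieName);
    Cookie hashCookie = this.getCookieTemplate(SystemGlobals.getValue(ConfigKeys.COOKIE_USER_HASH));
    Cookie autoLoginCookie = this.getCookieTemplate(SystemGlobals.getValue(ConfigKeys.COOKIE_AUTO_LOGIN));

    boolean autoLoginRequested = hashCookie != null
        && cookie != null
        && !cookie.getValue().equals(SystemGlobals.getValue(ConfigKeys.ANONYMOUS_USER_ID))
        && autoLoginCookie != null
        && "1".equals(autoLoginCookie.getValue());
    if (!autoLoginRequested) {
        return false;
    }

    String uid = cookie.getValue();
    String uidHash = hashCookie.getValue();

    // The id comes from a client-controlled cookie. A value that is not a number is
    // not a database failure (which is what wrapping it in DatabaseException used to
    // claim); it is simply not a valid auto-login request.
    int userId;
    try {
        userId = Integer.parseInt(uid);
    } catch (NumberFormatException e) {
        userSession.makeAnonymous();
        return false;
    }

    try {
        UserDAO userDao = DataAccessDriver.getInstance().newUserDAO();

        // Load the user-specific security hash from the database
        String userHash = userDao.getUserAuthHash(userId);
        if (userHash == null || userHash.trim().length() == 0) {
            return false;
        }

        String securityHash = MD5.crypt(userHash);
        if (hashesMatch(securityHash, uidHash)) {
            userSession.setUserId(userId);

            User user = userDao.selectById(userId);
            if (user == null || user.getId() != userId || user.isDeleted()) {
                userSession.makeAnonymous();
                return false;
            }

            this.configureUserSession(userSession, user);
            return true;
        }
    } catch (Exception e) {
        throw new DatabaseException(e);
    }

    userSession.makeAnonymous();
    return false;
}

/**
 * Compares the expected hash with the one presented by the client without stopping at
 * the first differing byte, so that the comparison time does not reveal how much of
 * the presented value was correct.
 *
 * @param expected the hash computed from the stored value, may be {@code null}
 * @param presented the hash read from the cookie, may be {@code null}
 * @return {@code true} only if both are non-null and equal
 */
private static boolean hashesMatch(String expected, String presented) {
    if (expected == null || presented == null) {
        return false;
    }
    return java.security.MessageDigest.isEqual(
        expected.getBytes(java.nio.charset.StandardCharsets.UTF_8),
        presented.getBytes(java.nio.charset.StandardCharsets.UTF_8));
}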
/**
 * Check if the logged user has access to the role. The user id is taken from the
 * current session; when there is no session, the anonymous user is checked instead.
 *
 * @param roleName The role name to verify
 * @param value The value related to the role to verify for access
 * @return <code>true</code> if the user has access to the role, <code>false</code> if
 *     access is denied
 */
public static boolean canAccess(String roleName, String value) {
    UserSession session = SessionFacade.getUserSession();
    if (session != null) {
        return canAccess(session.getUserId(), roleName, value);
    }

    logger.warn(
        "Found null userSession. Going anonymous. Session id #"
            + JForumExecutionContext.getRequest().getSessionContext().getId());

    // No session at all: evaluate the role for the anonymous user
    UserSession anonymous = new UserSession();
    anonymous.makeAnonymous();
    return canAccess(anonymous.getUserId(), roleName, value);
}
/**
 * Resolves a parameterized message in the language of the current session, or in the
 * default bundle when the session has no language.
 *
 * @see #getMessage(String, String, Object[])
 * @param messageName String
 * @param params Object
 * @return String
 */
public static String getMessage(String messageName, Object[] params) {
    UserSession us = SessionFacade.getUserSession();

    String lang = "";
    if (us != null && us.getLang() != null) {
        lang = us.getLang();
    }

    String bundle = "".equals(lang) ? defaultName : lang;
    return getMessage(bundle, messageName, params);
}
/**
 * Makes the current user stop watching a specific topic, then redirects to the topic list.
 *
 * @param topicId the id of the topic to unwatch
 */
@SecurityConstraint(value = AuthenticatedRule.class, displayLogin = true)
public void unwatch(long topicId) {
    // Only the id is needed; the service resolves the rest
    Topic target = new Topic();
    target.setId(topicId);

    this.watchService.unwatch(target, this.userSession.getUser());
    this.result.redirectTo(this).list(topicId);
}
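/**
 * Runs after the topic list action: exposes whether the logged user watches the listed
 * topic (as {@code isUserWatchingTopic}) and marks an existing subscription as read.
 *
 * <p>Anonymous users are never watching. A logged user without a subscription to the
 * topic is not watching either, and there is nothing to mark as read for him.
 */
@Extends(Actions.LIST)
public void afterList() {
    boolean isWatching = false;

    if (this.userSession.isLogged()) {
        Topic topic = (Topic) this.result.included().get("topic");
        TopicWatch subscription =
            this.watchService.getSubscription(topic, this.userSession.getUser());

        isWatching = subscription != null;

        // getSubscription() returns null when the user does not watch the topic;
        // dereferencing it unconditionally threw a NullPointerException here.
        if (isWatching && !subscription.isRead()) {
            subscription.markAsRead();
        }
    }

    this.result.include("isUserWatchingTopic", isWatching);
}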
/**
 * Sets up options and values for the user's session after a successful authentication.
 *
 * <p>Copies the user data into the session, derives the last-visit time from a previous
 * session of the same user (a still-alive in-memory session first, otherwise the stored
 * session record), flags the session as auto-login, marks it logged and loads the user's
 * language.
 *
 * @param userSession The UserSession instance of the user
 * @param user The User instance of the authenticated user
 */
protected void configureUserSession(UserSession userSession, User user) {
    LOG.trace("configureUserSession");
    userSession.dataToUser(user);

    // The user may come back before the session of his previous visit has expired.
    // If such a session is still alive, store its data first and reuse it; otherwise
    // fall back to the persisted session record.
    String previousSessionId = SessionFacade.isUserInSession(user.getId());
    UserSession previous;
    if (previousSessionId == null) {
        UserSessionDAO sessionDao = DataAccessDriver.getInstance().newUserSessionDAO();
        previous = sessionDao.selectById(userSession, JForumExecutionContext.getConnection());
    } else {
        SessionFacade.storeSessionData(previousSessionId, JForumExecutionContext.getConnection());
        previous = SessionFacade.getUserSession(previousSessionId);
        SessionFacade.remove(previousSessionId);
    }

    // Last visit = end of the previous session; "now" when there was none
    Date lastVisit = previous == null
        ? new Date(System.currentTimeMillis())
        : new Date(previous.getStartTime().getTime() + previous.getSessionTime());
    userSession.setLastVisit(lastVisit);

    userSession.setAutoLogin(true);
    SessionFacade.makeLogged();
    I18n.load(user.getLang());
}
/** A user allowed to move topics has the move delegated to the service and is sent back. */
@Test
public void moveTopics() {
    when(roleManager.getCanMoveTopics()).thenReturn(true);
    when(userSession.getUser()).thenReturn(user);

    controller.moveTopics(1, "return path", moderationLog, 2, 3, 4);

    verify(service).moveTopics(1, moderationLog, 2, 3, 4);
    verify(mockResult).redirectTo("return path");
}
/** A user allowed to lock/unlock gets the ids forwarded to the service and lands on the forum. */
@Test
public void lockUnlock() {
    int[] selectedTopics = {1, 2, 3};
    when(roleManager.getCanLockUnlockTopics()).thenReturn(true);
    when(userSession.getUser()).thenReturn(user);
    when(mockResult.redirectTo(ForumController.class)).thenReturn(mockForumController);

    controller.lockUnlock(1, null, moderationLog, selectedTopics);

    verify(service).lockUnlock(new int[] {1, 2, 3}, moderationLog);
    verify(mockForumController).show(1, 0);
}
/** A user allowed to delete posts has the resolved topics passed to the service and lands on the forum. */
@Test
public void deleteTopicsExpectSuccess() {
    when(roleManager.getCanDeletePosts()).thenReturn(true);
    when(userSession.getUser()).thenReturn(user);
    when(topicRepository.get(4)).thenReturn(new Topic());
    when(topicRepository.get(5)).thenReturn(new Topic());
    when(mockResult.redirectTo(ForumController.class)).thenReturn(mockForumController);

    controller.deleteTopics(1, null, new int[] {4, 5}, moderationLog);

    // Matching presumably relies on two fresh Topics comparing equal — same as the
    // repository stubs above
    verify(service).deleteTopics(Arrays.asList(new Topic(), new Topic()), moderationLog);
    // TODO pass zero?
    verify(mockForumController).show(1, 0);
}
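/**
 * Checks for user authentication using some SSO implementation.
 *
 * <p>The class named by {@link ConfigKeys#SSO_IMPLEMENTATION} is instantiated reflectively
 * and asked for the username of the current request. No username makes the session
 * anonymous. A username unknown to the forum is registered first, with the e-mail and
 * password attributes the SSO layer placed in the session context, or the configured
 * defaults when those attributes are absent.
 *
 * @param userSession UserSession
 * @throws ForumException if the SSO implementation cannot be loaded or any step fails;
 *     the original exception is logged with its stack trace before being rethrown
 */
protected void checkSSO(UserSession userSession) {
    LOG.trace("checkSSO");

    try {
        SSO sso = (SSO) Class.forName(SystemGlobals.getValue(ConfigKeys.SSO_IMPLEMENTATION)).newInstance();
        String username = sso.authenticateUser(JForumExecutionContext.getRequest());

        if (username == null || username.trim().equals("")) {
            userSession.makeAnonymous();
            return;
        }

        SSOUtils utils = new SSOUtils();
        if (!utils.userExists(username)) {
            SessionContext session = JForumExecutionContext.getRequest().getSessionContext();
            String email = (String) session.getAttribute(SystemGlobals.getValue(ConfigKeys.SSO_EMAIL_ATTRIBUTE));
            String password = (String) session.getAttribute(SystemGlobals.getValue(ConfigKeys.SSO_PASSWORD_ATTRIBUTE));

            if (email == null) {
                email = SystemGlobals.getValue(ConfigKeys.SSO_DEFAULT_EMAIL);
            }
            if (password == null) {
                // Every account provisioned without a password attribute shares this
                // configured default. NOTE(review): confirm that the default cannot be
                // used for a non-SSO login while SSO is the authentication type.
                password = SystemGlobals.getValue(ConfigKeys.SSO_DEFAULT_PASSWORD);
            }

            utils.register(password, email);
        }

        this.configureUserSession(userSession, utils.getUser());
    } catch (Exception e) {
        // The rethrown exception only carries e's text; keep the full cause and
        // stack trace in the log instead of on stderr.
        LOG.error("Error while executing SSO actions", e);
        throw new ForumException("Error while executing SSO actions: " + e);
    }
}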
/**
 * Refreshes the user's session.
 *
 * <p>Without a session, a new one is created and authenticated (SSO, auto login or
 * anonymous, none of them for bots). With an existing session and SSO authentication,
 * the session is re-validated against the SSO provider and rebuilt from scratch if it is
 * no longer valid. Otherwise only the session time is updated.
 */
public void refreshSession() {
    LOG.trace("refreshSession");

    UserSession userSession = SessionFacade.getUserSession();
    RequestContext request = JForumExecutionContext.getRequest();

    if (userSession == null) {
        UserSession fresh = new UserSession();
        fresh.registerBasicInfo();
        fresh.setSessionId(request.getSessionContext().getId());
        fresh.setIp(request.getRemoteAddr());
        SessionFacade.makeUnlogged();

        // Bots are never authenticated
        if (!JForumExecutionContext.getForumContext().isBot()) {
            boolean ssoEnabled =
                ConfigKeys.TYPE_SSO.equals(SystemGlobals.getValue(ConfigKeys.AUTHENTICATION_TYPE));
            if (ssoEnabled) {
                this.checkSSO(fresh);
            } else if (SystemGlobals.getBoolValue(ConfigKeys.AUTO_LOGIN_ENABLED)) {
                // Auto login is only available to non-SSO authentication
                this.checkAutoLogin(fresh);
            } else {
                fresh.makeAnonymous();
            }
        }

        SessionFacade.add(fresh);
        return;
    }

    boolean existingSessionUsesSso =
        ConfigKeys.TYPE_SSO.equals(SystemGlobals.getValue(ConfigKeys.AUTHENTICATION_TYPE));
    if (!existingSessionUsesSso) {
        SessionFacade.getUserSession().updateSessionTime();
        return;
    }

    SSO sso;
    try {
        sso = (SSO) Class.forName(SystemGlobals.getValue(ConfigKeys.SSO_IMPLEMENTATION)).newInstance();
    } catch (Exception e) {
        throw new ForumException(e);
    }

    // A session the SSO provider no longer accepts is dropped and built again
    if (!sso.isSessionValid(userSession, request)) {
        SessionFacade.remove(userSession.getSessionId());
        refreshSession();
    }
}
/**
 * Allows the request to proceed only for moderators; the request itself is not consulted.
 *
 * @see net.jforum.security.AccessRule#shouldProceed(net.jforum.entities.UserSession,
 *     javax.servlet.http.HttpServletRequest)
 */
@Override
public boolean shouldProceed(UserSession userSession, HttpServletRequest request) {
    boolean moderator = userSession.getRoleManager().isModerator();
    return moderator;
}