Posted to commits@roller.apache.org by sn...@apache.org on 2012/06/07 04:25:07 UTC
svn commit: r1347316 - in
/roller/branches/roller_5.0/weblogger-web/src/main/java/org/apache/roller/weblogger/ui/core/filters:
LoadSaltFilter.java ValidateSaltFilter.java
Author: snoopdave
Date: Thu Jun 7 02:25:07 2012
New Revision: 1347316
URL: http://svn.apache.org/viewvc?rev=1347316&view=rev
Log:
per user salt values
Modified:
roller/branches/roller_5.0/weblogger-web/src/main/java/org/apache/roller/weblogger/ui/core/filters/LoadSaltFilter.java
roller/branches/roller_5.0/weblogger-web/src/main/java/org/apache/roller/weblogger/ui/core/filters/ValidateSaltFilter.java
Modified: roller/branches/roller_5.0/weblogger-web/src/main/java/org/apache/roller/weblogger/ui/core/filters/LoadSaltFilter.java
URL: http://svn.apache.org/viewvc/roller/branches/roller_5.0/weblogger-web/src/main/java/org/apache/roller/weblogger/ui/core/filters/LoadSaltFilter.java?rev=1347316&r1=1347315&r2=1347316&view=diff
==============================================================================
--- roller/branches/roller_5.0/weblogger-web/src/main/java/org/apache/roller/weblogger/ui/core/filters/LoadSaltFilter.java (original)
+++ roller/branches/roller_5.0/weblogger-web/src/main/java/org/apache/roller/weblogger/ui/core/filters/LoadSaltFilter.java Thu Jun 7 02:25:07 2012
@@ -25,6 +25,10 @@ import javax.servlet.http.HttpServletReq
import org.apache.commons.lang.RandomStringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
+import org.apache.roller.weblogger.WebloggerException;
+import org.apache.roller.weblogger.business.UserManager;
+import org.apache.roller.weblogger.business.WebloggerFactory;
+import org.apache.roller.weblogger.pojos.User;
import org.apache.roller.weblogger.ui.rendering.util.cache.SaltCache;
/**
@@ -37,12 +41,33 @@ public class LoadSaltFilter implements F
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
- HttpServletRequest httpReq = (HttpServletRequest) request;
- SaltCache saltCache = SaltCache.getInstance();
- String salt = RandomStringUtils.random(20, 0, 0, true, true, null, new SecureRandom());
- saltCache.put(salt, Boolean.TRUE);
- httpReq.setAttribute("salt", salt);
+ try {
+
+ HttpServletRequest httpReq = (HttpServletRequest) request;
+ final User authenticUser;
+ UserManager umgr = WebloggerFactory.getWeblogger().getUserManager();
+ if (httpReq.getUserPrincipal() != null) {
+ try {
+ authenticUser = umgr.getUserByUserName(httpReq.getUserPrincipal().getName(), Boolean.TRUE);
+ } catch (WebloggerException ex) {
+ log.error("ERROR checking user rile", ex);
+ throw new ServletException("Security Violation");
+ }
+ } else {
+ authenticUser = null;
+ }
+
+ if (authenticUser != null) {
+ SaltCache saltCache = SaltCache.getInstance();
+ String salt = RandomStringUtils.random(20, 0, 0, true, true, null, new SecureRandom());
+ saltCache.put(salt, authenticUser.getId());
+ httpReq.setAttribute("salt", salt);
+ }
+
+ } catch (Exception e) {
+ log.error("Error loading salt", e);
+ }
chain.doFilter(request, response);
}
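Review bot: The outer `catch (Exception e)` that closes the new try block also catches the `ServletException("Security Violation")` thrown from the inner catch a few lines above, so a failed user lookup is merely logged and `chain.doFilter(request, response)` still runs; the same shape is used in the ValidateSaltFilter hunk, where it wraps the salt comparison itself, meaning a missing or mismatched salt no longer stops the POST. Rethrow the security failure before the catch-all in both filters: `} catch (ServletException e) { throw e; } catch (Exception e) { log.error("Error loading salt", e); }`, or move the salt check out of the try so only the lookup is best-effort. The log text `"ERROR checking user rile"` appears in both hunks and presumably means "role". Blank context lines appear to have been dropped from the hunk as rendered here (the header counts do not match the visible lines), so the method's surrounding whitespace is not shown.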
Modified: roller/branches/roller_5.0/weblogger-web/src/main/java/org/apache/roller/weblogger/ui/core/filters/ValidateSaltFilter.java
URL: http://svn.apache.org/viewvc/roller/branches/roller_5.0/weblogger-web/src/main/java/org/apache/roller/weblogger/ui/core/filters/ValidateSaltFilter.java?rev=1347316&r1=1347315&r2=1347316&view=diff
==============================================================================
--- roller/branches/roller_5.0/weblogger-web/src/main/java/org/apache/roller/weblogger/ui/core/filters/ValidateSaltFilter.java (original)
+++ roller/branches/roller_5.0/weblogger-web/src/main/java/org/apache/roller/weblogger/ui/core/filters/ValidateSaltFilter.java Thu Jun 7 02:25:07 2012
@@ -23,6 +23,10 @@ import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
+import org.apache.roller.weblogger.WebloggerException;
+import org.apache.roller.weblogger.business.UserManager;
+import org.apache.roller.weblogger.business.WebloggerFactory;
+import org.apache.roller.weblogger.pojos.User;
import org.apache.roller.weblogger.ui.rendering.util.cache.SaltCache;
/**
@@ -36,15 +40,34 @@ public class ValidateSaltFilter implemen
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
- HttpServletRequest httpReq = (HttpServletRequest) request;
-
- if (httpReq.getMethod().equals("POST")) {
- String salt = (String) httpReq.getParameter("salt");
- SaltCache saltCache = SaltCache.getInstance();
- if (salt == null || saltCache.get(salt) == null || saltCache.get(salt).equals(false)) {
- throw new ServletException("Security Violation");
+
+ try {
+ HttpServletRequest httpReq = (HttpServletRequest) request;
+ final User authenticUser;
+ UserManager umgr = WebloggerFactory.getWeblogger().getUserManager();
+ if (httpReq.getUserPrincipal() != null) {
+ try {
+ authenticUser = umgr.getUserByUserName(httpReq.getUserPrincipal().getName(), Boolean.TRUE);
+ } catch (WebloggerException ex) {
+ log.error("ERROR checking user rile", ex);
+ throw new ServletException("Security Violation");
+ }
+ } else {
+ authenticUser = null;
}
+
+ if (httpReq.getMethod().equals("POST") && authenticUser != null) {
+ String salt = (String) httpReq.getParameter("salt");
+ SaltCache saltCache = SaltCache.getInstance();
+ if (salt == null || saltCache.get(salt) == null || !saltCache.get(salt).equals(authenticUser.getId())) {
+ throw new ServletException("Security Violation");
+ }
+ }
+
+ } catch (Exception e) {
+ log.error("Error validating salt", e);
}
+
chain.doFilter(request, response);
}
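Review bot: The condition in the POST branch calls `saltCache.get(salt)` twice, so the null test and the equality test can observe different values if the entry expires between them; read it once, keeping the existing null guard on `salt`: `Object owner = salt == null ? null : saltCache.get(salt); if (owner == null || !owner.equals(authenticUser.getId())) { throw new ServletException("Security Violation"); }`. A salt that passes the check is also left in the cache, so the same value can be resubmitted until the cache evicts it; if the token is meant to be single-use, remove it on success. The `ServletException` raised here is caught by the enclosing `catch (Exception e)` at the end of the method, as raised on the LoadSaltFilter hunk.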