/*
* Created on Aug 14, 2004
*
* To change the template for this generated file go to
* Window>Preferences>Java>Code Generation>Code and Comments
*/
package net.reliableresponse.notification.web.servlets;
import java.io.IOException;
import java.util.Date;
import javax.naming.ldap.InitialLdapContext;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import net.reliableresponse.notification.Notification;
import net.reliableresponse.notification.NotificationException;
import net.reliableresponse.notification.actions.SendNotification;
import net.reliableresponse.notification.broker.AuthenticationBroker;
import net.reliableresponse.notification.broker.BrokerFactory;
import net.reliableresponse.notification.broker.impl.LDAPAuthenticationBroker;
import net.reliableresponse.notification.broker.impl.MultiRealmAuthenticationBroker;
import net.reliableresponse.notification.ldap.LDAPLibrary;
import net.reliableresponse.notification.sender.EmailSender;
import net.reliableresponse.notification.usermgmt.Roles;
import net.reliableresponse.notification.usermgmt.User;
import net.reliableresponse.notification.util.StringUtils;
import net.reliableresponse.notification.web.actions.ActionRequest;
/**
* @author drig
*
* To change the template for this generated type comment go to
* Window>Preferences>Java>Code Generation>Code and Comments
*/
public class AuthenticationServlet extends HttpServlet {
/*
* (non-Javadoc)
*
* @see javax.servlet.http.HttpServlet#doGet(javax.servlet.http.HttpServletRequest,
* javax.servlet.http.HttpServletResponse)
*/
protected void doGet(HttpServletRequest arg0, HttpServletResponse arg1)
throws ServletException, IOException {
// TODO Auto-generated method stub
doPost(arg0, arg1);
}
private void sendResetEmail(User user, String token) {
String message =
"Someone has asked Reliable Response to reset your password. \n"+
"If that was you, please go to this URL:\n"+
BrokerFactory.getConfigurationBroker().getStringValue("base.url")+
"/ForgotPasswordServlet?token="+token;
Notification notification = new Notification(null, user,
new EmailSender("passwordchange@reliableresponse.net"),
"Reset Your Password", message);
try {
SendNotification.getInstance().doSend(notification);
BrokerFactory.getLoggingBroker().logDebug("Sent password reset notification to "+user);
} catch (NotificationException e) {
BrokerFactory.getLoggingBroker().logError(e);
}
}
public boolean isLDAPEnabled() {
String ldapLogin = BrokerFactory.getConfigurationBroker()
.getStringValue("ldap.authn.compare");
if (StringUtils.isEmpty(ldapLogin)) {
return false;
}
String host = BrokerFactory.getConfigurationBroker().getStringValue("ldap.host");
if (StringUtils.isEmpty(host)) {
return false;
}
AuthenticationBroker authnBroker = BrokerFactory.getAuthenticationBroker();
if (authnBroker instanceof MultiRealmAuthenticationBroker) {
MultiRealmAuthenticationBroker multiAuthn = (MultiRealmAuthenticationBroker)authnBroker;
AuthenticationBroker[] realBrokers =multiAuthn.getAuthenticationBrokers();
for (int i = 0; i < realBrokers.length; i++) {
if (realBrokers[i] instanceof LDAPAuthenticationBroker) {
return true;
}
}
} else if (authnBroker instanceof LDAPAuthenticationBroker) {
return true;
}
return false;
}
/*
* (non-Javadoc)
*
* @see javax.servlet.http.HttpServlet#doPost(javax.servlet.http.HttpServletRequest,
* javax.servlet.http.HttpServletResponse)
*/
protected void doPost(HttpServletRequest request,
HttpServletResponse response) throws ServletException, IOException {
ActionRequest actionRequest = new ActionRequest((HttpServletRequest)request);
RequestDispatcher loginPage = request.getRequestDispatcher("login.jsp");
// Check to see if the user hit "forgot password"
if (request.getParameter("forgot.x") != null) {
String username = request.getParameter("username");
if ((username == null) || (username.length() == 0)) {
actionRequest.addParameter("authentication.message", "Please enter a user ID.");
loginPage.forward(actionRequest, response);
return;
}
User user = BrokerFactory.getAuthenticationBroker().getUserByIdentifier(username);
String token = "";
if (user == null) {
// TODO: This is insecure, but it's good ease-of-use. I need to review this to see if the
// security considerations outweight ease of use.
if (isLDAPEnabled()) {
actionRequest.addParameter("authentication.message", "Your user could not be found. "+
"If your account is stored on a corporate directory, please check "+
"with your directory administrator.");
} else {
actionRequest.addParameter("authentication.message", "Your user could not be found. Please check your ID.");
}
loginPage.forward(actionRequest, response);
return;
} else {
AuthenticationBroker authnBroker = BrokerFactory.getAuthenticationBroker();
token = authnBroker.getPasswordChangeToken(user);
}
// Mail out the info
sendResetEmail(user, token);
// Return to the login page
actionRequest.addParameter("authentication.message", "A notification has been sent to you with instructions on setting your password");
loginPage.forward(actionRequest, response);
return;
}
// Handle the login request
String username = request.getParameter("username");
String originatingAddress = request.getRemoteAddr();
if ((username == null) || (username.length() == 0)) {
actionRequest.addParameter("authentication.message", "Your password was not accepted. Please try again.");
loginPage.forward(actionRequest, response);
BrokerFactory.getAuthenticationBroker().logAuthentication(false, username, null, originatingAddress, new Date());
return;
}
String password = request.getParameter("password");
if ((password == null) || (password.length() == 0)) {
actionRequest.addParameter("authentication.message", "Your password was not accepted. Please try again.");
loginPage.forward(actionRequest, response);
BrokerFactory.getAuthenticationBroker().logAuthentication(false, username, null, originatingAddress, new Date());
return;
}
User user = BrokerFactory.getAuthenticationBroker().authenticate(username, password);
if (user != null) {
request.getSession().setAttribute("user", user.getUuid());
BrokerFactory.getAuthenticationBroker().logAuthentication(true, username, user, originatingAddress, new Date());
String referer = (String)request.getSession().getAttribute("referer");
// If this is a managed (ie, hosted) user, just go tot he index page. Or else,
// we get into AJAX problems.
if (BrokerFactory.getAuthorizationBroker().isUserInRole(user, Roles.MANAGED)) {
referer = "index.jsp";
}
if ((referer == null) || (referer.endsWith("login.jsp"))) referer = "index.jsp";
response.sendRedirect(referer);
return;
} else {
actionRequest.addParameter("authentication.message", "Your password was not accepted. Please try again.");
loginPage.forward(actionRequest, response);
BrokerFactory.getAuthenticationBroker().logAuthentication(false, username, null, originatingAddress, new Date());
return;
}
}
}