Force all console pages to SSL.

This commit is contained in:
MarkBryanMilligan 2022-02-17 15:26:32 -06:00
parent dabefd1e7c
commit c916b25427
7 changed files with 84 additions and 50 deletions


@ -0,0 +1,56 @@
package com.lanternsoftware.currentmonitor.servlet.console;
import com.lanternsoftware.currentmonitor.context.Globals;
import com.lanternsoftware.util.CollectionUtils;
import com.lanternsoftware.util.NullUtils;
import com.lanternsoftware.util.dao.DaoSerializer;
import com.lanternsoftware.util.dao.auth.AuthCode;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
public abstract class AuthenticatedConsoleServlet extends SecureConsoleServlet {
@Override
protected void get(HttpServletRequest _req, HttpServletResponse _rep) {
AuthCode code = getAuthCode(_req, _rep);
if (code != null)
get(code, _req, _rep);
}
protected void get(AuthCode _authCode, HttpServletRequest _req, HttpServletResponse _rep) {
}
@Override
protected void post(HttpServletRequest _req, HttpServletResponse _rep) {
AuthCode code = getAuthCode(_req, _rep);
if (code != null)
post(code, _req, _rep);
}
private AuthCode getAuthCode(HttpServletRequest _req, HttpServletResponse _rep) {
String sRequestURL = _req.getRequestURL().toString();
String sURL = sRequestURL.replaceFirst("http://", "https://");
if (!sURL.equals(sRequestURL)) {
String sQuery = _req.getQueryString();
if (NullUtils.isNotEmpty(sQuery))
sURL += "?" + sQuery;
redirect(_rep, sURL);
return null;
}
AuthCode authCode = Globals.dao.decryptAuthCode(DaoSerializer.toString(_req.getSession().getAttribute("auth_code")));
if (authCode == null) {
Cookie authCookie = CollectionUtils.filterOne(CollectionUtils.asArrayList(_req.getCookies()), _c-> NullUtils.isEqual(_c.getName(), "auth_code"));
if (authCookie != null)
authCode = Globals.dao.decryptAuthCode(authCookie.getValue());
}
if (authCode == null) {
redirect(_rep, _req.getContextPath() + "/login");
return null;
}
return authCode;
}
protected void post(AuthCode _authCode, HttpServletRequest _req, HttpServletResponse _rep) {
}
}
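Review bot: The http-to-https redirect at the top of `getAuthCode` (the `replaceFirst("http://", "https://")` block before the session lookup) is unreachable in practice: `SecureConsoleServlet.doGet`/`doPost` already call `isSecure` and only dispatch to `get`/`post` once the request is HTTPS, so this class never sees a plain-http request and the duplicated block should be dropped, leaving `getAuthCode` to begin at the `Globals.dao.decryptAuthCode(...)` lookup. Both copies derive the scheme from `_req.getRequestURL()`, which the container rebuilds from the request's Host header; `_req.isSecure()` is the direct test and does not echo client-supplied host data into a Location header. `_req.getCookies()` returns null when the request carries no cookies — presumably `CollectionUtils.asArrayList` tolerates that, but it is worth confirming. A class Javadoc such as `/** Console servlet base that requires a decrypted auth code (session attribute or "auth_code" cookie); requests without one are redirected to /login. */` would document the contract that subclasses override `get(AuthCode, …)`/`post(AuthCode, …)` rather than the two-argument forms.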


@ -9,7 +9,7 @@ import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
@WebServlet("")
public class ConsoleServlet extends SecureConsoleServlet {
public class ConsoleServlet extends AuthenticatedConsoleServlet {
private static final Logger logger = LoggerFactory.getLogger(ConsoleServlet.class);
@Override


@ -40,7 +40,7 @@ import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;
@WebServlet("/export/*")
public class ExportServlet extends SecureConsoleServlet {
public class ExportServlet extends AuthenticatedConsoleServlet {
private static final Logger logger = LoggerFactory.getLogger(ExportServlet.class);
@Override


@ -1,6 +1,5 @@
package com.lanternsoftware.currentmonitor.servlet.console;
import com.lanternsoftware.currentmonitor.servlet.FreemarkerCMServlet;
import com.lanternsoftware.currentmonitor.util.GoogleAuthHelper;
import com.lanternsoftware.util.NullUtils;
@ -10,14 +9,14 @@ import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
@WebServlet("/gso")
public class GsoServlet extends FreemarkerCMServlet {
public class GsoServlet extends SecureConsoleServlet {
@Override
protected void doGet(HttpServletRequest _req, HttpServletResponse _rep) {
protected void get(HttpServletRequest _req, HttpServletResponse _rep) {
render(_rep, "login.ftl", model(_req));
}
@Override
protected void doPost(HttpServletRequest _req, HttpServletResponse _rep) {
protected void post(HttpServletRequest _req, HttpServletResponse _rep) {
String code = getRequestPayloadAsString(_req);
if (NullUtils.isNotEmpty(code)) {
String authCode = GoogleAuthHelper.signin(code, null);
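Review bot: A one-line class comment should record that GsoServlet deliberately extends SecureConsoleServlet rather than AuthenticatedConsoleServlet, so a later "tighten everything" pass does not move the Google sign-in entry point behind the auth check it exists to establish; e.g. `// Pre-authentication endpoint: enforces HTTPS only, no auth code required.` The same comment belongs on LoginServlet, which makes the identical base-class choice. The body of `post` continues outside this hunk.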


@ -1,31 +1,22 @@
package com.lanternsoftware.currentmonitor.servlet.console;
import com.lanternsoftware.currentmonitor.context.Globals;
import com.lanternsoftware.currentmonitor.servlet.FreemarkerCMServlet;
import com.lanternsoftware.currentmonitor.util.GoogleAuthHelper;
import com.lanternsoftware.util.DateUtils;
import com.lanternsoftware.util.NullUtils;
import com.lanternsoftware.util.dao.DaoEntity;
import com.lanternsoftware.util.dao.DaoSerializer;
import com.lanternsoftware.util.dao.auth.AuthCode;
import com.lanternsoftware.util.servlet.LanternServlet;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
@WebServlet("/login")
public class LoginServlet extends FreemarkerCMServlet {
public class LoginServlet extends SecureConsoleServlet {
@Override
protected void doGet(HttpServletRequest _req, HttpServletResponse _rep) {
protected void get(HttpServletRequest _req, HttpServletResponse _rep) {
render(_rep, "login.ftl", model(_req));
}
@Override
protected void doPost(HttpServletRequest _req, HttpServletResponse _rep) {
protected void post(HttpServletRequest _req, HttpServletResponse _rep) {
String username = _req.getParameter("username");
String password = _req.getParameter("password");
String authCode = Globals.dao.authenticateAccount(username, password);


@ -1,18 +1,14 @@
package com.lanternsoftware.currentmonitor.servlet.console;
import com.lanternsoftware.currentmonitor.servlet.FreemarkerCMServlet;
import com.lanternsoftware.currentmonitor.util.GoogleAuthHelper;
import com.lanternsoftware.util.NullUtils;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
@WebServlet("/logout")
public class LogoutServlet extends FreemarkerCMServlet {
public class LogoutServlet extends AuthenticatedConsoleServlet {
@Override
protected void doGet(HttpServletRequest _req, HttpServletResponse _rep) {
protected void get(HttpServletRequest _req, HttpServletResponse _rep) {
_req.getSession().removeAttribute("auth_code");
Cookie authCookie = new Cookie("auth_code", "");
authCookie.setMaxAge(0);
@ -22,6 +18,6 @@ public class LogoutServlet extends FreemarkerCMServlet {
}
@Override
protected void doPost(HttpServletRequest _req, HttpServletResponse _rep) {
protected void post(HttpServletRequest _req, HttpServletResponse _rep) {
}
}
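Review bot: LogoutServlet now extends AuthenticatedConsoleServlet but overrides its `get(HttpServletRequest, HttpServletResponse)` and `post(HttpServletRequest, HttpServletResponse)`, which are exactly the methods that perform the auth-code lookup, so the superclass's authentication gate never runs and the class behaves as a plain SecureConsoleServlet. If logout is meant to work without a valid auth code (reasonable, since the session may already have expired), change the declaration to `public class LogoutServlet extends SecureConsoleServlet` so the intent is explicit; if it is meant to be authenticated, override `get(AuthCode, HttpServletRequest, HttpServletResponse)` instead. The clearing cookie `new Cookie("auth_code", "")` with `setMaxAge(0)` only removes the login cookie if its path (and domain, if any) match the one set at login; the rest of `get` is outside this hunk, so confirm the path is set there.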


@ -1,48 +1,40 @@
package com.lanternsoftware.currentmonitor.servlet.console;
import com.lanternsoftware.currentmonitor.context.Globals;
import com.lanternsoftware.currentmonitor.servlet.FreemarkerCMServlet;
import com.lanternsoftware.util.CollectionUtils;
import com.lanternsoftware.util.NullUtils;
import com.lanternsoftware.util.dao.DaoSerializer;
import com.lanternsoftware.util.dao.auth.AuthCode;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
public abstract class SecureConsoleServlet extends FreemarkerCMServlet {
@Override
protected void doGet(HttpServletRequest _req, HttpServletResponse _rep) {
AuthCode code = getAuthCode(_req, _rep);
if (code != null)
get(code, _req, _rep);
if (isSecure(_req, _rep))
get(_req, _rep);
}
protected void get(AuthCode _authCode, HttpServletRequest _req, HttpServletResponse _rep) {
protected void get(HttpServletRequest _req, HttpServletResponse _rep) {
}
@Override
protected void doPost(HttpServletRequest _req, HttpServletResponse _rep) {
AuthCode code = getAuthCode(_req, _rep);
if (code != null)
post(code, _req, _rep);
if (isSecure(_req, _rep))
post(_req, _rep);
}
private AuthCode getAuthCode(HttpServletRequest _req, HttpServletResponse _rep) {
AuthCode authCode = Globals.dao.decryptAuthCode(DaoSerializer.toString(_req.getSession().getAttribute("auth_code")));
if (authCode == null) {
Cookie authCookie = CollectionUtils.filterOne(CollectionUtils.asArrayList(_req.getCookies()), _c-> NullUtils.isEqual(_c.getName(), "auth_code"));
if (authCookie != null)
authCode = Globals.dao.decryptAuthCode(authCookie.getValue());
}
if (authCode == null) {
redirect(_rep, _req.getContextPath() + "/login");
return null;
}
return authCode;
protected void post(HttpServletRequest _req, HttpServletResponse _rep) {
}
protected void post(AuthCode _authCode, HttpServletRequest _req, HttpServletResponse _rep) {
private boolean isSecure(HttpServletRequest _req, HttpServletResponse _rep) {
String sRequestURL = _req.getRequestURL().toString();
String sURL = sRequestURL.replaceFirst("http://", "https://");
if (!sURL.equals(sRequestURL)) {
String sQuery = _req.getQueryString();
if (NullUtils.isNotEmpty(sQuery))
sURL += "?" + sQuery;
redirect(_rep, sURL);
return false;
}
return true;
}
}
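Review bot: Redirecting a plain-http POST in `doPost` (`if (isSecure(_req, _rep)) post(_req, _rep);`) does not protect the request body: by the time `isSecure` runs, any form data — including the username and password that LoginServlet.post reads — has already crossed the network in cleartext, and the redirect then discards it, since a redirected POST is retried as a GET. Consider answering a non-HTTPS POST with an error status instead of a redirect, so that only navigations are upgraded and the form is always loaded over HTTPS before it is submitted. `isSecure` infers the scheme by rewriting `_req.getRequestURL()`, which the container rebuilds from the Host header; `if (_req.isSecure()) return true;` at the top of the method is the direct test, and behind a TLS-terminating proxy the URL-based check may see `http://` on every request and loop unless forwarded headers are honoured — worth confirming for this deployment. Once a page is served over HTTPS, a `Strict-Transport-Security` header on the response would let browsers skip the plaintext hop on later visits.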