Changeset 33212

Timestamp:
24.06.2019 14:13:12 (3 weeks ago)
Author:
kjdon
Message:

changed how we remember who has verified. Can't store in the session as it just gets wiped by our session caching code - as hmvf never actually makes it through to LibraryServlet via a command line, it just gets wiped and never put back. Anyway it wasn't a good choice as anyone could just add hmvf=1 to the URL to bypass T&C. Now we store in a hashtable the session id for those who have verified - accompanied by a timer which will remove the entry after 24 hours. Also, renamed _logger to logger to match all other classes as it's a pain to have to remember to type the _. Debug messages left in for now. TODO: remove these once tested.

Files:
1 modified

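--- a/main/trunk/greenstone3/src/java/org/greenstone/gsdl3/core/URLFilter.java
+++ b/main/trunk/greenstone3/src/java/org/greenstone/gsdl3/core/URLFilter.java
@@ -6,4 +6,5 @@
 import java.util.Arrays;
 import java.util.HashMap;
+import java.util.Hashtable;
 import java.util.Map;
 
@@ -21,4 +22,8 @@
 import javax.servlet.http.HttpServletResponse;
 
+import java.awt.event.ActionEvent;
+import java.awt.event.ActionListener;
+import javax.swing.Timer;
+
 import org.apache.commons.io.FileUtils;
 import org.apache.commons.lang3.StringUtils;
@@ -38,5 +43,5 @@
 {
   private FilterConfig _filterConfig = null;
-  private static Logger _logger = Logger.getLogger(org.greenstone.gsdl3.core.URLFilter.class.getName());
+  private static Logger logger = Logger.getLogger(org.greenstone.gsdl3.core.URLFilter.class.getName());
 
   //Restricted URLs
@@ -72,4 +77,8 @@
   protected static final String SYSTEM_SUBACTION_DEACTIVATE = "deactivate";
 
+  // if we are showing terms and conditions to user, this remembers who has accepted already
+  protected Hashtable<String, UserTimer> verifiedUserMap = null;
+  protected static final int verifiedUserTimeout = 24 * 60 * 60 * 1000;
+
   public void init(FilterConfig filterConfig) throws ServletException
   {
@@ -87,5 +96,5 @@
     if (!(request instanceof HttpServletRequest)) {
       // Can this ever happen?
-      _logger.error("The request was not an HttpServletRequest");
+      logger.error("The request was not an HttpServletRequest");
       return;
     }
@@ -94,4 +103,5 @@
     HttpServletRequest hRequest = ((HttpServletRequest) request);
     HttpSession hSession = hRequest.getSession();
+    String session_id = hSession.getId();
     ServletContext context = hSession.getServletContext();
 
@@ -106,5 +116,5 @@
       return;
     }
-
+    logger.error("in do Filter: "+url);
 
     // Run security checks on files requested from a collection's index/assoc folder
@@ -125,9 +135,10 @@
 
     if (gsRouter == null) {
-      _logger.error("Receptionist is null, stopping filter");
+      logger.error("Receptionist is null, stopping filter");
       return;
     }
     // Sometimes we have a // before the filename - that mucks up the following code, so lets remove them
     url = url.replaceAll("//","/");
+
     String dir = null;
     int dirStart = url.indexOf(ASSOCIATED_FILE_PATH) + ASSOCIATED_FILE_PATH.length();
@@ -205,5 +216,5 @@
 
     Element mr_response = (Element)gsRouter.process(securityMessage);
-    _logger.debug("security response = "+XMLConverter.getPrettyString(mr_response));
+    logger.debug("security response = "+XMLConverter.getPrettyString(mr_response));
 
     boolean verifiable_file = true;
@@ -242,41 +253,43 @@
           }
       }
-    // if got here have no groups.
+    // if got here have no groups that we need to belong to
     // do we have human verify thing?
     if (verifiable_file) {
       // we are asking for the main document - lets check human verify
-
+      logger.error("KATH verifiable file is true");
       if (!securityResponse.getAttribute(GSXML.VERIFY_ATT).equals("")) {
         // have we done the test previously?
-        HttpSession this_session =  ((HttpServletRequest) request).getSession();
-        if (this_session == null) {
-          _logger.error("KATH session is null");
+        boolean already_verified = false;
+        if (verifiedUserMap == null) {
+          // we haven't done this at all, set up the map
+          verifiedUserMap = new Hashtable<String, UserTimer>();
+          logger.error("KATH setting up new user map");
         } else {
-          _logger.error("KATH session id = "+this_session.getId());
+          // check this map
+          if (verifiedUserMap.containsKey(session_id)) {
+        already_verified = true;
+          }
         }
-        if (this_session.getAttribute(GSParams.VERIFIED) != null ) {
-          _logger.error("KATH have verified in the session");
-          // we don't need to re-verify
-        } else {
-          _logger.error("KATH verfied not in session");
-
+        logger.error("KATH already verified = "+already_verified);
+
+        if (!already_verified) {
           // have we just  done the test?
           String hmvf_response = gRequest.getParameter(GSParams.VERIFIED);
           // hmvf param will be set by form if the verify page was submitted
           if (hmvf_response != null && hmvf_response.equals("1")) {
+        logger.error("user has submitted the form, check recaptcha response");
         if (!securityResponse.getAttribute(GSXML.SITE_KEY_ATT).equals("")) {
           String recaptcha_response = gRequest.getParameter(Authentication.RECAPTCHA_RESPONSE_PARAM);
           String secret_key = securityResponse.getAttribute(GSXML.SECRET_KEY_ATT);
           int result = Authentication.verifyRecaptcha(secret_key, recaptcha_response);
-          _logger.debug("recaptcha result code = "+result);
+          logger.error("recaptcha result code = "+result);
           if (result == Authentication.NO_ERROR) {
-            _logger.debug("RECAPTCHA SUCCESS, hopefully going to the document");
-
-            this_session.setAttribute(GSParams.VERIFIED, "1");
+            logger.error("RECAPTCHA SUCCESS, hopefully going to the document");
+
+
           } else {
-            _logger.error("something went wrong with recaptcha, error="+result);
-            _logger.error(Authentication.getErrorKey(result));
+            logger.error("something went wrong with recaptcha, error="+result);
+            logger.error(Authentication.getErrorKey(result));
             // display error page
-            //String new_url = context.getContextPath()+"/"+ context.getAttribute("LibraryName")+"?a=p&sa=error&c="+collection+"&ec=recap_fail";
             String new_url = context.getContextPath()+"/"+ library_name+"?a=p&sa=error&c="+collection+"&ec=recap_fail";
             ((HttpServletResponse)response).sendRedirect(new_url);
@@ -284,4 +297,10 @@
             return;
           }
+
+          // store the fact that user has verified
+          UserTimer timer = new UserTimer(verifiedUserTimeout, session_id);
+          verifiedUserMap.put(session_id, timer);
+          timer.start();
+
         }
 
@@ -289,4 +308,5 @@
         // hmvf param is not set - we haven't shown them the form yet
         // we need to display the verify page
+        logger.error("KATH display verify page");
         //String new_url = context.getContextPath()+"/"+ context.getAttribute("LibraryName")+"?a=p&sa=verify&c="+collection+"&url="+url;
         String new_url = context.getContextPath()+"/"+ library_name+"?a=p&sa=verify&c="+collection+"&url="+url;
@@ -295,6 +315,6 @@
           }
         }
-      }
-    }
+      } // end if we are asked to verify it
+    } // end if verifiable file
 
 
@@ -302,4 +322,5 @@
     // However, we need to remove the library_name from the URL. As can't change the
     // existing URL, we need to forward to the new one.
+    // (Can't do redirect as it will come back into this code and fail as there won't be library in the url)
     // Remove the context and library name parts.
     // don't know what happens with the rest of the filter chain? Does this bypass that??
@@ -592,5 +613,5 @@
     if (metadataList.getLength() == 0) {
 
-      _logger.error("Could not find the document related to this url");
+      logger.error("Could not find the document related to this url");
       return null;
     }
@@ -605,4 +626,24 @@
 
   }
+
+  private class UserTimer extends Timer implements ActionListener
+  {
+    String id = "";
+
+    public UserTimer(int delay, String id)
+    {
+      super(delay, (ActionListener) null);
+      addActionListener(this);
+      this.id = id;
+    }
+
+    public void actionPerformed(ActionEvent e)
+    {
+      verifiedUserMap.remove(id);
+      stop();
+    }
+
+  }
+
 
 }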
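Review bot: The lazy `if (verifiedUserMap == null)` initialisation inside doFilter (new lines 263-266) runs on whichever request thread gets there first, and a filter instance is shared across concurrent requests, so two first-time verifiers can each create a fresh Hashtable and one verified entry is silently lost; initialise the map once at declaration or in init() instead, e.g. `protected final Map<String, Long> verifiedUserMap = new ConcurrentHashMap<>();` (needs a `java.util.concurrent.ConcurrentHashMap` import). The UserTimer class added in the last hunk also ties the servlet filter to javax.swing.Timer, whose callbacks are delivered on the AWT event-dispatch thread and which nothing stops from the filter's destroy(), so a redeploy can leave 24-hour timers and their map references behind; storing an expiry timestamp and checking it at lookup needs no timer at all, as sketched below. Keying on the session id means a verification can outlive the session it was granted in until the entry expires, which is presumably acceptable here but is worth stating in the field comment. doFilter itself starts and ends outside the hunks, and the `KATH` error-level log lines are acknowledged by the commit message as temporary.
```java
// field declaration, replacing Hashtable<String, UserTimer> and the UserTimer class
protected final Map<String, Long> verifiedUserMap = new ConcurrentHashMap<>();

// … unchanged: VERIFY_ATT check …
boolean already_verified = false;
Long expiry = verifiedUserMap.get(session_id);
if (expiry != null && expiry > System.currentTimeMillis()) {
  already_verified = true;
} else if (expiry != null) {
  verifiedUserMap.remove(session_id); // stale entry, drop it
}
// … unchanged: hmvf / recaptcha handling …
// store the fact that user has verified (replaces the UserTimer put/start)
verifiedUserMap.put(session_id, System.currentTimeMillis() + verifiedUserTimeout);
```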