Timestamp:
2019-06-24T14:13:12+12:00 (5 years ago)
Author:
kjdon
Message:

changed how we remember who has verified. Can't store it in the session as it just gets wiped by our session caching code - as hmvf never actually makes it through to LibraryServlet via a command line, it just gets wiped and never put back. Anyway it wasn't a good choice as anyone could just add hmvf=1 to the URL to bypass T&C. Now we store, in a hashtable, the session ids of those who have verified - each accompanied by a timer which will remove the entry after 24 hours. also, renamed _logger to logger to match all other classes as it's a pain to have to remember to type the _. Debug messages left in for now. TODO: remove these once tested.

File:
1 edited

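--- a/main/trunk/greenstone3/src/java/org/greenstone/gsdl3/core/URLFilter.java
+++ b/main/trunk/greenstone3/src/java/org/greenstone/gsdl3/core/URLFilter.java
@@ -6,4 +6,5 @@
 import java.util.Arrays;
 import java.util.HashMap;
+import java.util.Hashtable;
 import java.util.Map;
 
@@ -21,4 +22,8 @@
 import javax.servlet.http.HttpServletResponse;
 
+import java.awt.event.ActionEvent;
+import java.awt.event.ActionListener;
+import javax.swing.Timer;
+
 import org.apache.commons.io.FileUtils;
 import org.apache.commons.lang3.StringUtils;
@@ -38,5 +43,5 @@
 {
   private FilterConfig _filterConfig = null;
-  private static Logger _logger = Logger.getLogger(org.greenstone.gsdl3.core.URLFilter.class.getName());
+  private static Logger logger = Logger.getLogger(org.greenstone.gsdl3.core.URLFilter.class.getName());
 
   //Restricted URLs
@@ -72,4 +77,8 @@
   protected static final String SYSTEM_SUBACTION_DEACTIVATE = "deactivate";
 
+  // if we are showing terms and conditions to user, this remembers who has accepted already
+  protected Hashtable<String, UserTimer> verifiedUserMap = null;
+  protected static final int verifiedUserTimeout = 24 * 60 * 60 * 1000;
+
   public void init(FilterConfig filterConfig) throws ServletException
   {
@@ -87,5 +96,5 @@
     if (!(request instanceof HttpServletRequest)) {
       // Can this ever happen?
-      _logger.error("The request was not an HttpServletRequest");
+      logger.error("The request was not an HttpServletRequest");
       return;
     }
@@ -94,4 +103,5 @@
     HttpServletRequest hRequest = ((HttpServletRequest) request);
     HttpSession hSession = hRequest.getSession();
+    String session_id = hSession.getId();
     ServletContext context = hSession.getServletContext();
    
@@ -106,5 +116,5 @@
       return;
     }
-
+    logger.error("in do Filter: "+url);
 
     // Run security checks on files requested from a collection's index/assoc folder
@@ -125,9 +135,10 @@
                
     if (gsRouter == null) { 
-      _logger.error("Receptionist is null, stopping filter");
+      logger.error("Receptionist is null, stopping filter");
       return;
     }
     // Sometimes we have a // before the filename - that mucks up the following code, so lets remove them
     url = url.replaceAll("//","/");
+   
     String dir = null;
     int dirStart = url.indexOf(ASSOCIATED_FILE_PATH) + ASSOCIATED_FILE_PATH.length();
@@ -205,5 +216,5 @@
                    
     Element mr_response = (Element)gsRouter.process(securityMessage);
-    _logger.debug("security response = "+XMLConverter.getPrettyString(mr_response));
+    logger.debug("security response = "+XMLConverter.getPrettyString(mr_response));
 
     boolean verifiable_file = true;
@@ -242,41 +253,43 @@
           }
       }
-    // if got here have no groups.
+    // if got here have no groups that we need to belong to
     // do we have human verify thing?
     if (verifiable_file) {
       // we are asking for the main document - lets check human verify
-                     
+      logger.error("KATH verifiable file is true");
       if (!securityResponse.getAttribute(GSXML.VERIFY_ATT).equals("")) {
         // have we done the test previously?
-        HttpSession this_session =  ((HttpServletRequest) request).getSession();
-        if (this_session == null) {
-          _logger.error("KATH session is null");
+        boolean already_verified = false;
+        if (verifiedUserMap == null) {
+          // we haven't done this at all, set up the map
+          verifiedUserMap = new Hashtable<String, UserTimer>();
+          logger.error("KATH setting up new user map");
         } else {
-          _logger.error("KATH session id = "+this_session.getId());
+          // check this map
+          if (verifiedUserMap.containsKey(session_id)) {
+        already_verified = true;
+          }
         }
-        if (this_session.getAttribute(GSParams.VERIFIED) != null ) {
-          _logger.error("KATH have verified in the session");
-          // we don't need to re-verify
-        } else {
-          _logger.error("KATH verfied not in session");
-                         
+        logger.error("KATH already verified = "+already_verified);
+
+        if (!already_verified) {
           // have we just  done the test?
           String hmvf_response = gRequest.getParameter(GSParams.VERIFIED);
           // hmvf param will be set by form if the verify page was submitted
           if (hmvf_response != null && hmvf_response.equals("1")) {
+        logger.error("user has submitted the form, check recaptcha response");
         if (!securityResponse.getAttribute(GSXML.SITE_KEY_ATT).equals("")) {
           String recaptcha_response = gRequest.getParameter(Authentication.RECAPTCHA_RESPONSE_PARAM);
           String secret_key = securityResponse.getAttribute(GSXML.SECRET_KEY_ATT);
           int result = Authentication.verifyRecaptcha(secret_key, recaptcha_response);
-          _logger.debug("recaptcha result code = "+result);
+          logger.error("recaptcha result code = "+result);
           if (result == Authentication.NO_ERROR) {
-            _logger.debug("RECAPTCHA SUCCESS, hopefully going to the document");
-
-            this_session.setAttribute(GSParams.VERIFIED, "1");
+            logger.error("RECAPTCHA SUCCESS, hopefully going to the document");
+
+           
           } else {
-            _logger.error("something went wrong with recaptcha, error="+result);
-            _logger.error(Authentication.getErrorKey(result));
+            logger.error("something went wrong with recaptcha, error="+result);
+            logger.error(Authentication.getErrorKey(result));
             // display error page
-            //String new_url = context.getContextPath()+"/"+ context.getAttribute("LibraryName")+"?a=p&sa=error&c="+collection+"&ec=recap_fail";
             String new_url = context.getContextPath()+"/"+ library_name+"?a=p&sa=error&c="+collection+"&ec=recap_fail";             
             ((HttpServletResponse)response).sendRedirect(new_url);
@@ -284,4 +297,10 @@
             return;
           }
+
+          // store the fact that user has verified
+          UserTimer timer = new UserTimer(verifiedUserTimeout, session_id);
+          verifiedUserMap.put(session_id, timer);
+          timer.start();
+         
         }
                       
@@ -289,4 +308,5 @@
         // hmvf param is not set - we haven't shown them the form yet
         // we need to display the verify page
+        logger.error("KATH display verify page");
         //String new_url = context.getContextPath()+"/"+ context.getAttribute("LibraryName")+"?a=p&sa=verify&c="+collection+"&url="+url;
         String new_url = context.getContextPath()+"/"+ library_name+"?a=p&sa=verify&c="+collection+"&url="+url;             
@@ -295,6 +315,6 @@
           }
         }
-      }
-    }
+      } // end if we are asked to verify it
+    } // end if verifiable file
    
           
@@ -302,4 +322,5 @@
     // However, we need to remove the library_name from the URL. As can't change the
     // existing URL, we need to forward to the new one.
+    // (Can't do redirect as it will come back into this code and fail as there won't be library in the url)
     // Remove the context and library name parts.
     // don't know what happens with the rest of the filter chain? Does this bypass that??
@@ -592,5 +613,5 @@
     if (metadataList.getLength() == 0) {
      
-      _logger.error("Could not find the document related to this url");
+      logger.error("Could not find the document related to this url");
       return null;
     }
@@ -605,4 +626,24 @@
 
   }
+
+  private class UserTimer extends Timer implements ActionListener
+  {
+    String id = "";
+   
+    public UserTimer(int delay, String id)
+    {
+      super(delay, (ActionListener) null);
+      addActionListener(this);
+      this.id = id;
+    }
+   
+    public void actionPerformed(ActionEvent e)
+    {
+      verifiedUserMap.remove(id);
+      stop();
+    }
+   
+  }
+ 
 
 }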
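Review bot: The verified-user map is created lazily inside doFilter (`if (verifiedUserMap == null) { verifiedUserMap = new Hashtable<String, UserTimer>(); ... }`), but a servlet filter serves requests concurrently, so two first-time requests can each build a fresh map and the verification one of them stores is silently lost; create it once in `init()` (e.g. `verifiedUserMap = new ConcurrentHashMap<>();`, or keep the Hashtable) and drop the null branch. UserTimer extends javax.swing.Timer, whose action fires on the Swing event-dispatch thread, so the first verification starts AWT/Swing infrastructure threads inside the servlet container and nothing in `destroy()` stops the pending 24-hour timers on reload; a `java.util.concurrent.ScheduledExecutorService` created in `init()` and shut down in `destroy()` would do the same delayed `verifiedUserMap.remove(session_id)` without that. The `verifiedUserMap.put(session_id, timer)` block appears to sit inside the `if (!securityResponse.getAttribute(GSXML.SITE_KEY_ATT).equals(""))` branch, so when no site key is configured an `hmvf=1` request would fall through to the document without ever being recorded — worth confirming against the full file, since the indentation of this region is inconsistent. doFilter begins and ends outside the hunks shown.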