Changeset 38302 for main


Timestamp:
2023-10-11T17:55:40+13:00 (8 months ago)
Author:
anupama
Message:

Webswing authentication bypass when logged in, using JSessionID this time. But what should be in FROM attribute of response message from SystemAction? No response is coming from a service.

Location:
main/trunk
Files:
2 edited

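--- a/main/trunk/gli/src/org/greenstone/gatherer/Gatherer.java
+++ b/main/trunk/gli/src/org/greenstone/gatherer/Gatherer.java
@@ -2147,25 +2147,14 @@
         return username;
         }
-
-
-        public boolean authenticate(String library_url_string) {
+       
+        public String doRequest(String new_url, boolean forSession) {
         String result;
-        if(username == null) {
-        PasswordAuthentication pa = getPasswordAuthentication();
-        if (pa == null) {
-            // user cancelled
-            System.err.println("Authentication cancelled.");
-            displayError(Dictionary.get("WebswingAuthenticationError.Cancelled"));
-            return false;
-
-        }
-        username = pa.getUserName();
-       
-        String password = new String(pa.getPassword());
-
         try {
-            String new_url = library_url_string+"?a=s&sa=authenticated-ping&excerptid=gs_content&un="+username+"&pw="+password;
             URL authenticationURL = new URL(new_url);
-            HttpURLConnection conn = (HttpURLConnection)authenticationURL.openConnection();     
+            HttpURLConnection conn = (HttpURLConnection)authenticationURL.openConnection();
+            if(forSession) {
+            conn.setRequestProperty("Cookie", "JSESSIONID="+this.userJSessionID);
+            }
+           
             BufferedReader reader = new BufferedReader(new InputStreamReader(conn.getInputStream()));
             result = "";
@@ -2178,5 +2167,5 @@
             System.err.println("There was an exception "+e.getMessage());
             displayError("There was an exception "+e.getMessage());
-            return false;
+            return null;
         }
         // Parse out the content nested inside <div ... id="gs_content"> </div>
@@ -2191,9 +2180,43 @@
             System.err.println("Authentication Error: "+result);
             displayError(result.replaceAll("&apos;", "'"));
+            return null;
+        }
+
+        return result;
+        }
+
+       
+        public boolean authenticate(String library_url_string) {
+        String result = null;
+        boolean authenticated = false;
+        if(username != null) {
+            String new_url = library_url_string+"?a=s&sa=get-groups-from-session&excerptid=gs_content&un="+username;
+           
+            result = doRequest(new_url, true);
+            if(result != null) {
+            authenticated = true;
+            }
+           
+        }
+        if(!authenticated) {
+        PasswordAuthentication pa = getPasswordAuthentication();
+        if (pa == null) {
+            // user cancelled
+            System.err.println("Authentication cancelled.");
+            displayError(Dictionary.get("WebswingAuthenticationError.Cancelled"));
             return false;
-        }
-          } else {
-          result = rawgroups;
-          }
+
+        }
+        username = pa.getUserName();
+       
+        String password = new String(pa.getPassword());
+        String new_url = library_url_string+"?a=s&sa=authenticated-ping&excerptid=gs_content&un="+username+"&pw="+password;
+        result = doRequest(new_url, false);     
+       
+        if(result == null) {
+            return false;
+        }
+        }
+
         groups = new HashSet<String>();
         String[] contents = result.split(",");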
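Review bot: In `doRequest` (new lines 2155–2157) the session branch sends `"JSESSIONID="+this.userJSessionID` unconditionally, so a null `userJSessionID` produces a literal `JSESSIONID=null` cookie and a round trip that can only fail; guard it with `if(forSession && this.userJSessionID != null) {`. In `authenticate` (new lines 2196–2198) the session path sets `authenticated = true` whenever `doRequest` returns non-null, which only means the response survived the error check whose lines (new 2161–2179) fall outside this hunk; if that check does not recognise the `Authentication failed: …` status the `get-groups-from-session` subaction returns, that status string would reach `result.split(",")` and be parsed as a group list, so confirm it or test the prefix explicitly before setting `authenticated`. The fallback path still puts the password in a GET query string (`&pw=`, new line 2213), which tends to end up in access logs and proxy caches; that predates this commit, but the new `doRequest` is the natural place to move it into a POST body. Both `doRequest` and `authenticate` continue past the hunk.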
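--- a/main/trunk/greenstone3/src/java/org/greenstone/gsdl3/action/SystemAction.java
+++ b/main/trunk/greenstone3/src/java/org/greenstone/gsdl3/action/SystemAction.java
@@ -25,5 +25,6 @@
 
     String tempVal = "";
-
+    protected static final String SYSTEM_ACTION = "SystemAction";
+   
     /** process a request */
     public Node process(Node message_node)
@@ -52,6 +53,45 @@
         else if(subaction.equals("authenticated-ping")) {
             to = "RemoteAuthentication"; // not "Authentication/RemoteAuthentication": MessageRouter knows to map the RemoteAuthentication service to the Authentication module
+        } else if(subaction.equals("get-groups-from-session")) {
+            String msg = "";
+           
+            String suppliedUsername = (String) params.get(GSParams.UN);
+            if(!suppliedUsername.equals(userContext.getUsername())) {
+            msg = "Authentication failed: incorrect username for current session.";
+            } else {
+            String groups = userContext.getGroupsString();
+            String suppliedCollection = params.containsKey("col") ? suppliedCollection = (String) params.get("col") : "";
+           
+            if(suppliedCollection.equals("")) {
+                msg = groups;
+            } else {                   
+               
+                if(groups.indexOf("all-collections-editor") != -1) { // Does this user have access to all collections?
+                msg = groups;
+                } else if(groups.indexOf("personal-collections-editor") != -1 && suppliedCollection.startsWith(suppliedUsername+"-")) { // Does this user have access to personal collections, and is this one?
+                msg = groups;
+                } else if(groups.indexOf(suppliedCollection+"-collection-editor") != -1) { //  Does this user have access to this collection?
+                msg = groups;
+                }
+                else {
+                msg = "Authentication failed: user is not in the required group.";
+                //logger.error("*** Remote login failed. Groups did not match for the collection specified");
+                }
+            }
+            }
+
+            Element response = doc.createElement(GSXML.RESPONSE_ELEM);
+            response.setAttribute(GSXML.FROM_ATT, SYSTEM_ACTION);
+            response.setAttribute(GSXML.TYPE_ATT, GSXML.REQUEST_TYPE_PROCESS);     
+            Element s = GSXML.createTextElement(doc, GSXML.STATUS_ELEM, msg);
+            response.appendChild(s);
+           
+            addSiteMetadata(response, userContext);
+            addInterfaceOptions(response);
+           
+            result.appendChild(response);
+            return result; // done, no need to call a service
         }
-
+       
         Element mr_request_message = doc.createElement(GSXML.MESSAGE_ELEM);
         Element mr_request = GSXML.createBasicRequest(doc, GSXML.REQUEST_TYPE_SYSTEM, to, userContext);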
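Review bot: `suppliedUsername.equals(userContext.getUsername())` at new line 59 dereferences the `un` parameter without a null check, so a request that omits `un` dies with a NullPointerException instead of producing the "Authentication failed" status; `if(suppliedUsername == null || !suppliedUsername.equals(userContext.getUsername())) {` keeps the failure on the intended path (`java.util.Objects.equals` works as a one-liner too). The ternary at new line 63 assigns `suppliedCollection` inside its own initializer, which compiles but reads as a mistake; `String suppliedCollection = params.containsKey("col") ? (String) params.get("col") : "";` is equivalent. The three group tests at lines 69–73 use `indexOf` on the comma-separated group string, so a group whose name merely contains `all-collections-editor` or `<col>-collection-editor` also passes; splitting the string on `,` and comparing whole names is the safer membership test, and the same applies to the commented-out code this appears to be copied from. `process` begins before the hunk and continues past it.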