WebLogin.java | searchcode

/projects/compiere-330/base/src/org/compiere/util/WebLogin.java

https://gitlab.com/essere.lab.public/qualitas.class-corpus · Java · 712 lines · 480 code · 62 blank · 170 comment · 124 complexity · 6bbae67be1ff903021cc11baf7070e39 MD5 · raw file

/******************************************************************************
 * Product: Compiere ERP & CRM Smart Business Solution                        *
 * Copyright (C) 1999-2007 ComPiere, Inc. All Rights Reserved.                *
 * This program is free software, you can redistribute it and/or modify it    *
 * under the terms version 2 of the GNU General Public License as published   *
 * by the Free Software Foundation. This program is distributed in the hope   *
 * that it will be useful, but WITHOUT ANY WARRANTY, without even the implied *
 * warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.           *
 * See the GNU General Public License for more details.                       *
 * You should have received a copy of the GNU General Public License along    *
 * with this program, if not, write to the Free Software Foundation, Inc.,    *
 * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.                     *
 * For the text or an alternative of this public license, you may reach us    *
 * ComPiere, Inc., 3600 Bridge Parkway #102, Redwood City, CA 94065, USA      *
 * or via info@compiere.org or http://www.compiere.org/license.html           *
 *****************************************************************************/
package org.compiere.util;



import java.io.*;
import java.util.logging.*;

import javax.servlet.*;
import javax.servlet.http.*;

import org.compiere.model.*;




/**

 *	WebLogin provides a standard interface to login

 *	from Webapps like WStore or CM

 *

 *  @author Yves Sandfort, Jorg Janke

 *  @version $Id$

 */

public class WebLogin

{
	/**	Logger	*/
    private static CLogger log = CLogger.getCLogger(WebLogin.class);


	private final static String		COOKIE_NAME = "CompiereWebUser";



	/** Forward Parameter					*/

	private String		P_ForwardTo = "ForwardTo";

	/** SalesRep Parameter					*/

	private String		P_SalesRep_ID = "SalesRep_ID";

	/** EMail Parameter					*/

	private String		P_EMail = "EMail";

	/** Password Parameter					*/

	private String		P_Password = "Password";

	/** Mode/Action Parameter				*/

	private String		P_Action = "Mode";



	/** Login Page							*/

	private String		m_login_page = "/login.jsp";

    /** Update Page                         */

    private String		m_update_page = "/update.jsp";



    /** Message					*/

    private String      		m_message = null;

	/** Context					*/

	private Ctx		 			m_ctx;

	/** HttpServletRequest		*/

	private HttpServletRequest	m_request;

	/** HttpServletResponse		*/

	private HttpServletResponse	m_response;

	/** HttpSession				*/

	private HttpSession			m_session;

	/** adressConfirm			*/

	private boolean 			m_addressConfirm;

	/** forward					*/

	private String 				m_forward;

	/** SalesRep				*/

	private String 				m_salesRep;

	/** EMail					*/

	private String 				m_email;

	/** Password				*/

	private String 				m_password;

	/** WebUser					*/

	private WebUser 			m_wu;

	/** Mode					*/

	private String 				m_mode;



	/**

	 * 	WebLogin

	 *	@param t_request

	 *	@param t_response

	 *	@param t_ctx

	 */

	public WebLogin (HttpServletRequest t_request, HttpServletResponse t_response, Ctx t_ctx)

	{

		m_request = t_request;

		m_response = t_response;

		m_ctx = t_ctx;

		// We will check the Request to see whether Parameters are overwritten

		if (m_request.getParameter ("P_ForwardTo")!=null)

			setP_ForwardTo (m_request.getParameter("P_ForwardTo"));

		if (m_request.getParameter ("SalesRep_ID")!=null)

			setP_SalesRep_ID (m_request.getParameter ("SalesRep_ID"));

		if (m_request.getParameter ("P_EMail")!=null)

			setP_EMail (m_request.getParameter ("P_EMail"));

		if (m_request.getParameter ("P_Password")!=null)

			setP_Password (m_request.getParameter ("P_Password"));

		if (m_request.getParameter ("P_Action")!=null)

			setP_Action (m_request.getParameter ("P_Action"));

		if (m_request.getParameter ("LOGIN_RelURL")!=null)

			setLogin_RelURL (m_request.getParameter ("LOGIN_RelURL"));

		if (m_request.getParameter ("update_page")!=null)

			setLogin_RelURL (m_request.getParameter ("update_page"));

	}	//	WebLogin



	/**

	 * 	Init will initialize the WebLogin Object for further use

	 *	@return true if init was successfull

	 */

	public boolean init()

	{

		m_session = m_request.getSession(true);	//	create new

		m_forward = WebUtil.getParameter (m_request, P_ForwardTo);			//	get forward from request

		if (m_forward != null)

			m_session.setAttribute(P_ForwardTo, m_forward);

		else

			m_forward = "";

		m_salesRep = WebUtil.getParameter (m_request, P_SalesRep_ID);		//	get SalesRep from request

		if (m_salesRep != null)

			m_session.setAttribute(P_SalesRep_ID, m_salesRep);



		//	Get Base Info

		m_email = WebUtil.getParameter (m_request, P_EMail);

		if (m_email == null)

			m_email = "";

		m_email = m_email.trim();

		if (m_email != null)

			m_session.setAttribute (P_EMail, m_email);

		m_password = WebUtil.getParameter (m_request, P_Password);

		if (m_password == null)

			m_password = "";	//	null loads w/o check

		m_password = m_password.trim();

		if (m_session.getAttribute (WebInfo.NAME)!=null)

		{

			WebInfo wi = (WebInfo)m_session.getAttribute(WebInfo.NAME);

			m_wu = wi.getWebUser ();

		}

		return true;

	}	//	init



	/**

	 * 	Action run functions against the Login process.

	 *	@return true if successful

	 *	@throws IOException

	 *	@throws ServletException

	 */

	public boolean action() throws IOException, ServletException

	{

		//	Mode

		if (getMode() == null)

		{

			String mode = WebUtil.getParameter (m_request, P_Action);

			setMode(mode);
			if (mode == null || mode.equals("null"))
				return false;

		}

		boolean deleteCookie = "deleteCookie".equals(m_mode);

		if (deleteCookie)

		{

			log.fine("** deleteCookie");

			WebUtil.deleteCookieWebUser (m_request, m_response, COOKIE_NAME);

		}

		//

		boolean logout = "logout".equals(m_mode);

		if (logout || deleteCookie)

		{

			log.fine("** logout");

			if (m_session != null)

			{

				MSession cSession = MSession.get (m_ctx);

				if (cSession != null)

					cSession.logout();
				m_session.removeAttribute("AD_Session_ID");

				//

				m_wu = (WebUser)m_session.getAttribute(WebUser.NAME);

				if (m_wu != null)

					m_wu.logout();



	            m_session.removeAttribute(WebUser.NAME);

	            m_session.setMaxInactiveInterval(1);

				m_session.invalidate ();

			}

			//	Forward to unsecure /

			WebUtil.createForwardPage(m_response, "Logout", "http://" + m_request.getServerName() + "/", 2);

		}

		//	Send EMail				***	Send Password EMail Request

		else if ("SendEMail".equals(m_mode))

		{

			log.info("** send mail");

			m_wu = WebUser.get (m_ctx, m_email);			//	find it

			if (!m_wu.isEMailValid())

				m_wu.setPasswordMessage("EMail not found in system");

			else

			{

				m_wu.setPassword();		//	set password to current

				//

				String msg = WebUtil.sendEMail (m_request, m_wu,

					X_W_MailMsg.MAILMSGTYPE_UserPassword, new Object[]{

						m_request.getServerName(),

						m_wu.getName(),

						WebUtil.getFrom(m_request),

						m_wu.getPassword()});

				if (EMail.SENT_OK.equals(msg))

					m_wu.setPasswordMessage ("EMail sent");

				else

					m_wu.setPasswordMessage ("Problem sending EMail: " + msg);

			}

			m_forward = getLogin_RelURL ();

		}	//	SendEMail

		//	Login

		else if ("Login".equals(m_mode))

		{

			log.info("** login " + m_email + "/" + m_password);

			//	add Cookie

			WebUtil.addCookieWebUser(m_request, m_response, m_email, COOKIE_NAME);



			//	Always re-query

			m_wu = WebUser.get (m_ctx, m_email, m_password, false);

			m_wu.login(m_password);

			//	Password valid

			if (m_wu.isLoggedIn())

			{

				if (m_forward==null || m_forward.equals(getLogin_RelURL ()))

					m_forward = "/index.jsp";

				//	Create Session with User ID

				MSession session = MSession.get (m_ctx, X_AD_Session.SESSIONTYPE_WebStore, true,
					m_request.getRemoteAddr(),

					m_request.getRemoteHost(), m_session.getId());
				if (session != null)
					m_session.setAttribute("AD_Session_ID", session.getAD_Session_ID());

			}

			else

			{

				m_forward = getLogin_RelURL ();

				log.fine("- PasswordMessage=" + m_wu.getPasswordMessage());

			}

			// If no session exists or is not loaded, load or create it

			if (m_session==null)

				m_session = m_request.getSession (true);



			m_session.setAttribute (WebInfo.NAME, new WebInfo (m_ctx, m_wu));

		}	//	Login



		//	Login New

		else if ("LoginNew".equals(m_mode))

		{

			log.info("** loginNew");

			WebUtil.addCookieWebUser(m_request, m_response, "", COOKIE_NAME);

			m_wu =  WebUser.get (m_ctx, "");

			m_forward = getLogin_RelURL ();

		}



		//	Submit - update/new Contact

		else if ("Submit".equals(m_mode))

		{

			log.info("** submit " + m_email + "/" + m_password + " - AddrConf=" + m_addressConfirm);

			//	we have a record for address update

			if (m_wu != null && m_wu.isLoggedIn() && m_addressConfirm)	//	address update

				;

			else	//	Submit - always re-load user record

				m_wu = WebUser.get (m_ctx, m_email, null, false); //	load w/o password check direct

			//

			if (m_wu.getAD_User_ID() != 0)		//	existing BPC

			{

				String passwordNew = WebUtil.getParameter (m_request, "PasswordNew");

				if (passwordNew == null)

					passwordNew = "";

				boolean passwordChange = passwordNew.length() > 0 && !passwordNew.equals(m_password);

				if (m_addressConfirm || m_wu.login (m_password))

				{

					//	Create / set session

					if (m_wu.isLoggedIn())

					{

						MSession session = MSession.get (m_ctx, X_AD_Session.SESSIONTYPE_WebStore, true,
							m_request.getRemoteAddr(),

							m_request.getRemoteHost(), m_session.getId());

						if (session != null)
							m_session.setAttribute("AD_Session_ID", session.getAD_Session_ID());
					}

					//

					if (passwordChange)

						log.fine("- update Pwd " + m_email + ", Old=" + m_password + ", DB=" + m_wu.getPassword() + ", New=" + passwordNew);

					if (WebUtil.updateFields(m_request, m_wu, passwordChange))

					{

						if (passwordChange)

							m_session.setAttribute(WebSessionCtx.HDR_MESSAGE, "Password changed");

					}

					else

					{

						m_forward = getLogin_RelURL ();

						log.warning(" - update not done");

					}

				}

				else

				{

					m_forward = getLogin_RelURL ();

					m_session.setAttribute(WebSessionCtx.HDR_MESSAGE, "Email/Password not correct");

					log.warning(" - update not confirmed");

				}

			}

			else	//	new

			{

				log.fine("** new " + m_email + "/" + m_password);

				m_wu.setEmail (m_email);

				m_wu.setPassword (m_password);

				if (WebUtil.updateFields (m_request, m_wu, true))

				{

					if (m_wu.login(m_password))

					{

						m_session.setAttribute (WebInfo.NAME, new WebInfo (m_ctx, m_wu));

						//	Create / set session

						MSession session = MSession.get (m_ctx, X_AD_Session.SESSIONTYPE_WebStore, true,
							m_request.getRemoteAddr(),

							m_request.getRemoteHost(), m_session.getId());

						if (session != null)
							m_session.setAttribute("AD_Session_ID", session.getAD_Session_ID());
		    			WebUtil.resendCode(m_request, m_wu);

					}

					else

						m_forward = getLogin_RelURL ();

				}

				else

				{

					log.fine("- failed - " + m_wu.getSaveErrorMessage() + " - " + m_wu.getPasswordMessage());

					m_forward = getLogin_RelURL ();

				}

			}	//	new

			if (m_wu!=null)

				m_session.setAttribute (WebInfo.NAME, new WebInfo (m_ctx, m_wu));

		}	//	Submit



		else if("email".equals(m_mode))

        {

            String email = WebUtil.getParameter (m_request, "EMail");

            if (email == null)

                email = "";

            email = email.trim();



            String emailNew = WebUtil.getParameter (m_request, "EMailNew");

            if (emailNew == null)

                emailNew = "";



            email = email.trim();

            if(emailNew.length() == 0||emailNew.equals(email))

            {

                setMessage("New EMail invalid.");

                return false;

            }



            if(!WebUtil.isEmailValid(emailNew))

            {

                setMessage("New EMail invalid.");

                return false;

            }



            m_wu.setEmail(emailNew);

            m_wu.save();

            m_session.setAttribute(WebSessionCtx.HDR_MESSAGE, "EMail Address Changed");

            m_session.setAttribute(WebInfo.NAME, new WebInfo(m_ctx, m_wu));

        }



        else if("password".equals(m_mode))

        {

    		if (m_wu == null)

    		{

    			log.warning("No web user");

    			return false;

    		}



            String password = WebUtil.getParameter (m_request, "Password");

            if (password == null)

                password = "";	//	null loads w/o check

            password = password.trim();



            if(!m_wu.login(password))

            {

                setMessage("Email/Password not correct");

                return false;

            }



            MSession session = MSession.get (m_ctx, X_AD_Session.SESSIONTYPE_WebStore, true,
            	m_request.getRemoteAddr(), m_request.getRemoteHost(), m_session.getId());

			if (session != null)
				m_session.setAttribute("AD_Session_ID", session.getAD_Session_ID());


            String passwordNew = WebUtil.getParameter (m_request, "PasswordNew");

            if (passwordNew == null)

                passwordNew = "";



            password = password.trim();

            if( passwordNew.length() == 0 || passwordNew.equals(password))

            {

                setMessage("New Password invalid.");

                return false;

            }



            m_wu.setPasswordMessage(null);

            m_wu.setPassword(passwordNew);

            if(m_wu.getPasswordMessage() != null)

            {

                setMessage("New Password invalid.");

                return false;

            }

            m_wu.save();

			if (m_forward==null || m_forward.equals(getLogin_RelURL ()))

				m_forward = "/index.jsp";

            m_session.setAttribute(WebSessionCtx.HDR_MESSAGE, "Password Changed");

            m_session.setAttribute(WebInfo.NAME, new WebInfo(m_ctx, m_wu));

        }



        else if("address".equals(m_mode))

        {

            m_wu.setC_Country_ID(WebUtil.getParamOrNull(m_request, "C_Country_ID"));

            m_wu.setC_Region_ID(WebUtil.getParamOrNull(m_request, "C_Region_ID"));

            m_wu.setRegionName(WebUtil.getParamOrNull(m_request, "RegionName"));

            m_wu.setName(WebUtil.getParamOrNull(m_request, "Name"));

            m_wu.setCompany(WebUtil.getParamOrNull(m_request, "Company"));

            m_wu.setTitle(WebUtil.getParamOrNull(m_request, "Title"));

            m_wu.setAddress(WebUtil.getParamOrNull(m_request, "Address"));

            m_wu.setAddress2(WebUtil.getParamOrNull(m_request, "Address2"));

            m_wu.setCity(WebUtil.getParamOrNull(m_request, "City"));

            m_wu.setPostal(WebUtil.getParamOrNull(m_request, "Postal"));

            m_wu.setPhone(WebUtil.getParamOrNull(m_request, "Phone"));

            m_wu.setFax(WebUtil.getParamOrNull(m_request, "Fax"));

            m_wu.save();

            m_session.setAttribute(WebSessionCtx.HDR_MESSAGE, "Contact Information Changed");

            m_session.setAttribute(WebInfo.NAME, new WebInfo(m_ctx, m_wu));

        }



        else if ("EMailVerify".equals(m_mode))

        {

    		if (m_wu == null)

    		{

    			log.warning("No web user");

    			return false;

    		}



    		log.info(m_forward + " - " + m_wu.toString());



    		String cmd = WebUtil.getParameter(m_request, "ReSend");

    		if (cmd != null && cmd.length() > 1)

    			WebUtil.resendCode(m_request, m_wu);

    		else
    		{

    			boolean success = m_wu.setEMailVerifyCode(
    					WebUtil.getParameter(m_request, "VerifyCode"), m_request.getRemoteAddr());
    			if (success)
    	            m_session.setAttribute(WebSessionCtx.HDR_MESSAGE, "EMail verified");
    		}

        }



        else if ("bankaccountach".equals(m_mode))

        {

    		if (m_wu == null)

    		{

    			log.warning("No web user");

    			return false;

    		}



    		log.info(m_forward + " - " + m_wu.toString());



    		MBPBankAccount thisBPBankAccount = m_wu.getBankAccount (true);

    		// As this sets bankaccountach

    		thisBPBankAccount.setIsACH (true);

    		thisBPBankAccount.setA_City (WebUtil.getParamOrNull (m_request, "A_City"));

    		thisBPBankAccount.setA_Name (WebUtil.getParamOrNull (m_request, "A_Name"));

    		thisBPBankAccount.setAccountNo (WebUtil.getParamOrNull (m_request, "AccountNo"));

    		if (WebUtil.getParamOrNull (m_request, "RoutingNo")!=null)

    		{

    			MBank[] thisBank = MBank.getByRoutingNo (m_ctx, WebUtil.getParamOrNull (m_request, "RoutingNo"));

    			if (thisBank!=null && thisBank.length>0) {

    				thisBPBankAccount.setC_Bank_ID (thisBank[0].get_ID ());

    			} else {

    				// Create Bank

    				MBank newBank = new MBank(m_ctx, 0, null);

    				newBank.setName (WebUtil.getParamOrNull (m_request, "A_City"));

    				newBank.setRoutingNo (WebUtil.getParamOrNull (m_request, "RoutingNo"));

    				newBank.save ();

    				thisBPBankAccount.setC_Bank_ID (newBank.get_ID ());

    			}

        		thisBPBankAccount.setRoutingNo (WebUtil.getParamOrNull (m_request, "RoutingNo"));

    		}

    		thisBPBankAccount.save ();

        }

		else

			log.log(Level.WARNING, "Unknown request='" + m_mode + "'");



		return true;

	}	//	action



	/**

	 * setMessage to set a Message

	 * @param newVal

	 */

	public void setMessage(String newVal)

	{

		if (newVal!=null)

			m_message = newVal;

	}



	/**

	 * getMessage back

	 * @return Message

	 */

	public String getMessage()

	{

		return m_message;

	}



	/**

	 * 	setP_ForwardTo to overwrite default "ForwardTo" Parameter

	 *	@param newVal new value to look for

	 */

	public void setP_ForwardTo(String newVal)

	{

		if (newVal!=null)

			P_ForwardTo = newVal;

	}



	/**

	 * 	getP_ForwardTo

	 *	@return ForwardTo request parameter

	 */

	public String getP_ForwardTo()

	{

		return P_ForwardTo;

	}



	/**

	 * 	setP_EMail to overwrite default "EMail" Parameter

	 *	@param newVal new value to look for

	 */

	public void setP_EMail(String newVal)

	{

		if (newVal!=null)

			P_EMail = newVal;

	}



	/**

	 * 	getP_EMail

	 *	@return EMail request parameter

	 */

	public String getP_EMail()

	{

		return P_EMail;

	}



	/**

	 * 	setP_Password to overwrite default "Password" Parameter

	 *	@param newVal new value to look for

	 */

	public void setP_Password(String newVal)

	{

		if (newVal!=null)

			P_Password = newVal;

	}



	/**

	 * 	getP_Password

	 *	@return Password request parameter

	 */

	public String getP_Password()

	{

		return P_Password;

	}



	/**

	 * 	setP_SalesRep_ID to overwrite default "SalesRep_ID" Parameter

	 *	@param newVal new value to look for

	 */

	public void setP_SalesRep_ID(String newVal)

	{

		if (newVal!=null)

			P_SalesRep_ID = newVal;

	}



	/**

	 * 	getP_SalesRep_ID

	 *	@return SalesRep_ID request parameter

	 */

	public String getP_SalesRep_ID()

	{

		return P_SalesRep_ID;

	}



	/**

	 * 	setP_Action to overwrite default "Action/Mode" Parameter

	 *	@param newVal new value to look for

	 */

	public void setP_Action(String newVal)

	{

		if (newVal!=null)

			P_Action = newVal;

	}



	/**

	 * 	getP_SalesRep_ID

	 *	@return SalesRep_ID request parameter

	 */

	public String getP_Action()

	{

		return P_Action;

	}



	/**

	 * 	setLogin_RelURL to overwrite default Login Relative URL

	 *	@param newVal new relative URL inside Domain to goto

	 */

	public void setLogin_RelURL(String newVal)

	{

		if (newVal!=null)

			m_login_page = newVal;

	}



	/**

	 * 	getLogin_RelURL

	 *	@return Login_RelURL request parameter

	 */

	public String getLogin_RelURL()

	{

		return m_login_page;

	}



	/**

	 * 	setLogin_RelURL to overwrite default Login Relative URL

	 *	@param newVal new relative URL inside Domain to goto

	 */

	public void setUpdate_page(String newVal)

	{

		if (newVal!=null)

			m_update_page = newVal;

	}



	/**

	 * 	getLogin_RelURL

	 *	@return Login_RelURL request parameter

	 */

	public String getUpdate_page()

	{

		return m_update_page;

	}



	/**

	 * 	setForward updates Forward URL

	 *	@param newVal

	 */

	public void setForward(String newVal)

	{

		if (newVal!=null)

			m_forward = newVal;

	}



	/**

	 * 	getForward

	 *	@return URL to forward request on to

	 */

	public String getForward()

	{

		return m_forward;

	}



	/**

	 * 	getSalesRep_ID

	 *	@return SalesRep_ID of the SalesRep_ID in the Request

	 */

	public String getSalesRep_ID()

	{

		return m_salesRep;

	}



	/**

	 * 	setAddressConfirm

	 *	@param newVal new addressConfirm

	 */

	public void setAddressConfirm(boolean newVal)

	{

			m_addressConfirm = newVal;

	}



	/**

	 * 	getAdressConfirm

	 *	@return boolean addressConfirm

	 */

	public boolean getAddressConfirm()

	{

		return m_addressConfirm;

	}



	public WebUser getWebUser()

	{

		return m_wu;

	}


	/**
	 * 	Set Mode
	 *	@param t_mode mode
	 */

	public void setMode(String t_mode)

	{

		m_mode = t_mode;

	}



	public String getMode()

	{

		return m_mode;

	}

}	//	WebLogin
Tech Fingerprint

Alerts (9)

'import' Maintainability Info: Wildcard imports (e.g., `import java.util.*;`) can obscure the origin of classes and lead to namespace collisions. Prefer importing specific classes explicitly.
19 20 22 23 25
'HttpServletRequest' Security Warning: Ensure input size from HttpServletRequest is limited (e.g., via server config like maxPostSize, framework limits like Spring's @Size, or filter/interceptor) to prevent Denial of Service through large requests.
63 89
'password = "' Security Critical: Storing passwords or sensitive secrets directly in String objects is insecure. Strings are immutable and pooled, making them hard to clear from memory reliably. Use `char[]` instead and explicitly clear it after use.
136
Complexity hotspot; line 263 (total complexity: 4)
263