/** * Copyright 2010 John Schutz <john@lisedex.com> * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. **/ package com.lisedex.volinfoman.server.authenticate; import java.io.IOException; import java.io.PrintWriter; import java.util.logging.Logger; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; import com.google.inject.Inject; import com.lisedex.volinfoman.server.Dao; import com.lisedex.volinfoman.server.SessionHandler; import com.lisedex.volinfoman.shared.StringSafety; import com.lisedex.volinfoman.shared.User; /** * Authenticate user, matching username and password, and user * status as being confirmed. 
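Generates a session, and passes it back
 * to the client to be used as a cookie.
 *
 * <p>Security-relevant behaviour of this servlet:
 * <ul>
 *   <li>Both credentials must be present and pass
 *       {@link StringSafety#isSafe(String)} before the store is consulted.</li>
 *   <li>On a successful login the pre-authentication session (if any) is
 *       invalidated and a fresh one is created before it is marked
 *       authenticated, so a session id that an attacker fixed before login
 *       is never promoted to an authenticated session.</li>
 *   <li>The password is never logged; only the username and remote address
 *       of failed attempts are, to support brute-force detection.</li>
 * </ul>
 *
 * @author John Schutz <john@lisedex.com>
 */
@SuppressWarnings("serial")
public class Login extends HttpServlet {

    /** Title used on every HTML message page this servlet emits. */
    private static final String PAGE_TITLE = "VolunteerIM login";

    /** Where a confirmed, authenticated user is sent after login. */
    private static final String LANDING_PAGE = "/Volinfoman.html";

    @Inject
    Dao dao;

    private static final Logger log = Logger.getLogger(Login.class.getName());

    /**
     * Handles the login form submission.
     *
     * <p>Reads the {@code username} and {@code password} request parameters.
     * If either is missing or fails {@link StringSafety#isSafe(String)}, or if
     * {@link Dao#checkUserPassword} rejects the pair, a short HTML message is
     * written and no session state changes. If the credentials match but the
     * user's status is not {@link User#STATUS_CONFIRMED}, the user is told to
     * confirm their account and, again, no session state changes. Only a
     * confirmed user gets a (new) session marked authenticated via
     * {@link SessionHandler#setAuthenticated} and a redirect to
     * {@code /Volinfoman.html}.
     *
     * @param req  the login request
     * @param resp the response; receives either a redirect or an HTML message
     * @throws IOException if the response writer cannot be obtained or written
     */
    @Override
    public void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Content type and encoding must be set BEFORE getWriter(): the servlet
        // API ignores setCharacterEncoding() once the writer exists, which
        // previously left the message pages in the container default charset.
        resp.setContentType("text/html");
        resp.setCharacterEncoding("utf-8");
        // A login response carries credential-related state; keep it out of
        // browser and proxy caches.
        resp.setHeader("Cache-Control", "no-store");
        PrintWriter output = resp.getWriter();

        String username = req.getParameter("username");
        String password = req.getParameter("password");

        if (username == null || password == null) {
            writeMessage(output, "Please fill out both username and password fields.");
            return;
        }
        if (!StringSafety.isSafe(username)) {
            writeMessage(output, "Username invalid, please go back and try again.");
            return;
        }
        if (!StringSafety.isSafe(password)) {
            writeMessage(output, "Password invalid, please go back and try again.");
            return;
        }

        if (!dao.checkUserPassword(username, password)) {
            // Never log the password. The username has passed StringSafety.isSafe;
            // NOTE(review): confirm that check rejects CR/LF before relying on
            // this line for log integrity.
            log.info("Login failed for username '" + username + "' from " + req.getRemoteAddr());
            writeMessage(output, "Username and password do not match. Please try again.");
            return;
        }

        User user = dao.getUser(username);
        if (user == null) {
            // The password matched but no user record came back: inconsistent
            // store. Fail closed rather than NPE; the original assumed non-null.
            log.warning("checkUserPassword succeeded but getUser returned null for '" + username + "'");
            writeMessage(output, "Username and password do not match. Please try again.");
            return;
        }

        // NOTE(review): status is compared with == as in the original; if
        // User.getStatus() ever returns a String or boxed type this must
        // become equals().
        if (user.getStatus() != User.STATUS_CONFIRMED) {
            writeMessage(output, "Sorry, your account has not yet been confirmed. Please check the email account you used during sign up for a link you must visit to confirm your account. Thank you!");
            return;
        }

        // Session fixation defence: discard any session that existed before
        // authentication and issue a fresh id before marking it authenticated.
        HttpSession preLogin = req.getSession(false);
        if (preLogin != null) {
            preLogin.invalidate();
        }
        HttpSession session = req.getSession(true);
        SessionHandler.setAuthenticated(session, true);
        log.fine("Login succeeded for username '" + username + "'");
        resp.sendRedirect(resp.encodeRedirectURL(LANDING_PAGE));
    }

    /**
     * Writes the minimal HTML message page this servlet uses for every
     * non-redirect outcome.
     *
     * <p>{@code body} is always one of the constant strings in this class,
     * never user input, so no HTML escaping is performed here. Do not pass
     * request-derived text to this method.
     *
     * @param output the response writer
     * @param body   constant, already-safe HTML body text
     */
    private static void writeMessage(PrintWriter output, String body) {
        output.println("<head><title>" + PAGE_TITLE + "</title></head>");
        output.println("<body>" + body + "</body>");
    }
}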