/** * Copyright 2014 55 Minutes (http://www.55minutes.com) * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package fiftyfive.wicket.shiro.markup; import org.apache.shiro.SecurityUtils; import org.apache.shiro.authc.AuthenticationException; import org.apache.shiro.authc.UsernamePasswordToken; import org.apache.shiro.subject.Subject; import org.apache.wicket.Component; import org.apache.wicket.markup.html.form.StatelessForm; import org.slf4j.Logger; import org.slf4j.LoggerFactory; /** * A form that authenticates the user via Shiro when an email and password are submitted. * Also supports "remember me". Subclasses are expected to provide the actual markup and Wicket * components for the email and password fields. Refer to {@link LoginForm} for a reference * implementation. * * @see #getEmailField * @see #getPasswordField * @see #remember * @since 3.0 */ public abstract class AbstractLoginForm extends StatelessForm<Void> { private static final Logger LOGGER = LoggerFactory.getLogger(LoginForm.class); public AbstractLoginForm(String id) { super(id); } /** * Returns the email form field component. It is the responsibility of the subclass to * construct this component, give it a String model, and insert it into the component * hierarchy according to the desired markup. When the form is submitted the model of * this email field component will be used as the email address for authentication. */ protected abstract Component getEmailField(); /** * Returns the password form field component. It is the responsibility of the subclass to * construct this component, give it a String model, and insert it into the component * hierarchy according to the desired markup. When the form is submitted the model of * this password field component will be used as the password for authentication. */ protected abstract Component getPasswordField(); /** * Delegate to {@link #loginShiro loginShiro()} to peform the authentication; if it * succeeds, redirect to the user's original intended destination or to the * application home page. */ @Override protected void onSubmit() { String email = getEmailField().getDefaultModelObjectAsString(); String password = getPasswordField().getDefaultModelObjectAsString(); // Convert email to lowercase just in case the backend authentication system // is case sensitive and the user accidentally typed in uppercase. if(email != null) { email = email.toLowerCase(); } if(loginShiro(email, password, remember())) { if(!continueToOriginalDestination()) { setResponsePage(getApplication().getHomePage()); } } } /** * Peform the actual authentication using Shiro's {@link Subject#login login()}. * <p> * <b>Important:</b> this method is written to ensure that the user's session * is replaced with a new session before authentication is performed. This is to * prevent a <a href="https://www.owasp.org/index.php/Session_Fixation">session fixation</a> * attack. As a side effect, any existing session data will therefore be lost. * * @return {@code true} if authentication succeeded */ protected boolean loginShiro(String email, String password, boolean remember) { Subject currentUser = SecurityUtils.getSubject(); // Force a new session to prevent fixation attack. // We have to invalidate via both Shiro and Wicket; otherwise it doesn't work. currentUser.getSession().stop(); // Shiro getSession().replaceSession(); // Wicket UsernamePasswordToken token; token = new UsernamePasswordToken(email, password, remember); try { currentUser.login(token); return true; } catch (AuthenticationException ae) { onAuthenticationException(ae); } return false; } /** * Handle any exceptions that are thrown upon login failure by setting an appropriate * feedback message. The default implemention adds an error feedback message with the key * {@code loginFailed} to the email field. */ protected void onAuthenticationException(AuthenticationException ae) { LOGGER.debug("Shiro Subject.login() failed", ae); getEmailField().error(getString("loginFailed", null, "Invalid email and/or password.")); } /** * Override this method to return {@code true} if you want to enable * Shiro's "remember me" feature. By default this returns {@code false}. */ protected boolean remember() { return false; } }