AbstractLoginForm.java

/**
 * Copyright 2014 55 Minutes (http://www.55minutes.com)
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *    http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package fiftyfive.wicket.shiro.markup;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.apache.wicket.Component;
import org.apache.wicket.markup.html.form.StatelessForm;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * A form that authenticates the user via Shiro when an email and password are submitted.
 * Also supports "remember me". Subclasses are expected to provide the actual markup and Wicket
 * components for the email and password fields. Refer to {@link LoginForm} for a reference
 * implementation.
 *
 * @see #getEmailField
 * @see #getPasswordField
 * @see #remember
 * @since 3.0
 */
public abstract class AbstractLoginForm extends StatelessForm<Void>
{
    private static final Logger LOGGER = LoggerFactory.getLogger(LoginForm.class);
    
    public AbstractLoginForm(String id)
    {
        super(id);
    }

    /**
     * Returns the email form field component. It is the responsibility of the subclass to
     * construct this component, give it a String model, and insert it into the component
     * hierarchy according to the desired markup. When the form is submitted the model of
     * this email field component will be used as the email address for authentication.
     */
    protected abstract Component getEmailField();

    /**
     * Returns the password form field component. It is the responsibility of the subclass to
     * construct this component, give it a String model, and insert it into the component
     * hierarchy according to the desired markup. When the form is submitted the model of
     * this password field component will be used as the password for authentication.
     */
    protected abstract Component getPasswordField();
    
    /**
     * Delegate to {@link #loginShiro loginShiro()} to peform the authentication; if it
     * succeeds, redirect to the user's original intended destination or to the
     * application home page.
     */
    @Override
    protected void onSubmit()
    {
        String email = getEmailField().getDefaultModelObjectAsString();
        String password = getPasswordField().getDefaultModelObjectAsString();
        
        // Convert email to lowercase just in case the backend authentication system
        // is case sensitive and the user accidentally typed in uppercase.
        if(email != null)
        {
            email = email.toLowerCase();
        }

        if(loginShiro(email, password, remember()))
        {
            if(!continueToOriginalDestination())
            {
                setResponsePage(getApplication().getHomePage());
            }
        }
    }
    
    /**
     * Peform the actual authentication using Shiro's {@link Subject#login login()}.
     * <p>
     * <b>Important:</b> this method is written to ensure that the user's session
     * is replaced with a new session before authentication is performed. This is to
     * prevent a <a href="https://www.owasp.org/index.php/Session_Fixation">session fixation</a>
     * attack. As a side effect, any existing session data will therefore be lost.
     * 
     * @return {@code true} if authentication succeeded
     */
    protected boolean loginShiro(String email, String password, boolean remember)
    {
        Subject currentUser = SecurityUtils.getSubject();

        // Force a new session to prevent fixation attack.
        // We have to invalidate via both Shiro and Wicket; otherwise it doesn't work.
        currentUser.getSession().stop(); // Shiro
        getSession().replaceSession();   // Wicket
        
        UsernamePasswordToken token;
        token = new UsernamePasswordToken(email, password, remember);
        try
        {
            currentUser.login(token);
            return true;
        }
        catch (AuthenticationException ae)
        {
            onAuthenticationException(ae);
        }
        return false;
    }
    
    /**
     * Handle any exceptions that are thrown upon login failure by setting an appropriate
     * feedback message. The default implemention adds an error feedback message with the key
     * {@code loginFailed} to the email field.
     */
    protected void onAuthenticationException(AuthenticationException ae)
    {
        LOGGER.debug("Shiro Subject.login() failed", ae);
        getEmailField().error(getString("loginFailed", null, "Invalid email and/or password."));
    }
    
    /**
     * Override this method to return {@code true} if you want to enable
     * Shiro's "remember me" feature. By default this returns {@code false}.
     */
    protected boolean remember()
    {
        return false;
    }
}