/* (c) 2014 Open Source Geospatial Foundation - all rights reserved
 * (c) 2001 - 2013 OpenPlans
 * This code is licensed under the GPL 2.0 license, available at the root
 * application directory.
 */
package org.geoserver.security.web.passwd;

import java.io.IOException;
import org.apache.wicket.WicketRuntimeException;
import org.apache.wicket.ajax.AjaxRequestTarget;
import org.apache.wicket.ajax.markup.html.AjaxLink;
import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.markup.html.form.Form;
import org.apache.wicket.markup.html.form.PasswordTextField;
import org.apache.wicket.markup.html.form.SubmitLink;
import org.apache.wicket.model.CompoundPropertyModel;
import org.apache.wicket.model.Model;
import org.geoserver.security.password.MasterPasswordConfig;
import org.geoserver.security.password.MasterPasswordProviderConfig;
import org.geoserver.security.web.AbstractSecurityPage;

/**
 * Security page with a form for changing the master password.
 *
 * <p>The form is bound to a {@link MasterPasswordConfig} and collects the current password, the
 * new password and its confirmation. On submit the three values are converted to {@code char[]}
 * and handed to the security manager together with the configuration.
 *
 * <p>Notes for reviewers:
 *
 * <ul>
 *   <li>Wicket delivers the submitted passwords as {@link String}s, so immutable copies of the
 *       secrets live on the heap until garbage collected (see the TODO in the constructor).
 *   <li>The {@code char[]} copies created in {@code onSubmit} are never cleared by this page.
 *       Whether {@code saveMasterPasswordConfig} clears or retains them is not visible from this
 *       file; confirm before adding any wiping here.
 *   <li>Failures are reported with {@code error(e)}, i.e. the exception object itself becomes the
 *       feedback message. NOTE(review): confirm that exceptions raised while saving never carry
 *       password material in their message.
 * </ul>
 */
public class MasterPasswordChangePage extends AbstractSecurityPage {

    /**
     * Builds the form: provider name label, three password fields, and the save / cancel links.
     *
     * @throws WicketRuntimeException if the master password provider configuration cannot be
     *     loaded
     */
    public MasterPasswordChangePage() {
        MasterPasswordConfigModel masterPwModel = new MasterPasswordConfigModel();
        Form changeForm = new Form("form", new CompoundPropertyModel(masterPwModel));
        add(changeForm);

        changeForm.add(new Label("providerName"));

        MasterPasswordConfig currentConfig = masterPwModel.getObject();

        // The provider configuration decides below whether a new password may be entered at all.
        final MasterPasswordProviderConfig provider;
        try {
            provider =
                    getSecurityManager()
                            .loadMasterPassswordProviderConfig(currentConfig.getProviderName());
        } catch (IOException e) {
            throw new WicketRuntimeException(e);
        }

        // TODO: this will cause the master password to be stored as a string in plain text,
        // without the ability to scramble it... not much we can do because wicket works with
        // strings... potentially look into a way to store as char or byte array so the string
        // never gets created
        changeForm.add(new PasswordTextField("currentPassword", new Model()));

        // A read-only provider cannot accept a new password, so that field is disabled for it.
        boolean newPasswordEditable = !provider.isReadOnly();
        changeForm.add(
                new PasswordTextField("newPassword", new Model()).setEnabled(newPasswordEditable));

        changeForm.add(new PasswordTextField("newPasswordConfirm", new Model()));

        changeForm.add(
                new SubmitLink("save", changeForm) {
                    @Override
                    public void onSubmit() {
                        Form submitted = getForm();

                        // Read the raw model objects on purpose. getDefaultModelObjectAsString()
                        // cannot be used because of special characters: it would turn the
                        // password "mcrmcr&1" into "mcrmcr&amp;1", so the value passed on would
                        // no longer be what the user typed.
                        String currPasswd = submittedValue(submitted, "currentPassword");
                        String newPasswd = submittedValue(submitted, "newPassword");
                        String newPasswdConfirm = submittedValue(submitted, "newPasswordConfirm");

                        MasterPasswordConfig mpConfig =
                                (MasterPasswordConfig) submitted.getModelObject();

                        // Only the new password is null-checked; presumably it is the one value
                        // that can be absent because its field may be disabled (see constructor).
                        char[] newPasswdChars;
                        if (newPasswd == null) {
                            newPasswdChars = null;
                        } else {
                            newPasswdChars = newPasswd.toCharArray();
                        }

                        // NOTE(review): currPasswd and newPasswdConfirm are dereferenced without
                        // a null check. This presumably relies on PasswordTextField being a
                        // required field, so the form never submits without them; confirm. A
                        // null here surfaces as an exception reported through error(e) below.
                        try {
                            getSecurityManager()
                                    .saveMasterPasswordConfig(
                                            mpConfig,
                                            currPasswd.toCharArray(),
                                            newPasswdChars,
                                            newPasswdConfirm.toCharArray());
                            doReturn();
                        } catch (Exception e) {
                            // Any failure, validation or otherwise, ends up as a feedback message.
                            error(e);
                        }
                    }
                });

        changeForm.add(
                new AjaxLink("cancel") {
                    @Override
                    public void onClick(AjaxRequestTarget target) {
                        // Leave the page without touching the configuration.
                        doReturn();
                    }
                });
    }

    /**
     * Returns the unescaped model object of the named form component as a string.
     *
     * @param form the submitted form
     * @param fieldId the Wicket id of the password field to read
     * @return the submitted value, or {@code null} when the component's model holds no value
     */
    private static String submittedValue(Form form, String fieldId) {
        return (String) form.get(fieldId).getDefaultModelObject();
    }
}