diff --git a/gerrit-gwtui/src/main/java/com/google/gerrit/client/Gerrit.java b/gerrit-gwtui/src/main/java/com/google/gerrit/client/Gerrit.java
index b17b6969f8..b421e486c3 100644
--- a/gerrit-gwtui/src/main/java/com/google/gerrit/client/Gerrit.java
+++ b/gerrit-gwtui/src/main/java/com/google/gerrit/client/Gerrit.java
@@ -207,6 +207,7 @@ public class Gerrit implements EntryPoint {
 switch (myConfig.getAuthType()) {
 case HTTP:
 case HTTP_LDAP:
+ case CLIENT_SSL_CERT_LDAP:
 Location.assign(Location.getPath() + "login/" + token);
 break;
diff --git a/gerrit-httpd/src/main/java/com/google/gerrit/httpd/auth/container/HttpsClientSslCertLoginServlet.java b/gerrit-httpd/src/main/java/com/google/gerrit/httpd/auth/container/HttpsClientSslCertLoginServlet.java
new file mode 100644
index 0000000000..61254051c2
--- /dev/null
+++ b/gerrit-httpd/src/main/java/com/google/gerrit/httpd/auth/container/HttpsClientSslCertLoginServlet.java
@@ -0,0 +1,78 @@
+//Copyright (C) 2011 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.google.gerrit.httpd.auth.container;
+
+import com.google.gerrit.common.PageLinks;
+import com.google.gerrit.httpd.WebSession;
+import com.google.gerrit.server.config.CanonicalWebUrl;
+import com.google.inject.Inject;
+import com.google.inject.Provider;
+import com.google.inject.Singleton;
+
+import java.io.IOException;
+
+import javax.annotation.Nullable;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+/**
+ * Servlet bound to {@code /login/*} to redirect after client SSL certificate
+ * login.
+ *

+ * When using client SSL certificate one should normally never see the sign in
+ * dialog. However, this will happen if users session gets invalidated in some
+ * way. Like in other authentication types, we need to force page to fully
+ * reload in order to initialize a new session and create a valid xsrfKey.
+ */
+@Singleton
+public class HttpsClientSslCertLoginServlet extends HttpServlet {
+ private static final long serialVersionUID = 1L;
+
+ private final Provider webSession;
+ private final Provider urlProvider;
+
+ @Inject
+ public HttpsClientSslCertLoginServlet(final Provider webSession,
+ @CanonicalWebUrl @Nullable final Provider urlProvider) {
+ this.webSession = webSession;
+ this.urlProvider = urlProvider;
+ }
+
+ @Override
+ protected void doGet(final HttpServletRequest req,
+ final HttpServletResponse rsp) throws IOException {
+ final StringBuilder rdr = new StringBuilder();
+ rdr.append(urlProvider.get());
+ rdr.append('#');
+ rdr.append(getToken(req));
+
+ rsp.setHeader("Expires", "Fri, 01 Jan 1980 00:00:00 GMT");
+ rsp.setHeader("Pragma", "no-cache");
+ rsp.setHeader("Cache-Control", "no-cache, must-revalidate");
+ rsp.sendRedirect(rdr.toString());
+ }
+
+ private String getToken(final HttpServletRequest req) {
+ String token = req.getPathInfo();
+ if (token != null && token.startsWith("/")) {
+ token = token.substring(1);
+ }
+ if (token == null || token.isEmpty()) {
+ token = PageLinks.MINE;
+ }
+ return token;
+ }
+}
diff --git a/gerrit-httpd/src/main/java/com/google/gerrit/httpd/auth/container/HttpsClientSslCertModule.java b/gerrit-httpd/src/main/java/com/google/gerrit/httpd/auth/container/HttpsClientSslCertModule.java
index f0976f3ed5..7d32ac8ca7 100644
--- a/gerrit-httpd/src/main/java/com/google/gerrit/httpd/auth/container/HttpsClientSslCertModule.java
+++ b/gerrit-httpd/src/main/java/com/google/gerrit/httpd/auth/container/HttpsClientSslCertModule.java
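Review bot: `webSession` is injected and stored in the constructor but never read anywhere in `HttpsClientSslCertLoginServlet`, so the field, its constructor parameter and the `WebSession` import are dead weight; either drop them or, if the intent is to tear down the stale session the Javadoc describes, actually use the provider in `doGet`. Separately, `urlProvider` is annotated `@Nullable` yet `rdr.append(urlProvider.get())` has no null guard, and `StringBuilder.append` turns a null argument into the literal text `null`, so a missing canonical URL would yield a redirect to `null#` followed by the token instead of a clear failure; a guard such as `final String url = urlProvider.get(); if (url == null) { rsp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); return; }` before building the target would surface that misconfiguration. It would also help to state in the class Javadoc that the path segment after `/login/` is only ever placed after the `#` of the canonical URL, so it selects a client-side screen and cannot alter the redirect host.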
@@ -21,5 +21,6 @@ public class HttpsClientSslCertModule extends ServletModule {
 @Override
 protected void configureServlets() {
 filter("/").through(HttpsClientSslCertAuthFilter.class);
+ serve("/login/*").with(HttpsClientSslCertLoginServlet.class);
 }
 }
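Review bot: The new `/login/*` mapping sits under a `filter("/")` registration that, if Guice treats a pattern without a trailing `*` as an exact match, does not cover `/login/*` at all, so `HttpsClientSslCertLoginServlet` runs without the client-certificate filter and only the redirect it issues to the root page passes through `HttpsClientSslCertAuthFilter`. That appears to be the intended design, but nothing in the module says so; a comment on the new line such as `// Not behind the cert filter: the servlet only bounces to the root page, where HttpsClientSslCertAuthFilter authenticates the client certificate.` would stop a later reader from assuming the login path is itself authenticated.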