diff --git a/build.gradle b/build.gradle
index f249716621b2f3b054668ef2ab5547ff86caac54..bc56306ddd203e46215ffa78aa4282df7b61bf81 100644
--- a/build.gradle
+++ b/build.gradle
@@ -390,7 +390,7 @@ dependencies {
compile "net.sourceforge.saxon:saxon:${vSaxon}"
compile "xalan:xalan:2.7.2"
- compile "nl.bitwalker:UserAgentUtils:1.2.4"
+ compile "eu.bitwalker:UserAgentUtils:1.20"
compile "com.twmacinta:fast-md5:2.7.1"
compile "com.h2database:h2:1.4.191"
compile "com.lowagie:itext:4.2.1"
diff --git a/src/main/java/org/nrg/xnat/restlet/guard/XnatSecureGuard.java b/src/main/java/org/nrg/xnat/restlet/guard/XnatSecureGuard.java
index ea38961e584bb21f4d09d90e623e87ceac47b279..ebbcdb058197cf1b11397530c8c5d4b86d1a0ec8 100644
--- a/src/main/java/org/nrg/xnat/restlet/guard/XnatSecureGuard.java
+++ b/src/main/java/org/nrg/xnat/restlet/guard/XnatSecureGuard.java
@@ -30,8 +30,6 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpSession;
-import java.util.UUID;
public class XnatSecureGuard extends Filter {
private static final Logger logger = LoggerFactory.getLogger(XnatSecureGuard.class);
@@ -109,14 +107,11 @@ public class XnatSecureGuard extends Filter {
if (challengeResponse != null) {
user = authenticateBasic(challengeResponse);
if (user != null) {
- httpRequest.getSession().setAttribute("XNAT_CSRF", UUID.randomUUID().toString());
return true;
}
}
else if (!XDAT.getSiteConfigPreferences().getRequireLogin()) {
try {
- HttpSession session = httpRequest.getSession();
- session.removeAttribute("loggedin");
user=Users.getGuest();
if (user!=null) {
return true;
diff --git a/src/main/java/org/nrg/xnat/restlet/resources/SecureResource.java b/src/main/java/org/nrg/xnat/restlet/resources/SecureResource.java
index 08b451f0a58cae5623b8b1f94775c26087927d12..49409e2b6c9bd502e79481dec9ed93de1723ae4e 100644
--- a/src/main/java/org/nrg/xnat/restlet/resources/SecureResource.java
+++ b/src/main/java/org/nrg/xnat/restlet/resources/SecureResource.java
@@ -133,8 +133,6 @@ public abstract class SecureResource extends Resource {
public String requested_format = null;
public String filepath = null;
- protected String csrfToken = null;
-
private final SerializerService _serializer;
public SecureResource(Context context, Request request, Response response) {
diff --git a/src/main/java/org/nrg/xnat/restlet/resources/UserSession.java b/src/main/java/org/nrg/xnat/restlet/resources/UserSession.java
index 6d0ba78e7197f37d293fd961b132f4e01ed15c6a..026536bc68718a3fa196fb7782bed9b438b0289a 100644
--- a/src/main/java/org/nrg/xnat/restlet/resources/UserSession.java
+++ b/src/main/java/org/nrg/xnat/restlet/resources/UserSession.java
@@ -21,8 +21,6 @@ import org.restlet.resource.ResourceException;
import org.restlet.resource.StringRepresentation;
import org.restlet.resource.Variant;
-import java.util.UUID;
-
public class UserSession extends SecureResource {
protected UserI user = null;
@@ -33,7 +31,6 @@ public class UserSession extends SecureResource {
// copy the user from the request into the session
getHttpSession().setAttribute("userHelper", UserHelper.getUserHelperService(user));
- getHttpSession().setAttribute("XNAT_CSRF", UUID.randomUUID().toString());
}
@Override
diff --git a/src/main/java/org/nrg/xnat/security/OnXnatLogin.java b/src/main/java/org/nrg/xnat/security/OnXnatLogin.java
index f8e20eff78af4e2216a21defb4ec5d63e336e07d..09d5d5a9719f2e39c1bc29299e6a99027f907336 100644
--- a/src/main/java/org/nrg/xnat/security/OnXnatLogin.java
+++ b/src/main/java/org/nrg/xnat/security/OnXnatLogin.java
@@ -10,28 +10,25 @@
*/
package org.nrg.xnat.security;
-import java.io.IOException;
-import java.util.UUID;
-
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.nrg.xdat.XDAT;
import org.nrg.xdat.security.helpers.UserHelper;
-import org.nrg.xdat.security.helpers.Users;
import org.nrg.xdat.turbine.utils.AccessLogger;
import org.nrg.xft.XFTItem;
import org.nrg.xft.event.EventUtils;
import org.nrg.xft.security.UserI;
import org.nrg.xft.utils.SaveItemHelper;
import org.springframework.security.core.Authentication;
-import org.springframework.security.core.context.SecurityContext;
-import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.util.Calendar;
+import java.util.Date;
+
public class OnXnatLogin extends SavedRequestAwareAuthenticationSuccessHandler {
protected final Log logger = LogFactory.getLog(getClass());
@@ -47,20 +44,20 @@ public class OnXnatLogin extends SavedRequestAwareAuthenticationSuccessHandler {
try{
final UserI user = XDAT.getUserDetails();
- request.getSession().setAttribute("XNAT_CSRF", UUID.randomUUID().toString());
-
- java.util.Date today = java.util.Calendar.getInstance(java.util.TimeZone.getDefault()).getTime();
- XFTItem item = XFTItem.NewItem("xdat:user_login",user);
- item.setProperty("xdat:user_login.user_xdat_user_id", user.getID());
- item.setProperty("xdat:user_login.login_date",today);
- item.setProperty("xdat:user_login.ip_address", AccessLogger.GetRequestIp(request));
- item.setProperty("xdat:user_login.session_id", request.getSession().getId());
- SaveItemHelper.authorizedSave(item,null,true,false, EventUtils.DEFAULT_EVENT(user,null));
-
- request.getSession().setAttribute("userHelper", UserHelper.getUserHelperService(user));
- }
- catch(Exception e){
- logger.error(e);
+
+ if (user != null) {
+ Date today = Calendar.getInstance(java.util.TimeZone.getDefault()).getTime();
+ XFTItem item = XFTItem.NewItem("xdat:user_login", user);
+ item.setProperty("xdat:user_login.user_xdat_user_id", user.getID());
+ item.setProperty("xdat:user_login.login_date", today);
+ item.setProperty("xdat:user_login.ip_address", AccessLogger.GetRequestIp(request));
+ item.setProperty("xdat:user_login.session_id", request.getSession().getId());
+ SaveItemHelper.authorizedSave(item, null, true, false, EventUtils.DEFAULT_EVENT(user, null));
+
+ request.getSession().setAttribute("userHelper", UserHelper.getUserHelperService(user));
+ }
+ } catch (Exception e) {
+ logger.error(e);
}
super.onAuthenticationSuccess(request, response, authentication);
}
diff --git a/src/main/java/org/nrg/xnat/security/XnatBasicAuthenticationFilter.java b/src/main/java/org/nrg/xnat/security/XnatBasicAuthenticationFilter.java
index 3f78e5c302dbff21e245cd6c03eac236615f2a63..21d71b33f900ad461a2895a80fe913647924d661 100644
--- a/src/main/java/org/nrg/xnat/security/XnatBasicAuthenticationFilter.java
+++ b/src/main/java/org/nrg/xnat/security/XnatBasicAuthenticationFilter.java
@@ -39,8 +39,9 @@ import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
+import java.util.Calendar;
+import java.util.Date;
import java.util.Map;
-import java.util.UUID;
public class XnatBasicAuthenticationFilter extends BasicAuthenticationFilter {
@@ -152,23 +153,24 @@ public class XnatBasicAuthenticationFilter extends BasicAuthenticationFilter {
Authentication authResult) throws IOException {
try {
final UserI user = XDAT.getUserDetails();
- Object lock = locks.get(user.getID());
- if (lock == null) {
- locks.put(user.getID(), new Object());
- lock = locks.get(user.getID());
- }
+ if (user != null) {
+ Object lock = locks.get(user.getID());
+ if (lock == null) {
+ locks.put(user.getID(), new Object());
+ lock = locks.get(user.getID());
+ }
- synchronized (lock) {
- java.util.Date today = java.util.Calendar.getInstance(java.util.TimeZone.getDefault()).getTime();
- XFTItem item = XFTItem.NewItem("xdat:user_login", user);
- item.setProperty("xdat:user_login.user_xdat_user_id", user.getID());
- item.setProperty("xdat:user_login.login_date", today);
- item.setProperty("xdat:user_login.ip_address", AccessLogger.GetRequestIp(request));
- item.setProperty("xdat:user_login.session_id", request.getSession().getId());
- SaveItemHelper.authorizedSave(item, null, true, false, EventUtils.DEFAULT_EVENT(user, null));
+ synchronized (lock) {
+ Date today = Calendar.getInstance(java.util.TimeZone.getDefault()).getTime();
+ XFTItem item = XFTItem.NewItem("xdat:user_login", user);
+ item.setProperty("xdat:user_login.user_xdat_user_id", user.getID());
+ item.setProperty("xdat:user_login.login_date", today);
+ item.setProperty("xdat:user_login.ip_address", AccessLogger.GetRequestIp(request));
+ item.setProperty("xdat:user_login.session_id", request.getSession().getId());
+ SaveItemHelper.authorizedSave(item, null, true, false, EventUtils.DEFAULT_EVENT(user, null));
+ }
+ request.getSession().setAttribute("userHelper", UserHelper.getUserHelperService(user));
}
- request.getSession().setAttribute("XNAT_CSRF", UUID.randomUUID().toString());
- request.getSession().setAttribute("userHelper", UserHelper.getUserHelperService(user));
} catch (Exception e) {
logger.error(e);
}