Make threadlocals non-static - minor non-security relevant change

planetlevel · planetlevel · commit 409caacaf111 · 2008-03-15T02:32:06.000Z
diff --git a/.classpath b/.classpath
@@ -20,5 +20,6 @@
 	<classpathentry kind="lib" path="lib/servlet-api.jar" sourcepath="C:/Users/jwilliams/Workbench/codereview/libraries/j2ee-1_4_1-src-scsl.zip"/>
 	<classpathentry kind="con" path="org.eclipse.jdt.junit.JUNIT_CONTAINER/3"/>
 	<classpathentry kind="con" path="org.eclipse.jdt.launching.JRE_CONTAINER/org.eclipse.jdt.internal.debug.ui.launcher.StandardVMType/jdk1.4.2_16"/>
+	<classpathentry kind="lib" path="lib/jsp-api.jar"/>
 	<classpathentry kind="output" path="build"/>
 </classpath>
diff --git a/build.number b/build.number
@@ -0,0 +1,3 @@
+#Build Number for ANT. Do not edit!
+#Fri Mar 14 18:23:40 EDT 2008
+build.number=92
diff --git a/resources/ESAPI.properties b/resources/ESAPI.properties
@@ -55,8 +55,8 @@ Validator.HTTPHeaderName=^[a-zA-Z0-9\\-]{0,32}$
 Validator.HTTPHeaderValue=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:& ]*$
 
 # Validation of file related input
-Validator.FileName=^[a-zA-Z0-9.-_ ]{0,255}$
-Validator.DirectoryName=^[a-zA-Z0-9.-_ ]{0,255}$
+Validator.FileName=^[a-zA-Z0-9.\\-_ ]{0,255}$
+Validator.DirectoryName=^[a-zA-Z0-9.-\\_ ]{0,255}$
 
 # File upload configuration
 ValidExtensions=.zip,.pdf,.doc,.docx,.ppt,.pptx,.tar,.gz,.tgz,.rar,.war,.jar,.ear,.xls,.rtf,.properties,.java,.class,.txt,.xml,.jsp,.jsf,.exe,.dll
diff --git a/src/org/owasp/esapi/Authenticator.java b/src/org/owasp/esapi/Authenticator.java
@@ -143,9 +143,9 @@ public static void main(String[] args) throws Exception {
      * the ThreadLocal approach simplifies things greatly. <P> As a possible extension, one could create a delegation
      * framework by adding another ThreadLocal to hold the delegating user identity.
      */
-    private static ThreadLocalUser currentUser = new ThreadLocalUser();
+    private ThreadLocalUser currentUser = new ThreadLocalUser();
 
-    private static class ThreadLocalUser extends InheritableThreadLocal {
+    private class ThreadLocalUser extends InheritableThreadLocal {
         
         public Object initialValue() {
         	return anonymous;
@@ -166,9 +166,9 @@ public void setUser(IUser newUser) {
      * application. This enables API's for actions that require the request to be much simpler. For example, the logout()
      * method in the Authenticator class requires the currentRequest to get the session in order to invalidate it.
      */
-    private static ThreadLocalRequest currentRequest = new ThreadLocalRequest();
+    private ThreadLocalRequest currentRequest = new ThreadLocalRequest();
 
-    private static class ThreadLocalRequest extends InheritableThreadLocal {
+    private class ThreadLocalRequest extends InheritableThreadLocal {
         
         public Object initialValue() {
         	return null;
@@ -188,9 +188,9 @@ public void setUser(HttpServletRequest newRequest) {
      * application. This enables API's for actions that require the response to be much simpler. For example, the logout()
      * method in the Authenticator class requires the currentResponse to kill the JSESSIONID cookie.
      */
-    private static ThreadLocalResponse currentResponse = new ThreadLocalResponse();
+    private ThreadLocalResponse currentResponse = new ThreadLocalResponse();
 
-    private static class ThreadLocalResponse extends InheritableThreadLocal {
+    private class ThreadLocalResponse extends InheritableThreadLocal {
         
         public Object initialValue() {
         	return null;
@@ -550,9 +550,6 @@ public User login(HttpServletRequest request, HttpServletResponse response) thro
     	// save the current request and response in the threadlocal variables
     	setCurrentHTTP(request, response);
     	
-        if ( !ESAPI.httpUtilities().isSecureChannel() ) {
-            new AuthenticationCredentialsException( "Session exposed", "Authentication attempt made over non-SSL connection. Check web.xml and server configuration" );
-        }
         User user = null;
 
         // if there's a user in the session then use that
@@ -567,31 +564,36 @@ public User login(HttpServletRequest request, HttpServletResponse response) thro
             user.setFirstRequest(true);
         }
 
+        // warn if this authentication request came over a non-SSL connection, exposing credentials or session id
+        if ( !ESAPI.httpUtilities().isSecureChannel() ) {
+            new AuthenticationCredentialsException( "Session or credentials exposed", "Authentication attempt made over non-SSL connection. Check web.xml and server configuration. User: " + user.getAccountName() );
+        }
+                
         // don't let anonymous user log in
         if (user.isAnonymous()) {
         	user.logout();
-            throw new AuthenticationLoginException("Login failed", "Anonymous user cannot be set to current user");
+            throw new AuthenticationLoginException("Login failed", "Anonymous user cannot be set to current user. User: " + user.getAccountName() );
         }
 
         // don't let disabled users log in
         if (!user.isEnabled()) {
         	user.logout();
             user.setLastFailedLoginTime(new Date());
-            throw new AuthenticationLoginException("Login failed", "Disabled user cannot be set to current user: " + user.getAccountName());
+            throw new AuthenticationLoginException("Login failed", "Disabled user cannot be set to current user. User: " + user.getAccountName() );
         }
 
         // don't let locked users log in
         if (user.isLocked()) {
         	user.logout();
             user.setLastFailedLoginTime(new Date());
-            throw new AuthenticationLoginException("Login failed", "Locked user cannot be set to current user: " + user.getAccountName());
+            throw new AuthenticationLoginException("Login failed", "Locked user cannot be set to current user. User: " + user.getAccountName() );
         }
 
         // don't let expired users log in
         if (user.isExpired()) {
         	user.logout();
             user.setLastFailedLoginTime(new Date());
-            throw new AuthenticationLoginException("Login failed", "Expired user cannot be set to current user: " + user.getAccountName());
+            throw new AuthenticationLoginException("Login failed", "Expired user cannot be set to current user. User: " + user.getAccountName() );
         }
 
         setCurrentUser(user);
diff --git a/src/org/owasp/esapi/HTTPUtilities.java b/src/org/owasp/esapi/HTTPUtilities.java
@@ -529,5 +529,6 @@ public void setNoCacheHeaders() {
 		response.setHeader("Pragma","no-cache");
 		response.setDateHeader("Expires", -1);
 	}
+
 	
 }
diff --git a/test/testresources/ESAPI.properties b/test/testresources/ESAPI.properties
@@ -55,8 +55,8 @@ Validator.HTTPHeaderName=^[a-zA-Z0-9\\-]{0,32}$
 Validator.HTTPHeaderValue=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:& ]*$
 
 # Validation of file related input
-Validator.FileName=^[a-zA-Z0-9.-_ ]{0,255}$
-Validator.DirectoryName=^[a-zA-Z0-9.-_ ]{0,255}$
+Validator.FileName=^[a-zA-Z0-9.\\-_ ]{0,255}$
+Validator.DirectoryName=^[a-zA-Z0-9.-\\_ ]{0,255}$
 
 # File upload configuration
 ValidExtensions=.zip,.pdf,.doc,.docx,.ppt,.pptx,.tar,.gz,.tgz,.rar,.war,.jar,.ear,.xls,.rtf,.properties,.java,.class,.txt,.xml,.jsp,.jsf,.exe,.dll

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+#Build Number for ANT. Do not edit!`
	`2`	`+#Fri Mar 14 18:23:40 EDT 2008`
	`3`	`+build.number=92`
Original file line number	Diff line number	Diff line change
`@@ -529,5 +529,6 @@ public void setNoCacheHeaders() {`
`529`	`529`	`response.setHeader("Pragma","no-cache");`
`530`	`530`	`response.setDateHeader("Expires", -1);`
`531`	`531`	`}`
	`532`	`+`
`532`	`533`
`533`	`534`	`}`