/// <summary> This method should be called for every HTTP request, to log in the current user either from the session or from
        /// the HTTP request. This method sets the current user so that GetCurrentUser() will work properly. It also
        /// checks that the user's access is still enabled, unlocked, and unexpired before allowing login. For convenience
        /// this method also returns the current user.
        ///
        /// </summary>
        /// <returns> The current user.
        /// </returns>
        /// <seealso cref="Owasp.Esapi.Interfaces.IAuthenticator.Login()">
        /// </seealso>
        public IUser Login()
        {
            IHttpRequest  request  = Context.Request;
            IHttpResponse response = Context.Response;

            // Refuse to authenticate at all unless HttpUtilities reports a secure channel; the
            // exception text ("Session exposed", non-SSL connection) gives the reason.
            // NOTE(review): the message points at web.xml, which looks like a leftover from the
            // Java version of this class — confirm which configuration file applies here.
            if (!Esapi.HttpUtilities().SecureChannel)
            {
                throw new AuthenticationCredentialsException("Session exposed", "Authentication attempt made over non-SSL connection. Check web.xml and server configuration");
            }
            User user = (User)null;

            // if there's a user in the session, reuse it instead of asking for credentials again
            user = (User)GetUserFromSession(request);

            if (user != null)
            {
                // returning user: record the address this request came from and mark it as not the first request
                user.SetLastHostAddress(request.UserHostAddress);
                user.SetFirstRequest(false);
            }
            else
            {
                // no user in the session: try to verify credentials
                // NOTE(review): the result is dereferenced on the next line without a null check;
                // presumably LoginWithUsernameAndPassword throws on failure rather than returning null — confirm.
                user = (User)LoginWithUsernameAndPassword(request, response);
                user.SetFirstRequest(true);
            }

            // The account-state checks below run on every call, for a user restored from the session
            // as well as for a freshly authenticated one, so a state change is seen on the next request.

            // don't let the anonymous user log in (no failed-login time is recorded on this path)
            if (user.Anonymous)
            {
                throw new AuthenticationLoginException("Login failed", "Anonymous user cannot be set to current user");
            }

            // don't let disabled users log in
            if (!user.Enabled)
            {
                // record when the rejected attempt happened; DateTime.Now is local time
                // NOTE(review): confirm whether SetLastFailedLoginTime expects local time or UTC.
                DateTime tempAux = DateTime.Now;
                user.SetLastFailedLoginTime(tempAux);
                // NOTE(review): the statement below is damaged in this copy — each "******" run stands where
                // code was lost between the string literals, so it does not compile as shown. Judging by the
                // surviving messages, separate locked-account and expired-account checks originally followed
                // the disabled check; restore them from the original source before relying on this listing.
                throw new AuthenticationLoginException("Login failed", "Disabled user cannot be set to current user: "******"Login failed", "Locked user cannot be set to current user: "******"Login failed", "Expired user cannot be set to current user: " + user.AccountName);
            }
            // all visible checks passed: publish the user as the current user and hand it back to the caller
            SetCurrentUser(user);
            return(user);
        }
        /// <summary>
        /// Looks up the user held in the session for the current request, rejects anonymous and
        /// disabled accounts, then sets that user as the current user and returns it.
        /// </summary>
        /// <returns>The user that was set as the current user.</returns>
        public IUser Login()
        {
            HttpRequest  request  = Context.Request;
            HttpResponse response = Context.Response;

            // The secure-channel requirement is enforced only when the security configuration asks for it:
            // with RequireSecureChannel off, the method continues even if SecureChannel is false.
            // NOTE(review): the message points at web.xml, which looks like a leftover from a Java
            // version of this class — confirm which configuration file applies here.
            if (Owasp.Esapi.Esapi.SecurityConfiguration().RequireSecureChannel&& !Owasp.Esapi.Esapi.HttpUtilities().SecureChannel)
            {
                throw new AuthenticationCredentialsException("Session exposed", "Authentication attempt made over non-SSL connection. Check web.xml and server configuration");
            }
            // reuse the user stored in the session, if there is one
            User user = (User)GetUserFromSession(request);

            if (user != null)
            {
                // returning user: record the address this request came from and mark it as not the first request
                user.SetLastHostAddress(request.UserHostAddress);
                user.SetFirstRequest(false);
            }
            else
            {
                // NOTE(review): user is null on this branch, so the call below throws NullReferenceException
                // for every request that has no session user. No credential check is visible in this method
                // and `response` is never used; a credential-verification step that assigns `user` appears
                // to be missing before this line — confirm against the original source.
                user.SetFirstRequest(true);
            }
            // don't let the anonymous user log in (no failed-login time is recorded on this path)
            if (user.Anonymous)
            {
                throw new AuthenticationLoginException("Login failed", "Anonymous user cannot be set to current user");
            }
            // don't let disabled users log in
            if (!user.Enabled)
            {
                // record when the rejected attempt happened; DateTime.Now is local time
                // NOTE(review): confirm whether SetLastFailedLoginTime expects local time or UTC.
                DateTime now = DateTime.Now;
                user.SetLastFailedLoginTime(now);
                // NOTE(review): the statement below is damaged in this copy — each "******" run stands where
                // code was lost between the string literals, so it does not compile as shown. Judging by the
                // surviving messages, separate locked-account and expired-account checks originally followed
                // the disabled check; restore them from the original source before relying on this listing.
                throw new AuthenticationLoginException("Login failed", "Disabled user cannot be set to current user: "******"Login failed", "Locked user cannot be set to current user: "******"Login failed", "Expired user cannot be set to current user: " + user.AccountName);
            }
            // all visible checks passed: publish the user as the current user and hand it back to the caller
            SetCurrentUser((IUser)user);
            return((IUser)user);
        }