From f15ca67765fe3d9e129398d4ee3daa27cedfe00d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Parm=C3=A9nides=20GV?= Date: Thu, 7 Nov 2013 16:24:58 +0100 Subject: Token based authentication implemented. We use the session id cookie in the SRP process, and then reset the cookie store (forgetting about that cookie) and store the authentication token in a static variable inside LeapSRPSession. --- src/se/leap/bitmaskclient/LeapSRPSession.java | 11 +++++++++++ src/se/leap/bitmaskclient/ProviderAPI.java | 14 +++++++++++--- 2 files changed, 22 insertions(+), 3 deletions(-) (limited to 'src') diff --git a/src/se/leap/bitmaskclient/LeapSRPSession.java b/src/se/leap/bitmaskclient/LeapSRPSession.java index 14a8bff2..0849f777 100644 --- a/src/se/leap/bitmaskclient/LeapSRPSession.java +++ b/src/se/leap/bitmaskclient/LeapSRPSession.java @@ -35,9 +35,12 @@ import org.jboss.security.srp.SRPParameters; */ public class LeapSRPSession { + private static String token = ""; + final public static String SALT = "salt"; final public static String M1 = "M1"; final public static String M2 = "M2"; + final public static String TOKEN = "token"; private SRPParameters params; private String username; @@ -312,6 +315,14 @@ public class LeapSRPSession { boolean valid = Arrays.equals(M2, myM2); return valid; } + + protected static void setToken(String token) { + LeapSRPSession.token = token; + } + + protected static String getToken() { + return token; + } /** * @return a new SHA-256 digest. diff --git a/src/se/leap/bitmaskclient/ProviderAPI.java b/src/se/leap/bitmaskclient/ProviderAPI.java index b23bdc7f..5c8b29ca 100644 --- a/src/se/leap/bitmaskclient/ProviderAPI.java +++ b/src/se/leap/bitmaskclient/ProviderAPI.java @@ -27,6 +27,7 @@ import java.net.CookieManager; import java.net.CookiePolicy; import java.net.MalformedURLException; import java.net.SocketTimeoutException; +import java.net.URISyntaxException; import java.net.URL; import java.net.URLConnection; import java.net.URLEncoder; @@ -343,6 +344,9 @@ public class ProviderAPI extends IntentService { session_idAndM2.put(ConfigHelper.SESSION_ID_COOKIE_KEY, session_id_cookie.getName()); session_idAndM2.put(ConfigHelper.SESSION_ID_KEY, session_id_cookie.getValue());*/ session_idAndM2.put(LeapSRPSession.M2, ConfigHelper.trim(M2_not_trimmed)); + CookieHandler.setDefault(null); // we don't need cookies anymore + String token = json_response.getString(LeapSRPSession.TOKEN); + LeapSRPSession.setToken(token); } return session_idAndM2; } @@ -516,6 +520,8 @@ public class ProviderAPI extends IntentService { provider_url = new URL(string_url); URLConnection url_connection = provider_url.openConnection(); url_connection.setConnectTimeout(seconds_of_timeout*1000); + if(!LeapSRPSession.getToken().isEmpty()) + url_connection.addRequestProperty(LeapSRPSession.TOKEN, LeapSRPSession.getToken()); json_file_content = new Scanner(url_connection.getInputStream()).useDelimiter("\\A").next(); } catch (MalformedURLException e) { json_file_content = formatErrorMessage(R.string.malformed_url); @@ -551,6 +557,8 @@ public class ProviderAPI extends IntentService { HttpsURLConnection urlConnection = (HttpsURLConnection)url.openConnection(); urlConnection.setSSLSocketFactory(getProviderSSLSocketFactory()); + if(!LeapSRPSession.getToken().isEmpty()) + urlConnection.addRequestProperty(LeapSRPSession.TOKEN, LeapSRPSession.getToken()); json_file_content = new Scanner(urlConnection.getInputStream()).useDelimiter("\\A").next(); } catch (CertificateException e) { // TODO Auto-generated catch block @@ -710,11 +718,11 @@ public class ProviderAPI extends IntentService { try { String type_of_certificate = task.getString(ConfigurationWizard.TYPE_OF_CERTIFICATE); JSONObject provider_json = ConfigHelper.getJsonFromSharedPref(Provider.KEY); - URL provider_main_url = new URL(provider_json.getString(Provider.API_URL)); - String new_cert_string_url = provider_main_url.toString() + "/" + provider_json.getString(Provider.API_VERSION) + "/" + EIP.CERTIFICATE; + String provider_main_url = provider_json.getString(Provider.API_URL); + URL new_cert_string_url = new URL(provider_main_url + "/" + provider_json.getString(Provider.API_VERSION) + "/" + EIP.CERTIFICATE); boolean danger_on = ConfigHelper.getBoolFromSharedPref(ProviderItem.DANGER_ON); - String cert_string = downloadWithProviderCA(new_cert_string_url, true); + String cert_string = downloadWithProviderCA(new_cert_string_url, danger_on); if(!cert_string.isEmpty()) { if(ConfigHelper.checkErroneousDownload(cert_string)) { String reason_to_fail = provider_json.getString(ERRORS); -- cgit v1.2.3