MCPcopy Create free account
hub / github.com/OWASP/SecurityShepherd / doPost

Method doPost

src/main/java/servlets/ChangePassword.java:51–151  ·  view source on GitHub ↗

Initiated by index.jsp, getStarted.jsp. This changes a users password. If the user gets it wrong 3 times in a row, they'll be locked out (This is handed by database) @param csrfToken @param currentPassword User's current password @param newPassword Submitted new password @param passwordConfirmation

(HttpServletRequest request, HttpServletResponse response)

Source from the content-addressed store, hash-verified

49 * @param passwordConfirmation Confirmation of the new password
50 */
51 public void doPost (HttpServletRequest request, HttpServletResponse response)
52 throws ServletException, IOException
53 {
54 //Setting IpAddress To Log and taking header for original IP if forwarded from proxy
55 ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"));
56 log.debug("*** servlets.ChangePassword ***");
57 try
58 {
59 HttpSession ses = request.getSession(true);
60 if(Validate.validateSession(ses))
61 {
62 ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString());
63 log.debug("Current User: " + ses.getAttribute("userName").toString());
64 Cookie tokenCookie = Validate.getToken(request.getCookies());
65 Object tokenParmeter = request.getParameter("csrfToken");
66 if(Validate.validateTokens(tokenCookie, tokenParmeter))
67 {
68 log.debug("Getting Parameters");
69 String userName = (String) ses.getAttribute("userName");
70 String currentPassword = (String) request.getParameter("currentPassword");
71 String newPassword = (String) request.getParameter("newPassword");
72 String passwordConfirm = (String) request.getParameter("passwordConfirmation");
73 String ApplicationRoot = getServletContext().getRealPath("");
74
75 boolean validData = false;
76 boolean passwordChange = false;
77 boolean validPassword = false;
78 validData = newPassword.equalsIgnoreCase(passwordConfirm) && !newPassword.isEmpty() && newPassword != null;
79 passwordChange = !currentPassword.equalsIgnoreCase(newPassword);
80 validPassword = newPassword.length() > 4 && newPassword.length() <= 512;
81 if(validData && passwordChange && validPassword)
82 {
83 log.debug("Validating Current Password");
84 String user[] = Getter.authUser(ApplicationRoot, userName, currentPassword);
85 if(user != null)
86 {
87 log.debug("User Credentials were good! Password Change gets the go ahead");
88 Setter.updatePassword(ApplicationRoot, userName, currentPassword, newPassword);
89 ses.setAttribute("ChangePassword", "false");
90 }
91 else
92 {
93 log.error("Incorrect Password");
94 ses.setAttribute("errorMessage", "Incorrect Password... Don't lock yourself out!");
95 response.sendRedirect("index.jsp");
96 }
97 }
98 else
99 {
100 if(validData && passwordChange)
101 {
102 try
103 {
104 //User Account is Locked
105 log.debug("The user account is locked. Logging the user out");
106 Cookie cookieToken = Validate.getToken(request.getCookies());
107 BigInteger temp = new BigInteger(cookieToken.getValue());
108 response.sendRedirect("logout?csrfToken="+temp);

Callers

nothing calls this directly

Calls 7

setRequestIpMethod · 0.95
validateSessionMethod · 0.95
getTokenMethod · 0.95
validateTokensMethod · 0.95
authUserMethod · 0.95
updatePasswordMethod · 0.95
getSessionMethod · 0.80

Tested by

no test coverage detected