1 package org.argeo.cms.integration;
2
3 import java.io.IOException;
4 import java.security.AccessControlContext;
5 import java.security.PrivilegedAction;
6 import java.util.Map;
7
8 import javax.security.auth.Subject;
9 import javax.security.auth.login.LoginContext;
10 import javax.security.auth.login.LoginException;
11 import javax.servlet.http.HttpServletRequest;
12 import javax.servlet.http.HttpServletResponse;
13
14 import org.argeo.api.cms.CmsAuth;
15 import org.argeo.cms.auth.RemoteAuthCallbackHandler;
16 import org.argeo.cms.auth.RemoteAuthUtils;
17 import org.argeo.cms.servlet.ServletHttpRequest;
18 import org.argeo.cms.servlet.ServletHttpResponse;
19 import org.osgi.service.http.context.ServletContextHelper;
20
21 /** Manages security access to servlets. */
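/**
 * Manages security access to servlets.
 * <p>
 * Every request handled by this context must first pass
 * {@link #handleSecurity(HttpServletRequest, HttpServletResponse)}, which
 * performs a JAAS login ({@link CmsAuth#LOGIN_CONTEXT_USER}) and, on success,
 * configures the request security (documented by the original author as
 * adding the {@link AccessControlContext} as a request attribute). Only the
 * configured login page and login servlet are reachable without a login; if
 * neither is configured, nothing is exempted (fail closed).
 */
public class CmsPrivateServletContext extends ServletContextHelper {
	/** Property key: path of the login page, exempted from authentication. */
	public final static String LOGIN_PAGE = "argeo.cms.integration.loginPage";
	/** Property key: servlet path of the login servlet, exempted from authentication. */
	public final static String LOGIN_SERVLET = "argeo.cms.integration.loginServlet";

	/** Full path (servlet path + path info) of the login page; may be null if not configured. */
	private String loginPage;
	/** Servlet path of the login servlet; may be null if not configured. */
	private String loginServlet;

	/**
	 * Reads the {@link #LOGIN_PAGE} and {@link #LOGIN_SERVLET} properties.
	 *
	 * @param properties configuration properties; a missing key leaves the
	 *                   corresponding field null, which disables that exemption
	 */
	public void init(Map<String, String> properties) {
		loginPage = properties.get(LOGIN_PAGE);
		loginServlet = properties.get(LOGIN_SERVLET);
	}

	/**
	 * Add the {@link AccessControlContext} as a request attribute, or redirect to
	 * the login page.
	 *
	 * @param req  the incoming request
	 * @param resp the response, used for the login callback and for the redirect
	 * @return true if the request may proceed (login resource, or login
	 *         succeeded), false if it was rejected and a response has already been
	 *         produced by {@link #processUnauthorized}
	 * @throws IOException if writing the response fails
	 */
	@Override
	public boolean handleSecurity(final HttpServletRequest req, HttpServletResponse resp) throws IOException {
		final ServletHttpRequest request = new ServletHttpRequest(req);
		ServletHttpResponse response = new ServletHttpResponse(resp);

		// The login page and login servlet must stay reachable without a login,
		// otherwise the redirect below would loop. Exact path match only.
		if (isLoginResource(req))
			return true;

		LoginContext lc;
		try {
			lc = new LoginContext(CmsAuth.LOGIN_CONTEXT_USER, new RemoteAuthCallbackHandler(request, response));
			lc.login();
		} catch (LoginException e) {
			// Subclasses may recover (e.g. an alternative login); null means rejected.
			lc = processUnauthorized(req, resp);
			if (lc == null)
				return false;
		}

		Subject.doAs(lc.getSubject(), new PrivilegedAction<Void>() {
			@Override
			public Void run() {
				// TODO also set login context in order to log out ?
				RemoteAuthUtils.configureRequestSecurity(request);
				return null;
			}
		});
		return true;
	}

	/**
	 * Whether the request targets the configured login page or login servlet.
	 * A null (unconfigured) login page or servlet never matches, so a missing
	 * configuration cannot open an unauthenticated path.
	 */
	private boolean isLoginResource(HttpServletRequest req) {
		String pathInfo = req.getPathInfo();
		String servletPath = req.getServletPath();
		if (pathInfo != null && (servletPath + pathInfo).equals(loginPage))
			return true;
		// Explicit null check: String#contentEquals(null) would throw a NullPointerException.
		return loginServlet != null && servletPath.equals(loginServlet);
	}

	/** Clears the request security set up by {@link #handleSecurity}. */
	@Override
	public void finishSecurity(HttpServletRequest req, HttpServletResponse resp) {
		RemoteAuthUtils.clearRequestSecurity(new ServletHttpRequest(req));
	}

	/**
	 * Called when the JAAS login failed. The default implementation redirects to
	 * the login page and rejects the request.
	 *
	 * @param request  the rejected request
	 * @param response the response to redirect
	 * @return a login context to proceed with instead, or null to reject the
	 *         request (the default)
	 * @throws IllegalStateException if no login page is configured
	 * @throws RuntimeException      if the redirect cannot be written
	 */
	protected LoginContext processUnauthorized(HttpServletRequest request, HttpServletResponse response) {
		if (loginPage == null)
			// Fail explicitly rather than passing a null location to the container.
			throw new IllegalStateException("No login page configured (property " + LOGIN_PAGE + ")");
		try {
			response.sendRedirect(loginPage);
		} catch (IOException e) {
			throw new RuntimeException("Cannot redirect to login page", e);
		}
		return null;
	}
}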