1 package org
.argeo
.cms
.integration
;
3 import java
.io
.IOException
;
4 import java
.security
.AccessControlContext
;
5 import java
.security
.PrivilegedAction
;
8 import javax
.security
.auth
.Subject
;
9 import javax
.security
.auth
.login
.LoginContext
;
10 import javax
.security
.auth
.login
.LoginException
;
11 import javax
.servlet
.http
.HttpServletRequest
;
12 import javax
.servlet
.http
.HttpServletResponse
;
14 import org
.argeo
.api
.cms
.CmsAuth
;
15 import org
.argeo
.cms
.auth
.RemoteAuthCallbackHandler
;
16 import org
.argeo
.cms
.auth
.RemoteAuthUtils
;
17 import org
.argeo
.cms
.servlet
.ServletHttpRequest
;
18 import org
.argeo
.cms
.servlet
.ServletHttpResponse
;
19 import org
.osgi
.service
.http
.context
.ServletContextHelper
;
21 /** Manages security access to servlets. */
22 public class CmsPrivateServletContext
extends ServletContextHelper
{
/**
 * Property key for the path of the login page. {@code init(Map)} reads it into
 * {@link #loginPage}; {@code handleSecurity} compares it (exact match) with the
 * request's servlet path + path info, and {@code processUnauthorized} redirects
 * to it.
 */
public final static String LOGIN_PAGE = "argeo.cms.integration.loginPage";
/**
 * Property key for the servlet path of the login servlet. {@code init(Map)} reads
 * it into {@link #loginServlet}; {@code handleSecurity} compares it with the
 * request's servlet path.
 */
public final static String LOGIN_SERVLET = "argeo.cms.integration.loginServlet";
// Configured in init(Map) from the component properties; both are plain paths,
// no normalisation is applied before they are compared with request paths.
private String loginPage;
private String loginServlet;
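/**
 * Reads the login page and login servlet paths from the component properties.
 * <p>
 * Both values are dereferenced while handling requests (the login servlet path
 * on every request, the login page when redirecting an unauthenticated user), so
 * a missing property is reported here, at start-up, instead of surfacing as a
 * {@code NullPointerException} on each request.
 *
 * @param properties component properties; must contain {@link #LOGIN_PAGE} and
 *                   {@link #LOGIN_SERVLET}
 * @throws IllegalArgumentException if {@code properties} is {@code null}
 * @throws IllegalStateException    if either property is not set
 */
public void init(Map<String, String> properties) {
	if (properties == null)
		throw new IllegalArgumentException("properties must not be null");
	String configuredLoginPage = properties.get(LOGIN_PAGE);
	String configuredLoginServlet = properties.get(LOGIN_SERVLET);
	if (configuredLoginPage == null)
		throw new IllegalStateException("Property " + LOGIN_PAGE + " is not set");
	if (configuredLoginServlet == null)
		throw new IllegalStateException("Property " + LOGIN_SERVLET + " is not set");
	// Only assign once both values are known to be present, so a failed init
	// does not leave the context half-configured.
	loginPage = configuredLoginPage;
	loginServlet = configuredLoginServlet;
}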
/**
 * Add the {@link AccessControlContext} as a request attribute, or redirect to
 * the login page when the user cannot be authenticated (the redirect is done by
 * {@code processUnauthorized}).
 * <p>
 * NOTE(review): several lines of this method are missing from this extract; the
 * gaps are marked below and the control flow across them is inferred, not
 * verified.
 *
 * @param req  the incoming servlet request
 * @param resp the servlet response, used for the login callbacks and redirects
 * @throws IOException propagated from the servlet API
 */
public boolean handleSecurity(final HttpServletRequest req, HttpServletResponse resp) throws IOException {
	LoginContext lc = null;
	// Wrap the servlet request/response in the CMS abstractions that the
	// authentication callback handler and RemoteAuthUtils work with.
	ServletHttpRequest request = new ServletHttpRequest(req);
	ServletHttpResponse response = new ServletHttpResponse(resp);

	String pathInfo = req.getPathInfo();
	String servletPath = req.getServletPath();
	// Exact-match comparison: the full path (servlet path + path info) against the
	// configured login page, or the servlet path alone against the login servlet.
	// A null loginServlet would throw here, since contentEquals(null) fails.
	if ((pathInfo != null && (servletPath + pathInfo).equals(loginPage)) || servletPath.contentEquals(loginServlet))
	// … missing from this extract: the body of this branch (presumably the
	// login page / login servlet are served without a prior login — confirm) …
	// … missing from this extract: the start of the try block closed by the
	// catch clause below …
	// JAAS login in the user login context, with callbacks answered from the
	// HTTP request (e.g. headers/cookies) rather than interactively.
	lc = new LoginContext(CmsAuth.LOGIN_CONTEXT_USER, new RemoteAuthCallbackHandler(request, response));
	// … missing from this extract: presumably lc.login() …
	} catch (LoginException e) {
		// Authentication failed: processUnauthorized redirects to the login page.
		lc = processUnauthorized(req, resp);
	// … missing from this extract …
	// NOTE(review): the return value of processUnauthorized is not visible here;
	// if it can be null, lc.getSubject() below throws unless a null check sits in
	// the missing lines — confirm.
	// Run the remaining setup as the authenticated Subject, so that the
	// AccessControlContext attached to the request carries its principals.
	Subject.doAs(lc.getSubject(), new PrivilegedAction<Void>() {
	// … missing from this extract: the run() declaration …
		// TODO also set login context in order to log out ?
		RemoteAuthUtils.configureRequestSecurity(request);
	// … missing from this extract: the rest of run(), the end of doAs and the
	// method's return value …
/**
 * Clears the request security state that {@code handleSecurity} set up through
 * {@code RemoteAuthUtils.configureRequestSecurity}, so that nothing
 * authentication-related outlives the request.
 *
 * @param req  the servlet request whose security state is cleared
 * @param resp unused; present for the servlet context helper contract
 */
public void finishSecurity(HttpServletRequest req, HttpServletResponse resp) {
	ServletHttpRequest wrapped = new ServletHttpRequest(req);
	RemoteAuthUtils.clearRequestSecurity(wrapped);
}
74 protected LoginContext
processUnauthorized(HttpServletRequest request
, HttpServletResponse response
) {
76 response
.sendRedirect(loginPage
);
77 } catch (IOException e
) {
78 throw new RuntimeException("Cannot redirect to login page", e
);