git.argeo.org Git - lgpl/argeo-commons.git/blob - org.argeo.cms/src/org/argeo/cms/servlet/CmsServletContext.java
Store UI context data in CMS View.
1 package org.argeo.cms.servlet;
2
3 import java.io.IOException;
4 import java.net.URL;
5 import java.security.PrivilegedAction;
6 import java.util.Map;
7
8 import javax.security.auth.Subject;
9 import javax.security.auth.login.LoginContext;
10 import javax.security.auth.login.LoginException;
11 import javax.servlet.http.HttpServletRequest;
12 import javax.servlet.http.HttpServletResponse;
13
14 import org.apache.commons.logging.Log;
15 import org.apache.commons.logging.LogFactory;
16 import org.argeo.api.NodeConstants;
17 import org.argeo.cms.auth.HttpRequestCallbackHandler;
18 import org.argeo.cms.internal.http.HttpUtils;
19 import org.osgi.framework.Bundle;
20 import org.osgi.framework.FrameworkUtil;
21 import org.osgi.service.http.context.ServletContextHelper;
22
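/**
 * Default servlet context degrading to anonymous if the session is not
 * pre-authenticated.
 *
 * <p>
 * Each request is first authenticated against the
 * {@link NodeConstants#LOGIN_CONTEXT_USER} JAAS login context. If that login
 * fails, {@link #processUnauthorized(HttpServletRequest, HttpServletResponse)}
 * is given the chance to supply a fallback login context (anonymous by
 * default). The request is only let through once one of the two logins has
 * succeeded.
 */
public class CmsServletContext extends ServletContextHelper {
    private static final Log log = LogFactory.getLog(CmsServletContext.class);

    // use CMS bundle for resources
    private final Bundle bundle = FrameworkUtil.getBundle(getClass());

    /**
     * Lifecycle hook, currently a no-op.
     *
     * @param properties configuration properties, unused here
     */
    public void init(Map<String, String> properties) {
    }

    /** Lifecycle hook, currently a no-op. */
    public void destroy() {
    }

    /**
     * Authenticates the request, falling back to the context returned by
     * {@link #processUnauthorized(HttpServletRequest, HttpServletResponse)} when
     * the user login fails, then configures the request security while running as
     * the authenticated subject.
     *
     * @param request  the incoming HTTP request
     * @param response the HTTP response, handed to the login callback handler
     * @return {@code true} if a login context could be established and the request
     *         may proceed, {@code false} if both the user login and the fallback
     *         failed
     * @throws IOException declared by the overridden method; not thrown by the
     *                     code visible here
     */
    @Override
    public boolean handleSecurity(HttpServletRequest request, HttpServletResponse response) throws IOException {
        // NOTE(review): if logRequestHeaders dumps every header, Authorization and
        // Cookie values end up in the trace log; confirm they are redacted there.
        if (log.isTraceEnabled()) {
            HttpUtils.logRequestHeaders(log, request);
        }

        LoginContext lc;
        try {
            lc = new LoginContext(NodeConstants.LOGIN_CONTEXT_USER, new HttpRequestCallbackHandler(request, response));
            lc.login();
        } catch (LoginException e) {
            // A failed user login is the expected path for unauthenticated requests,
            // so the cause is only recorded at trace level instead of being dropped.
            if (log.isTraceEnabled()) {
                log.trace("User login failed, trying fallback login context", e);
            }
            lc = processUnauthorized(request, response);
            if (log.isTraceEnabled()) {
                HttpUtils.logResponseHeaders(log, response);
            }
            if (lc == null) {
                // NOTE(review): nothing visible in this class sets a status or a
                // WWW-Authenticate header before the request is refused; confirm that
                // HttpRequestCallbackHandler or an overriding processUnauthorized
                // does, otherwise the client gets no usable denial response.
                return false;
            }
        }

        Subject subject = lc.getSubject();
        // The cast selects the PrivilegedAction overload of doAs.
        Subject.doAs(subject, (PrivilegedAction<Void>) () -> {
            // TODO also set login context in order to log out ?
            ServletAuthUtils.configureRequestSecurity(request);
            return null;
        });
        return true;
    }

    /**
     * Clears the security state that {@link #handleSecurity} configured on the
     * request.
     *
     * @param request  the request whose security state is cleared
     * @param response the HTTP response, unused here
     */
    @Override
    public void finishSecurity(HttpServletRequest request, HttpServletResponse response) {
        ServletAuthUtils.clearRequestSecurity(request);
    }

    /**
     * Fallback used when the user login fails: logs in against the
     * {@link NodeConstants#LOGIN_CONTEXT_ANONYMOUS} login context. Subclasses may
     * override this to refuse anonymous access or to start another
     * authentication exchange.
     *
     * @param request  the incoming HTTP request
     * @param response the HTTP response, handed to the login callback handler
     * @return the logged-in anonymous context, or {@code null} if the anonymous
     *         login failed, in which case the request is refused
     */
    protected LoginContext processUnauthorized(HttpServletRequest request, HttpServletResponse response) {
        // anonymous
        try {
            LoginContext lc = new LoginContext(NodeConstants.LOGIN_CONTEXT_ANONYMOUS,
                    new HttpRequestCallbackHandler(request, response));
            lc.login();
            return lc;
        } catch (LoginException e1) {
            // Logged unconditionally: the previous isDebugEnabled() guard around an
            // error-level call hid this failure at default log levels, so refused
            // requests left no trace.
            log.error("Cannot log in as anonymous", e1);
            return null;
        }
    }

    /**
     * Resolves a resource name against the CMS bundle rather than the bundle that
     * registered the servlet.
     *
     * <p>
     * NOTE(review): {@code Bundle.getResource} looks the name up through the
     * bundle's class loader, whereas the default {@code ServletContextHelper}
     * implementation uses {@code Bundle.getEntry}. If {@code name} can be
     * influenced by the request path, confirm that nothing on the bundle class
     * path (class files, configuration) is unintentionally served.
     *
     * @param name the resource name
     * @return the resource URL, or {@code null} if the bundle has no such resource
     */
    @Override
    public URL getResource(String name) {
        return bundle.getResource(name);
    }

}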