]> git.argeo.org Git - lgpl/argeo-commons.git/blobdiff - org.argeo.cms/src/org/argeo/cms/internal/kernel/DataHttp.java
Make CMS production ready
[lgpl/argeo-commons.git] / org.argeo.cms / src / org / argeo / cms / internal / kernel / DataHttp.java
index 2838180869995cde45789cc3c2d58fa485b5afb2..88f79c5ea1b8b6810f8b1e41ac05bab01fcbcf93 100644 (file)
@@ -33,15 +33,19 @@ import org.apache.jackrabbit.server.remoting.davex.JcrRemotingServlet;
 import org.apache.jackrabbit.webdav.simple.SimpleWebdavServlet;
 import org.argeo.cms.CmsException;
 import org.argeo.cms.auth.AuthConstants;
-import org.argeo.cms.auth.CurrentUser;
 import org.argeo.cms.auth.HttpRequestCallback;
 import org.argeo.cms.auth.HttpRequestCallbackHandler;
 import org.argeo.jcr.ArgeoJcrConstants;
 import org.argeo.jcr.JcrUtils;
+import org.osgi.framework.BundleContext;
+import org.osgi.framework.FrameworkUtil;
+import org.osgi.framework.ServiceReference;
 import org.osgi.service.http.HttpContext;
 import org.osgi.service.http.HttpService;
 import org.osgi.service.http.NamespaceException;
 import org.osgi.service.useradmin.Authorization;
+import org.osgi.util.tracker.ServiceTracker;
+import org.osgi.util.tracker.ServiceTrackerCustomizer;
 
 /**
  * Intercepts and enriches http access, mainly focusing on security and
@@ -52,24 +56,30 @@ class DataHttp implements KernelConstants, ArgeoJcrConstants {
 
        // private final static String ATTR_AUTH = "auth";
        private final static String HEADER_AUTHORIZATION = "Authorization";
-       // private final static String HEADER_WWW_AUTHENTICATE = "WWW-Authenticate";
+       private final static String HEADER_WWW_AUTHENTICATE = "WWW-Authenticate";
 
+       private final static String DEFAULT_PROTECTED_HANDLERS = "/org/argeo/cms/internal/kernel/protectedHandlers.xml";
+
+       private final BundleContext bc;
        private final HttpService httpService;
+       private final ServiceTracker<Repository, Repository> repositories;
 
        // FIXME Make it more unique
-       // private String httpAuthRealm = "Argeo";
+       private String httpAuthRealm = "Argeo";
 
        // WebDav / JCR remoting
        private OpenInViewSessionProvider sessionProvider;
 
        DataHttp(HttpService httpService) {
-               this.httpService = httpService;
+               this.bc = FrameworkUtil.getBundle(getClass()).getBundleContext();
                sessionProvider = new OpenInViewSessionProvider();
-               // registerRepositoryServlets(ALIAS_NODE, node);
+               this.httpService = httpService;
+               repositories = new ServiceTracker<>(bc, Repository.class, new RepositoriesStc());
+               repositories.open();
        }
 
        public void destroy() {
-               // unregisterRepositoryServlets(ALIAS_NODE);
+               repositories.close();
        }
 
        void registerRepositoryServlets(String alias, Repository repository) {
@@ -78,56 +88,66 @@ class DataHttp implements KernelConstants, ArgeoJcrConstants {
                        registerWebdavServlet(alias, repository, false);
                        registerRemotingServlet(alias, repository, true);
                        registerRemotingServlet(alias, repository, false);
+                       if (log.isDebugEnabled())
+                               log.debug("Registered servlets for repository '" + alias + "'");
                } catch (Exception e) {
-                       throw new CmsException(
-                                       "Could not register servlets for repository " + alias, e);
+                       throw new CmsException("Could not register servlets for repository '" + alias + "'", e);
                }
        }
 
        void unregisterRepositoryServlets(String alias) {
-               // FIXME unregister servlets
+               try {
+                       httpService.unregister(webdavPath(alias, true));
+                       httpService.unregister(webdavPath(alias, false));
+                       httpService.unregister(remotingPath(alias, true));
+                       httpService.unregister(remotingPath(alias, false));
+                       if (log.isDebugEnabled())
+                               log.debug("Unregistered servlets for repository '" + alias + "'");
+               } catch (Exception e) {
+                       log.error("Could not unregister servlets for repository '" + alias + "'", e);
+               }
        }
 
-       void registerWebdavServlet(String alias, Repository repository,
-                       boolean anonymous) throws NamespaceException, ServletException {
-               WebdavServlet webdavServlet = new WebdavServlet(repository,
-                               sessionProvider);
-               String pathPrefix = anonymous ? WEBDAV_PUBLIC : WEBDAV_PRIVATE;
-               String path = pathPrefix + "/" + alias;
+       void registerWebdavServlet(String alias, Repository repository, boolean anonymous)
+                       throws NamespaceException, ServletException {
+               WebdavServlet webdavServlet = new WebdavServlet(repository, sessionProvider);
+               String path = webdavPath(alias, anonymous);
                Properties ip = new Properties();
                ip.setProperty(WebdavServlet.INIT_PARAM_RESOURCE_CONFIG, WEBDAV_CONFIG);
                ip.setProperty(WebdavServlet.INIT_PARAM_RESOURCE_PATH_PREFIX, path);
-               httpService.registerServlet(path, webdavServlet, ip,
-                               new DataHttpContext(anonymous));
+               httpService.registerServlet(path, webdavServlet, ip, new DataHttpContext(anonymous));
        }
 
-       void registerRemotingServlet(String alias, Repository repository,
-                       boolean anonymous) throws NamespaceException, ServletException {
-               String pathPrefix = anonymous ? REMOTING_PUBLIC : REMOTING_PRIVATE;
-               RemotingServlet remotingServlet = new RemotingServlet(repository,
-                               sessionProvider);
-               String path = pathPrefix + "/" + alias;
+       void registerRemotingServlet(String alias, Repository repository, boolean anonymous)
+                       throws NamespaceException, ServletException {
+               RemotingServlet remotingServlet = new RemotingServlet(repository, sessionProvider);
+               String path = remotingPath(alias, anonymous);
                Properties ip = new Properties();
                ip.setProperty(JcrRemotingServlet.INIT_PARAM_RESOURCE_PATH_PREFIX, path);
 
                // Looks like a bug in Jackrabbit remoting init
-               ip.setProperty(RemotingServlet.INIT_PARAM_HOME,
-                               KernelUtils.getOsgiInstanceDir() + "/tmp/jackrabbit");
+               ip.setProperty(RemotingServlet.INIT_PARAM_HOME, KernelUtils.getOsgiInstanceDir() + "/tmp/jackrabbit");
                ip.setProperty(RemotingServlet.INIT_PARAM_TMP_DIRECTORY, "remoting");
-               // in order to avoid annoying warning.
-               ip.setProperty(RemotingServlet.INIT_PARAM_PROTECTED_HANDLERS_CONFIG, "");
-               httpService.registerServlet(path, remotingServlet, ip,
-                               new DataHttpContext(anonymous));
+               ip.setProperty(RemotingServlet.INIT_PARAM_PROTECTED_HANDLERS_CONFIG, DEFAULT_PROTECTED_HANDLERS);
+               httpService.registerServlet(path, remotingServlet, ip, new DataHttpContext(anonymous));
+       }
+
+       private String webdavPath(String alias, boolean anonymous) {
+               String pathPrefix = anonymous ? WEBDAV_PUBLIC : WEBDAV_PRIVATE;
+               return pathPrefix + "/" + alias;
+       }
+
+       private String remotingPath(String alias, boolean anonymous) {
+               String pathPrefix = anonymous ? REMOTING_PUBLIC : REMOTING_PRIVATE;
+               return pathPrefix + "/" + alias;
        }
 
        private Subject subjectFromRequest(HttpServletRequest request) {
-               Authorization authorization = (Authorization) request
-                               .getAttribute(HttpContext.AUTHORIZATION);
+               Authorization authorization = (Authorization) request.getAttribute(HttpContext.AUTHORIZATION);
                if (authorization == null)
                        throw new CmsException("Not authenticated");
                try {
-                       LoginContext lc = new LoginContext(
-                                       AuthConstants.LOGIN_CONTEXT_USER,
+                       LoginContext lc = new LoginContext(AuthConstants.LOGIN_CONTEXT_USER,
                                        new HttpRequestCallbackHandler(request));
                        lc.login();
                        return lc.getSubject();
@@ -136,6 +156,33 @@ class DataHttp implements KernelConstants, ArgeoJcrConstants {
                }
        }
 
+       private class RepositoriesStc implements ServiceTrackerCustomizer<Repository, Repository> {
+
+               @Override
+               public Repository addingService(ServiceReference<Repository> reference) {
+                       Repository repository = bc.getService(reference);
+                       Object jcrRepoAlias = reference.getProperty(ArgeoJcrConstants.JCR_REPOSITORY_ALIAS);
+                       if (jcrRepoAlias != null) {
+                               String alias = jcrRepoAlias.toString();
+                               registerRepositoryServlets(alias, repository);
+                       }
+                       return repository;
+               }
+
+               @Override
+               public void modifiedService(ServiceReference<Repository> reference, Repository service) {
+               }
+
+               @Override
+               public void removedService(ServiceReference<Repository> reference, Repository service) {
+                       Object jcrRepoAlias = reference.getProperty(ArgeoJcrConstants.JCR_REPOSITORY_ALIAS);
+                       if (jcrRepoAlias != null) {
+                               String alias = jcrRepoAlias.toString();
+                               unregisterRepositoryServlets(alias);
+                       }
+               }
+       }
+
        private class DataHttpContext implements HttpContext {
                private final boolean anonymous;
 
@@ -144,14 +191,12 @@ class DataHttp implements KernelConstants, ArgeoJcrConstants {
                }
 
                @Override
-               public boolean handleSecurity(final HttpServletRequest request,
-                               HttpServletResponse response) throws IOException {
+               public boolean handleSecurity(final HttpServletRequest request, HttpServletResponse response)
+                               throws IOException {
 
                        if (anonymous) {
                                Subject subject = KernelUtils.anonymousLogin();
-                               Authorization authorization = subject
-                                               .getPrivateCredentials(Authorization.class).iterator()
-                                               .next();
+                               Authorization authorization = subject.getPrivateCredentials(Authorization.class).iterator().next();
                                request.setAttribute(REMOTE_USER, AuthConstants.ROLE_ANONYMOUS);
                                request.setAttribute(AUTHORIZATION, authorization);
                                return true;
@@ -160,15 +205,13 @@ class DataHttp implements KernelConstants, ArgeoJcrConstants {
                        if (log.isTraceEnabled())
                                KernelUtils.logRequestHeaders(log, request);
                        try {
-                               new LoginContext(LOGIN_CONTEXT_USER,
-                                               new HttpRequestCallbackHandler(request)).login();
+                               new LoginContext(LOGIN_CONTEXT_USER, new HttpRequestCallbackHandler(request)).login();
                                return true;
                        } catch (CredentialNotFoundException e) {
                                CallbackHandler token = basicAuth(request);
                                if (token != null) {
                                        try {
-                                               LoginContext lc = new LoginContext(LOGIN_CONTEXT_USER,
-                                                               token);
+                                               LoginContext lc = new LoginContext(LOGIN_CONTEXT_USER, token);
                                                lc.login();
                                                // Note: this is impossible to reliably clear the
                                                // authorization header when access from a browser.
@@ -177,7 +220,9 @@ class DataHttp implements KernelConstants, ArgeoJcrConstants {
                                                throw new CmsException("Could not login", e1);
                                        }
                                } else {
-                                       // requestBasicAuth(request, response);
+                                       String path = request.getServletPath();
+                                       if (path.startsWith(REMOTING_PRIVATE))
+                                               requestBasicAuth(request, response);
                                        return false;
                                }
                        } catch (LoginException e) {
@@ -187,7 +232,7 @@ class DataHttp implements KernelConstants, ArgeoJcrConstants {
 
                @Override
                public URL getResource(String name) {
-                       return Activator.getBundleContext().getBundle().getResource(name);
+                       return KernelUtils.getBundleContext(DataHttp.class).getBundle().getResource(name);
                }
 
                @Override
@@ -195,13 +240,11 @@ class DataHttp implements KernelConstants, ArgeoJcrConstants {
                        return null;
                }
 
-               // private void requestBasicAuth(HttpServletRequest request,
-               // HttpServletResponse response) {
-               // response.setStatus(401);
-               // response.setHeader(HEADER_WWW_AUTHENTICATE, "basic realm=\""
-               // + httpAuthRealm + "\"");
-               // // request.getSession().setAttribute(ATTR_AUTH, Boolean.TRUE);
-               // }
+               private void requestBasicAuth(HttpServletRequest request, HttpServletResponse response) {
+                       response.setStatus(401);
+                       response.setHeader(HEADER_WWW_AUTHENTICATE, "basic realm=\"" + httpAuthRealm + "\"");
+                       // request.getSession().setAttribute(ATTR_AUTH, Boolean.TRUE);
+               }
 
                private CallbackHandler basicAuth(final HttpServletRequest httpRequest) {
                        String authHeader = httpRequest.getHeader(HEADER_AUTHORIZATION);
@@ -212,38 +255,29 @@ class DataHttp implements KernelConstants, ArgeoJcrConstants {
                                        if (basic.equalsIgnoreCase("Basic")) {
                                                try {
                                                        // TODO manipulate char[]
-                                                       String credentials = new String(
-                                                                       Base64.decodeBase64(st.nextToken()),
-                                                                       "UTF-8");
+                                                       String credentials = new String(Base64.decodeBase64(st.nextToken()), "UTF-8");
                                                        // log.debug("Credentials: " + credentials);
                                                        int p = credentials.indexOf(":");
                                                        if (p != -1) {
-                                                               final String login = credentials
-                                                                               .substring(0, p).trim();
-                                                               final char[] password = credentials
-                                                                               .substring(p + 1).trim().toCharArray();
+                                                               final String login = credentials.substring(0, p).trim();
+                                                               final char[] password = credentials.substring(p + 1).trim().toCharArray();
                                                                return new CallbackHandler() {
                                                                        public void handle(Callback[] callbacks) {
                                                                                for (Callback cb : callbacks) {
                                                                                        if (cb instanceof NameCallback)
-                                                                                               ((NameCallback) cb)
-                                                                                                               .setName(login);
+                                                                                               ((NameCallback) cb).setName(login);
                                                                                        else if (cb instanceof PasswordCallback)
-                                                                                               ((PasswordCallback) cb)
-                                                                                                               .setPassword(password);
+                                                                                               ((PasswordCallback) cb).setPassword(password);
                                                                                        else if (cb instanceof HttpRequestCallback)
-                                                                                               ((HttpRequestCallback) cb)
-                                                                                                               .setRequest(httpRequest);
+                                                                                               ((HttpRequestCallback) cb).setRequest(httpRequest);
                                                                                }
                                                                        }
                                                                };
                                                        } else {
-                                                               throw new CmsException(
-                                                                               "Invalid authentication token");
+                                                               throw new CmsException("Invalid authentication token");
                                                        }
                                                } catch (Exception e) {
-                                                       throw new CmsException(
-                                                                       "Couldn't retrieve authentication", e);
+                                                       throw new CmsException("Couldn't retrieve authentication", e);
                                                }
                                        }
                                }
@@ -257,23 +291,19 @@ class DataHttp implements KernelConstants, ArgeoJcrConstants {
         * Implements an open session in view patter: a new JCR session is created
         * for each request
         */
-       private class OpenInViewSessionProvider implements SessionProvider,
-                       Serializable {
+       private class OpenInViewSessionProvider implements SessionProvider, Serializable {
                private static final long serialVersionUID = 2270957712453841368L;
 
-               public Session getSession(HttpServletRequest request, Repository rep,
-                               String workspace) throws javax.jcr.LoginException,
-                               ServletException, RepositoryException {
+               public Session getSession(HttpServletRequest request, Repository rep, String workspace)
+                               throws javax.jcr.LoginException, ServletException, RepositoryException {
                        return login(request, rep, workspace);
                }
 
-               protected Session login(HttpServletRequest request,
-                               Repository repository, String workspace)
+               protected Session login(HttpServletRequest request, Repository repository, String workspace)
                                throws RepositoryException {
                        if (log.isTraceEnabled())
-                               log.trace("Login to workspace "
-                                               + (workspace == null ? "<default>" : workspace)
-                                               + " in web session " + request.getSession().getId());
+                               log.trace("Login to workspace " + (workspace == null ? "<default>" : workspace) + " in web session "
+                                               + request.getSession().getId());
                        return repository.login(workspace);
                }
 
@@ -288,8 +318,7 @@ class DataHttp implements KernelConstants, ArgeoJcrConstants {
                private static final long serialVersionUID = -4687354117811443881L;
                private final Repository repository;
 
-               public WebdavServlet(Repository repository,
-                               SessionProvider sessionProvider) {
+               public WebdavServlet(Repository repository, SessionProvider sessionProvider) {
                        this.repository = repository;
                        setSessionProvider(sessionProvider);
                }
@@ -299,16 +328,16 @@ class DataHttp implements KernelConstants, ArgeoJcrConstants {
                }
 
                @Override
-               protected void service(final HttpServletRequest request,
-                               final HttpServletResponse response) throws ServletException,
-                               IOException {
+               protected void service(final HttpServletRequest request, final HttpServletResponse response)
+                               throws ServletException, IOException {
                        try {
                                Subject subject = subjectFromRequest(request);
-                               if (CurrentUser.isAnonymous(subject)
-                                               && request.getMethod().equals("GET")) {
-                                       response.setHeader("Cache-Control",
-                                                       "no-transform, public, max-age=300, s-maxage=900");
-                               }
+                               // TODO make it stronger, with eTags.
+                               // if (CurrentUser.isAnonymous(subject) &&
+                               // request.getMethod().equals("GET")) {
+                               // response.setHeader("Cache-Control", "no-transform, public,
+                               // max-age=300, s-maxage=900");
+                               // }
 
                                Subject.doAs(subject, new PrivilegedExceptionAction<Void>() {
                                        @Override
@@ -318,8 +347,7 @@ class DataHttp implements KernelConstants, ArgeoJcrConstants {
                                        }
                                });
                        } catch (PrivilegedActionException e) {
-                               throw new CmsException("Cannot process webdav request",
-                                               e.getException());
+                               throw new CmsException("Cannot process webdav request", e.getException());
                        }
                }
        }
@@ -329,8 +357,7 @@ class DataHttp implements KernelConstants, ArgeoJcrConstants {
                private final Repository repository;
                private final SessionProvider sessionProvider;
 
-               public RemotingServlet(Repository repository,
-                               SessionProvider sessionProvider) {
+               public RemotingServlet(Repository repository, SessionProvider sessionProvider) {
                        this.repository = repository;
                        this.sessionProvider = sessionProvider;
                }
@@ -346,9 +373,8 @@ class DataHttp implements KernelConstants, ArgeoJcrConstants {
                }
 
                @Override
-               protected void service(final HttpServletRequest request,
-                               final HttpServletResponse response) throws ServletException,
-                               IOException {
+               protected void service(final HttpServletRequest request, final HttpServletResponse response)
+                               throws ServletException, IOException {
                        try {
                                Subject subject = subjectFromRequest(request);
                                Subject.doAs(subject, new PrivilegedExceptionAction<Void>() {
@@ -359,8 +385,7 @@ class DataHttp implements KernelConstants, ArgeoJcrConstants {
                                        }
                                });
                        } catch (PrivilegedActionException e) {
-                               throw new CmsException("Cannot process JCR remoting request",
-                                               e.getException());
+                               throw new CmsException("Cannot process JCR remoting request", e.getException());
                        }
                }
        }