package org.argeo.cms.internal.kernel;
-import static org.argeo.cms.KernelHeader.ACCESS_CONTROL_CONTEXT;
+import static javax.jcr.Property.JCR_DESCRIPTION;
+import static javax.jcr.Property.JCR_LAST_MODIFIED;
+import static javax.jcr.Property.JCR_TITLE;
+import static org.argeo.cms.CmsTypes.CMS_IMAGE;
import java.io.IOException;
-import java.security.AccessControlContext;
-import java.security.AccessController;
-import java.security.PrivilegedActionException;
+import java.io.PrintWriter;
import java.security.PrivilegedExceptionAction;
import java.security.cert.X509Certificate;
+import java.util.Calendar;
import java.util.Enumeration;
-import java.util.Properties;
-import java.util.StringTokenizer;
+import javax.jcr.Node;
+import javax.jcr.NodeIterator;
import javax.jcr.Repository;
+import javax.jcr.RepositoryException;
+import javax.jcr.Session;
import javax.security.auth.Subject;
-import javax.security.auth.callback.Callback;
-import javax.security.auth.callback.CallbackHandler;
-import javax.security.auth.callback.NameCallback;
-import javax.security.auth.callback.PasswordCallback;
-import javax.security.auth.login.LoginContext;
-import javax.security.auth.login.LoginException;
import javax.servlet.FilterChain;
-import javax.servlet.Servlet;
import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
-import org.apache.commons.codec.binary.Base64;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.argeo.cms.CmsException;
-import org.argeo.cms.KernelHeader;
-import org.argeo.jackrabbit.servlet.OpenInViewSessionProvider;
-import org.argeo.jackrabbit.servlet.RemotingServlet;
-import org.argeo.jackrabbit.servlet.WebdavServlet;
+import org.argeo.cms.util.CmsUtils;
import org.argeo.jcr.ArgeoJcrConstants;
+import org.argeo.jcr.JcrUtils;
import org.eclipse.equinox.http.servlet.ExtendedHttpService;
-import org.osgi.service.http.NamespaceException;
/**
* Intercepts and enriches http access, mainly focusing on security and
class NodeHttp implements KernelConstants, ArgeoJcrConstants {
private final static Log log = LogFactory.getLog(NodeHttp.class);
- private final static String ATTR_AUTH = "auth";
- private final static String HEADER_AUTHORIZATION = "Authorization";
- private final static String HEADER_WWW_AUTHENTICATE = "WWW-Authenticate";
-
- // private final AuthenticationManager authenticationManager;
- private final ExtendedHttpService httpService;
-
- // FIXME Make it more unique
- private String httpAuthRealm = "Argeo";
-
// Filters
- private final RootFilter rootFilter;
+ // private final RootFilter rootFilter;
+
// private final DoSFilter dosFilter;
// private final QoSFilter qosFilter;
- // WebDav / JCR remoting
- private OpenInViewSessionProvider sessionProvider;
+ private Repository repository;
- NodeHttp(ExtendedHttpService httpService, JackrabbitNode node) {
- // this.bundleContext = bundleContext;
- // this.authenticationManager = authenticationManager;
-
- this.httpService = httpService;
-
- // Filters
- rootFilter = new RootFilter();
+ NodeHttp(ExtendedHttpService httpService, NodeRepository node) {
+ this.repository = node;
+ // rootFilter = new RootFilter();
// dosFilter = new CustomDosFilter();
// qosFilter = new QoSFilter();
- // DAV
- sessionProvider = new OpenInViewSessionProvider();
-
- registerRepositoryServlets(ALIAS_NODE, node);
try {
- httpService.registerFilter("/", rootFilter, null, null);
+ httpService.registerServlet("/!", new LinkServlet(repository),
+ null, null);
+ httpService.registerServlet("/robots.txt", new RobotServlet(),
+ null, null);
} catch (Exception e) {
- throw new CmsException("Could not register root filter", e);
+ throw new CmsException("Cannot register filters", e);
}
}
public void destroy() {
- sessionProvider.destroy();
- unregisterRepositoryServlets(ALIAS_NODE);
}
- void registerRepositoryServlets(String alias, Repository repository) {
- try {
- registerWebdavServlet(alias, repository, true);
- registerWebdavServlet(alias, repository, false);
- registerRemotingServlet(alias, repository, true);
- registerRemotingServlet(alias, repository, false);
- } catch (Exception e) {
- throw new CmsException(
- "Could not register servlets for repository " + alias, e);
+ static class LinkServlet extends HttpServlet {
+ private static final long serialVersionUID = 3749990143146845708L;
+ private final Repository repository;
+
+ public LinkServlet(Repository repository) {
+ this.repository = repository;
}
- }
- void unregisterRepositoryServlets(String alias) {
- // FIXME unregister servlets
- }
+ @Override
+ protected void service(HttpServletRequest request,
+ HttpServletResponse response) throws ServletException,
+ IOException {
+ String path = request.getPathInfo();
+ String userAgent = request.getHeader("User-Agent").toLowerCase();
+ boolean isBot = false;
+ boolean isCompatibleBrowser = false;
+ if (userAgent.contains("bot") || userAgent.contains("facebook")
+ || userAgent.contains("twitter")) {
+ isBot = true;
+ } else if (userAgent.contains("webkit")
+ || userAgent.contains("gecko")
+ || userAgent.contains("firefox")
+ || userAgent.contains("msie")
+ || userAgent.contains("chrome")
+ || userAgent.contains("chromium")
+ || userAgent.contains("opera")
+ || userAgent.contains("browser")) {
+ isCompatibleBrowser = true;
+ }
- void registerWebdavServlet(String alias, Repository repository,
- boolean anonymous) throws NamespaceException, ServletException {
- WebdavServlet webdavServlet = new WebdavServlet(repository,
- sessionProvider);
- String pathPrefix = anonymous ? WEBDAV_PUBLIC : WEBDAV_PRIVATE;
- String path = pathPrefix + "/" + alias;
- Properties ip = new Properties();
- ip.setProperty(WebdavServlet.INIT_PARAM_RESOURCE_CONFIG, WEBDAV_CONFIG);
- ip.setProperty(WebdavServlet.INIT_PARAM_RESOURCE_PATH_PREFIX, path);
- httpService.registerFilter(path, anonymous ? new AnonymousFilter()
- : new DavFilter(), null, null);
- // Cast to servlet because of a weird behaviour in Eclipse
- httpService.registerServlet(path, (Servlet) webdavServlet, ip, null);
- }
+ if (isBot) {
+ log.warn("# BOT " + request.getHeader("User-Agent"));
+ canonicalAnswer(request, response, path);
+ return;
+ }
- void registerRemotingServlet(String alias, Repository repository,
- boolean anonymous) throws NamespaceException, ServletException {
- String pathPrefix = anonymous ? REMOTING_PUBLIC : REMOTING_PRIVATE;
- RemotingServlet remotingServlet = new RemotingServlet(repository,
- sessionProvider);
- String path = pathPrefix + "/" + alias;
- Properties ip = new Properties();
- ip.setProperty(RemotingServlet.INIT_PARAM_RESOURCE_PATH_PREFIX, path);
-
- // Looks like a bug in Jackrabbit remoting init
- ip.setProperty(RemotingServlet.INIT_PARAM_HOME,
- KernelUtils.getOsgiInstanceDir() + "/tmp/jackrabbit");
- ip.setProperty(RemotingServlet.INIT_PARAM_TMP_DIRECTORY, "remoting");
- // in order to avoid annoying warning.
- ip.setProperty(RemotingServlet.INIT_PARAM_PROTECTED_HANDLERS_CONFIG,
- "");
- // Cast to servlet because of a weird behaviour in Eclipse
- httpService.registerFilter(path, anonymous ? new AnonymousFilter()
- : new DavFilter(), null, null);
- httpService.registerServlet(path, (Servlet) remotingServlet, ip, null);
- }
+ if (isCompatibleBrowser && log.isTraceEnabled())
+ log.trace("# BWS " + request.getHeader("User-Agent"));
+ redirectTo(response, "/#" + path);
+ }
- // private Boolean isSessionAuthenticated(HttpSession httpSession) {
- // SecurityContext contextFromSession = (SecurityContext) httpSession
- // .getAttribute(SPRING_SECURITY_CONTEXT_KEY);
- // return contextFromSession != null;
- // }
+ private void redirectTo(HttpServletResponse response, String location) {
+ response.setHeader("Location", location);
+ response.setStatus(HttpServletResponse.SC_FOUND);
+ }
- private void requestBasicAuth(HttpSession httpSession,
- HttpServletResponse response) {
- response.setStatus(401);
- response.setHeader(HEADER_WWW_AUTHENTICATE, "basic realm=\""
- + httpAuthRealm + "\"");
- httpSession.setAttribute(ATTR_AUTH, Boolean.TRUE);
- }
+ // private boolean canonicalAnswerNeededBy(HttpServletRequest request) {
+ // String userAgent = request.getHeader("User-Agent").toLowerCase();
+ // return userAgent.startsWith("facebookexternalhit/");
+ // }
- private CallbackHandler basicAuth(String authHeader) {
- if (authHeader != null) {
- StringTokenizer st = new StringTokenizer(authHeader);
- if (st.hasMoreTokens()) {
- String basic = st.nextToken();
- if (basic.equalsIgnoreCase("Basic")) {
- try {
- // TODO manipulate char[]
- String credentials = new String(Base64.decodeBase64(st
- .nextToken()), "UTF-8");
- // log.debug("Credentials: " + credentials);
- int p = credentials.indexOf(":");
- if (p != -1) {
- final String login = credentials.substring(0, p)
- .trim();
- final char[] password = credentials
- .substring(p + 1).trim().toCharArray();
-
- return new CallbackHandler() {
- public void handle(Callback[] callbacks) {
- for (Callback cb : callbacks) {
- if (cb instanceof NameCallback)
- ((NameCallback) cb).setName(login);
- else if (cb instanceof PasswordCallback)
- ((PasswordCallback) cb)
- .setPassword(password);
- }
- }
- };
- } else {
- throw new CmsException(
- "Invalid authentication token");
- }
- } catch (Exception e) {
- throw new CmsException(
- "Couldn't retrieve authentication", e);
- }
+ /** For bots which don't understand RWT. */
+ private void canonicalAnswer(HttpServletRequest request,
+ HttpServletResponse response, String path) {
+ Session session = null;
+ try {
+ PrintWriter writer = response.getWriter();
+ session = Subject.doAs(KernelUtils.anonymousLogin(),
+ new PrivilegedExceptionAction<Session>() {
+
+ @Override
+ public Session run() throws Exception {
+ return repository.login();
+ }
+
+ });
+ Node node = session.getNode(path);
+ String title = node.hasProperty(JCR_TITLE) ? node.getProperty(
+ JCR_TITLE).getString() : node.getName();
+ String desc = node.hasProperty(JCR_DESCRIPTION) ? node
+ .getProperty(JCR_DESCRIPTION).getString() : null;
+ Calendar lastUpdate = node.hasProperty(JCR_LAST_MODIFIED) ? node
+ .getProperty(JCR_LAST_MODIFIED).getDate() : null;
+ String url = CmsUtils.getCanonicalUrl(node, request);
+ String imgUrl = null;
+ for (NodeIterator it = node.getNodes(); it.hasNext();) {
+ Node child = it.nextNode();
+ if (child.isNodeType(CMS_IMAGE))
+ imgUrl = CmsUtils.getDataUrl(child, request);
}
+ StringBuilder buf = new StringBuilder();
+ buf.append("<html>");
+ buf.append("<head>");
+ writeMeta(buf, "og:title", title);
+ writeMeta(buf, "og:type", "website");
+ buf.append("<meta name='twitter:card' content='summary' />");
+ buf.append("<meta name='twitter:site' content='@argeo_org' />");
+ writeMeta(buf, "og:url", url);
+ if (desc != null)
+ writeMeta(buf, "og:description", desc);
+ if (imgUrl != null)
+ writeMeta(buf, "og:image", imgUrl);
+ if (lastUpdate != null)
+ writeMeta(buf, "og:updated_time",
+ Long.toString(lastUpdate.getTime().getTime()));
+ buf.append("</head>");
+ buf.append("<body>");
+ buf.append(
+ "<p><b>!! This page is meant for indexing robots, not for real people,"
+ + " visit <a href='/#").append(path)
+ .append("'>").append(title)
+ .append("</a> instead.</b></p>");
+ writeCanonical(buf, node);
+ buf.append("</body>");
+ buf.append("</html>");
+ writer.print(buf.toString());
+
+ response.setHeader("Content-Type", "text/html");
+ writer.flush();
+ } catch (Exception e) {
+ throw new CmsException("Cannot write canonical answer", e);
+ } finally {
+ JcrUtils.logoutQuietly(session);
}
}
- throw new CmsException("Couldn't retrieve authentication");
+
+ private void writeMeta(StringBuilder buf, String tag, String value) {
+ buf.append("<meta property='").append(tag).append("' content='")
+ .append(value).append("'/>");
+ }
+
+ private void writeCanonical(StringBuilder buf, Node node)
+ throws RepositoryException {
+ buf.append("<div>");
+ if (node.hasProperty(JCR_TITLE))
+ buf.append("<p>")
+ .append(node.getProperty(JCR_TITLE).getString())
+ .append("</p>");
+ if (node.hasProperty(JCR_DESCRIPTION))
+ buf.append("<p>")
+ .append(node.getProperty(JCR_DESCRIPTION).getString())
+ .append("</p>");
+ NodeIterator children = node.getNodes();
+ while (children.hasNext()) {
+ writeCanonical(buf, children.nextNode());
+ }
+ buf.append("</div>");
+ }
+ }
+
+ class RobotServlet extends HttpServlet {
+ private static final long serialVersionUID = 7935661175336419089L;
+
+ @Override
+ protected void service(HttpServletRequest request,
+ HttpServletResponse response) throws ServletException,
+ IOException {
+ PrintWriter writer = response.getWriter();
+ writer.append("User-agent: *\n");
+ writer.append("Disallow:\n");
+ response.setHeader("Content-Type", "text/plain");
+ writer.flush();
+ }
+
}
/** Intercepts all requests. Authenticates. */
return null;
}
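Review bot: The markup built in canonicalAnswer interpolates untrusted text without HTML escaping — the request path in the `href='/#'` line, and JCR title/description values in writeMeta and writeCanonical — so a quote or angle bracket in a node title breaks the attribute and lets repository content inject arbitrary tags into the page crawlers index. LinkServlet.service() also dereferences `request.getHeader("User-Agent")` unguarded, turning a request without that header into a NullPointerException, and canonicalAnswer sets Content-Type only after the writer has been obtained and written to, so the writer's charset is the container default and the header may be ignored once the buffer flushes (RobotServlet has the same ordering). Escape every interpolated value through one helper and move the content-type call ahead of getWriter(); a minimal version is below, and the user-agent checks need only `String ua = request.getHeader("User-Agent"); String userAgent = ua == null ? "" : ua.toLowerCase();`. The enclosing NodeHttp class continues outside this hunk.
```java
/** Minimal HTML escaping for text and single-quoted attribute values. */
private static String escapeHtml(String s) {
    StringBuilder out = new StringBuilder(s.length());
    for (int i = 0; i < s.length(); i++) {
        char c = s.charAt(i);
        switch (c) {
        case '<': out.append("&lt;"); break;
        case '>': out.append("&gt;"); break;
        case '&': out.append("&amp;"); break;
        case '"': out.append("&quot;"); break;
        case '\'': out.append("&#39;"); break;
        default: out.append(c);
        }
    }
    return out.toString();
}

private void writeMeta(StringBuilder buf, String tag, String value) {
    buf.append("<meta property='").append(escapeHtml(tag))
            .append("' content='").append(escapeHtml(value)).append("'/>");
}

// in canonicalAnswer: content type before the writer is obtained
response.setContentType("text/html;charset=UTF-8");
PrintWriter writer = response.getWriter();
// … unchanged: anonymous login, node lookup, meta tags …
buf.append("<p><b>!! This page is meant for indexing robots, not for real people,"
        + " visit <a href='/#").append(escapeHtml(path))
        .append("'>").append(escapeHtml(title))
        .append("</a> instead.</b></p>");
// … unchanged: writeCanonical call, closing tags, print/flush …

// in writeCanonical: same treatment for the two property values
buf.append("<p>").append(escapeHtml(node.getProperty(JCR_TITLE).getString())).append("</p>");
buf.append("<p>").append(escapeHtml(node.getProperty(JCR_DESCRIPTION).getString())).append("</p>");
```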
- /** Intercepts all requests. Authenticates. */
- private class AnonymousFilter extends HttpFilter {
- @Override
- public void doFilter(HttpSession httpSession,
- final HttpServletRequest request,
- final HttpServletResponse response,
- final FilterChain filterChain) throws IOException,
- ServletException {
-
- // Authenticate from session
- // if (isSessionAuthenticated(httpSession)) {
- // filterChain.doFilter(request, response);
- // return;
- // }
-
- Subject subject = KernelUtils.anonymousLogin();
- try {
- Subject.doAs(subject, new PrivilegedExceptionAction<Void>() {
- public Void run() throws IOException, ServletException {
- filterChain.doFilter(request, response);
- return null;
- }
- });
- } catch (PrivilegedActionException e) {
- if (e.getCause() instanceof ServletException)
- throw (ServletException) e.getCause();
- else if (e.getCause() instanceof IOException)
- throw (IOException) e.getCause();
- else
- throw new CmsException("Unexpected exception", e.getCause());
- }
- }
- }
-
- /** Intercepts all requests. Authenticates. */
- private class DavFilter extends HttpFilter {
-
- @Override
- public void doFilter(final HttpSession httpSession,
- final HttpServletRequest request,
- final HttpServletResponse response,
- final FilterChain filterChain) throws IOException,
- ServletException {
-
- AccessControlContext acc = (AccessControlContext) httpSession
- .getAttribute(KernelHeader.ACCESS_CONTROL_CONTEXT);
- final Subject subject;
- if (acc != null) {
- subject = Subject.getSubject(acc);
- } else {
- // Process basic auth
- String basicAuth = request.getHeader(HEADER_AUTHORIZATION);
- if (basicAuth != null) {
- CallbackHandler token = basicAuth(basicAuth);
- try {
- LoginContext lc = new LoginContext(
- KernelHeader.LOGIN_CONTEXT_USER, token);
- lc.login();
- subject = lc.getSubject();
- } catch (LoginException e) {
- throw new CmsException("Could not login", e);
- }
- } else {
- requestBasicAuth(httpSession, response);
- return;
- }
- }
- // do filter as subject
- try {
- Subject.doAs(subject, new PrivilegedExceptionAction<Void>() {
- public Void run() throws IOException, ServletException {
- // add security context to session
- httpSession.setAttribute(ACCESS_CONTROL_CONTEXT,
- AccessController.getContext());
- filterChain.doFilter(request, response);
- return null;
- }
- });
- } catch (PrivilegedActionException e) {
- if (e.getCause() instanceof ServletException)
- throw (ServletException) e.getCause();
- else if (e.getCause() instanceof IOException)
- throw (IOException) e.getCause();
- else
- throw new CmsException("Unexpected exception", e.getCause());
- }
-
- }
- }
-
// class CustomDosFilter extends DoSFilter {
// @Override
// protected String extractUserId(ServletRequest request) {