From b9c3e8ba3e9d74c0fedb66a06a12148fd3fcd4cb Mon Sep 17 00:00:00 2001
From: Mathieu Baudier <mbaudier@argeo.org>
Date: Tue, 20 Dec 2016 09:42:19 +0100
Subject: [PATCH] Fix regression with webdav upload

---
 .../argeo/cms/internal/kernel/DataHttp.java   | 120 ++++++++++--------
 1 file changed, 67 insertions(+), 53 deletions(-)

diff --git a/org.argeo.cms/src/org/argeo/cms/internal/kernel/DataHttp.java b/org.argeo.cms/src/org/argeo/cms/internal/kernel/DataHttp.java
index 67fe44d93..97ca4bb31 100644
--- a/org.argeo.cms/src/org/argeo/cms/internal/kernel/DataHttp.java
+++ b/org.argeo.cms/src/org/argeo/cms/internal/kernel/DataHttp.java
@@ -150,6 +150,51 @@ class DataHttp implements KernelConstants {
 		}
 	}
 
+	private void requestBasicAuth(HttpServletRequest request, HttpServletResponse response) {
+		response.setStatus(401);
+		response.setHeader(HEADER_WWW_AUTHENTICATE, "basic realm=\"" + httpAuthRealm + "\"");
+		// request.getSession().setAttribute(ATTR_AUTH, Boolean.TRUE);
+	}
+
+	private CallbackHandler basicAuth(final HttpServletRequest httpRequest) {
+		String authHeader = httpRequest.getHeader(HEADER_AUTHORIZATION);
+		if (authHeader != null) {
+			StringTokenizer st = new StringTokenizer(authHeader);
+			if (st.hasMoreTokens()) {
+				String basic = st.nextToken();
+				if (basic.equalsIgnoreCase("Basic")) {
+					try {
+						// TODO manipulate char[]
+						String credentials = new String(Base64.decodeBase64(st.nextToken()), "UTF-8");
+						// log.debug("Credentials: " + credentials);
+						int p = credentials.indexOf(":");
+						if (p != -1) {
+							final String login = credentials.substring(0, p).trim();
+							final char[] password = credentials.substring(p + 1).trim().toCharArray();
+							return new CallbackHandler() {
+								public void handle(Callback[] callbacks) {
+									for (Callback cb : callbacks) {
+										if (cb instanceof NameCallback)
+											((NameCallback) cb).setName(login);
+										else if (cb instanceof PasswordCallback)
+											((PasswordCallback) cb).setPassword(password);
+										else if (cb instanceof HttpRequestCallback)
+											((HttpRequestCallback) cb).setRequest(httpRequest);
+									}
+								}
+							};
+						} else {
+							throw new CmsException("Invalid authentication token");
+						}
+					} catch (Exception e) {
+						throw new CmsException("Couldn't retrieve authentication", e);
+					}
+				}
+			}
+		}
+		return null;
+	}
+
 	private class RepositoriesStc implements ServiceTrackerCustomizer<Repository, Repository> {
 
 		@Override
@@ -208,20 +253,34 @@ class DataHttp implements KernelConstants {
 			// }
 
 			// if (log.isTraceEnabled())
-			// KernelUtils.logRequestHeaders(log, request);
+			KernelUtils.logRequestHeaders(log, request);
 			LoginContext lc;
 			try {
 				lc = new LoginContext(NodeConstants.LOGIN_CONTEXT_USER, new HttpRequestCallbackHandler(request));
 				lc.login();
 				// return true;
 			} catch (CredentialNotFoundException e) {
-				try {
-					lc = new LoginContext(NodeConstants.LOGIN_CONTEXT_USER);
-					lc.login();
-				} catch (LoginException e1) {
-					if (log.isDebugEnabled())
-						log.error("Cannot log in anonynous", e1);
-					return false;
+				CallbackHandler token = basicAuth(request);
+				if (token != null) {
+					try {
+						lc = new LoginContext(NodeConstants.LOGIN_CONTEXT_USER, token);
+						lc.login();
+						// Note: this is impossible to reliably clear the
+						// authorization header when access from a browser.
+						return true;
+					} catch (LoginException e1) {
+						throw new CmsException("Could not login", e1);
+					}
+				} else {
+					// anonymous
+					try {
+						lc = new LoginContext(NodeConstants.LOGIN_CONTEXT_USER);
+						lc.login();
+					} catch (LoginException e1) {
+						if (log.isDebugEnabled())
+							log.error("Cannot log in anonynous", e1);
+						return false;
+					}
 				}
 				// Subject subject = KernelUtils.anonymousLogin();
 				// authorization =
@@ -333,51 +392,6 @@ class DataHttp implements KernelConstants {
 			return null;
 		}
 
-		private void requestBasicAuth(HttpServletRequest request, HttpServletResponse response) {
-			response.setStatus(401);
-			response.setHeader(HEADER_WWW_AUTHENTICATE, "basic realm=\"" + httpAuthRealm + "\"");
-			// request.getSession().setAttribute(ATTR_AUTH, Boolean.TRUE);
-		}
-
-		private CallbackHandler basicAuth(final HttpServletRequest httpRequest) {
-			String authHeader = httpRequest.getHeader(HEADER_AUTHORIZATION);
-			if (authHeader != null) {
-				StringTokenizer st = new StringTokenizer(authHeader);
-				if (st.hasMoreTokens()) {
-					String basic = st.nextToken();
-					if (basic.equalsIgnoreCase("Basic")) {
-						try {
-							// TODO manipulate char[]
-							String credentials = new String(Base64.decodeBase64(st.nextToken()), "UTF-8");
-							// log.debug("Credentials: " + credentials);
-							int p = credentials.indexOf(":");
-							if (p != -1) {
-								final String login = credentials.substring(0, p).trim();
-								final char[] password = credentials.substring(p + 1).trim().toCharArray();
-								return new CallbackHandler() {
-									public void handle(Callback[] callbacks) {
-										for (Callback cb : callbacks) {
-											if (cb instanceof NameCallback)
-												((NameCallback) cb).setName(login);
-											else if (cb instanceof PasswordCallback)
-												((PasswordCallback) cb).setPassword(password);
-											else if (cb instanceof HttpRequestCallback)
-												((HttpRequestCallback) cb).setRequest(httpRequest);
-										}
-									}
-								};
-							} else {
-								throw new CmsException("Invalid authentication token");
-							}
-						} catch (Exception e) {
-							throw new CmsException("Couldn't retrieve authentication", e);
-						}
-					}
-				}
-			}
-			return null;
-		}
-
 	}
 
 	/**
-- 
2.30.2