1 package org.argeo.cms.servlet;
2
3 import java.security.AccessControlContext;
4 import java.security.AccessController;
5 import java.security.PrivilegedAction;
6 import java.util.function.Supplier;
7
8 import javax.security.auth.Subject;
9 import javax.servlet.http.HttpServletRequest;
10
11 import org.argeo.api.cms.CmsSession;
12 import org.argeo.cms.auth.CurrentUser;
13 import org.argeo.cms.osgi.CmsOsgiUtils;
14 import org.osgi.framework.BundleContext;
15 import org.osgi.framework.FrameworkUtil;
16 import org.osgi.service.http.HttpContext;
17
18 /** Authentications utilities when using servlets. */
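/**
 * Authentication utilities when using servlets.
 * <p>
 * The security context of an authenticated request is kept as a request
 * attribute keyed by {@code AccessControlContext.class.getName()}, and the user
 * name under {@link HttpContext#REMOTE_USER}. Any code that holds the request
 * object can therefore act as that user through {@link #doAs}, so the request
 * must not be handed to code that is not trusted to impersonate the user.
 * <p>
 * NOTE(review): {@link AccessController}, {@link AccessControlContext} and the
 * {@code Subject.doAs} / {@code Subject.getSubject} pair are deprecated for
 * removal by recent JDKs (JEP 411); this design will need a replacement before
 * the platform drops them.
 */
public class ServletAuthUtils {
    /** Request attribute under which the authenticated context is stored. */
    private static final String ACC_ATTRIBUTE = AccessControlContext.class.getName();

    // NOTE(review): FrameworkUtil.getBundle presumably returns null when this class
    // is not loaded by an OSGi bundle class loader, in which case class
    // initialisation fails; this class is only usable inside the framework.
    private static final BundleContext bundleContext = FrameworkUtil.getBundle(ServletAuthUtils.class)
            .getBundleContext();

    /** Static utility class; not meant to be instantiated. */
    private ServletAuthUtils() {
    }

    /**
     * Executes this supplier as the Subject authenticated on the request, using
     * the CMS class loader as the thread context class loader (useful to log in
     * to JCR). The previous context class loader is restored afterwards, even if
     * the supplier throws.
     *
     * @param supplier the action to run
     * @param req      a request previously passed to
     *                 {@link #configureRequestSecurity(HttpServletRequest)}
     * @return the supplier's result
     * @throws IllegalStateException if the request carries no security context
     */
    public final static <T> T doAs(Supplier<T> supplier, HttpServletRequest req) {
        // Fail with a clear message instead of the NullPointerException that
        // Subject.getSubject(null) would raise on an unconfigured request.
        AccessControlContext acc = requireAccessControlContext(req);
        // NOTE(review): Subject.getSubject returns null when the stored context
        // carries no Subject, and Subject.doAs accepts a null Subject, so the
        // action then runs with no Subject at all. Callers that require an
        // authenticated user should not rely on this method to enforce it.
        Subject subject = Subject.getSubject(acc);

        Thread thread = Thread.currentThread();
        ClassLoader previousContextCl = thread.getContextClassLoader();
        thread.setContextClassLoader(ServletAuthUtils.class.getClassLoader());
        try {
            // Cast picks the PrivilegedAction overload over PrivilegedExceptionAction.
            return Subject.doAs(subject, (PrivilegedAction<T>) supplier::get);
        } finally {
            thread.setContextClassLoader(previousContextCl);
        }
    }

    /**
     * Attaches the calling thread's current {@link AccessControlContext} and the
     * current user name to the request. Because the context is captured as-is,
     * this must be called while the authenticated Subject's {@code doAs} scope
     * is in effect; otherwise the stored context carries no Subject.
     *
     * @param req the request to mark as authenticated
     * @throws IllegalStateException if the request already carries a context
     */
    public final static void configureRequestSecurity(HttpServletRequest req) {
        if (req.getAttribute(ACC_ATTRIBUTE) != null)
            throw new IllegalStateException("Request already authenticated.");
        AccessControlContext acc = AccessController.getContext();
        // Resolve the user name before storing the context: if no user is
        // current and this throws, the request stays unauthenticated.
        req.setAttribute(HttpContext.REMOTE_USER, CurrentUser.getUsername());
        req.setAttribute(ACC_ATTRIBUTE, acc);
    }

    /**
     * Removes the security context and user name from the request, so that
     * later handlers cannot reuse them.
     *
     * @param req the request to clear
     * @throws IllegalStateException if the request carries no context
     */
    public final static void clearRequestSecurity(HttpServletRequest req) {
        if (req.getAttribute(ACC_ATTRIBUTE) == null)
            throw new IllegalStateException("Cannot clear non-authenticated request.");
        // setAttribute(name, null) is specified to behave like removeAttribute;
        // say so explicitly.
        req.removeAttribute(HttpContext.REMOTE_USER);
        req.removeAttribute(ACC_ATTRIBUTE);
    }

    /**
     * Looks up the {@link CmsSession} bound to the Subject authenticated on the
     * request.
     *
     * @param req a request previously passed to
     *            {@link #configureRequestSecurity(HttpServletRequest)}
     * @return whatever {@link CmsOsgiUtils#getCmsSession} returns for that
     *         Subject (its null-handling is not visible here)
     * @throws IllegalStateException if the request carries no security context
     */
    public static CmsSession getCmsSession(HttpServletRequest req) {
        Subject subject = Subject.getSubject(requireAccessControlContext(req));
        return CmsOsgiUtils.getCmsSession(bundleContext, subject);
    }

    /**
     * Reads the stored context, failing with a clear message if
     * {@link #configureRequestSecurity(HttpServletRequest)} was never called.
     */
    private static AccessControlContext requireAccessControlContext(HttpServletRequest req) {
        Object acc = req.getAttribute(ACC_ATTRIBUTE);
        if (acc == null)
            throw new IllegalStateException("Request is not authenticated.");
        return (AccessControlContext) acc;
    }
}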