1 package org
.argeo
.cms
.servlet
;
3 import java
.io
.IOException
;
5 import java
.security
.PrivilegedAction
;
8 import javax
.security
.auth
.Subject
;
9 import javax
.security
.auth
.login
.LoginContext
;
10 import javax
.security
.auth
.login
.LoginException
;
11 import javax
.servlet
.http
.HttpServletRequest
;
12 import javax
.servlet
.http
.HttpServletResponse
;
14 import org
.argeo
.api
.cms
.CmsAuth
;
15 import org
.argeo
.api
.cms
.CmsLog
;
16 import org
.argeo
.cms
.auth
.RemoteAuthCallbackHandler
;
17 import org
.argeo
.cms
.auth
.RemoteAuthUtils
;
18 import org
.argeo
.cms
.servlet
.internal
.HttpUtils
;
19 import org
.osgi
.framework
.Bundle
;
20 import org
.osgi
.framework
.FrameworkUtil
;
21 import org
.osgi
.service
.http
.context
.ServletContextHelper
;
24 * Default servlet context degrading to anonymous if the session is not
27 public class CmsServletContext
extends ServletContextHelper
{
// Class-wide logger; also handed to HttpUtils below for tracing request/response headers.
28 private final static CmsLog log
= CmsLog
.getLog(CmsServletContext
.class);
29 // use CMS bundle for resources
// Bundle that loaded this class; getResource() delegates lookups to it.
// NOTE(review): assigned once here and not reassigned in the visible code, so it could be final.
30 private Bundle bundle
= FrameworkUtil
.getBundle(getClass());
32 public void init(Map
<String
, String
> properties
) {
36 public void destroy() {
/**
 * Authenticates the incoming request as a CMS user and then runs the
 * request-scoped security setup as the resulting subject.
 *
 * <p>What is visible here: a login context is obtained from
 * {@code CmsAuth.USER} with a {@link RemoteAuthCallbackHandler} wrapping the
 * servlet request and response; on {@link LoginException} the method falls
 * back to {@link #processUnauthorized} (anonymous). The thread context class
 * loader is swapped to this class's loader around the login and swapped back
 * afterwards. The opening of the try block, the {@code login()} call, the
 * return statements and the body of the {@code PrivilegedAction} are not shown
 * in this excerpt.
 *
 * @param request  the HTTP request being secured
 * @param response the HTTP response passed to the callback handler
 * @return per the {@link ServletContextHelper#handleSecurity} contract; the
 *         actual return statements are outside this excerpt
 * @throws IOException per the {@link ServletContextHelper} contract
 */
41 public boolean handleSecurity(HttpServletRequest request
, HttpServletResponse response
) throws IOException
{
// NOTE(review): request headers are dumped at TRACE level. Unless HttpUtils
// redacts them (not visible here) this includes Authorization and Cookie
// values, so TRACE output must be treated as sensitive.
42 if (log
.isTraceEnabled())
43 HttpUtils
.logRequestHeaders(log
, request
);
// Swap the thread context class loader to this bundle's loader for the login,
// presumably so the login configuration resolves from this bundle — confirm.
44 ClassLoader currentThreadContextClassLoader
= Thread
.currentThread().getContextClassLoader();
45 Thread
.currentThread().setContextClassLoader(CmsServletContext
.class.getClassLoader());
// The catch below implies a try block opened on a line not shown in this excerpt.
48 lc
= CmsAuth
.USER
.newLoginContext(
49 new RemoteAuthCallbackHandler(new ServletHttpRequest(request
), new ServletHttpResponse(response
)));
51 } catch (LoginException e
) {
// User login failed: degrade to the anonymous login context instead of rejecting the request.
52 lc
= processUnauthorized(request
, response
);
// Same sensitivity caveat as for request headers (Set-Cookie etc.).
53 if (log
.isTraceEnabled())
54 HttpUtils
.logResponseHeaders(log
, response
);
// NOTE(review): restoring the context class loader should happen in a finally
// block so an exception cannot leave the swapped loader on a pooled thread;
// the surrounding lines are not shown here — confirm.
58 Thread
.currentThread().setContextClassLoader(currentThreadContextClassLoader
);
// NOTE(review): lc is dereferenced without a null check. If processUnauthorized
// can return null after its own LoginException (its return statement is not
// shown), this throws NullPointerException instead of a controlled failure — confirm.
61 Subject subject
= lc
.getSubject();
62 // log.debug("SERVLET CONTEXT: "+subject);
// Run the request-scoped security setup as the authenticated (or anonymous) subject.
63 Subject
.doAs(subject
, new PrivilegedAction
<Void
>() {
67 // TODO also set login context in order to log out ?
68 RemoteAuthUtils
.configureRequestSecurity(new ServletHttpRequest(request
));
/**
 * Clears the request-scoped security state installed by
 * {@link #handleSecurity}, via {@link RemoteAuthUtils#clearRequestSecurity},
 * presumably so a subject does not leak across requests served by a reused
 * thread — confirm in RemoteAuthUtils.
 *
 * @param request  the HTTP request whose security state is cleared
 * @param response not used in the visible body
 */
77 public void finishSecurity(HttpServletRequest request
, HttpServletResponse response
) {
78 RemoteAuthUtils
.clearRequestSecurity(new ServletHttpRequest(request
));
/**
 * Fallback used by {@link #handleSecurity} when user authentication fails:
 * builds an anonymous login context from {@code CmsAuth.ANONYMOUS}.
 *
 * <p>The thread context class loader is swapped to this class's loader around
 * the anonymous login and restored afterwards. The opening of the try block,
 * its remaining statements and the return statement are not shown in this
 * excerpt.
 *
 * @param request  the HTTP request being secured
 * @param response the HTTP response passed to the callback handler
 * @return the anonymous login context; what is returned when the anonymous
 *         login itself fails is not visible here
 */
81 protected LoginContext
processUnauthorized(HttpServletRequest request
, HttpServletResponse response
) {
// Same class-loader swap as in handleSecurity; restored below.
83 ClassLoader currentContextClassLoader
= Thread
.currentThread().getContextClassLoader();
85 Thread
.currentThread().setContextClassLoader(CmsServletContext
.class.getClassLoader());
// The catch below implies a try block opened on a line not shown in this excerpt.
86 LoginContext lc
= CmsAuth
.ANONYMOUS
.newLoginContext(
87 new RemoteAuthCallbackHandler(new ServletHttpRequest(request
), new ServletHttpResponse(response
)));
90 } catch (LoginException e1
) {
// NOTE(review): this logs at ERROR level but only when DEBUG is enabled, so in
// a production log configuration a failing anonymous login leaves no trace.
// Log it unconditionally (or pick one level) so the failure is detectable.
91 if (log
.isDebugEnabled())
92 log
.error("Cannot log in as anonymous", e1
);
// NOTE(review): as in handleSecurity, this restore belongs in a finally block;
// whether it is in one is not visible here — confirm.
95 Thread
.currentThread().setContextClassLoader(currentContextClassLoader
);
/**
 * Resolves a static resource by delegating to this bundle's
 * {@link Bundle#getResource}, so lookups stay within the bundle that loaded
 * this class.
 *
 * <p>NOTE(review): {@code name} originates from the request path; whether the
 * HTTP service restricts which paths reach this method is not visible here.
 *
 * @param name the resource path requested
 * @return the resource URL, or {@code null} if the bundle does not contain it
 */
100 public URL
getResource(String name
) {
101 // TODO make it more robust and versatile
102 // if used directly it can only load from within this bundle
103 return bundle
.getResource(name
);