1 package org.argeo.cms.servlet;
2
3 import java.security.AccessControlContext;
4 import java.security.AccessController;
5 import java.security.PrivilegedAction;
6 import java.util.function.Supplier;
7
8 import javax.security.auth.Subject;
9 import javax.servlet.http.HttpServletRequest;
10
11 import org.argeo.cms.auth.CmsSession;
12 import org.argeo.cms.auth.CurrentUser;
13 import org.osgi.framework.BundleContext;
14 import org.osgi.framework.FrameworkUtil;
15 import org.osgi.service.http.HttpContext;
16
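/**
 * Authentication utilities when using servlets.
 * <p>
 * The authenticated {@link AccessControlContext} of the current user is stored
 * as a request attribute by
 * {@link #configureRequestSecurity(HttpServletRequest)} and read back by
 * {@link #doAs(Supplier, HttpServletRequest)} and
 * {@link #getCmsSession(HttpServletRequest)}.
 * <p>
 * NOTE(review): this relies on {@link AccessController} /
 * {@link AccessControlContext}, which recent JDKs deprecate for removal
 * together with the Security Manager; confirm the target runtime before
 * upgrading.
 */
public class ServletAuthUtils {
	/** Request attribute holding the authenticated {@link AccessControlContext}. */
	private static final String ACC_ATTRIBUTE = AccessControlContext.class.getName();

	private static final BundleContext bundleContext = FrameworkUtil.getBundle(ServletAuthUtils.class)
			.getBundleContext();

	/**
	 * Execute this supplier as the Subject authenticated on this request, using
	 * the CMS class loader as context classloader. Useful to log in to JCR.
	 *
	 * @param supplier the work to run
	 * @param req      a request previously passed to
	 *                 {@link #configureRequestSecurity(HttpServletRequest)}
	 * @return the supplier's result
	 * @throws IllegalStateException if the request carries no authenticated
	 *                               Subject (fail closed: the supplier is never
	 *                               run without one)
	 */
	public final static <T> T doAs(Supplier<T> supplier, HttpServletRequest req) {
		// Resolve the Subject first: Subject.doAs(null, ...) would silently run
		// the action outside any authenticated context.
		Subject subject = requireSubject(req);
		Thread thread = Thread.currentThread();
		ClassLoader previousCl = thread.getContextClassLoader();
		thread.setContextClassLoader(ServletAuthUtils.class.getClassLoader());
		try {
			return Subject.doAs(subject, (PrivilegedAction<T>) supplier::get);
		} finally {
			// always restore, even when the supplier throws
			thread.setContextClassLoader(previousCl);
		}
	}

	/**
	 * Store the caller's current {@link AccessControlContext} and user name on
	 * the request. The context captured here is the one the caller is running
	 * under, so this must be invoked while already running as the authenticated
	 * user (the Subject is recovered from it later by
	 * {@link #doAs(Supplier, HttpServletRequest)} and
	 * {@link #getCmsSession(HttpServletRequest)}).
	 *
	 * @param req the request to configure
	 * @throws IllegalStateException if the request was already configured
	 */
	public final static void configureRequestSecurity(HttpServletRequest req) {
		if (req.getAttribute(ACC_ATTRIBUTE) != null)
			throw new IllegalStateException("Request already authenticated.");
		AccessControlContext acc = AccessController.getContext();
		req.setAttribute(HttpContext.REMOTE_USER, CurrentUser.getUsername());
		req.setAttribute(ACC_ATTRIBUTE, acc);
	}

	/**
	 * Remove what {@link #configureRequestSecurity(HttpServletRequest)} stored.
	 * Setting a request attribute to {@code null} is specified by the Servlet
	 * API to behave like removing it.
	 *
	 * @param req the request to clear
	 * @throws IllegalStateException if the request was not configured
	 */
	public final static void clearRequestSecurity(HttpServletRequest req) {
		if (req.getAttribute(ACC_ATTRIBUTE) == null)
			throw new IllegalStateException("Cannot clear non-authenticated request.");
		req.setAttribute(HttpContext.REMOTE_USER, null);
		req.setAttribute(ACC_ATTRIBUTE, null);
	}

	/**
	 * The {@link CmsSession} of the Subject authenticated on this request.
	 *
	 * @param req a request previously passed to
	 *            {@link #configureRequestSecurity(HttpServletRequest)}
	 * @return whatever {@link CmsSession#getCmsSession} returns for that Subject
	 * @throws IllegalStateException if the request was not configured
	 */
	public static CmsSession getCmsSession(HttpServletRequest req) {
		Subject subject = Subject.getSubject(requireAccessControlContext(req));
		return CmsSession.getCmsSession(bundleContext, subject);
	}

	/** The stored {@link AccessControlContext}, failing clearly when absent. */
	private static AccessControlContext requireAccessControlContext(HttpServletRequest req) {
		Object acc = req.getAttribute(ACC_ATTRIBUTE);
		if (acc == null)
			throw new IllegalStateException("Request not authenticated.");
		return (AccessControlContext) acc;
	}

	/** The Subject of the stored {@link AccessControlContext}, failing when there is none. */
	private static Subject requireSubject(HttpServletRequest req) {
		Subject subject = Subject.getSubject(requireAccessControlContext(req));
		if (subject == null)
			throw new IllegalStateException("Request not authenticated.");
		return subject;
	}
}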