1 package org
.argeo
.cms
.servlet
;
3 import java
.security
.AccessControlContext
;
4 import java
.security
.AccessController
;
5 import java
.security
.PrivilegedAction
;
6 import java
.util
.function
.Supplier
;
8 import javax
.security
.auth
.Subject
;
9 import javax
.servlet
.http
.HttpServletRequest
;
11 import org
.argeo
.api
.cms
.CmsSession
;
12 import org
.argeo
.cms
.auth
.CurrentUser
;
13 import org
.argeo
.cms
.osgi
.CmsOsgiUtils
;
14 import org
.osgi
.framework
.BundleContext
;
15 import org
.osgi
.framework
.FrameworkUtil
;
16 import org
.osgi
.service
.http
.HttpContext
;
/** Authentication utilities for use from servlets: attaching the authenticated subject to a request, running work under it, and clearing it again. */
19 public class ServletAuthUtils
{
/** Bundle context of the bundle hosting this class; used to look up the CMS session for a subject. */
private static BundleContext bundleContext = FrameworkUtil.getBundle(ServletAuthUtils.class).getBundleContext();
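/**
 * Runs {@code supplier} as the subject attached to this request, with the CMS
 * class loader as the thread context class loader (JCR login needs it).
 * <p>
 * Fails closed: the supplier is never executed without a subject. The original
 * code handed the result of {@code Subject.getSubject(...)} straight to
 * {@code Subject.doAs}, which runs the action with <em>no</em> subject when
 * that result is {@code null}, and threw a bare {@code NullPointerException}
 * when the request carried no {@link AccessControlContext} at all.
 * <p>
 * NOTE(review): {@code Subject.getSubject(AccessControlContext)} and
 * {@code Subject.doAs} are deprecated (JEP 411, JDK 17+); the replacement is
 * {@code Subject.current()} / {@code Subject.callAs} — a wider change than
 * this method.
 *
 * @param supplier the work to run under the request's subject
 * @param req      a request on which
 *                 {@link #configureRequestSecurity(HttpServletRequest)} has
 *                 been called
 * @return the supplier's result
 * @throws IllegalStateException if the request carries no
 *                               {@link AccessControlContext}, or that context
 *                               holds no {@link Subject}
 */
public final static <T> T doAs(Supplier<T> supplier, HttpServletRequest req) {
    AccessControlContext acc = (AccessControlContext) req.getAttribute(AccessControlContext.class.getName());
    if (acc == null)
        throw new IllegalStateException("Request is not authenticated.");
    // getSubject() returns null when no subject is bound to the context; doAs(null, ...)
    // would then silently run the action unauthenticated, so reject it here.
    Subject subject = Subject.getSubject(acc);
    if (subject == null)
        throw new IllegalStateException("No subject associated with the request.");

    Thread current = Thread.currentThread();
    ClassLoader previousContextCl = current.getContextClassLoader();
    current.setContextClassLoader(ServletAuthUtils.class.getClassLoader());
    try {
        // Typed local rather than a bare lambda: Subject.doAs is overloaded on
        // PrivilegedAction / PrivilegedExceptionAction and a lambda would be ambiguous.
        PrivilegedAction<T> action = supplier::get;
        return Subject.doAs(subject, action);
    } finally {
        // Always restore the caller's context class loader, even if the supplier throws.
        current.setContextClassLoader(previousContextCl);
    }
}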
/**
 * Attaches the caller's security state to the request: the current
 * {@link AccessControlContext} (stored under its class name as attribute key)
 * and the current user name as {@link HttpContext#REMOTE_USER}.
 * <p>
 * {@link AccessController#getContext()} snapshots the <em>calling thread's</em>
 * context, so this must run on the request thread after the subject has been
 * established — NOTE(review): presumably right after login; confirm against
 * the caller. {@code AccessController.getContext()} is deprecated for removal
 * since JDK 17 (JEP 411).
 *
 * @param req the request to decorate
 * @throws IllegalStateException if the request already carries an
 *                               {@link AccessControlContext}, so an existing
 *                               authentication is never silently overwritten
 */
public final static void configureRequestSecurity(HttpServletRequest req) {
    String accKey = AccessControlContext.class.getName();
    if (req.getAttribute(accKey) != null)
        throw new IllegalStateException("Request already authenticated.");
    AccessControlContext callerContext = AccessController.getContext();
    String username = CurrentUser.getUsername();
    req.setAttribute(HttpContext.REMOTE_USER, username);
    req.setAttribute(accKey, callerContext);
}
/**
 * Removes the security state attached by
 * {@link #configureRequestSecurity(HttpServletRequest)}: both the
 * {@link HttpContext#REMOTE_USER} attribute and the
 * {@link AccessControlContext} attribute are set to {@code null}, which the
 * servlet API treats as removal.
 *
 * @param req the request to clean up
 * @throws IllegalStateException if the request carries no
 *                               {@link AccessControlContext}, i.e. it was never
 *                               configured or has already been cleared
 */
public final static void clearRequestSecurity(HttpServletRequest req) {
    String accKey = AccessControlContext.class.getName();
    if (req.getAttribute(accKey) == null)
        throw new IllegalStateException("Cannot clear non-authenticated request.");
    for (String attribute : new String[] { HttpContext.REMOTE_USER, accKey })
        req.setAttribute(attribute, null);
}
60 public static CmsSession
getCmsSession(HttpServletRequest req
) {
61 Subject subject
= Subject
62 .getSubject((AccessControlContext
) req
.getAttribute(AccessControlContext
.class.getName()));
63 CmsSession cmsSession
= CmsOsgiUtils
.getCmsSession(bundleContext
, subject
);