1 package org
.argeo
.cms
.integration
;
3 import java
.io
.IOException
;
4 import java
.security
.AccessControlContext
;
7 import javax
.security
.auth
.login
.LoginContext
;
8 import javax
.security
.auth
.login
.LoginException
;
9 import javax
.servlet
.http
.HttpServletRequest
;
10 import javax
.servlet
.http
.HttpServletResponse
;
12 import org
.argeo
.api
.cms
.CmsAuth
;
13 import org
.argeo
.cms
.auth
.RemoteAuthCallbackHandler
;
14 import org
.argeo
.cms
.auth
.RemoteAuthUtils
;
15 import org
.argeo
.cms
.servlet
.ServletHttpRequest
;
16 import org
.argeo
.cms
.servlet
.ServletHttpResponse
;
17 import org
.osgi
.service
.http
.context
.ServletContextHelper
;
19 /** Manages security access to servlets. */
20 public class CmsPrivateServletContext
extends ServletContextHelper
{
/** Property key naming the page path that login failures are redirected to. */
public final static String LOGIN_PAGE = "argeo.cms.integration.loginPage";
/** Property key naming the servlet path that performs the login itself. */
public final static String LOGIN_SERVLET = "argeo.cms.integration.loginServlet";
// Value read from LOGIN_PAGE; matched against servletPath + pathInfo and used as the
// redirect target when authentication fails.
private String loginPage;
// Value read from LOGIN_SERVLET; matched against the request's servletPath.
private String loginServlet;
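/**
 * Reads the login configuration from the component properties.
 *
 * @param properties component properties; must contain {@link #LOGIN_PAGE} and
 *                   {@link #LOGIN_SERVLET}
 * @throws IllegalArgumentException if {@code properties} is {@code null} or either
 *                                  key is absent. Failing here is deliberate: a
 *                                  {@code null} login servlet path or login page
 *                                  would otherwise only surface later as a
 *                                  {@code NullPointerException} while a request is
 *                                  being checked or redirected.
 */
public void init(Map<String, String> properties) {
	if (properties == null)
		throw new IllegalArgumentException("Configuration properties are required");
	loginPage = requireProperty(properties, LOGIN_PAGE);
	loginServlet = requireProperty(properties, LOGIN_SERVLET);
}

/** Returns the value stored under {@code key}, failing fast when it is missing. */
private static String requireProperty(Map<String, String> properties, String key) {
	String value = properties.get(key);
	if (value == null)
		throw new IllegalArgumentException("Property " + key + " is required");
	return value;
}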
32 * Add the {@link AccessControlContext} as a request attribute, or redirect to
36 public boolean handleSecurity(final HttpServletRequest req
, HttpServletResponse resp
) throws IOException
{
37 LoginContext lc
= null;
38 ServletHttpRequest request
= new ServletHttpRequest(req
);
39 ServletHttpResponse response
= new ServletHttpResponse(resp
);
41 String pathInfo
= req
.getPathInfo();
42 String servletPath
= req
.getServletPath();
43 if ((pathInfo
!= null && (servletPath
+ pathInfo
).equals(loginPage
)) || servletPath
.contentEquals(loginServlet
))
46 lc
= CmsAuth
.USER
.newLoginContext(new RemoteAuthCallbackHandler(request
, response
));
48 } catch (LoginException e
) {
49 lc
= processUnauthorized(req
, resp
);
53 // Subject.doAs(lc.getSubject(), new PrivilegedAction<Void>() {
56 // public Void run() {
57 // // TODO also set login context in order to log out ?
58 // RemoteAuthUtils.configureRequestSecurity(request);
68 // public void finishSecurity(HttpServletRequest req, HttpServletResponse resp) {
69 // RemoteAuthUtils.clearRequestSecurity(new ServletHttpRequest(req));
72 protected LoginContext
processUnauthorized(HttpServletRequest request
, HttpServletResponse response
) {
74 response
.sendRedirect(loginPage
);
75 } catch (IOException e
) {
76 throw new RuntimeException("Cannot redirect to login page", e
);