1 package org.argeo.cms.integration;
2
3 import java.io.IOException;
4 import java.security.AccessControlContext;
5 import java.util.Map;
6
7 import javax.security.auth.login.LoginContext;
8 import javax.security.auth.login.LoginException;
9 import javax.servlet.http.HttpServletRequest;
10 import javax.servlet.http.HttpServletResponse;
11
12 import org.argeo.api.cms.CmsAuth;
13 import org.argeo.cms.auth.RemoteAuthCallbackHandler;
14 import org.argeo.cms.auth.RemoteAuthUtils;
15 import org.argeo.cms.servlet.ServletHttpRequest;
16 import org.argeo.cms.servlet.ServletHttpResponse;
17 import org.osgi.service.http.context.ServletContextHelper;
18
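/**
 * Manages security access to servlets: every request is authenticated through
 * JAAS except the configured login page and login servlet, which stay public.
 */
public class CmsPrivateServletContext extends ServletContextHelper {
	/** Init property: full path (servlet path + path info) of the public login page. */
	public static final String LOGIN_PAGE = "argeo.cms.integration.loginPage";
	/** Init property: servlet path of the public login servlet. */
	public static final String LOGIN_SERVLET = "argeo.cms.integration.loginServlet";
	private String loginPage;
	private String loginServlet;

	/**
	 * Reads the {@link #LOGIN_PAGE} and {@link #LOGIN_SERVLET} init properties.
	 * Either may be absent, in which case no path is treated as public for it.
	 *
	 * @param properties the servlet context init properties (must not be null)
	 */
	public void init(Map<String, String> properties) {
		loginPage = properties.get(LOGIN_PAGE);
		loginServlet = properties.get(LOGIN_SERVLET);
	}

	/**
	 * Lets the login page and the login servlet through unauthenticated; for every
	 * other path performs a JAAS login with the request's credentials and, on
	 * failure, delegates to
	 * {@link #processUnauthorized(HttpServletRequest, HttpServletResponse)}.
	 * <p>
	 * Note: the logged-in {@link LoginContext} is currently neither propagated to
	 * the request as a request attribute (the Subject.doAs block is disabled) nor
	 * logged out afterwards.
	 *
	 * @return {@code true} if the request may proceed to the target servlet
	 * @throws IOException if the response cannot be written
	 */
	@Override
	public boolean handleSecurity(final HttpServletRequest req, HttpServletResponse resp) throws IOException {
		ServletHttpRequest request = new ServletHttpRequest(req);
		ServletHttpResponse response = new ServletHttpResponse(resp);

		if (isPublicPath(req.getServletPath(), req.getPathInfo()))
			return true;

		LoginContext lc;
		try {
			lc = CmsAuth.USER.newLoginContext(new RemoteAuthCallbackHandler(request, response));
			lc.login();
		} catch (LoginException e) {
			// a subclass may authenticate the request itself and return a context
			lc = processUnauthorized(req, resp);
			if (lc == null)
				return false;
		}
		// TODO propagate lc.getSubject() to the request (Subject.doAs +
		// RemoteAuthUtils.configureRequestSecurity) and clear it again in
		// finishSecurity (RemoteAuthUtils.clearRequestSecurity); both are
		// currently disabled.
		return true;
	}

	/**
	 * Whether the request path is one of the configured public paths. The login
	 * page is matched on servlet path + path info; the login servlet is matched on
	 * the servlet path only, so any path info under it is public as well. A
	 * missing (null) property never matches.
	 */
	private boolean isPublicPath(String servletPath, String pathInfo) {
		if (pathInfo != null && (servletPath + pathInfo).equals(loginPage))
			return true;
		// String.equals(null) is false, whereas contentEquals(null) throws NPE
		// when the login servlet property is not configured
		return servletPath.equals(loginServlet);
	}

	/**
	 * Called when the JAAS login failed. Redirects to the login page and returns
	 * {@code null}, which makes {@link #handleSecurity} reject the request. If no
	 * login page is configured the request is rejected with {@code 401} instead of
	 * redirecting to a null location. Subclasses may override this to authenticate
	 * the request differently and return a logged-in {@link LoginContext}.
	 *
	 * @return a logged-in context to accept the request, or {@code null} to reject
	 *         it
	 * @throws RuntimeException if the response cannot be written
	 */
	protected LoginContext processUnauthorized(HttpServletRequest request, HttpServletResponse response) {
		try {
			if (loginPage == null)
				// fail closed: nothing to redirect to, so deny explicitly
				response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
			else
				response.sendRedirect(loginPage);
		} catch (IOException e) {
			throw new RuntimeException("Cannot redirect to login page", e);
		}
		return null;
	}
}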