1 package org.argeo.cms.servlet;
2
3 import java.io.IOException;
4 import java.net.URL;
5 import java.net.http.HttpHeaders;
6 import java.security.PrivilegedAction;
7 import java.util.Map;
8
9 import javax.security.auth.Subject;
10 import javax.security.auth.login.LoginContext;
11 import javax.security.auth.login.LoginException;
12 import javax.servlet.http.HttpServletRequest;
13 import javax.servlet.http.HttpServletResponse;
14
15 import org.argeo.api.cms.CmsAuth;
16 import org.argeo.api.cms.CmsLog;
17 import org.argeo.cms.auth.RemoteAuthCallbackHandler;
18 import org.argeo.cms.auth.RemoteAuthRequest;
19 import org.argeo.cms.auth.RemoteAuthResponse;
20 import org.argeo.cms.auth.RemoteAuthUtils;
21 import org.argeo.cms.servlet.internal.HttpUtils;
22 import org.argeo.util.http.HttpHeader;
23 import org.osgi.framework.Bundle;
24 import org.osgi.framework.FrameworkUtil;
25 import org.osgi.service.http.context.ServletContextHelper;
26
27 /**
28 * Default servlet context degrading to anonymous if the the session is not
29 * pre-authenticated.
30 */
31 public class CmsServletContext extends ServletContextHelper {
32 private final static CmsLog log = CmsLog.getLog(CmsServletContext.class);
33 // use CMS bundle for resources
34 private Bundle bundle = FrameworkUtil.getBundle(getClass());
35
36 private final String httpAuthRealm = "Argeo";
37 private final boolean forceBasic = false;
38
39 public void init(Map<String, String> properties) {
40
41 }
42
43 public void destroy() {
44
45 }
46
47 @Override
48 public boolean handleSecurity(HttpServletRequest request, HttpServletResponse response) throws IOException {
49 if (log.isTraceEnabled())
50 HttpUtils.logRequestHeaders(log, request);
51 RemoteAuthRequest remoteAuthRequest = new ServletHttpRequest(request);
52 RemoteAuthResponse remoteAuthResponse = new ServletHttpResponse(response);
53 ClassLoader currentThreadContextClassLoader = Thread.currentThread().getContextClassLoader();
54 Thread.currentThread().setContextClassLoader(CmsServletContext.class.getClassLoader());
55 LoginContext lc;
56 try {
57 lc = CmsAuth.USER.newLoginContext(new RemoteAuthCallbackHandler(remoteAuthRequest, remoteAuthResponse));
58 lc.login();
59 } catch (LoginException e) {
60 if (authIsRequired(remoteAuthRequest, remoteAuthResponse)) {
61 int statusCode = RemoteAuthUtils.askForWwwAuth(remoteAuthRequest,
62 remoteAuthResponse, httpAuthRealm,
63 forceBasic);
64 response.setStatus(statusCode);
65 return false;
66
67 } else {
68 lc = RemoteAuthUtils.anonymousLogin(remoteAuthRequest, remoteAuthResponse);
69 }
70 if (lc == null)
71 return false;
72 } finally {
73 Thread.currentThread().setContextClassLoader(currentThreadContextClassLoader);
74 }
75
76 // Subject subject = lc.getSubject();
77 // Subject.doAs(subject, new PrivilegedAction<Void>() {
78 //
79 // @Override
80 // public Void run() {
81 // // TODO also set login context in order to log out ?
82 // RemoteAuthUtils.configureRequestSecurity(remoteAuthRequest);
83 // return null;
84 // }
85 //
86 // });
87 return true;
88 }
89
90 // @Override
91 // public void finishSecurity(HttpServletRequest request, HttpServletResponse response) {
92 // RemoteAuthUtils.clearRequestSecurity(new ServletHttpRequest(request));
93 // }
94
95 protected boolean authIsRequired(RemoteAuthRequest remoteAuthRequest, RemoteAuthResponse remoteAuthResponse) {
96 return false;
97 }
98
99 // protected LoginContext processUnauthorized(HttpServletRequest request, HttpServletResponse response) {
100 // // anonymous
101 // ClassLoader currentContextClassLoader = Thread.currentThread().getContextClassLoader();
102 // try {
103 // Thread.currentThread().setContextClassLoader(CmsServletContext.class.getClassLoader());
104 // LoginContext lc = CmsAuth.ANONYMOUS.newLoginContext(
105 // new RemoteAuthCallbackHandler(new ServletHttpRequest(request), new ServletHttpResponse(response)));
106 // lc.login();
107 // return lc;
108 // } catch (LoginException e1) {
109 // if (log.isDebugEnabled())
110 // log.error("Cannot log in as anonymous", e1);
111 // return null;
112 // } finally {
113 // Thread.currentThread().setContextClassLoader(currentContextClassLoader);
114 // }
115 // }
116
117 @Override
118 public URL getResource(String name) {
119 // TODO make it more robust and versatile
120 // if used directly it can only load from within this bundle
121 return bundle.getResource(name);
122 }
123
124 }