Re-enable previous Error handling in RAP
1 package org.argeo.cms.servlet;
2
3 import java.io.IOException;
4 import java.net.URL;
5 import java.util.Map;
6
7 import javax.security.auth.login.LoginContext;
8 import javax.security.auth.login.LoginException;
9 import javax.servlet.http.HttpServletRequest;
10 import javax.servlet.http.HttpServletResponse;
11
12 import org.argeo.api.cms.CmsAuth;
13 import org.argeo.api.cms.CmsLog;
14 import org.argeo.cms.auth.RemoteAuthCallbackHandler;
15 import org.argeo.cms.auth.RemoteAuthRequest;
16 import org.argeo.cms.auth.RemoteAuthResponse;
17 import org.argeo.cms.auth.RemoteAuthUtils;
18 import org.argeo.cms.servlet.internal.HttpUtils;
19 import org.osgi.framework.Bundle;
20 import org.osgi.framework.FrameworkUtil;
21 import org.osgi.service.http.context.ServletContextHelper;
22
/**
 * Default servlet context degrading to anonymous if the session is not
 * pre-authenticated.
 * <p>
 * With the default {@link #authIsRequired(RemoteAuthRequest, RemoteAuthResponse)}
 * (always {@code false}), a failed user login never produces an authentication
 * challenge: the request is retried as anonymous. Subclasses that must enforce
 * authentication have to override that method.
 */
public class CmsServletContext extends ServletContextHelper {
    private static final CmsLog log = CmsLog.getLog(CmsServletContext.class);

    /** Bundle owning this class; resources are served from it. */
    private Bundle bundle = FrameworkUtil.getBundle(getClass());

    /** Realm passed to {@link RemoteAuthUtils#askForWwwAuth} when a challenge is sent. */
    private final String httpAuthRealm = "Argeo";
    /** Passed to {@link RemoteAuthUtils#askForWwwAuth} as its last argument. */
    private final boolean forceBasic = false;

    /**
     * Life-cycle hook, currently a no-op.
     *
     * @param properties ignored by this implementation
     */
    public void init(Map<String, String> properties) {
        // nothing to initialise
    }

    /** Life-cycle hook, currently a no-op. */
    public void destroy() {
        // nothing to release
    }

    /**
     * Attempts a {@link CmsAuth#USER} login for the request and falls back to an
     * anonymous login when it fails and authentication is not required.
     * <p>
     * The thread context class loader is switched to this class's loader for the
     * duration of the login attempt and restored afterwards in all cases.
     *
     * @param request  the incoming request
     * @param response the response, whose status is set when a challenge is sent
     * @return {@code true} if the user login succeeded or the anonymous login
     *         returned a login context; {@code false} if a challenge was sent or
     *         the anonymous login returned {@code null}
     * @throws IOException declared by the overridden method
     */
    @Override
    public boolean handleSecurity(HttpServletRequest request, HttpServletResponse response) throws IOException {
        if (log.isTraceEnabled()) {
            HttpUtils.logRequestHeaders(log, request);
        }
        final RemoteAuthRequest authRequest = new ServletHttpRequest(request);
        final RemoteAuthResponse authResponse = new ServletHttpResponse(response);

        final Thread thread = Thread.currentThread();
        final ClassLoader previousLoader = thread.getContextClassLoader();
        thread.setContextClassLoader(CmsServletContext.class.getClassLoader());
        try {
            LoginContext userLogin = CmsAuth.USER
                    .newLoginContext(new RemoteAuthCallbackHandler(authRequest, authResponse));
            userLogin.login();
        } catch (LoginException e) {
            // NOTE(review): the exception is discarded without being logged here, so
            // from this method a rejected credential looks the same as a request that
            // carried none. Confirm the login modules record failures themselves.
            if (authIsRequired(authRequest, authResponse)) {
                response.setStatus(
                        RemoteAuthUtils.askForWwwAuth(authRequest, authResponse, httpAuthRealm, forceBasic));
                return false;
            }
            // NOTE(review): no status is set on this path when the anonymous login
            // yields null; verify that anonymousLogin populates the response itself.
            if (RemoteAuthUtils.anonymousLogin(authRequest, authResponse) == null) {
                return false;
            }
        } finally {
            // always undo the class loader switch, including on early return
            thread.setContextClassLoader(previousLoader);
        }

        // Disabled: the login context is not kept and the request security is not
        // configured under the authenticated subject.
//        Subject subject = lc.getSubject();
//        Subject.doAs(subject, new PrivilegedAction<Void>() {
//
//            @Override
//            public Void run() {
//                // TODO also set login context in order to log out ?
//                RemoteAuthUtils.configureRequestSecurity(remoteAuthRequest);
//                return null;
//            }
//
//        });
        return true;
    }

//    @Override
//    public void finishSecurity(HttpServletRequest request, HttpServletResponse response) {
//        RemoteAuthUtils.clearRequestSecurity(new ServletHttpRequest(request));
//    }

    /**
     * Tells whether a failed user login must be answered with an authentication
     * challenge instead of an anonymous session.
     *
     * @param remoteAuthRequest  the wrapped request
     * @param remoteAuthResponse the wrapped response
     * @return always {@code false} in this class; meant to be overridden
     */
    protected boolean authIsRequired(RemoteAuthRequest remoteAuthRequest, RemoteAuthResponse remoteAuthResponse) {
        return false;
    }

//    protected LoginContext processUnauthorized(HttpServletRequest request, HttpServletResponse response) {
//        // anonymous
//        ClassLoader currentContextClassLoader = Thread.currentThread().getContextClassLoader();
//        try {
//            Thread.currentThread().setContextClassLoader(CmsServletContext.class.getClassLoader());
//            LoginContext lc = CmsAuth.ANONYMOUS.newLoginContext(
//                    new RemoteAuthCallbackHandler(new ServletHttpRequest(request), new ServletHttpResponse(response)));
//            lc.login();
//            return lc;
//        } catch (LoginException e1) {
//            if (log.isDebugEnabled())
//                log.error("Cannot log in as anonymous", e1);
//            return null;
//        } finally {
//            Thread.currentThread().setContextClassLoader(currentContextClassLoader);
//        }
//    }

    /**
     * Resolves a resource through the bundle that owns this class.
     *
     * @param name the resource name, handed to {@link Bundle#getResource(String)}
     *             unchanged
     * @return the URL returned by the bundle
     */
    @Override
    public URL getResource(String name) {
        // TODO make it more robust and versatile
        // if used directly it can only load from within this bundle
        // NOTE(review): name is not validated here; presumably it derives from the
        // request path, so confirm the resource mappings limit what can be reached.
        return bundle.getResource(name);
    }

}