1 package org.argeo.cms.servlet;
2
3 import java.io.IOException;
4 import java.net.URL;
5 import java.security.PrivilegedAction;
6 import java.util.Map;
7
8 import javax.security.auth.Subject;
9 import javax.security.auth.login.LoginContext;
10 import javax.security.auth.login.LoginException;
11 import javax.servlet.http.HttpServletRequest;
12 import javax.servlet.http.HttpServletResponse;
13
14 import org.argeo.api.cms.CmsAuth;
15 import org.argeo.api.cms.CmsLog;
16 import org.argeo.cms.auth.RemoteAuthCallbackHandler;
17 import org.argeo.cms.auth.RemoteAuthRequest;
18 import org.argeo.cms.auth.RemoteAuthResponse;
19 import org.argeo.cms.auth.RemoteAuthUtils;
20 import org.argeo.cms.servlet.internal.HttpUtils;
21 import org.osgi.framework.Bundle;
22 import org.osgi.framework.FrameworkUtil;
23 import org.osgi.service.http.context.ServletContextHelper;
24
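/**
 * Default servlet context degrading to anonymous if the session is not
 * pre-authenticated.
 * <p>
 * {@link #handleSecurity(HttpServletRequest, HttpServletResponse)} attempts a
 * {@link CmsAuth#USER} login driven by the incoming request. When that login
 * fails, the request is either challenged with a WWW-Authenticate header (if
 * {@link #authIsRequired(RemoteAuthRequest, RemoteAuthResponse)} says so) or
 * logged in as anonymous.
 */
public class CmsServletContext extends ServletContextHelper {
	private final static CmsLog log = CmsLog.getLog(CmsServletContext.class);
	/**
	 * Bundle used to serve resources. Resolved from the runtime class, so a
	 * subclass defined in another bundle serves that bundle's resources, whereas
	 * the JAAS login below is always performed with this class' own class loader.
	 */
	private final Bundle bundle = FrameworkUtil.getBundle(getClass());

	/** Realm name sent back in the WWW-Authenticate challenge. */
	private final String httpAuthRealm = "Argeo";
	/** Whether the challenge must force HTTP Basic authentication. */
	private final boolean forceBasic = false;

	/**
	 * Lifecycle hook receiving the servlet context properties. Does nothing by
	 * default; subclasses may override.
	 *
	 * @param properties the context properties
	 */
	public void init(Map<String, String> properties) {
	}

	/** Lifecycle hook called when the context is disposed. Does nothing by default. */
	public void destroy() {
	}

	/**
	 * Authenticates the request before the target servlet is invoked.
	 * <p>
	 * The login runs with the thread context class loader switched to this class'
	 * loader (so that JAAS configuration and login modules resolve from the CMS
	 * bundle rather than from the caller); the previous loader is restored in all
	 * cases, including when the request is rejected.
	 *
	 * @return {@code true} when a subject (authenticated or anonymous) has been
	 *         bound to the request, {@code false} when the request is rejected,
	 *         in which case the response status has already been set
	 * @throws IOException propagated from the servlet API
	 */
	@Override
	public boolean handleSecurity(HttpServletRequest request, HttpServletResponse response) throws IOException {
		if (log.isTraceEnabled())
			HttpUtils.logRequestHeaders(log, request);
		RemoteAuthRequest remoteAuthRequest = new ServletHttpRequest(request);
		RemoteAuthResponse remoteAuthResponse = new ServletHttpResponse(response);
		ClassLoader currentThreadContextClassLoader = Thread.currentThread().getContextClassLoader();
		Thread.currentThread().setContextClassLoader(CmsServletContext.class.getClassLoader());
		LoginContext lc;
		try {
			lc = CmsAuth.USER.newLoginContext(new RemoteAuthCallbackHandler(remoteAuthRequest, remoteAuthResponse));
			lc.login();
		} catch (LoginException e) {
			// FIXME better analyse failure so as not to try endlessly
			// A failed user login is the normal path for unauthenticated requests,
			// so keep the cause at debug level only (useful when diagnosing
			// misconfigured login modules or repeated rejected credentials).
			if (log.isDebugEnabled())
				log.debug("User login failed, challenging client or degrading to anonymous", e);
			if (authIsRequired(remoteAuthRequest, remoteAuthResponse)) {
				// challenge the client: the helper writes the WWW-Authenticate header
				// and tells us which status to send back
				int statusCode = RemoteAuthUtils.askForWwwAuth(remoteAuthResponse, httpAuthRealm, forceBasic);
				response.setStatus(statusCode);
				return false;
			}
			lc = RemoteAuthUtils.anonymousLogin(remoteAuthRequest, remoteAuthResponse);
			if (lc == null)
				// even anonymous login failed: nothing can be bound to the request
				return false;
		} finally {
			Thread.currentThread().setContextClassLoader(currentThreadContextClassLoader);
		}

		// Bind the logged-in subject to the request for downstream servlets.
		// Only the binding runs under doAs; the servlet itself is called later by
		// the HTTP whiteboard.
		Subject subject = lc.getSubject();
		Subject.doAs(subject, new PrivilegedAction<Void>() {

			@Override
			public Void run() {
				// TODO also set login context in order to log out ?
				RemoteAuthUtils.configureRequestSecurity(remoteAuthRequest);
				return null;
			}

		});
		return true;
	}

	/**
	 * Removes the security state bound to the request by
	 * {@link #handleSecurity(HttpServletRequest, HttpServletResponse)} once the
	 * servlet has completed.
	 */
	@Override
	public void finishSecurity(HttpServletRequest request, HttpServletResponse response) {
		RemoteAuthUtils.clearRequestSecurity(new ServletHttpRequest(request));
	}

	/**
	 * Whether a request whose user login failed must be challenged with a
	 * WWW-Authenticate header instead of being degraded to anonymous. Returns
	 * {@code false} by default (always degrade); subclasses protecting a
	 * non-public context should override.
	 *
	 * @param remoteAuthRequest  the request whose login failed
	 * @param remoteAuthResponse the response the challenge would be written to
	 * @return {@code true} to challenge, {@code false} to log in as anonymous
	 */
	protected boolean authIsRequired(RemoteAuthRequest remoteAuthRequest, RemoteAuthResponse remoteAuthResponse) {
		return false;
	}

	/**
	 * Loads a resource from the bundle this context belongs to.
	 *
	 * @param name the resource name, relative to the bundle root
	 * @return the resource URL, or {@code null} if it cannot be found or if this
	 *         class is not running inside an OSGi framework
	 */
	@Override
	public URL getResource(String name) {
		// TODO make it more robust and versatile
		// if used directly it can only load from within this bundle
		if (bundle == null)
			// FrameworkUtil.getBundle returns null outside OSGi: report "not found"
			// rather than failing with an NPE
			return null;
		return bundle.getResource(name);
	}

}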