1 package org
.argeo
.cms
.servlet
;
3 import java
.io
.IOException
;
5 import java
.net
.http
.HttpHeaders
;
6 import java
.security
.PrivilegedAction
;
9 import javax
.security
.auth
.Subject
;
10 import javax
.security
.auth
.login
.LoginContext
;
11 import javax
.security
.auth
.login
.LoginException
;
12 import javax
.servlet
.http
.HttpServletRequest
;
13 import javax
.servlet
.http
.HttpServletResponse
;
15 import org
.argeo
.api
.cms
.CmsAuth
;
16 import org
.argeo
.api
.cms
.CmsLog
;
17 import org
.argeo
.cms
.auth
.RemoteAuthCallbackHandler
;
18 import org
.argeo
.cms
.auth
.RemoteAuthRequest
;
19 import org
.argeo
.cms
.auth
.RemoteAuthResponse
;
20 import org
.argeo
.cms
.auth
.RemoteAuthUtils
;
21 import org
.argeo
.cms
.servlet
.internal
.HttpUtils
;
22 import org
.argeo
.util
.http
.HttpHeader
;
23 import org
.osgi
.framework
.Bundle
;
24 import org
.osgi
.framework
.FrameworkUtil
;
25 import org
.osgi
.service
.http
.context
.ServletContextHelper
;
28 * Default servlet context degrading to anonymous if the session is not
31 public class CmsServletContext
extends ServletContextHelper
{
// Logger for this servlet context; also used to dump request headers at trace level.
private final static CmsLog log = CmsLog.getLog(CmsServletContext.class);
// use CMS bundle for resources
// NOTE: getClass() is virtual, so when this class is subclassed the field
// resolves to the subclass's bundle, and getResource() then loads from there.
private Bundle bundle = FrameworkUtil.getBundle(getClass());
// Realm passed to RemoteAuthUtils.askForWwwAuth() when a challenge is sent.
private final String httpAuthRealm = "Argeo";
// Presumably the trailing argument of askForWwwAuth() (force a Basic challenge);
// that argument is not present in this listing — confirm.
private final boolean forceBasic = false;
/**
 * Presumably a lifecycle hook receiving configuration properties — confirm
 * against the caller; the method body is not present in this listing.
 *
 * @param properties configuration properties (keys and source not visible here)
 */
public void init(Map<String, String> properties) {
/** Presumed counterpart of {@link #init(Map)}; the method body is not present in this listing. */
public void destroy() {
/**
 * Authenticates the request before any servlet of this context sees it. A
 * JAAS login context is created from the {@code CmsAuth.USER} configuration,
 * fed by callbacks that read the request/response; if the login fails, either
 * a WWW-Authenticate challenge is sent (when {@link #authIsRequired}) or the
 * request degrades to an anonymous login. The thread context class loader is
 * switched to this class's loader around the login and restored afterwards.
 *
 * @param request  the servlet request being secured
 * @param response the servlet response; receives the challenge status code
 *                 when authentication is required and has failed
 * @return whether the request may proceed — the return statements are not
 *         present in this listing, presumably {@code false} after a challenge
 *         and {@code true} otherwise; confirm
 * @throws IOException declared by the servlet API contract
 */
public boolean handleSecurity(HttpServletRequest request, HttpServletResponse response) throws IOException {
	// NOTE(review): at trace level this appears to log every request header,
	// which normally carries Authorization and Cookie values — confirm that
	// HttpUtils.logRequestHeaders redacts credentials before trace logging is
	// enabled outside development.
	if (log.isTraceEnabled())
		HttpUtils.logRequestHeaders(log, request);
	// Adapt the servlet API objects to the transport-neutral auth API.
	RemoteAuthRequest remoteAuthRequest = new ServletHttpRequest(request);
	RemoteAuthResponse remoteAuthResponse = new ServletHttpResponse(response);
	// Run the JAAS login under this class's loader (so the login configuration
	// and modules resolve), remembering the caller's loader to restore it.
	ClassLoader currentThreadContextClassLoader = Thread.currentThread().getContextClassLoader();
	Thread.currentThread().setContextClassLoader(CmsServletContext.class.getClassLoader());
	// … (declaration of lc and the opening of the try block are not present in this listing) …
	lc = CmsAuth.USER.newLoginContext(new RemoteAuthCallbackHandler(remoteAuthRequest, remoteAuthResponse));
	// … (the actual login call, if any, is not present in this listing) …
	} catch (LoginException e) {
		// Login failed: challenge, or fall back to anonymous, as decided by authIsRequired().
		if (authIsRequired(remoteAuthRequest, remoteAuthResponse)) {
			// The shared helper chooses the status code for the challenge; its last
			// argument is not present in this listing — presumably forceBasic.
			int statusCode = RemoteAuthUtils.askForWwwAuth(remoteAuthRequest,
					remoteAuthResponse, httpAuthRealm,
			// … (remaining argument and end of the call are not present in this listing) …
			response.setStatus(statusCode);
			// … (lines not present in this listing; the anonymous fallback presumably starts an else branch) …
			lc = RemoteAuthUtils.anonymousLogin(remoteAuthRequest, remoteAuthResponse);
	// … (lines not present in this listing) …
	// NOTE(review): confirm this restore runs in a finally block; otherwise a
	// runtime exception on the login path leaves the worker thread with the
	// CMS class loader for subsequent requests.
	Thread.currentThread().setContextClassLoader(currentThreadContextClassLoader);
	// NOTE(review): the Subject.doAs / configureRequestSecurity and the
	// finishSecurity override that follow are commented out in this listing —
	// confirm how the authenticated Subject reaches downstream servlets and
	// how request security is cleared at the end of the request.
76 // Subject subject = lc.getSubject();
77 // Subject.doAs(subject, new PrivilegedAction<Void>() {
80 // public Void run() {
81 // // TODO also set login context in order to log out ?
82 // RemoteAuthUtils.configureRequestSecurity(remoteAuthRequest);
91 // public void finishSecurity(HttpServletRequest request, HttpServletResponse response) {
92 // RemoteAuthUtils.clearRequestSecurity(new ServletHttpRequest(request));
/**
 * Decides, after a failed login in {@link #handleSecurity}, whether a
 * WWW-Authenticate challenge must be sent ({@code true}) or the request may
 * fall back to an anonymous login. The decision logic is not present in this
 * listing.
 *
 * @param remoteAuthRequest  the request being authenticated
 * @param remoteAuthResponse the response the challenge would be written to
 * @return whether authentication is mandatory for this request
 */
protected boolean authIsRequired(RemoteAuthRequest remoteAuthRequest, RemoteAuthResponse remoteAuthResponse) {
99 // protected LoginContext processUnauthorized(HttpServletRequest request, HttpServletResponse response) {
101 // ClassLoader currentContextClassLoader = Thread.currentThread().getContextClassLoader();
103 // Thread.currentThread().setContextClassLoader(CmsServletContext.class.getClassLoader());
104 // LoginContext lc = CmsAuth.ANONYMOUS.newLoginContext(
105 // new RemoteAuthCallbackHandler(new ServletHttpRequest(request), new ServletHttpResponse(response)));
108 // } catch (LoginException e1) {
109 // if (log.isDebugEnabled())
110 // log.error("Cannot log in as anonymous", e1);
113 // Thread.currentThread().setContextClassLoader(currentContextClassLoader);
118 public URL
getResource(String name
) {
119 // TODO make it more robust and versatile
120 // if used directly it can only load from within this bundle
121 return bundle
.getResource(name
);