package org.argeo.cms.websocket;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
import java.util.List;
+import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
-import javax.security.auth.login.LoginException;
import javax.servlet.http.HttpSession;
import javax.websocket.Extension;
import javax.websocket.HandshakeResponse;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
+import org.argeo.api.NodeConstants;
import org.argeo.cms.auth.HttpRequestCallbackHandler;
-import org.argeo.node.NodeConstants;
+import org.osgi.service.http.context.ServletContextHelper;
+
+/** Customises the initialisation of a new web socket. */
+public class CmsWebSocketConfigurator extends Configurator {
+ public final static String WEBSOCKET_SUBJECT = "org.argeo.cms.websocket.subject";
-public final class CmsWebSocketConfigurator extends Configurator {
private final static Log log = LogFactory.getLog(CmsWebSocketConfigurator.class);
final static String HEADER_WWW_AUTHENTICATE = "WWW-Authenticate";
log.debug("Web socket HTTP session id: " + httpSession.getId());
if (httpSession == null) {
- rejectResponse(response);
+ rejectResponse(response, null);
}
try {
LoginContext lc = new LoginContext(NodeConstants.LOGIN_CONTEXT_USER,
lc.login();
if (log.isDebugEnabled())
log.debug("Web socket logged-in as " + lc.getSubject());
- sec.getUserProperties().put("subject", lc.getSubject());
- } catch (LoginException e) {
- rejectResponse(response);
- }
+ Subject.doAs(lc.getSubject(), new PrivilegedAction<Void>() {
+
+ @Override
+ public Void run() {
+ sec.getUserProperties().put(ServletContextHelper.REMOTE_USER, AccessController.getContext());
+ return null;
+ }
-// List<String> authHeaders = request.getHeaders().get(HEADER_WWW_AUTHENTICATE);
-// String authHeader;
-// if (authHeaders != null && authHeaders.size() == 1) {
-// authHeader = authHeaders.get(0);
-// } else {
-// return;
-// }
+ });
+ } catch (Exception e) {
+ rejectResponse(response, e);
+ }
}
- private void rejectResponse(HandshakeResponse response) {
+ /**
+ * Behaviour when the web socket could not be authenticated. Throws an
+ * {@link IllegalStateException} by default.
+ *
+ * @param e can be null
+ */
+ protected void rejectResponse(HandshakeResponse response, Exception e) {
// violent implementation, as suggested in
// https://stackoverflow.com/questions/21763829/jsr-356-how-to-abort-a-websocket-connection-during-the-handshake
- throw new IllegalStateException("Web socket cannot be authenticated");
+// throw new IllegalStateException("Web socket cannot be authenticated");
}
}
projects / lgpl / argeo-commons.git / blobdiff