X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Finternal%2Fhttp%2FDataHttpContext.java;h=93f63530e3edfa9709f13ec4b089633230ceb9b2;hb=09d97fb1d28c9bbe4b2ec9fc511adf5127a256c1;hp=581d6cbc1323c7add3783035da642a017c3fc5f3;hpb=02a6354c17ddb160513580e9e3c7826d9475b177;p=lgpl%2Fargeo-commons.git diff --git a/org.argeo.cms/src/org/argeo/cms/internal/http/DataHttpContext.java b/org.argeo.cms/src/org/argeo/cms/internal/http/DataHttpContext.java index 581d6cbc1..93f63530e 100644 --- a/org.argeo.cms/src/org/argeo/cms/internal/http/DataHttpContext.java +++ b/org.argeo.cms/src/org/argeo/cms/internal/http/DataHttpContext.java @@ -2,41 +2,37 @@ package org.argeo.cms.internal.http; import java.io.IOException; import java.net.URL; -import java.util.StringTokenizer; -import javax.security.auth.callback.Callback; -import javax.security.auth.callback.CallbackHandler; -import javax.security.auth.callback.NameCallback; -import javax.security.auth.callback.PasswordCallback; import javax.security.auth.login.LoginContext; import javax.security.auth.login.LoginException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import org.apache.commons.codec.binary.Base64; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; -import org.argeo.cms.CmsException; -import org.argeo.cms.auth.HttpRequestCallback; import org.argeo.cms.auth.HttpRequestCallbackHandler; import org.argeo.node.NodeConstants; -import org.ietf.jgss.GSSContext; -import org.ietf.jgss.GSSCredential; -import org.ietf.jgss.GSSException; -import org.ietf.jgss.GSSManager; -import org.ietf.jgss.GSSName; -import org.ietf.jgss.Oid; import org.osgi.framework.BundleContext; import org.osgi.framework.FrameworkUtil; import org.osgi.service.http.HttpContext; -class DataHttpContext implements HttpContext { +public class DataHttpContext implements HttpContext { private final static Log log = LogFactory.getLog(DataHttpContext.class); private final BundleContext bc = FrameworkUtil.getBundle(getClass()).getBundleContext(); // FIXME Make it more unique - private String httpAuthRealm = "Argeo"; + private final String httpAuthRealm; + private final boolean forceBasic; + + public DataHttpContext(String httpAuthrealm, boolean forceBasic) { + this.httpAuthRealm = httpAuthrealm; + this.forceBasic = forceBasic; + } + + public DataHttpContext(String httpAuthrealm) { + this(httpAuthrealm, false); + } @Override public boolean handleSecurity(final HttpServletRequest request, HttpServletResponse response) throws IOException { @@ -47,23 +43,11 @@ class DataHttpContext implements HttpContext { try { lc = new LoginContext(NodeConstants.LOGIN_CONTEXT_USER, new HttpRequestCallbackHandler(request, response)); lc.login(); - // return true; } catch (LoginException e) { - CallbackHandler token = extractHttpAuth(request, response); - if (token != null) { - try { - lc = new LoginContext(NodeConstants.LOGIN_CONTEXT_USER, token); - lc.login(); - } catch (LoginException e1) { - throw new CmsException("Could not login", e1); - } - } else { - lc = processUnauthorized(request, response); - if (lc == null) - return false; - } + lc = processUnauthorized(request, response); + if (lc == null) + return false; } - request.setAttribute(NodeConstants.LOGIN_CONTEXT_USER, lc); return true; } @@ -80,7 +64,7 @@ class DataHttpContext implements HttpContext { protected LoginContext processUnauthorized(HttpServletRequest request, HttpServletResponse response) { // anonymous try { - LoginContext lc = new LoginContext(NodeConstants.LOGIN_CONTEXT_USER); + LoginContext lc = new LoginContext(NodeConstants.LOGIN_CONTEXT_ANONYMOUS, new HttpRequestCallbackHandler(request, response)); lc.login(); return lc; } catch (LoginException e1) { @@ -89,92 +73,15 @@ class DataHttpContext implements HttpContext { return null; } } - - protected CallbackHandler extractHttpAuth(final HttpServletRequest httpRequest, HttpServletResponse httpResponse) { - String authHeader = httpRequest.getHeader(HttpUtils.HEADER_AUTHORIZATION); - if (authHeader != null) { - StringTokenizer st = new StringTokenizer(authHeader); - if (st.hasMoreTokens()) { - String basic = st.nextToken(); - if (basic.equalsIgnoreCase("Basic")) { - try { - // TODO manipulate char[] - String credentials = new String(Base64.decodeBase64(st.nextToken()), "UTF-8"); - // log.debug("Credentials: " + credentials); - int p = credentials.indexOf(":"); - if (p != -1) { - final String login = credentials.substring(0, p).trim(); - final char[] password = credentials.substring(p + 1).trim().toCharArray(); - return new CallbackHandler() { - public void handle(Callback[] callbacks) { - for (Callback cb : callbacks) { - if (cb instanceof NameCallback) - ((NameCallback) cb).setName(login); - else if (cb instanceof PasswordCallback) - ((PasswordCallback) cb).setPassword(password); - else if (cb instanceof HttpRequestCallback) { - ((HttpRequestCallback) cb).setRequest(httpRequest); - ((HttpRequestCallback) cb).setResponse(httpResponse); - } - } - } - }; - } else { - throw new CmsException("Invalid authentication token"); - } - } catch (Exception e) { - throw new CmsException("Couldn't retrieve authentication", e); - } - } else if (basic.equalsIgnoreCase("Negotiate")) { - // FIXME generalise - String _targetName = "HTTP/mostar.desktop.argeo.pro"; - String spnegoToken = st.nextToken(); - byte[] authToken = Base64.decodeBase64(spnegoToken); - GSSManager manager = GSSManager.getInstance(); - try { - Oid krb5Oid = new Oid("1.3.6.1.5.5.2"); // http://java.sun.com/javase/6/docs/technotes/guides/security/jgss/jgss-features.html - GSSName gssName = manager.createName(_targetName, null); - GSSCredential serverCreds = manager.createCredential(gssName, GSSCredential.INDEFINITE_LIFETIME, - krb5Oid, GSSCredential.ACCEPT_ONLY); - GSSContext gContext = manager.createContext(serverCreds); - - if (gContext == null) { - log.debug("SpnegoUserRealm: failed to establish GSSContext"); - } else { - while (!gContext.isEstablished()) { - byte[] outToken = gContext.acceptSecContext(authToken, 0, authToken.length); - String outTokenStr = Base64.encodeBase64String(outToken); - httpResponse.setHeader("WWW-Authenticate", "Negotiate " + outTokenStr); - } - if (gContext.isEstablished()) { - String clientName = gContext.getSrcName().toString(); - String role = clientName.substring(clientName.indexOf('@') + 1); - - log.debug("SpnegoUserRealm: established a security context"); - log.debug("Client Principal is: " + gContext.getSrcName()); - log.debug("Server Principal is: " + gContext.getTargName()); - log.debug("Client Default Role: " + role); - - // TODO log in - } - } - - } catch (GSSException gsse) { - log.warn(gsse, gsse); - } - - } - } - } - return null; - } - protected void askForWwwAuth(HttpServletRequest request, HttpServletResponse response) { response.setStatus(401); - response.setHeader(HttpUtils.HEADER_WWW_AUTHENTICATE, "basic realm=\"" + httpAuthRealm + "\""); + // response.setHeader(HttpUtils.HEADER_WWW_AUTHENTICATE, "basic + // realm=\"" + httpAuthRealm + "\""); + if (org.argeo.cms.internal.kernel.Activator.getAcceptorCredentials() != null && !forceBasic)// SPNEGO + response.setHeader(HttpUtils.HEADER_WWW_AUTHENTICATE, "Negotiate"); + else + response.setHeader(HttpUtils.HEADER_WWW_AUTHENTICATE, "Basic realm=\"" + httpAuthRealm + "\""); - // SPNEGO - // response.setHeader(HEADER_WWW_AUTHENTICATE, "Negotiate"); // response.setDateHeader("Date", System.currentTimeMillis()); // response.setDateHeader("Expires", System.currentTimeMillis() + (24 * // 60 * 60 * 1000));