Source Code Cross Referenced for HttpAuthenticationUtils.java in  » Authentication-Authorization » jguard » net » sf » jguard » jee » authentication » http » Java Source Code / Java DocumentationJava Source Code and Java Documentation

001:        /*
002:        jGuard is a security framework based on top of jaas (java authentication and authorization security).
003:        it is written for web applications, to resolve simply, access control problems.
004:        version $Name$
005:        http://sourceforge.net/projects/jguard/
006:
007:        Copyright (C) 2004  Charles GAY
008:
009:        This library is free software; you can redistribute it and/or
010:        modify it under the terms of the GNU Lesser General Public
011:        License as published by the Free Software Foundation; either
012:        version 2.1 of the License, or (at your option) any later version.
013:
014:        This library is distributed in the hope that it will be useful,
015:        but WITHOUT ANY WARRANTY; without even the implied warranty of
016:        MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
017:        Lesser General Public License for more details.
018:
019:        You should have received a copy of the GNU Lesser General Public
020:        License along with this library; if not, write to the Free Software
021:        Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
022:
023:
024:        jGuard project home page:
025:        http://sourceforge.net/projects/jguard/
026:
027:         */
028:        package net.sf.jguard.jee.authentication.http;
029:
030:        import java.io.IOException;
031:        import java.util.Collection;
032:
033:        import javax.security.auth.Subject;
034:        import javax.security.auth.login.Configuration;
035:        import javax.security.auth.login.LoginException;
036:        import javax.servlet.http.HttpServletRequest;
037:        import javax.servlet.http.HttpServletResponse;
038:        import javax.servlet.http.HttpSession;
039:        import javax.servlet.http.HttpSessionActivationListener;
040:        import javax.servlet.http.HttpSessionBindingEvent;
041:        import javax.servlet.http.HttpSessionBindingListener;
042:        import javax.servlet.http.HttpSessionEvent;
043:
044:        import net.sf.jguard.core.CoreConstants;
045:        import net.sf.jguard.ext.authentication.manager.AuthenticationUtils;
046:        import net.sf.jguard.jee.authentication.callbacks.HttpCallbackHandler;
047:
048:        import org.apache.commons.logging.Log;
049:        import org.apache.commons.logging.LogFactory;
050:
051:        /**
052:         * Authentication utility class stored on the user's session.
053:         * @author <a href="mailto:diabolo512@users.sourceforge.net">Charles Gay</a>
054:         * this class was inspired by the article on jaas published at <a href="http://www.mooreds.com/jaas.html">this</a> address.
055:         *
056:         */
057:        public class HttpAuthenticationUtils implements 
058:                HttpSessionActivationListener, HttpSessionBindingListener {
059:            private static final Log logger = LogFactory
060:                    .getLog(HttpAuthenticationUtils.class);
061:
062:            private AuthenticationUtils authenticationUtils = null;
063:
064:            public HttpAuthenticationUtils() {
065:                super ();
066:                authenticationUtils = new AuthenticationUtils();
067:            }
068:
069:            public HttpAuthenticationUtils(Configuration configuration) {
070:                super ();
071:                authenticationUtils = new AuthenticationUtils(configuration);
072:            }
073:
074:            /**
075:             * encapsulate JAAS login lifecycle.
076:             * @param request
077:             * @param response
078:             * @param afterRegistration <code>true</code> if user registration was made just before; <code>false</code> otherwise.
079:             * @throws LoginException
080:             */
081:            private void useLoginContext(HttpServletRequest request,
082:                    HttpServletResponse response, boolean afterRegistration)
083:                    throws LoginException {
084:                HttpSession session = request.getSession();
085:
086:                String applicationName = (String) session.getServletContext()
087:                        .getAttribute(CoreConstants.APPLICATION_NAME);
088:                String scheme = (String) session.getServletContext()
089:                        .getAttribute(HttpConstants.AUTH_SCHEME);
090:                HttpCallbackHandler cbh = new HttpCallbackHandler(request,
091:                        response, scheme);
092:                cbh.setAfterRegistration(afterRegistration);
093:                authenticationUtils.login(applicationName, cbh, request
094:                        .getLocale());
095:
096:            }
097:
098:            /**
099:             * retrieve the subject from <strong>this</strong> object.
100:             * @return authenticated Subject, otherwise <strong>null</strong>.
101:             */
102:            public Subject getSubject() {
103:                return authenticationUtils.getSubject();
104:            }
105:
106:            /**
107:             * grab the @link HttpAuthenticationUtils from the HttpServletRequest.
108:             * @param req
109:             * @return HttpAuthenticationUtils
110:             */
111:            public static HttpAuthenticationUtils getHttpAuthenticationUtils(
112:                    HttpServletRequest req, boolean local) {
113:                HttpSession session = req.getSession(true);
114:                HttpAuthenticationUtils httpAuthenticationUtils = (HttpAuthenticationUtils) session
115:                        .getAttribute(HttpConstants.AUTHN_UTILS);
116:
117:                //auth.getSubject() can return  null if the user in session has been deleted by authenticationManager
118:                if (httpAuthenticationUtils != null
119:                        && httpAuthenticationUtils.getSubject() == null) {
120:                    logger
121:                            .debug(" subject into HttpAuthenticationUtils is null ");
122:                    httpAuthenticationUtils.logout();
123:                    session.removeAttribute(HttpConstants.AUTHN_UTILS);
124:                    httpAuthenticationUtils = null;
125:                }
126:
127:                if (httpAuthenticationUtils == null) {
128:                    Configuration configuration = (Configuration) req
129:                            .getSession().getServletContext().getAttribute(
130:                                    HttpConstants.JGUARD_CONFIGURATION);
131:                    if (local) {
132:                        httpAuthenticationUtils = new HttpAuthenticationUtils(
133:                                configuration);
134:                    } else {
135:                        httpAuthenticationUtils = new HttpAuthenticationUtils();
136:                    }
137:                    session.setAttribute(HttpConstants.AUTHN_UTILS,
138:                            httpAuthenticationUtils);
139:                }
140:                return httpAuthenticationUtils;
141:            }
142:
143:            /**
144:             * authenticate user and put the corresponding Subject in its session if succeed.
145:             * @param req
146:             * @param res
147:             * @param afterRegistration :<code>true</code> if user registration was made just before;
148:             * <code>false</code> otherwise.
149:             * @return authenticationresult: <strong>true</strong> if authentication succeed,
150:             * <strong>false</strong> otherwise.
151:             * @throws IOException
152:             */
153:            public static boolean authenticate(HttpServletRequest req,
154:                    HttpServletResponse res, boolean afterRegistration,
155:                    boolean local) throws IOException {
156:
157:                HttpAuthenticationUtils auth = getHttpAuthenticationUtils(req,
158:                        local);
159:                HttpSession session = req.getSession(true);
160:                boolean authenticationSucceed = true;
161:                try {
162:                    auth.useLoginContext(req, res, afterRegistration);
163:                } catch (LoginException e) {
164:                    authenticationSucceed = false;
165:                    String messageError = null;
166:                    messageError = e.getLocalizedMessage();
167:
168:                    //we store in the user' session the reason the authentication failed
169:                    session.setAttribute(HttpConstants.LOGIN_EXCEPTION_MESSAGE,
170:                            messageError);
171:                    session.setAttribute(HttpConstants.LOGIN_EXCEPTION_CLASS, e
172:                            .getClass());
173:                }
174:
175:                return authenticationSucceed;
176:            }
177:
178:            /**
179:             * method called by the container when session is serialized.
180:             * @param sessionEvent
181:             */
182:            public void sessionWillPassivate(HttpSessionEvent sessionEvent) {
183:                if (authenticationUtils != null) {
184:                    authenticationUtils.logout();
185:                }
186:                HttpAuthenticationUtils authUtils = (HttpAuthenticationUtils) sessionEvent
187:                        .getSession().getAttribute(HttpConstants.AUTHN_UTILS);
188:                if (authUtils != null) {
189:                    authUtils.logout();
190:                }
191:                sessionEvent.getSession().removeAttribute(
192:                        HttpConstants.AUTHN_UTILS);
193:            }
194:
195:            /**
196:             * method called by container when session is deserialized.
197:             * @param sessionEvent
198:             */
199:            public void sessionDidActivate(HttpSessionEvent sessionEvent) {
200:
201:            }
202:
203:            public void valueBound(HttpSessionBindingEvent bindingEvent) {
204:                if (HttpConstants.AUTHN_UTILS.equals(bindingEvent.getName())) {
205:                    Collection users = (Collection) bindingEvent.getSession()
206:                            .getServletContext().getAttribute(
207:                                    HttpConstants.USERS_IN_SESSION);
208:                    users.add(this );
209:                }
210:
211:            }
212:
213:            public void valueUnbound(HttpSessionBindingEvent bindingEvent) {
214:                if (HttpConstants.AUTHN_UTILS.equals(bindingEvent.getName())) {
215:                    Collection users = (Collection) bindingEvent.getSession()
216:                            .getServletContext().getAttribute(
217:                                    HttpConstants.USERS_IN_SESSION);
218:                    if (users != null && users.contains(this )) {
219:                        users.remove(this );
220:                    }
221:                }
222:            }
223:
224:            public void logout() {
225:                authenticationUtils.logout();
226:            }
227:
228:            public AuthenticationUtils getAuthenticationUtils() {
229:                return authenticationUtils;
230:            }
231:
232:            /**
233:             * return the Subject from the HttpSession, or null if no Subject is present.
234:             * @param session
235:             * @return
236:             */
237:            public static Subject getSubject(HttpSession session) {
238:                HttpAuthenticationUtils authutils = (HttpAuthenticationUtils) session
239:                        .getAttribute(HttpConstants.AUTHN_UTILS);
240:                if (authutils != null) {
241:                    return authutils.getSubject();
242:                }
243:                return null;
244:            }
245:
246:        }