001: /*
002: jGuard is a security framework based on top of jaas (java authentication and authorization security).
003: it is written for web applications, to resolve simply, access control problems.
004: version $Name$
005: http://sourceforge.net/projects/jguard/
006:
007: Copyright (C) 2004 Charles GAY
008:
009: This library is free software; you can redistribute it and/or
010: modify it under the terms of the GNU Lesser General Public
011: License as published by the Free Software Foundation; either
012: version 2.1 of the License, or (at your option) any later version.
013:
014: This library is distributed in the hope that it will be useful,
015: but WITHOUT ANY WARRANTY; without even the implied warranty of
016: MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
017: Lesser General Public License for more details.
018:
019: You should have received a copy of the GNU Lesser General Public
020: License along with this library; if not, write to the Free Software
021: Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
022:
023:
024: jGuard project home page:
025: http://sourceforge.net/projects/jguard/
026:
027: */
028: package net.sf.jguard.jee.authentication.http;
029:
030: import java.io.IOException;
031: import java.util.Collection;
032:
033: import javax.security.auth.Subject;
034: import javax.security.auth.login.Configuration;
035: import javax.security.auth.login.LoginException;
036: import javax.servlet.http.HttpServletRequest;
037: import javax.servlet.http.HttpServletResponse;
038: import javax.servlet.http.HttpSession;
039: import javax.servlet.http.HttpSessionActivationListener;
040: import javax.servlet.http.HttpSessionBindingEvent;
041: import javax.servlet.http.HttpSessionBindingListener;
042: import javax.servlet.http.HttpSessionEvent;
043:
044: import net.sf.jguard.core.CoreConstants;
045: import net.sf.jguard.ext.authentication.manager.AuthenticationUtils;
046: import net.sf.jguard.jee.authentication.callbacks.HttpCallbackHandler;
047:
048: import org.apache.commons.logging.Log;
049: import org.apache.commons.logging.LogFactory;
050:
051: /**
052: * Authentication utility class stored on the user's session.
053: * @author <a href="mailto:diabolo512@users.sourceforge.net">Charles Gay</a>
054: * this class was inspired by the article on jaas published at <a href="http://www.mooreds.com/jaas.html">this</a> address.
055: *
056: */
057: public class HttpAuthenticationUtils implements
058: HttpSessionActivationListener, HttpSessionBindingListener {
059: private static final Log logger = LogFactory
060: .getLog(HttpAuthenticationUtils.class);
061:
062: private AuthenticationUtils authenticationUtils = null;
063:
064: public HttpAuthenticationUtils() {
065: super ();
066: authenticationUtils = new AuthenticationUtils();
067: }
068:
069: public HttpAuthenticationUtils(Configuration configuration) {
070: super ();
071: authenticationUtils = new AuthenticationUtils(configuration);
072: }
073:
074: /**
075: * encapsulate JAAS login lifecycle.
076: * @param request
077: * @param response
078: * @param afterRegistration <code>true</code> if user registration was made just before; <code>false</code> otherwise.
079: * @throws LoginException
080: */
081: private void useLoginContext(HttpServletRequest request,
082: HttpServletResponse response, boolean afterRegistration)
083: throws LoginException {
084: HttpSession session = request.getSession();
085:
086: String applicationName = (String) session.getServletContext()
087: .getAttribute(CoreConstants.APPLICATION_NAME);
088: String scheme = (String) session.getServletContext()
089: .getAttribute(HttpConstants.AUTH_SCHEME);
090: HttpCallbackHandler cbh = new HttpCallbackHandler(request,
091: response, scheme);
092: cbh.setAfterRegistration(afterRegistration);
093: authenticationUtils.login(applicationName, cbh, request
094: .getLocale());
095:
096: }
097:
098: /**
099: * retrieve the subject from <strong>this</strong> object.
100: * @return authenticated Subject, otherwise <strong>null</strong>.
101: */
102: public Subject getSubject() {
103: return authenticationUtils.getSubject();
104: }
105:
106: /**
107: * grab the @link HttpAuthenticationUtils from the HttpServletRequest.
108: * @param req
109: * @return HttpAuthenticationUtils
110: */
111: public static HttpAuthenticationUtils getHttpAuthenticationUtils(
112: HttpServletRequest req, boolean local) {
113: HttpSession session = req.getSession(true);
114: HttpAuthenticationUtils httpAuthenticationUtils = (HttpAuthenticationUtils) session
115: .getAttribute(HttpConstants.AUTHN_UTILS);
116:
117: //auth.getSubject() can return null if the user in session has been deleted by authenticationManager
118: if (httpAuthenticationUtils != null
119: && httpAuthenticationUtils.getSubject() == null) {
120: logger
121: .debug(" subject into HttpAuthenticationUtils is null ");
122: httpAuthenticationUtils.logout();
123: session.removeAttribute(HttpConstants.AUTHN_UTILS);
124: httpAuthenticationUtils = null;
125: }
126:
127: if (httpAuthenticationUtils == null) {
128: Configuration configuration = (Configuration) req
129: .getSession().getServletContext().getAttribute(
130: HttpConstants.JGUARD_CONFIGURATION);
131: if (local) {
132: httpAuthenticationUtils = new HttpAuthenticationUtils(
133: configuration);
134: } else {
135: httpAuthenticationUtils = new HttpAuthenticationUtils();
136: }
137: session.setAttribute(HttpConstants.AUTHN_UTILS,
138: httpAuthenticationUtils);
139: }
140: return httpAuthenticationUtils;
141: }
142:
143: /**
144: * authenticate user and put the corresponding Subject in its session if succeed.
145: * @param req
146: * @param res
147: * @param afterRegistration :<code>true</code> if user registration was made just before;
148: * <code>false</code> otherwise.
149: * @return authenticationresult: <strong>true</strong> if authentication succeed,
150: * <strong>false</strong> otherwise.
151: * @throws IOException
152: */
153: public static boolean authenticate(HttpServletRequest req,
154: HttpServletResponse res, boolean afterRegistration,
155: boolean local) throws IOException {
156:
157: HttpAuthenticationUtils auth = getHttpAuthenticationUtils(req,
158: local);
159: HttpSession session = req.getSession(true);
160: boolean authenticationSucceed = true;
161: try {
162: auth.useLoginContext(req, res, afterRegistration);
163: } catch (LoginException e) {
164: authenticationSucceed = false;
165: String messageError = null;
166: messageError = e.getLocalizedMessage();
167:
168: //we store in the user' session the reason the authentication failed
169: session.setAttribute(HttpConstants.LOGIN_EXCEPTION_MESSAGE,
170: messageError);
171: session.setAttribute(HttpConstants.LOGIN_EXCEPTION_CLASS, e
172: .getClass());
173: }
174:
175: return authenticationSucceed;
176: }
177:
178: /**
179: * method called by the container when session is serialized.
180: * @param sessionEvent
181: */
182: public void sessionWillPassivate(HttpSessionEvent sessionEvent) {
183: if (authenticationUtils != null) {
184: authenticationUtils.logout();
185: }
186: HttpAuthenticationUtils authUtils = (HttpAuthenticationUtils) sessionEvent
187: .getSession().getAttribute(HttpConstants.AUTHN_UTILS);
188: if (authUtils != null) {
189: authUtils.logout();
190: }
191: sessionEvent.getSession().removeAttribute(
192: HttpConstants.AUTHN_UTILS);
193: }
194:
195: /**
196: * method called by container when session is deserialized.
197: * @param sessionEvent
198: */
199: public void sessionDidActivate(HttpSessionEvent sessionEvent) {
200:
201: }
202:
203: public void valueBound(HttpSessionBindingEvent bindingEvent) {
204: if (HttpConstants.AUTHN_UTILS.equals(bindingEvent.getName())) {
205: Collection users = (Collection) bindingEvent.getSession()
206: .getServletContext().getAttribute(
207: HttpConstants.USERS_IN_SESSION);
208: users.add(this );
209: }
210:
211: }
212:
213: public void valueUnbound(HttpSessionBindingEvent bindingEvent) {
214: if (HttpConstants.AUTHN_UTILS.equals(bindingEvent.getName())) {
215: Collection users = (Collection) bindingEvent.getSession()
216: .getServletContext().getAttribute(
217: HttpConstants.USERS_IN_SESSION);
218: if (users != null && users.contains(this )) {
219: users.remove(this );
220: }
221: }
222: }
223:
224: public void logout() {
225: authenticationUtils.logout();
226: }
227:
228: public AuthenticationUtils getAuthenticationUtils() {
229: return authenticationUtils;
230: }
231:
232: /**
233: * return the Subject from the HttpSession, or null if no Subject is present.
234: * @param session
235: * @return
236: */
237: public static Subject getSubject(HttpSession session) {
238: HttpAuthenticationUtils authutils = (HttpAuthenticationUtils) session
239: .getAttribute(HttpConstants.AUTHN_UTILS);
240: if (authutils != null) {
241: return authutils.getSubject();
242: }
243: return null;
244: }
245:
246: }
|