001: /*
002: * Copyright (c) 1998-2008 Caucho Technology -- all rights reserved
003: *
004: * This file is part of Resin(R) Open Source
005: *
006: * Each copy or derived work must preserve the copyright notice and this
007: * notice unmodified.
008: *
009: * Resin Open Source is free software; you can redistribute it and/or modify
010: * it under the terms of the GNU General Public License as published by
011: * the Free Software Foundation; either version 2 of the License, or
012: * (at your option) any later version.
013: *
014: * Resin Open Source is distributed in the hope that it will be useful,
015: * but WITHOUT ANY WARRANTY; without even the implied warranty of
016: * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE, or any warranty
017: * of NON-INFRINGEMENT. See the GNU General Public License for more
018: * details.
019: *
020: * You should have received a copy of the GNU General Public License
021: * along with Resin Open Source; if not, write to the
022: * Free SoftwareFoundation, Inc.
023: * 59 Temple Place, Suite 330
024: * Boston, MA 02111-1307 USA
025: *
026: * @author Scott Ferguson
027: */
028:
029: package com.caucho.server.security;
030:
031: import com.caucho.util.Base64;
032:
033: import javax.servlet.ServletContext;
034: import javax.servlet.ServletException;
035: import javax.servlet.http.HttpServletRequest;
036: import javax.servlet.http.HttpServletResponse;
037: import java.io.IOException;
038: import java.security.Principal;
039: import java.util.logging.Level;
040:
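/**
 * Implements the "basic" auth-method.  Basic authentication reads the
 * user name and password from the HTTP {@code Authorization} request
 * header and, when they are missing, challenges the client with a
 * {@code WWW-Authenticate} header and {@code SC_UNAUTHORIZED}.
 */
public class BasicLogin extends AbstractLogin {
  // Realm advertised in the challenge; sendBasicChallenge falls back to
  // "resin" while this is null.
  protected String _realm;

  /**
   * Sets the login realm.
   *
   * @param realm the realm name to send in the WWW-Authenticate challenge
   */
  public void setRealmName(String realm) {
    _realm = realm;
  }

  /**
   * Gets the realm.
   *
   * @return the configured realm, or null if none has been set
   */
  public String getRealmName() {
    return _realm;
  }

  /**
   * Returns the authentication type.
   *
   * @return the constant "Basic"
   */
  public String getAuthType() {
    return "Basic";
  }

  /**
   * Logs a user in with a user name and a password.  Basic authentication
   * extracts the user and password from the authorization header.  If
   * the user/password is missing, authenticate will send a basic challenge.
   *
   * @param request servlet request
   * @param response servlet response, in case any cookie need sending.
   * @param application servlet application
   *
   * @return the logged in principal on success, null on failure.
   *
   * @throws ServletException if the authenticator fails
   * @throws IOException if sending the challenge fails
   */
  public Principal authenticate(HttpServletRequest request,
                                HttpServletResponse response,
                                ServletContext application)
    throws ServletException, IOException {
    ServletAuthenticator auth = getAuthenticator();

    // A user the authenticator already knows (e.g. from an earlier login)
    // wins over anything in the request header.
    Principal user = auth.getUserPrincipal(request, response, application);
    if (user != null)
      return user;

    user = getBasicPrincipal(request, response, application);
    if (user != null)
      return user;

    // No usable credentials: ask the client for them.
    sendBasicChallenge(response);

    return null;
  }

  /**
   * Returns the current user with the user name and password.  Unlike
   * {@link #authenticate}, this never sends a challenge.
   *
   * @param request servlet request
   * @param response servlet response, in case any cookie need sending.
   * @param application servlet application
   *
   * @return the logged in principal on success, null on failure.
   *
   * @throws ServletException if the authenticator fails
   */
  public Principal getUserPrincipal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    ServletContext application)
    throws ServletException {
    ServletAuthenticator auth = getAuthenticator();

    Principal user = auth.getUserPrincipal(request, response, application);
    if (user != null)
      return user;

    return getBasicPrincipal(request, response, application);
  }

  /**
   * Sends a challenge for basic authentication.
   *
   * @param res the response that receives the WWW-Authenticate header
   *            and the 401 status
   *
   * @throws ServletException never thrown here; kept for subclasses
   * @throws IOException if the error response cannot be sent
   */
  protected void sendBasicChallenge(HttpServletResponse res)
    throws ServletException, IOException {
    String realm = getRealmName();
    if (realm == null)
      realm = "resin";

    // The realm is a configured value; it is quoted as-is, so a realm
    // containing '"' would produce a malformed header.
    res.setHeader("WWW-Authenticate", "Basic realm=\"" + realm + "\"");
    res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
  }

  /**
   * Returns the principal from a basic authentication.  Only an
   * {@code Authorization} header using the Basic scheme is decoded; any
   * other scheme yields null.
   *
   * @param request servlet request
   * @param response servlet response, in case any cookie need sending.
   * @param application servlet application
   *
   * @return the principal accepted by the authenticator, or null when the
   *         header is absent, malformed, or the credentials are rejected
   *
   * @throws ServletException if the authenticator fails
   */
  protected Principal getBasicPrincipal(HttpServletRequest request,
                                        HttpServletResponse response,
                                        ServletContext application)
    throws ServletException {
    // Principal from runner
    Principal principal
      = (Principal) request.getAttribute(AbstractAuthenticator.LOGIN_NAME);
    if (principal != null)
      return principal;

    String value = request.getHeader("authorization");
    if (value == null)
      return null;

    int i = value.indexOf(' ');
    if (i <= 0)
      return null;

    // Only the Basic scheme carries base64 "user:password"; a Digest,
    // Bearer or other header must not be fed to the decoder.
    if (! "Basic".equalsIgnoreCase(value.substring(0, i)))
      return null;

    String credentials = value.substring(i + 1).trim();
    if (credentials.length() == 0)
      return null;

    String decoded = Base64.decode(credentials);
    // NOTE(review): guards against the decoder signalling bad input with
    // null — confirm against com.caucho.util.Base64.
    if (decoded == null)
      return null;

    // Per RFC 2617 the user name cannot contain ':', so the first colon
    // splits user from password; the password may itself contain colons.
    int index = decoded.indexOf(':');
    if (index < 0)
      return null;

    String user = decoded.substring(0, index);
    String password = decoded.substring(index + 1);

    ServletAuthenticator auth = getAuthenticator();
    principal = auth.login(request, response, application, user, password);

    // Log the user and outcome only; the password never goes to the log.
    if (log.isLoggable(Level.FINE))
      log.fine("basic: " + user + " -> " + principal);

    return principal;
  }
}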
|