001: /*
002: * Copyright (c) 1998-2008 Caucho Technology -- all rights reserved
003: *
004: * This file is part of Resin(R) Open Source
005: *
006: * Each copy or derived work must preserve the copyright notice and this
007: * notice unmodified.
008: *
009: * Resin Open Source is free software; you can redistribute it and/or modify
010: * it under the terms of the GNU General Public License as published by
011: * the Free Software Foundation; either version 2 of the License, or
012: * (at your option) any later version.
013: *
014: * Resin Open Source is distributed in the hope that it will be useful,
015: * but WITHOUT ANY WARRANTY; without even the implied warranty of
016: * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE, or any warranty
017: * of NON-INFRINGEMENT. See the GNU General Public License for more
018: * details.
019: *
020: * You should have received a copy of the GNU General Public License
021: * along with Resin Open Source; if not, write to the
022: *
023: * Free Software Foundation, Inc.
024: * 59 Temple Place, Suite 330
025: * Boston, MA 02111-1307 USA
026: *
027: * @author Scott Ferguson
028: */
029:
030: package com.caucho.server.security;
031:
032: import com.caucho.config.Config;
033: import com.caucho.security.BasicPrincipal;
034: import com.caucho.util.Alarm;
035: import com.caucho.vfs.Depend;
036: import com.caucho.vfs.Path;
037:
038: import javax.annotation.PostConstruct;
039: import javax.servlet.ServletContext;
040: import javax.servlet.ServletException;
041: import javax.servlet.http.HttpServletRequest;
042: import javax.servlet.http.HttpServletResponse;
043: import java.security.Principal;
044: import java.util.*;
045: import java.util.logging.*;
046: import java.io.*;
047:
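/**
 * Base class for authenticators which look up passwords from a database.
 *
 * Implementations only need to override the <code>getUser</code> method
 * and return a populated <code>PasswordUser</code>. Since
 * <code>PasswordUser</code> already contains role information, the
 * abstract authenticator can handle any authentication or authorization.
 */
abstract public class AbstractPasswordAuthenticator
  extends AbstractAuthenticator {
  private static final Logger log
    = Logger.getLogger(AbstractPasswordAuthenticator.class.getName());

  /**
   * Abstract method to return a user based on the name.
   *
   * @param userName the string user name
   * @return the populated PasswordUser value, or null if the user is unknown
   */
  abstract protected PasswordUser getUser(String userName);

  /**
   * Returns the user based on a principal, by looking up the principal's
   * name.
   *
   * @param principal the principal whose user record is wanted
   * @return the populated PasswordUser value, or null if the user is unknown
   */
  protected PasswordUser getUser(Principal principal)
  {
    return getUser(principal.getName());
  }

  /**
   * Default implementation of basic username/password login.
   *
   * @param request the servlet request
   * @param response the servlet response
   * @param application the servlet context
   * @param userName the user name supplied by the client, may be null
   * @param password the password supplied by the client, may be null
   * @return the user's principal on success; null when either credential
   *   is missing, the user is unknown or disabled, or the password does
   *   not match
   * @throws ServletException declared for subclasses and the superclass
   *   contract; this implementation does not throw it itself
   */
  @Override
  protected Principal loginImpl(HttpServletRequest request,
                                HttpServletResponse response,
                                ServletContext application,
                                String userName,
                                String password)
    throws ServletException
  {
    // a missing credential can never authenticate; rejecting a null
    // password here also keeps the comparison below from dereferencing it
    if (userName == null || password == null)
      return null;

    PasswordUser user = getUser(userName);

    if (user == null || user.isDisabled())
      return null;

    if (isMatch(password, user.getPassword()))
      return user.getPrincipal();

    // only the outcome is logged, never the submitted password
    if (log.isLoggable(Level.FINE))
      log.fine(this + " authentication of " + userName + " failed password");

    return null;
  }

  /**
   * Compares the submitted password with the stored one.
   *
   * The loop always runs over the full stored password and folds every
   * character difference (and the length difference) into one accumulator,
   * so the time taken does not reveal how many leading characters matched.
   *
   * @param password the submitted password
   * @param userPassword the stored password
   * @return true only if both are non-null, equal in length and equal in
   *   every character
   */
  private static boolean isMatch(String password, char[] userPassword)
  {
    if (password == null || userPassword == null)
      return false;

    int submittedLen = password.length();
    int storedLen = userPassword.length;

    // a length mismatch is recorded rather than returned early
    int diff = submittedLen ^ storedLen;

    for (int i = 0; i < storedLen; i++) {
      char c = i < submittedLen ? password.charAt(i) : 0;

      diff |= c ^ userPassword[i];
    }

    return diff == 0;
  }

  /**
   * Returns the stored password for a user so that digest authentication
   * can compute the expected response.
   *
   * The value is returned as a <code>String</code>, so the copy made here
   * cannot be zeroed after use.
   *
   * @param request the servlet request
   * @param response the servlet response
   * @param application the servlet context
   * @param userName the user name to look up
   * @param realm the authentication realm
   * @return the stored password, or null if the user is unknown or disabled
   * @throws ServletException declared for subclasses and the superclass
   *   contract; this implementation does not throw it itself
   */
  protected String getDigestPassword(HttpServletRequest request,
                                     HttpServletResponse response,
                                     ServletContext application,
                                     String userName,
                                     String realm)
    throws ServletException
  {
    PasswordUser user = getUser(userName);

    if (user == null || user.isDisabled())
      return null;

    return new String(user.getPassword());
  }

  /**
   * Default implementation to return true if the user is in a role.
   *
   * Role names are compared case-insensitively.
   *
   * @param request the servlet request
   * @param response the servlet response
   * @param application the servlet context
   * @param principal the principal to test, may be null
   * @param role the role to test
   * @return true if the principal maps to a known user holding the role
   * @throws ServletException declared for subclasses and the superclass
   *   contract; this implementation does not throw it itself
   */
  public boolean isUserInRole(HttpServletRequest request,
                              HttpServletResponse response,
                              ServletContext application,
                              Principal principal,
                              String role)
    throws ServletException
  {
    if (principal == null)
      return false;

    PasswordUser user = getUser(principal);

    // NOTE(review): isDisabled() is only consulted at login time; a user
    // disabled after logging in still passes role checks here - confirm
    // that is the intended lifecycle
    if (user == null)
      return false;

    for (String userRole : user.getRoles()) {
      // server/12h2
      if (userRole.equalsIgnoreCase(role))
        return true;
    }

    return false;
  }
}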