001: /*
002: * Enhydra Java Application Server Project
003: *
004: * The contents of this file are subject to the Enhydra Public License
005: * Version 1.1 (the "License"); you may not use this file except in
006: * compliance with the License. You may obtain a copy of the License on
007: * the Enhydra web site ( http://www.enhydra.org/ ).
008: *
009: * Software distributed under the License is distributed on an "AS IS"
010: * basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
011: * the License for the specific terms governing rights and limitations
012: * under the License.
013: *
014: * The Initial Developer of the Enhydra Application Server is Lutris
015: * Technologies, Inc. The Enhydra Application Server and portions created
016: * by Lutris Technologies, Inc. are Copyright Lutris Technologies, Inc.
017: * All Rights Reserved.
018: *
019: * Contributor(s):
020: *
021: * $Id: BasicAuth.java,v 1.2 2006-06-15 13:47:00 sinisa Exp $
022: */
023:
024: package com.lutris.http;
025:
026: import javax.servlet.http.HttpServletRequest;
027:
028: import com.lutris.appserver.server.httpPresentation.HttpPresentationException;
029: import com.lutris.appserver.server.httpPresentation.HttpPresentationRequest;
030: import com.lutris.util.Convert;
031:
032: /**
033: * Methods to be used to implement the HTTP Basic Auth authorization
034: * method. This is the standard username/password mechanism in use all
035: * over the web. <P>
036: *
037: * Note: the username and password are sent over the net base64 encoded,
038: * which is practically clear text. So this method is no more secure than
039: * the communication channel being used. <P>
040: *
041: * Usage: <BR>
042: * When a request comes in, before responding to it, call
043: * <CODE>getAuthentication()</CODE>. It will return the username and
044: * password that was sent along with the request. If no authorization was
045: * sent, null is returned. The caller is then responsible for deciding if
046: * the username and password are valid. <P>
047: *
048: * If the caller decides that the authorization is not sufficient,
049: * a <CODE>PageUnauthorizedException</CODE> should be thrown. <P>
050: *
051: * If you are writing a LBS application, the recommended place to put
052: * this processing is in your Application's <CODE>requestPreprocessor()</CODE>
053: * function. That function is called for every request, before the
054: * presentation objects are called.
055: *
056: * @see com.lutris.appserver.server.httpPresentation.PageUnauthorizedException
057: * @version $Revision: 1.2 $
058: * @author Andy John
059: */
060: public class BasicAuth {
061:
062: // Private constructor, so no instances. Just use the static methods.
063: private BasicAuth() {
064: }
065:
066: /**
067: * Checks to see if the authorization matches the given username
068: * and password. If not, or if no authorization was sent, false is
069: * returned. If req, username or password are null, then it is assumed
070: * that authentication is not being used, and all requests are allowed.
071: *
072: * @param req The request to authenticate.
073: * @return The username and password, or null if no authorization was
074: * sent.
075: */
076: public static BasicAuthResult getAuthentication(
077: HttpPresentationRequest req) {
078: if (req == null)
079: return null;
080: String authHeader = null;
081: try {
082: authHeader = req.getHeader("Authorization");
083: } catch (HttpPresentationException hpe) {
084: }
085: return getAuth(authHeader);
086: }
087:
088: /**
089: * Checks to see if the authorization matches the given username
090: * and password. If not, or if no authorization was sent, false is
091: * returned. If req, username or password are null, then it is assumed
092: * that authentication is not being used, and all requests are allowed.
093: *
094: * @param req The request to authenticate.
095: * @return The username and password, or null if no authorization was
096: * sent.
097: */
098: /* SV
099: public static BasicAuthResult getAuthentication(JoltRequest req) {
100: if (req == null)
101: return null;
102: String authHeader = null;
103: try {
104: authHeader = req.getHeader("Authorization");
105: } catch (HttpPresentationException hpe) {
106: }
107: return getAuth(authHeader);
108: }
109: */
110:
111: /**
112: * Extracts and returns the username and password using the HTTP
113: * Basic Auth method. If no authorization was sent, null is
114: * returned. Use this flavor if you are writing a non-Enhydra
115: * servlet.
116: *
117: * @param req The request to authenticate.
118: * @return The username and password, or null if no authorization was
119: * sent.
120: */
121: public static BasicAuthResult getAuthentication(
122: HttpServletRequest req) {
123: if (req == null)
124: return null;
125: return getAuth(req.getHeader("Authorization"));
126: }
127:
128: private static BasicAuthResult getAuth(String authHeader) {
129: if (authHeader == null)
130: // No auth header was sent. Deny the request.
131: return null;
132: /*
133: Now decode the username and password.
134: */
135: if (!authHeader.startsWith("Basic "))
136: // Syntax error in auth header.
137: return null;
138: authHeader = authHeader.substring(6);
139: byte[] bytes = Convert.fromBase64String(authHeader);
140: authHeader = new String(bytes);
141: int colon = authHeader.indexOf(":");
142: if (colon < 0)
143: // Syntax error in auth header.
144: return null;
145: String un = authHeader.substring(0, colon);
146: String pw = authHeader.substring(colon + 1);
147: return new BasicAuthResult(un, pw);
148: }
149:
150: }
|