01: /*
02: * Licensed to the Apache Software Foundation (ASF) under one or more
03: * contributor license agreements. See the NOTICE file distributed with
04: * this work for additional information regarding copyright ownership.
05: * The ASF licenses this file to You under the Apache License, Version 2.0
06: * (the "License"); you may not use this file except in compliance with
07: * the License. You may obtain a copy of the License at
08: *
09: * http://www.apache.org/licenses/LICENSE-2.0
10: *
11: * Unless required by applicable law or agreed to in writing, software
12: * distributed under the License is distributed on an "AS IS" BASIS,
13: * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14: * See the License for the specific language governing permissions and
15: * limitations under the License.
16: */
17: package org.apache.jetspeed.security.impl.ntlm;
18:
19: import java.security.Principal;
20:
21: import javax.servlet.http.HttpServletRequest;
22: import javax.servlet.http.HttpServletRequestWrapper;
23:
24: import org.apache.commons.lang.ArrayUtils;
25: import org.apache.commons.lang.StringUtils;
26:
27: /**
28: * NtlmHttpServletRequestWrapper should be used in combination with an NTLM authentication filter (jCIFS).
29: * That filter wraps the original request, setting the principal and remoteUser retrieved by NTLM
30: * authentication with the client. The filter's wrapper request sets the principal and remoteUser, <i>regardless</i>
31: * of the principal already present in the original request. This HttpServletRequestWrapper returns the principal
32: * from the original request when it's there, and otherwise returns the NTLM principal. Whether
33: * the NTLM principal is actually returned can be influenced by a comma-separated list of servlet urls:
34: * only for these urls is the NTLM principal / remoteUser ignored.
35: * @see NtlmHttpServletRequestFilter
36: * @author <a href="mailto:d.dam@hippo.nl">Dennis Dam</a>
37: * @version $Id$
38: */
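public class NtlmHttpServletRequestWrapper extends
        HttpServletRequestWrapper {
    // Identity reported by this wrapper. Both fields are assigned together in the
    // constructor so getUserPrincipal() and getRemoteUser() never disagree; both stay
    // null when no identity is selected.
    private Principal principal;
    private String remoteUser;

    /**
     * Selects the identity this wrapper will report for the lifetime of the request.
     *
     * @param req the incoming request; when it is itself an HttpServletRequestWrapper,
     *            the request it wraps is treated as the original request
     * @param ignoreNtmlUrls comma-separated list of servlet paths for which the identity
     *            carried by {@code req} must not be used; may be null
     */
    public NtlmHttpServletRequestWrapper(HttpServletRequest req,
            String ignoreNtmlUrls) {
        super(req);
        if (req instanceof HttpServletRequestWrapper) {
            // Entries are stripped of surrounding whitespace so that a list written as
            // "/a, /b" still matches. Matching is an exact comparison against
            // getServletPath(): an entry that does not match exactly leaves the NTLM
            // identity in effect for that url.
            String[] urls = ignoreNtmlUrls != null
                    ? StringUtils.stripAll(StringUtils.split(ignoreNtmlUrls, ','))
                    : new String[] {};
            String servletUrl = req.getServletPath();
            Principal reqPrincipal = req.getUserPrincipal();
            String reqRemoteUser = req.getRemoteUser();
            HttpServletRequest originalRequest = (HttpServletRequest) ((HttpServletRequestWrapper) req)
                    .getRequest();
            Principal originalPrincipal = originalRequest.getUserPrincipal();
            /*
             * Original request principal has precedence over the NTLM authenticated principal. This is
             * needed in the case that the NTLM authenticated principal is not authorized by Jetspeed: a
             * fallback login method can then be used. If NTLM authentication succeeds, then the principal
             * from the original request will be null.
             */
            if (originalPrincipal != null) {
                principal = originalPrincipal;
                // Keep remoteUser in step with the principal: code that checks
                // getRemoteUser() must see the same identity as code that checks
                // getUserPrincipal().
                remoteUser = originalRequest.getRemoteUser();
            } else if (!ArrayUtils.contains(urls, servletUrl)
                    && reqPrincipal != null
                    && reqRemoteUser != null) {
                /*
                 * If no principal in the original request, take the principal from NTLM authentication,
                 * but only if the current servlet url is not in the ignore list. The last requirement is
                 * necessary when falling back to another authentication method, e.g. container-based form
                 * authentication: these authentication methods might only work if there is no principal
                 * in the request.
                 */
                principal = reqPrincipal;
                remoteUser = reqRemoteUser;
            }
        } else {
            // Not wrapped by another request wrapper: report the request's own identity,
            // principal and remote user alike.
            principal = super.getUserPrincipal();
            remoteUser = super.getRemoteUser();
        }
    }

    /**
     * Returns the principal selected at construction time, or null when none was selected.
     */
    public Principal getUserPrincipal() {
        return principal;
    }

    /**
     * Returns the remote user belonging to the selected principal, or null when none was selected.
     */
    public String getRemoteUser() {
        return remoteUser;
    }

}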