001: package clime.messadmin.admin;
002:
import java.io.IOException;
import java.nio.charset.Charset;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import clime.messadmin.utils.Base64;
012:
013: /**
014: * @author Cédrik LIME
015: */
016: class HTTPAuthorizationProvider {
017:
018: private static byte[] md5(String message) {
019: try {
020: MessageDigest md = MessageDigest.getInstance("MD5");//$NON-NLS-1$
021: return md.digest(message.getBytes());
022: } catch (NoSuchAlgorithmException nsae) {
023: throw new RuntimeException(
024: "Error while computing md5 hash: " + nsae.getLocalizedMessage());//$NON-NLS-1$
025: }
026: }
027:
028: public static boolean checkAccess(
029: final String authorizationPassword,
030: HttpServletRequest request, HttpServletResponse response)
031: throws IOException {
032: // no password set => no authorization required
033: if (authorizationPassword == null
034: || "".equals(authorizationPassword.trim())) {//$NON-NLS-1$
035: return true;
036: }
037:
038: // password from a previously-set authorization cookie?
039: if (request.getCookies() != null) {
040: Cookie[] cookies = request.getCookies();
041: String authorizationPasswordHash = Base64.encodeToString(
042: md5(authorizationPassword), false);
043: // some browsers always set null for cookie.getPath()...
044: String cookieName = "MessAdmin" + request.getContextPath();//$NON-NLS-1$
045: for (int i = 0; i < cookies.length; ++i) {
046: Cookie cookie = cookies[i];
047: if (cookieName.equals(cookie.getName())) {
048: String providedPasswordHash = cookie.getValue();
049: if (authorizationPasswordHash
050: .equals(providedPasswordHash)) {
051: return true;
052: }
053: }
054: }
055: }
056:
057: // we must authenticate the user before letting her play with us
058: String providedPassword = null;
059: if (request.getParameter("password") != null) {//$NON-NLS-1$
060: // password in URL
061: providedPassword = request.getParameter("password");//$NON-NLS-1$
062: //request.setAttribute("password", providedPassword);//$NON-NLS-1$
063: } else if (request.getHeader("Authorization") != null) {//$NON-NLS-1$
064: // password from HTTP Access Authentication
065: String authorization = request.getHeader("Authorization");//$NON-NLS-1$
066: if (!authorization.startsWith("Basic ")) {//$NON-NLS-1$
067: //TODO we should use "Digest" instead of "Basic", but it is more complicated to code...
068: throw new IllegalArgumentException(
069: "Only Basic HTTP Access Authentication supported");//$NON-NLS-1$
070: }
071: String base64UserPass = authorization.substring(
072: "Basic ".length()).trim();//$NON-NLS-1$
073: // String userPass = new String(org.apache.commons.codec.binary.Base64.decodeBase64(base64UserPass.getBytes()));
074: String userPass = new String(Base64.decode(base64UserPass
075: .getBytes()));
076: int index = userPass.indexOf(':');
077: //String user = userPass.substring(0, index);
078: String password = userPass.substring(index + 1);
079: providedPassword = password;
080: } else {
081: providedPassword = null;
082: }
083:
084: if (authorizationPassword.equals(providedPassword)) {
085: // set authorization Cookie
086: // some browsers always set null for cookie.getPath()...
087: String cookieName = "MessAdmin" + request.getContextPath();//$NON-NLS-1$
088: Cookie cookie = new Cookie(cookieName, Base64
089: .encodeToString(md5(authorizationPassword), false));
090: cookie.setVersion(1);
091: cookie.setMaxAge(-1);
092: cookie.setPath(request.getContextPath());
093: response.addCookie(cookie);
094: return true;
095: } else {
096: // request Authorization Password
097: //TODO we should use "Digest" instead of "Basic", but it is more complicated to code...
098: response.setHeader("WWW-Authenticate",
099: "Basic realm=\"MessAdmin Administration for "
100: + request.getContextPath() + '"');
101: response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
102: return false;
103: }
104: }
105: }
|