This project has retired. For details please refer to its Attic page.
AuthenticationInterceptor xref
View Javadoc

1   package org.apache.archiva.redback.rest.services.interceptors;
2   
3   /*
4    * Licensed to the Apache Software Foundation (ASF) under one
5    * or more contributor license agreements.  See the NOTICE file
6    * distributed with this work for additional information
7    * regarding copyright ownership.  The ASF licenses this file
8    * to you under the Apache License, Version 2.0 (the
9    * "License"); you may not use this file except in compliance
10   * with the License.  You may obtain a copy of the License at
11   *
12   * http://www.apache.org/licenses/LICENSE-2.0
13   *
14   * Unless required by applicable law or agreed to in writing,
15   * software distributed under the License is distributed on an
16   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
17   * KIND, either express or implied.  See the License for the
18   * specific language governing permissions and limitations
19   * under the License.
20   */
21  
22  
23  import org.apache.archiva.redback.authentication.AuthenticationException;
24  import org.apache.archiva.redback.authentication.AuthenticationResult;
25  import org.apache.archiva.redback.authorization.RedbackAuthorization;
26  import org.apache.archiva.redback.integration.filter.authentication.HttpAuthenticationException;
27  import org.apache.archiva.redback.integration.filter.authentication.basic.HttpBasicAuthentication;
28  import org.apache.archiva.redback.policy.AccountLockedException;
29  import org.apache.archiva.redback.policy.MustChangePasswordException;
30  import org.apache.archiva.redback.rest.services.RedbackAuthenticationThreadLocal;
31  import org.apache.archiva.redback.rest.services.RedbackRequestInformation;
32  import org.apache.archiva.redback.system.SecuritySession;
33  import org.apache.archiva.redback.users.User;
34  import org.apache.archiva.redback.users.UserManager;
35  import org.apache.archiva.redback.users.UserManagerException;
36  import org.apache.archiva.redback.users.UserNotFoundException;
37  import org.apache.cxf.jaxrs.ext.RequestHandler;
38  import org.apache.cxf.jaxrs.model.ClassResourceInfo;
39  import org.apache.cxf.message.Message;
40  import org.slf4j.Logger;
41  import org.slf4j.LoggerFactory;
42  import org.springframework.stereotype.Service;
43  
44  import javax.inject.Inject;
45  import javax.inject.Named;
46  import javax.servlet.http.HttpServletRequest;
47  import javax.servlet.http.HttpServletResponse;
48  import javax.ws.rs.core.Response;
49  
50  /**
51   * This interceptor will check if the user is already logged in the session.
52   * If not ask the redback system to authentication trough BASIC http
53   * If the user is logged the AuthenticationResult will in the cxf message with the key AuthenticationResult.class
54   *
55   * @author Olivier Lamy
56   * @since 1.3
57   */
58  @Service("authenticationInterceptor#rest")
59  public class AuthenticationInterceptor
60      extends AbstractInterceptor
61      implements RequestHandler
62  {
63      @Inject
64      @Named(value = "userManager#default")
65      private UserManager userManager;
66  
67      @Inject
68      @Named(value = "httpAuthenticator#basic")
69      private HttpBasicAuthentication httpAuthenticator;
70  
71      private Logger log = LoggerFactory.getLogger( getClass() );
72  
73      public Response handleRequest( Message message, ClassResourceInfo classResourceInfo )
74      {
75  
76          RedbackAuthorization redbackAuthorization = getRedbackAuthorization( message );
77          if ( redbackAuthorization == null )
78          {
79              log.warn( "http path {} doesn't contain any informations regarding permissions ",
80                        message.get( Message.REQUEST_URI ) );
81              // here we failed to authenticate so 403 as there is no detail on karma for this
82              // it must be marked as it's exposed
83              return Response.status( Response.Status.FORBIDDEN ).build();
84          }
85          HttpServletRequest request = getHttpServletRequest( message );
86          HttpServletResponse response = getHttpServletResponse( message );
87  
88          if ( redbackAuthorization.noRestriction() )
89          {
90              // maybe session exists so put it in threadLocal
91              // some services need the current user if logged
92              SecuritySession securitySession = httpAuthenticator.getSecuritySession( request.getSession( true ) );
93  
94              if ( securitySession != null )
95              {
96                  RedbackRequestInformation redbackRequestInformation =
97                      new RedbackRequestInformation( securitySession.getUser(), request.getRemoteAddr() );
98                  RedbackAuthenticationThreadLocal.set( redbackRequestInformation );
99              }
100             else
101             {
102                 // maybe there is some authz in the request so try it but not fail so catch Exception !
103                 try
104                 {
105                     AuthenticationResult authenticationResult =
106                         httpAuthenticator.getAuthenticationResult( request, response );
107 
108                     if ( ( authenticationResult == null ) || ( !authenticationResult.isAuthenticated() ) )
109                     {
110                         return null;
111                     }
112 
113                     User user = authenticationResult.getUser() == null ? userManager.findUser(
114                         authenticationResult.getPrincipal() ) : authenticationResult.getUser();
115                     RedbackRequestInformation redbackRequestInformation =
116                         new RedbackRequestInformation( user, request.getRemoteAddr() );
117 
118                     RedbackAuthenticationThreadLocal.set( redbackRequestInformation );
119                     message.put( AuthenticationResult.class, authenticationResult );
120                 }
121                 catch ( Exception e )
122                 {
123                     // ignore here
124                 }
125             }
126             return null;
127         }
128 
129         try
130         {
131             AuthenticationResult authenticationResult = httpAuthenticator.getAuthenticationResult( request, response );
132 
133             if ( ( authenticationResult == null ) || ( !authenticationResult.isAuthenticated() ) )
134             {
135                 throw new HttpAuthenticationException( "You are not authenticated." );
136             }
137 
138             User user = authenticationResult.getUser() == null
139                 ? userManager.findUser( authenticationResult.getPrincipal() )
140                 : authenticationResult.getUser();
141 
142             RedbackRequestInformation redbackRequestInformation =
143                 new RedbackRequestInformation( user, request.getRemoteAddr() );
144 
145             RedbackAuthenticationThreadLocal.set( redbackRequestInformation );
146             message.put( AuthenticationResult.class, authenticationResult );
147 
148             return null;
149         }
150         catch ( UserNotFoundException e )
151         {
152             log.debug( "UserNotFoundException for path {}", message.get( Message.REQUEST_URI ) );
153             return Response.status( Response.Status.FORBIDDEN ).build();
154         }
155         catch ( AccountLockedException e )
156         {
157             log.debug( "account locked for path {}", message.get( Message.REQUEST_URI ) );
158             return Response.status( Response.Status.FORBIDDEN ).build();
159 
160         }
161         catch ( MustChangePasswordException e )
162         {
163             log.debug( "must change password for path {}", message.get( Message.REQUEST_URI ) );
164             return Response.status( Response.Status.FORBIDDEN ).build();
165 
166         }
167         catch ( AuthenticationException e )
168         {
169             log.debug( "failed to authenticate for path {}", message.get( Message.REQUEST_URI ) );
170             return Response.status( Response.Status.FORBIDDEN ).build();
171         }
172         catch ( UserManagerException e )
173         {
174             log.debug( "UserManagerException: {} for path", e.getMessage(), message.get( Message.REQUEST_URI ) );
175             return Response.status( Response.Status.FORBIDDEN ).build();
176         }
177     }
178 }