001package org.apache.archiva.redback.integration.filter.authentication;
002
003/*
004 * Licensed to the Apache Software Foundation (ASF) under one
005 * or more contributor license agreements.  See the NOTICE file
006 * distributed with this work for additional information
007 * regarding copyright ownership.  The ASF licenses this file
008 * to you under the Apache License, Version 2.0 (the
009 * "License"); you may not use this file except in compliance
010 * with the License.  You may obtain a copy of the License at
011 *
012 * http://www.apache.org/licenses/LICENSE-2.0
013 *
014 * Unless required by applicable law or agreed to in writing,
015 * software distributed under the License is distributed on an
016 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
017 * KIND, either express or implied.  See the License for the
018 * specific language governing permissions and limitations
019 * under the License.
020 */
021
022import org.apache.archiva.redback.authentication.AuthenticationDataSource;
023import org.apache.archiva.redback.authentication.AuthenticationException;
024import org.apache.archiva.redback.authentication.AuthenticationResult;
025import org.apache.archiva.redback.policy.AccountLockedException;
026import org.apache.archiva.redback.policy.MustChangePasswordException;
027import org.apache.archiva.redback.system.SecuritySession;
028import org.apache.archiva.redback.system.SecuritySystem;
029import org.apache.archiva.redback.system.SecuritySystemConstants;
030import org.apache.archiva.redback.users.User;
031import org.apache.archiva.redback.users.UserManagerException;
032import org.apache.archiva.redback.users.UserNotFoundException;
033import org.slf4j.Logger;
034import org.slf4j.LoggerFactory;
035
036import javax.inject.Inject;
037import javax.servlet.http.HttpServletRequest;
038import javax.servlet.http.HttpServletResponse;
039import javax.servlet.http.HttpSession;
040import java.io.IOException;
041
042/**
043 * HttpAuthenticator
044 *
045 * @author <a href="mailto:joakim@erdfelt.com">Joakim Erdfelt</a>
046 */
047public abstract class HttpAuthenticator
048{
049    protected Logger log = LoggerFactory.getLogger( getClass() );
050
051    @Inject
052    protected SecuritySystem securitySystem;
053
054    /**
055     * The Public Face of the Authenticator.
056     *
057     * @throws MustChangePasswordException
058     * @throws AccountLockedException
059     */
060    public AuthenticationResult authenticate( AuthenticationDataSource ds, HttpSession httpSession )
061        throws AuthenticationException, AccountLockedException, MustChangePasswordException
062    {
063        try
064        {
065            SecuritySession securitySession = securitySystem.authenticate( ds );
066
067            setSecuritySession( securitySession, httpSession );
068
069            return securitySession.getAuthenticationResult().user( securitySession.getUser() );
070        }
071        catch ( AuthenticationException e )
072        {
073            String msg = "Unable to authenticate user: " + ds;
074            log.info( msg, e );
075            throw new HttpAuthenticationException( msg, e );
076        }
077        catch ( UserNotFoundException e )
078        {
079            log.info( "Login attempt against unknown user: {}", ds );
080            throw new HttpAuthenticationException( "User name or password invalid." );
081        }
082        catch ( UserManagerException e )
083        {
084            log.info( "UserManagerException: {}", e.getMessage() );
085            throw new HttpAuthenticationException( e.getMessage(), e );
086        }
087    }
088
089    /**
090     * Entry point for a Filter.
091     *
092     * @param request
093     * @param response
094     * @throws AuthenticationException
095     */
096    public void authenticate( HttpServletRequest request, HttpServletResponse response )
097        throws AuthenticationException
098    {
099        try
100        {
101            AuthenticationResult result = getAuthenticationResult( request, response );
102
103            if ( ( result == null ) || ( !result.isAuthenticated() ) )
104            {
105                throw new HttpAuthenticationException( "You are not authenticated." );
106            }
107        }
108        catch ( AccountLockedException e )
109        {
110            throw new HttpAuthenticationException( "Your account is locked.", e );
111        }
112        catch ( MustChangePasswordException e )
113        {
114            throw new HttpAuthenticationException( "You must change your password.", e );
115        }
116
117    }
118
119    /**
120     * Issue a Challenge Response back to the HTTP Client.
121     *
122     * @param request
123     * @param response
124     * @param realmName
125     * @param exception
126     * @throws IOException
127     */
128    public abstract void challenge( HttpServletRequest request, HttpServletResponse response, String realmName,
129                                    AuthenticationException exception )
130        throws IOException;
131
132    /**
133     * Parse the incoming request and return an AuthenticationResult.
134     *
135     * @param request
136     * @param response
137     * @return null if no http auth credentials, or the actual authentication result based on the credentials.
138     * @throws AuthenticationException
139     * @throws MustChangePasswordException
140     * @throws AccountLockedException
141     */
142    public abstract AuthenticationResult getAuthenticationResult( HttpServletRequest request,
143                                                                  HttpServletResponse response )
144        throws AuthenticationException, AccountLockedException, MustChangePasswordException;
145
146
147    public User getSessionUser( HttpSession httpSession )
148    {
149        return (User) httpSession.getAttribute( SecuritySession.USERKEY );
150    }
151
152    public boolean isAlreadyAuthenticated( HttpSession httpSession )
153    {
154        User user = getSessionUser( httpSession );
155
156        return ( ( user != null ) && !user.isLocked() && !user.isPasswordChangeRequired() );
157    }
158
159    public SecuritySession getSecuritySession( HttpSession httpSession )
160    {
161        SecuritySession securitySession = (SecuritySession) httpSession.getAttribute( SecuritySession.SESSION_KEY );
162        if ( securitySession != null )
163        {
164            return securitySession;
165        }
166        return (SecuritySession) httpSession.getAttribute( SecuritySystemConstants.SECURITY_SESSION_KEY );
167
168    }
169
170
171    public void setSecuritySession( SecuritySession session, HttpSession httpSession )
172    {
173        httpSession.setAttribute( SecuritySession.SESSION_KEY, session );
174        httpSession.setAttribute( SecuritySession.USERKEY, session.getUser() );
175    }
176
177    public void setSessionUser( User user, HttpSession httpSession )
178    {
179        httpSession.setAttribute( SecuritySession.SESSION_KEY, null );
180        httpSession.setAttribute( SecuritySession.USERKEY, user );
181    }
182
183
184}