001package org.apache.archiva.redback.integration.filter.authentication; 002 003/* 004 * Licensed to the Apache Software Foundation (ASF) under one 005 * or more contributor license agreements. See the NOTICE file 006 * distributed with this work for additional information 007 * regarding copyright ownership. The ASF licenses this file 008 * to you under the Apache License, Version 2.0 (the 009 * "License"); you may not use this file except in compliance 010 * with the License. You may obtain a copy of the License at 011 * 012 * http://www.apache.org/licenses/LICENSE-2.0 013 * 014 * Unless required by applicable law or agreed to in writing, 015 * software distributed under the License is distributed on an 016 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 017 * KIND, either express or implied. See the License for the 018 * specific language governing permissions and limitations 019 * under the License. 020 */ 021 022import org.apache.archiva.redback.authentication.AuthenticationDataSource; 023import org.apache.archiva.redback.authentication.AuthenticationException; 024import org.apache.archiva.redback.authentication.AuthenticationResult; 025import org.apache.archiva.redback.policy.AccountLockedException; 026import org.apache.archiva.redback.policy.MustChangePasswordException; 027import org.apache.archiva.redback.system.SecuritySession; 028import org.apache.archiva.redback.system.SecuritySystem; 029import org.apache.archiva.redback.system.SecuritySystemConstants; 030import org.apache.archiva.redback.users.User; 031import org.apache.archiva.redback.users.UserManagerException; 032import org.apache.archiva.redback.users.UserNotFoundException; 033import org.slf4j.Logger; 034import org.slf4j.LoggerFactory; 035 036import javax.inject.Inject; 037import javax.servlet.http.HttpServletRequest; 038import javax.servlet.http.HttpServletResponse; 039import javax.servlet.http.HttpSession; 040import java.io.IOException; 041 042/** 043 * HttpAuthenticator 044 * 045 * @author <a href="mailto:joakim@erdfelt.com">Joakim Erdfelt</a> 046 */ 047public abstract class HttpAuthenticator 048{ 049 protected Logger log = LoggerFactory.getLogger( getClass() ); 050 051 @Inject 052 protected SecuritySystem securitySystem; 053 054 /** 055 * The Public Face of the Authenticator. 056 * 057 * @throws MustChangePasswordException 058 * @throws AccountLockedException 059 */ 060 public AuthenticationResult authenticate( AuthenticationDataSource ds, HttpSession httpSession ) 061 throws AuthenticationException, AccountLockedException, MustChangePasswordException 062 { 063 try 064 { 065 SecuritySession securitySession = securitySystem.authenticate( ds ); 066 067 setSecuritySession( securitySession, httpSession ); 068 069 return securitySession.getAuthenticationResult().user( securitySession.getUser() ); 070 } 071 catch ( AuthenticationException e ) 072 { 073 String msg = "Unable to authenticate user: " + ds; 074 log.info( msg, e ); 075 throw new HttpAuthenticationException( msg, e ); 076 } 077 catch ( UserNotFoundException e ) 078 { 079 log.info( "Login attempt against unknown user: {}", ds ); 080 throw new HttpAuthenticationException( "User name or password invalid." ); 081 } 082 catch ( UserManagerException e ) 083 { 084 log.info( "UserManagerException: {}", e.getMessage() ); 085 throw new HttpAuthenticationException( e.getMessage(), e ); 086 } 087 } 088 089 /** 090 * Entry point for a Filter. 091 * 092 * @param request 093 * @param response 094 * @throws AuthenticationException 095 */ 096 public void authenticate( HttpServletRequest request, HttpServletResponse response ) 097 throws AuthenticationException 098 { 099 try 100 { 101 AuthenticationResult result = getAuthenticationResult( request, response ); 102 103 if ( ( result == null ) || ( !result.isAuthenticated() ) ) 104 { 105 throw new HttpAuthenticationException( "You are not authenticated." ); 106 } 107 } 108 catch ( AccountLockedException e ) 109 { 110 throw new HttpAuthenticationException( "Your account is locked.", e ); 111 } 112 catch ( MustChangePasswordException e ) 113 { 114 throw new HttpAuthenticationException( "You must change your password.", e ); 115 } 116 117 } 118 119 /** 120 * Issue a Challenge Response back to the HTTP Client. 121 * 122 * @param request 123 * @param response 124 * @param realmName 125 * @param exception 126 * @throws IOException 127 */ 128 public abstract void challenge( HttpServletRequest request, HttpServletResponse response, String realmName, 129 AuthenticationException exception ) 130 throws IOException; 131 132 /** 133 * Parse the incoming request and return an AuthenticationResult. 134 * 135 * @param request 136 * @param response 137 * @return null if no http auth credentials, or the actual authentication result based on the credentials. 138 * @throws AuthenticationException 139 * @throws MustChangePasswordException 140 * @throws AccountLockedException 141 */ 142 public abstract AuthenticationResult getAuthenticationResult( HttpServletRequest request, 143 HttpServletResponse response ) 144 throws AuthenticationException, AccountLockedException, MustChangePasswordException; 145 146 147 public User getSessionUser( HttpSession httpSession ) 148 { 149 return (User) httpSession.getAttribute( SecuritySession.USERKEY ); 150 } 151 152 public boolean isAlreadyAuthenticated( HttpSession httpSession ) 153 { 154 User user = getSessionUser( httpSession ); 155 156 return ( ( user != null ) && !user.isLocked() && !user.isPasswordChangeRequired() ); 157 } 158 159 public SecuritySession getSecuritySession( HttpSession httpSession ) 160 { 161 SecuritySession securitySession = (SecuritySession) httpSession.getAttribute( SecuritySession.SESSION_KEY ); 162 if ( securitySession != null ) 163 { 164 return securitySession; 165 } 166 return (SecuritySession) httpSession.getAttribute( SecuritySystemConstants.SECURITY_SESSION_KEY ); 167 168 } 169 170 171 public void setSecuritySession( SecuritySession session, HttpSession httpSession ) 172 { 173 httpSession.setAttribute( SecuritySession.SESSION_KEY, session ); 174 httpSession.setAttribute( SecuritySession.USERKEY, session.getUser() ); 175 } 176 177 public void setSessionUser( User user, HttpSession httpSession ) 178 { 179 httpSession.setAttribute( SecuritySession.SESSION_KEY, null ); 180 httpSession.setAttribute( SecuritySession.USERKEY, user ); 181 } 182 183 184}