001package org.apache.archiva.redback.integration.filter.authentication.basic; 002 003/* 004 * Licensed to the Apache Software Foundation (ASF) under one 005 * or more contributor license agreements. See the NOTICE file 006 * distributed with this work for additional information 007 * regarding copyright ownership. The ASF licenses this file 008 * to you under the Apache License, Version 2.0 (the 009 * "License"); you may not use this file except in compliance 010 * with the License. You may obtain a copy of the License at 011 * 012 * http://www.apache.org/licenses/LICENSE-2.0 013 * 014 * Unless required by applicable law or agreed to in writing, 015 * software distributed under the License is distributed on an 016 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 017 * KIND, either express or implied. See the License for the 018 * specific language governing permissions and limitations 019 * under the License. 020 */ 021 022import org.apache.archiva.redback.authentication.AuthenticationException; 023import org.apache.archiva.redback.authentication.AuthenticationResult; 024import org.apache.archiva.redback.authentication.PasswordBasedAuthenticationDataSource; 025import org.apache.archiva.redback.integration.filter.authentication.HttpAuthenticator; 026import org.apache.archiva.redback.policy.AccountLockedException; 027import org.apache.archiva.redback.policy.MustChangePasswordException; 028import org.apache.archiva.redback.system.SecuritySession; 029import org.apache.commons.codec.binary.Base64; 030import org.apache.commons.lang3.StringUtils; 031import org.springframework.stereotype.Service; 032 033import javax.servlet.http.HttpServletRequest; 034import javax.servlet.http.HttpServletResponse; 035import javax.servlet.http.HttpSession; 036import java.io.IOException; 037 038/** 039 * HttpBasicAuthentication 040 * 041 * @author <a href="mailto:joakim@erdfelt.com">Joakim Erdfelt</a> 042 * 043 */ 044@Service("httpAuthenticator#basic") 045public class HttpBasicAuthentication 046 extends HttpAuthenticator 047{ 048 049 public String getId() 050 { 051 return HttpBasicAuthentication.class.getName(); 052 } 053 054 public AuthenticationResult getAuthenticationResult( HttpServletRequest request, HttpServletResponse response ) 055 throws AuthenticationException, AccountLockedException, MustChangePasswordException 056 { 057 HttpSession httpSession = request.getSession( true ); 058 SecuritySession securitySession = getSecuritySession( httpSession ); 059 if ( securitySession != null ) 060 { 061 return securitySession.getAuthenticationResult(); 062 } 063 064 PasswordBasedAuthenticationDataSource authDataSource; 065 String header = request.getHeader( "Authorization" ); 066 067 // in tomcat this is : authorization=Basic YWRtaW46TWFuYWdlMDc= 068 if ( header == null ) 069 { 070 header = request.getHeader( "authorization" ); 071 } 072 073 if ( ( header != null ) && header.startsWith( "Basic " ) ) 074 { 075 String base64Token = header.substring( 6 ); 076 String token = new String( Base64.decodeBase64( base64Token.getBytes() ) ); 077 078 String username = ""; 079 String password = ""; 080 int delim = token.indexOf( ':' ); 081 082 if ( delim != ( -1 ) ) 083 { 084 username = token.substring( 0, delim ); 085 password = token.substring( delim + 1 ); 086 } 087 088 authDataSource = new PasswordBasedAuthenticationDataSource( username, password ); 089 return super.authenticate( authDataSource, httpSession ); 090 } 091 else 092 { 093 return null; 094 } 095 } 096 097 /** 098 * Return a HTTP 403 - Access Denied response. 099 * 100 * @param request the request to use. 101 * @param response the response to use. 102 * @param realmName the realm name to state. 103 * @param exception the exception to base the message off of. 104 * @throws IOException if there was a problem with the {@link HttpServletResponse#sendError(int,String)} call. 105 */ 106 public void challenge( HttpServletRequest request, HttpServletResponse response, String realmName, 107 AuthenticationException exception ) 108 throws IOException 109 { 110 response.addHeader( "WWW-Authenticate", "Basic realm=\"" + realmName + "\"" ); 111 String message = "You must provide a username and password to access this resource."; 112 if ( ( exception != null ) && StringUtils.isNotEmpty( exception.getMessage() ) ) 113 { 114 message = exception.getMessage(); 115 } 116 response.sendError( HttpServletResponse.SC_UNAUTHORIZED, message ); 117 } 118}