KickJava   Java API By Example, From Geeks To Geeks.

Java > Open Source Codes > com > sun > web > security > WebProgrammaticLogin


1 /*
2  * The contents of this file are subject to the terms
3  * of the Common Development and Distribution License
4  * (the License). You may not use this file except in
5  * compliance with the License.
6  *
7  * You can obtain a copy of the license at
8  * https://glassfish.dev.java.net/public/CDDLv1.0.html or
9  * glassfish/bootstrap/legal/CDDLv1.0.txt.
10  * See the License for the specific language governing
11  * permissions and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL
14  * Header Notice in each file and include the License file
15  * at glassfish/bootstrap/legal/CDDLv1.0.txt.
16  * If applicable, add the following below the CDDL Header,
17  * with the fields enclosed by brackets [] replaced by
18  * you own identifying information:
19  * "Portions Copyrighted [year] [name of copyright owner]"
20  *
21  * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
22  */

23
24 package com.sun.web.security;
25
26 import java.security.*;
27 import java.io.*;
28 import java.util.logging.Logger JavaDoc;
29 import java.util.logging.Level JavaDoc;
30 import javax.servlet.ServletRequest JavaDoc;
31 import javax.servlet.ServletRequestWrapper JavaDoc;
32 import javax.servlet.http.HttpServletRequest JavaDoc;
33 import javax.servlet.http.HttpServletResponse JavaDoc;
34 import javax.servlet.http.HttpSession JavaDoc;
35
36 import org.apache.catalina.Session;
37 import org.apache.catalina.Context;
38 import org.apache.catalina.Manager;
39 import org.apache.coyote.Request;
40
41 import com.sun.web.security.WebPrincipal;
42
43 import com.sun.logging.LogDomains;
44
45 import com.sun.enterprise.security.auth.LoginContextDriver;
46 import com.sun.enterprise.security.SecurityContext;
47
48 import org.apache.coyote.tomcat5.CoyoteRequest;
49 import org.apache.coyote.tomcat5.CoyoteRequestFacade;
50
51 /**
52  * Internal implementation for servlet programmatic login.
53  *
54  * @see com.sun.appserv.security.ProgrammaticLogin
55  *
56  */

57
58 public class WebProgrammaticLogin
59 {
60
61     // Used for the auth-type string.
62
public static final String JavaDoc WEBAUTH_PROGRAMMATIC="PROGRAMMATIC";
63
64     private static Logger JavaDoc logger =
65         LogDomains.getLogger(LogDomains.SECURITY_LOGGER);
66
67
68     /**
69      * Login and set up principal in request and session. This implements
70      * programmatic login for servlets.
71      *
72      * <P>Due to a number of bugs in RI the security context is not
73      * shared between web container and ejb container. In order for an
74      * identity established by programmatic login to be known to both
75      * containers, it needs to be set not only in the security context but
76      * also in the current request and, if applicable, the session object.
77      * If a session does not exist this method does not create one.
78      *
79      * <P>See bugs 4646134, 4688449 and other referenced bugs for more
80      * background.
81      *
82      * <P>Note also that this login does not hook up into SSO.
83      *
84      * @param user User name to login.
85      * @param password User password.
86      * @param request HTTP request object provided by caller application. It
87      * should be an instance of HttpRequestFacade.
88      * @param response HTTP response object provided by called application. It
89      * should be an instance of HttpServletResponse. This is not used
90      * currently.
91      * @param realm the realm name to be authenticated to. If the realm is null,
92      * authentication takes place in default realm
93      * @returns A Boolean object; true if login succeeded, false otherwise.
94      * @see com.sun.appserv.security.ProgrammaticLogin
95      * @throws Exception on login failure.
96      *
97      */

98     public static Boolean JavaDoc login(String JavaDoc user, String JavaDoc password, String JavaDoc realm,
99                                 HttpServletRequest JavaDoc request,
100                                 HttpServletResponse JavaDoc response)
101     {
102         // Need real request object not facade
103

104         CoyoteRequest req = getUnwrappedCoyoteRequest(request);
105         if (req == null) {
106             return Boolean.valueOf(false);
107         }
108         
109         // Try to login - this will set up security context on success
110
LoginContextDriver.login(user, password, realm);
111
112         // Create a WebPrincipal for tomcat and store in current request
113
// This will allow programmatic authorization later in this request
114
// to work as expected.
115

116         SecurityContext secCtx = SecurityContext.getCurrent();
117         assert (secCtx != null); // since login succeeded above
118

119         WebPrincipal principal = new WebPrincipal(user, password, secCtx);
120         req.setUserPrincipal(principal);
121         req.setAuthType(WEBAUTH_PROGRAMMATIC);
122
123         if(logger.isLoggable(Level.FINE)){
124             logger.log(Level.FINE, "Programmatic login set principal in http request to: "+
125                       user);
126         }
127
128         // Try to retrieve a Session object (not the facade); if it exists
129
// store the principal there as well. This will allow web container
130
// authorization to work in subsequent requests in this session.
131

132         Session JavaDoc realSession = getSession(req);
133         if (realSession != null) {
134             realSession.setPrincipal((Principal)principal);
135             realSession.setAuthType(WEBAUTH_PROGRAMMATIC);
136             if(logger.isLoggable(Level.FINE)){
137                 logger.log(Level.FINE, "Programmatic login set principal in session.");
138             }
139         } else {
140             if(logger.isLoggable(Level.FINE)){
141                 logger.log(Level.FINE,"Programmatic login: No session available.");
142             }
143         }
144
145         return Boolean.valueOf(true);
146     }
147
148
149     /**
150      * Return the unwrapped <code>CoyoteRequest</code> object.
151      */

152     private static CoyoteRequest getUnwrappedCoyoteRequest(HttpServletRequest JavaDoc request){
153         CoyoteRequest req = null;
154         ServletRequest JavaDoc servletRequest = request;
155         try{
156
157         while (servletRequest instanceof ServletRequestWrapper JavaDoc) {
158         servletRequest = ((ServletRequestWrapper JavaDoc)request).getRequest();
159         }
160
161         if (servletRequest instanceof CoyoteRequestFacade) {
162         req = ((CoyoteRequestFacade)servletRequest).getUnwrappedCoyoteRequest();
163         }
164
165         } catch (AccessControlException ex){
166             logger.log(Level.FINE, "Programmatic login faiied to get request");
167         }
168         return req;
169     }
170
171     /**
172      * Logout and remove principal in request and session.
173      *
174      * @param request HTTP request object provided by caller application. It
175      * should be an instance of HttpRequestFacade.
176      * @param response HTTP response object provided by called application. It
177      * should be an instance of HttpServletResponse. This is not used
178      * currently.
179      * @returns A Boolean object; true if login succeeded, false otherwise.
180      * @see com.sun.appserv.security.ProgrammaticLogin
181      * @throws Exception any exception encountered during logout operation
182      */

183     public static Boolean JavaDoc logout(HttpServletRequest JavaDoc request,
184                                  HttpServletResponse JavaDoc response) throws Exception JavaDoc
185     {
186         // Need real request object not facade
187

188         CoyoteRequest req = getUnwrappedCoyoteRequest(request);
189         if (req == null) {
190             return Boolean.valueOf(false);
191         }
192         
193         // Logout - clears out security context
194

195         LoginContextDriver.logout();
196         // Remove principal and auth type from request
197

198         req.setUserPrincipal(null);
199         req.setAuthType(null);
200         if(logger.isLoggable(Level.FINE)){
201             logger.log(Level.FINE, "Programmatic logout removed principal from request.");
202         }
203
204         // Remove from session if possible.
205

206         Session JavaDoc realSession = getSession(req);
207         if (realSession != null) {
208             realSession.setPrincipal(null);
209             realSession.setAuthType(null);
210             if(logger.isLoggable(Level.FINE)){
211                 logger.log(Level.FINE, "Programmatic logout removed principal from "+
212                           "session.");
213             }
214         }
215
216         return Boolean.valueOf(true);
217     }
218
219
220     /**
221      * Returns the underlying Session object from the request, if one is
222      * available, or null.
223      *
224      */

225     private static Session JavaDoc getSession(CoyoteRequest request)
226     {
227         HttpSession JavaDoc session = request.getSession(false);
228
229         if (session != null) {
230             Context context = request.getContext();
231             if (context != null) {
232                 Manager manager = context.getManager();
233                 if (manager != null) {
234                                 // need to locate the real Session obj
235
String JavaDoc sessionId = session.getId();
236                     try {
237                         Session JavaDoc realSession = manager.findSession(sessionId);
238                         return realSession;
239                     } catch (IOException e) {
240                         // ignored
241
return null;
242                     }
243                 }
244             }
245         }
246         
247         return null;
248     }
249 }
250
Popular Tags