

1 /*
2  * MITSpecialGroup.java
3  *
4  * Version: $Revision: 1.1 $
5  *
6  * Date: $Date: 2005/10/17 03:41:00 $
7  *
8  * Copyright (c) 2002-2005, Hewlett-Packard Company and Massachusetts
9  * Institute of Technology. All rights reserved.
10  *
11  * Redistribution and use in source and binary forms, with or without
12  * modification, are permitted provided that the following conditions are
13  * met:
14  *
15  * - Redistributions of source code must retain the above copyright
16  * notice, this list of conditions and the following disclaimer.
17  *
18  * - Redistributions in binary form must reproduce the above copyright
19  * notice, this list of conditions and the following disclaimer in the
20  * documentation and/or other materials provided with the distribution.
21  *
22  * - Neither the name of the Hewlett-Packard Company nor the name of the
23  * Massachusetts Institute of Technology nor the names of their
24  * contributors may be used to endorse or promote products derived from
25  * this software without specific prior written permission.
26  *
27  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
28  * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
29  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
30  * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
31  * HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
32  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
33  * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
34  * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
35  * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
36  * TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
37  * USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
38  * DAMAGE.
39  */

40 package edu.mit.dspace;
41
import java.io.IOException;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Locale;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.jsp.PageContext;
import javax.servlet.jsp.jstl.fmt.LocaleSupport;

import org.apache.log4j.Logger;
import org.dspace.authorize.AuthorizeException;
import org.dspace.core.Context;
import org.dspace.core.LogManager;
import org.dspace.eperson.AuthenticationMethod;
import org.dspace.eperson.EPerson;
import org.dspace.eperson.Group;
58
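/**
 * Identify members of "MIT Community" and give them membership in
 * a special group.  It actually does two things:
 * <p>
 * 1. When an MIT user logs in, put them in the special MIT group (so
 *    they get access to materials restricted to the MIT community).
 *    The membership test is by IP address and/or email address.
 * <p>
 * 2. When a new user is registered, set the property that requires
 *    certificate authentication if they have an "@mit.edu" email
 *    address -- and thus presumably an MIT personal web cert.
 * <p>
 * Note that this method does <strong>not</strong> actually authenticate
 * anyone, it just adds a special group.  With stackable authentication it
 * can do its work from within the stack and let other methods handle
 * the authentication.
 * <p>
 * Security note: both membership signals are weak on their own.  The IP
 * test applies to requests with no logged-in user at all, and the email
 * test is only as trustworthy as whatever method established the current
 * user and their email address.  Every failure path in this class grants
 * no group (fails closed).
 *
 * @author Larry Stone
 * @version $Revision: 1.1 $
 */
public class MITSpecialGroup
    implements AuthenticationMethod
{
    /** log4j category */
    private static final Logger log = Logger.getLogger(MITSpecialGroup.class);

    /**
     * Name of DSpace group to which MIT-community clients are
     * automatically added.  The DSpace Admin must create this group;
     * while it is missing, {@link #getSpecialGroups} grants nothing.
     */
    public static final String MIT_GROUPNAME = "MIT Users";

    /** Email suffix (lower case) that marks an address as an MIT address. */
    private static final String MIT_EMAIL_SUFFIX = "@mit.edu";

    /**
     * Textual prefixes of remote addresses treated as "MIT community".
     * Each entry ends with a dot so that the match stops on an octet
     * boundary (e.g. "18." cannot match "180.1.2.3").
     * <p>
     * XXX Note: The list of IP addresses really ought to be in a
     * configuration property, not hardcoded, since it can change on
     * short notice!  An entry that is no longer accurate keeps granting
     * restricted-content access to requests from that range, so this
     * list needs periodic review.
     */
    private static final String[] MIT_IP_PREFIXES = {
        "18.",            // Good old Net 18
        "128.52.",        // AI
        "129.55.",        // Lincoln
        "192.52.65.",     // Haystack
        "192.52.61.",     // Haystack
        "198.125.160.",   // Physicists/ESnet ranges purchased
        "198.125.161.",   // ...
        "198.125.162.",   // ...
        "198.125.163.",   // ...
        "198.125.176.",   // ...
        "198.125.177.",   // ...
        "198.125.178.",   // ...
        "198.125.179."    // ...
    };

    /**
     * We don't care about self registering here.
     * Let a real auth method return true if it wants.
     *
     * @param context  DSpace context (unused)
     * @param request  current request (unused)
     * @param username candidate user name (unused)
     * @return always false
     */
    public boolean canSelfRegister(Context context,
                                   HttpServletRequest request,
                                   String username)
        throws SQLException
    {
        return false;
    }

    /**
     * Initialize new EPerson.
     * Policy: Require certificate access for MIT users.
     *
     * @param context DSpace context (unused)
     * @param request current request (unused)
     * @param eperson newly created EPerson; its require-certificate flag is
     *                set when its email address is an MIT address
     */
    public void initEPerson(Context context, HttpServletRequest request,
            EPerson eperson)
        throws SQLException
    {
        // If an MIT user, they must use a certificate
        if (isMITEmail(eperson.getEmail()))
        {
            eperson.setRequireCertificate(true);
        }
    }

    /**
     * Predicate, is user allowed to set EPerson password.
     * Anyone whose email address ends with @mit.edu must use a Web cert
     * to log in, so can't set a password.
     *
     * @param context  DSpace context (unused)
     * @param request  current request (unused)
     * @param username user name, compared as an email address
     * @return false for an MIT address, true otherwise
     */
    public boolean allowSetPassword(Context context,
                                    HttpServletRequest request,
                                    String username)
        throws SQLException
    {
        return !isMITEmail(username);
    }

    /**
     * This is an implicit method, although it doesn't do authentication.
     * The email and IP-based checks should be run in the implicit stack.
     *
     * @return always true
     */
    public boolean isImplicit()
    {
        return true;
    }

    /**
     * Add user to special MIT group if they're a member of MIT community.
     * <p>
     * Membership is granted when the current user's email is an MIT
     * address, or when the request comes from a listed MIT address range.
     * A missing group and a database error both yield an empty result, so
     * a failure never widens access.
     *
     * @param context DSpace context; its current user may be null
     * @param request current request, or null if not applicable (the IP
     *                test is skipped then)
     * @return array holding the MIT group's ID, or an empty array
     */
    public int[] getSpecialGroups(Context context, HttpServletRequest request)
    {
        EPerson user = context.getCurrentUser();
        boolean hasMITEmail = (user != null) && isMITEmail(user.getEmail());

        try
        {
            if (!hasMITEmail
                    && (request == null || !isFromMITCommunity(request)))
            {
                log.debug(LogManager.getHeader(context, "getSpecialGroups",
                        "Not an MIT user, no groups for you."));
                return new int[0];
            }

            log.debug(LogManager.getHeader(context, "getSpecialGroups",
                    "Got an MIT user, looking for group"));

            Group mitGroup = Group.findByName(context, MIT_GROUPNAME);
            if (mitGroup == null)
            {
                // Oops - the group isn't there.
                log.warn(LogManager.getHeader(context, "getSpecialGroups",
                        "No MIT Group found!! Admin needs to create group named \""
                        + MIT_GROUPNAME + "\""));
                return new int[0];
            }

            return new int[] { mitGroup.getID() };
        }
        catch (SQLException e)
        {
            // Record the failure instead of dropping it: a silent empty
            // result is indistinguishable from "not an MIT user" when
            // someone investigates why restricted items became unreadable.
            log.warn(LogManager.getHeader(context, "getSpecialGroups",
                    "Database error looking up group \"" + MIT_GROUPNAME
                    + "\", granting no special groups"), e);
            return new int[0];
        }
    }

    /**
     * This method is not used.
     * This class is only for special groups and enforcement of cert policy.
     * Use X509Authentication to authenticate.
     *
     * @return always BAD_ARGS, so this method never authenticates anyone
     */
    public int authenticate(Context context,
                            String username,
                            String password,
                            String realm,
                            HttpServletRequest request)
        throws SQLException
    {
        return BAD_ARGS;
    }

    /**
     * Returns URL to which to redirect to obtain credentials (either password
     * prompt or e.g. HTTPS port for client cert.); null means no redirect.
     * This class has no login page of its own.
     *
     * @param context
     *            DSpace context (unused)
     * @param request
     *            The HTTP request that started this operation, or null if
     *            not applicable (unused)
     * @param response
     *            The HTTP response from the servlet method (unused)
     * @return always null
     */
    public String loginPageURL(Context context,
                               HttpServletRequest request,
                               HttpServletResponse response)
    {
        return null;
    }

    /**
     * Title for the login page; there is none for this method.
     *
     * @param context DSpace context (unused)
     * @return always null
     */
    public String loginPageTitle(Context context)
    {
        return null;
    }

    /**
     * Crude way to identify an MIT community member: does their
     * email end in @mit.edu ?  This will be true for anyone who
     * "logs in" with an MIT client web cert, but could also be
     * a false positive.  Someday perhaps use Data Warehouse feed to check.
     *
     * @param email address to test; null is treated as "not MIT"
     * @return true if the trimmed, lower-cased address ends with @mit.edu
     */
    private static boolean isMITEmail(String email)
    {
        if (email == null)
        {
            return false;
        }

        // Fixed locale: with the JVM default, a Turkish locale lower-cases
        // "I" to a dotless i, so "USER@MIT.EDU" would stop matching and the
        // certificate-only policy would silently not apply to that address.
        String normalized = email.trim().toLowerCase(Locale.ENGLISH);
        return normalized.endsWith(MIT_EMAIL_SUFFIX);
    }

    /**
     * Check to see if the user is an MIT user.  At present, it just checks the
     * source IP address.  Note this is independent of user authentication - if
     * the user is an off-site MIT user, this will still return false.
     * <p>
     * The test is a string-prefix match on the textual remote address, so an
     * address in any other textual form (for example IPv6) never matches.
     * NOTE(review): getRemoteAddr() is the address of the directly connected
     * peer; if this application sits behind a reverse proxy or load balancer
     * that is presumably the proxy's address rather than the client's -
     * confirm against the deployment before relying on this check.
     *
     * @param request
     *            current request
     *
     * @return true if the request's remote address starts with one of the
     *         listed MIT prefixes
     */
    private static boolean isFromMITCommunity(HttpServletRequest request)
    {
        String addr = request.getRemoteAddr();

        log.debug("checking MIT membership of IP addr=" + addr);

        if (addr == null)
        {
            // No address to test: treat as outside the community.
            return false;
        }

        for (int i = 0; i < MIT_IP_PREFIXES.length; i++)
        {
            if (addr.startsWith(MIT_IP_PREFIXES[i]))
            {
                return true;
            }
        }

        return false;
    }
}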