


1 /*
2  * Authenticate.java
3  *
4  * Version: $Revision: 1.12 $
5  *
6  * Date: $Date: 2006/05/26 14:40:03 $
7  *
8  * Copyright (c) 2002-2005, Hewlett-Packard Company and Massachusetts
9  * Institute of Technology. All rights reserved.
10  *
11  * Redistribution and use in source and binary forms, with or without
12  * modification, are permitted provided that the following conditions are
13  * met:
14  *
15  * - Redistributions of source code must retain the above copyright
16  * notice, this list of conditions and the following disclaimer.
17  *
18  * - Redistributions in binary form must reproduce the above copyright
19  * notice, this list of conditions and the following disclaimer in the
20  * documentation and/or other materials provided with the distribution.
21  *
22  * - Neither the name of the Hewlett-Packard Company nor the name of the
23  * Massachusetts Institute of Technology nor the names of their
24  * contributors may be used to endorse or promote products derived from
25  * this software without specific prior written permission.
26  *
27  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
28  * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
29  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
30  * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
31  * HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
32  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
33  * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
34  * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
35  * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
36  * TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
37  * USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
38  * DAMAGE.
39  */

40 package org.dspace.app.webui.util;
41
42 import java.io.IOException JavaDoc;
43 import java.util.Iterator JavaDoc;
44
45 import javax.servlet.ServletException JavaDoc;
46 import javax.servlet.http.HttpServletRequest JavaDoc;
47 import javax.servlet.http.HttpServletResponse JavaDoc;
48 import javax.servlet.http.HttpSession JavaDoc;
49
50 import org.apache.log4j.Logger;
51 import org.dspace.core.Context;
52 import org.dspace.core.LogManager;
53 import org.dspace.eperson.EPerson;
54 import org.dspace.eperson.AuthenticationManager;
55 import org.dspace.eperson.AuthenticationMethod;
56
57 /**
58  * Methods for authenticating the user. This is DSpace platform code, as opposed
59  * to the site-specific authentication code, that resides in implementations of
60  * the <code>org.dspace.eperson.AuthenticationMethod</code> interface.
61  *
62  * @author Robert Tansley
63  * @version $Revision: 1.12 $
64  */

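public class Authenticate
{
    /** log4j category */
    private static final Logger log = Logger.getLogger(Authenticate.class);

    /*
     * Names of the request/session attributes this class reads and writes.
     * The literal values are shared with other DSpace web UI code, so they
     * must not change.
     */

    /** Session flag: the redirect after login should resume the interrupted request. */
    private static final String RESUMING_REQUEST = "resuming.request";

    /** Session attribute: the {@link RequestInfo} of the interrupted request. */
    private static final String INTERRUPTED_REQUEST_INFO = "interrupted.request.info";

    /** Session attribute: the URL of the interrupted request. */
    private static final String INTERRUPTED_REQUEST_URL = "interrupted.request.url";

    /** Request attribute: the current user as an EPerson object. */
    private static final String CURRENT_USER = "dspace.current.user";

    /** Session attribute: the ID of the current user. */
    private static final String CURRENT_USER_ID = "dspace.current.user.id";

    /** Session attribute: the remote address seen at login time. */
    private static final String CURRENT_REMOTE_ADDR = "dspace.current.remote.addr";

    /**
     * Return the request that the system should be dealing with, given the
     * request that the browser just sent. If the incoming request is from a
     * redirect resulting from successful authentication, a request object
     * corresponding to the original request that prompted authentication is
     * returned. Otherwise, the request passed in is returned.
     *
     * The interrupted-request state is removed from the session on the way
     * out, so a resumed request can only be replayed once.
     *
     * @param request
     *            the incoming HTTP request
     * @return the HTTP request the DSpace system should deal with
     */
    public static HttpServletRequest getRealRequest(HttpServletRequest request)
    {
        HttpSession session = request.getSession();

        if (session.getAttribute(RESUMING_REQUEST) == null)
        {
            // Nothing to resume: the incoming request is the real one
            return request;
        }

        // Get info about the interrupted request
        RequestInfo requestInfo = (RequestInfo) session
                .getAttribute(INTERRUPTED_REQUEST_INFO);

        HttpServletRequest actualRequest;

        if (requestInfo == null)
        {
            // Can't find the wrapped request information.
            // FIXME: Proceed with current request - correct?
            actualRequest = request;
        }
        else
        {
            // Wrap the current request to make it look like the interrupted
            // one
            actualRequest = requestInfo.wrapRequest(request);
        }

        // Remove the info from the session so it isn't resumed twice
        clearInterruptedRequest(session);

        return actualRequest;
    }

    /**
     * Resume a previously interrupted request. This is invoked when a user has
     * been successfully authenticated. The request which led to authentication
     * will be resumed.
     *
     * @param request
     *            <em>current</em> HTTP request
     * @param response
     *            HTTP response
     * @throws IOException
     *             if the redirect cannot be sent
     */
    public static void resumeInterruptedRequest(HttpServletRequest request,
            HttpServletResponse response) throws IOException
    {
        HttpSession session = request.getSession();
        String originalURL = (String) session
                .getAttribute(INTERRUPTED_REQUEST_URL);

        if (originalURL == null)
        {
            // If for some reason we don't have the original URL, redirect
            // to My DSpace
            originalURL = request.getContextPath() + "/mydspace";
        }
        else
        {
            // Set the flag in the session, so that when the redirect is
            // followed, we'll know to resume the interrupted request
            session.setAttribute(RESUMING_REQUEST, Boolean.TRUE);
        }

        // Send the redirect. The stored URL was produced by
        // UIUtil.getOriginalURL() in startAuthentication() and is sent back
        // as-is; that helper is relied on to yield a same-site URL.
        response.sendRedirect(response.encodeRedirectURL(originalURL));
    }

    /**
     * Start the authentication process. This packages up the request that led
     * to authentication being required, and then invokes the site-specific
     * authentication method.
     *
     * If it returns true, the user was authenticated without any
     * redirection (e.g. by an X.509 certificate or other implicit method) so
     * the process that called this can continue and send its own response.
     * A "false" result means this method has sent its own redirect (or
     * rendered the login chooser page).
     *
     * @param context
     *            current DSpace context
     * @param request
     *            current HTTP request - the one that prompted authentication
     * @param response
     *            current HTTP response
     *
     * @return true if authentication is already finished (implicit method)
     * @throws ServletException
     *             if the chooser page cannot be displayed
     * @throws IOException
     *             if the redirect cannot be sent
     */
    public static boolean startAuthentication(Context context,
            HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException
    {
        HttpSession session = request.getSession();

        /*
         * Authenticate:
         * 1. try implicit methods first, since that may work without
         *    a redirect. return true if no redirect needed.
         * 2. if those fail, redirect to enter credentials.
         *    return false.
         */
        if (AuthenticationManager.authenticateImplicit(context, null, null,
                null, request) == AuthenticationMethod.SUCCESS)
        {
            loggedIn(context, request, context.getCurrentUser());
            log.info(LogManager.getHeader(context, "login", "type=implicit"));
            return true;
        }

        // Since we may be doing a redirect, make sure the redirect is not
        // cached
        response.addDateHeader("expires", 1);
        response.addHeader("Pragma", "no-cache");
        response.addHeader("Cache-control", "no-store");

        // Store the data from the request that led to authentication, and
        // its URL, so it can be resumed once the user has logged in
        session.setAttribute(INTERRUPTED_REQUEST_INFO, new RequestInfo(request));
        session.setAttribute(INTERRUPTED_REQUEST_URL,
                UIUtil.getOriginalURL(request));

        /*
         * Grovel over authentication methods, counting the ones with a
         * "redirect" login page -- if there's only one, go directly there.
         * If there is a choice (or none at all), go to JSP chooser.
         */
        String loginPageURL = findSoleLoginPageURL(context, request, response);

        if (loginPageURL != null)
        {
            response.sendRedirect(loginPageURL);
        }
        else
        {
            JSPManager.showJSP(request, response, "/login/chooser.jsp");
        }

        return false;
    }

    /**
     * Ask every configured authentication method for its login page and
     * return the URL only when exactly one method offers one.
     *
     * @param context
     *            current DSpace context
     * @param request
     *            current HTTP request
     * @param response
     *            current HTTP response
     * @return the single login page URL, or null when zero or several methods
     *         offer a login page (the caller then shows the chooser)
     */
    private static String findSoleLoginPageURL(Context context,
            HttpServletRequest request, HttpServletResponse response)
    {
        Iterator methods = AuthenticationManager.authenticationMethodIterator();
        int pageCount = 0;
        String lastPageURL = null;

        while (methods.hasNext())
        {
            AuthenticationMethod method = (AuthenticationMethod) methods.next();
            String pageURL = method.loginPageURL(context, request, response);

            if (pageURL != null)
            {
                lastPageURL = pageURL;
                ++pageCount;
            }
        }

        return (pageCount == 1) ? lastPageURL : null;
    }

    /**
     * Store information about the current user in the request and context
     *
     * @param context
     *            DSpace context
     * @param request
     *            HTTP request
     * @param eperson
     *            the eperson logged in
     * @throws IllegalArgumentException
     *             if {@code eperson} is null
     */
    public static void loggedIn(Context context, HttpServletRequest request,
            EPerson eperson)
    {
        if (eperson == null)
        {
            // Fail clearly rather than with an NPE from eperson.getID() below
            throw new IllegalArgumentException("eperson must not be null");
        }

        HttpSession session = request.getSession();

        context.setCurrentUser(eperson);

        // We store the current user in the request as an EPerson object...
        request.setAttribute(CURRENT_USER, eperson);

        // and in the session as an ID
        session.setAttribute(CURRENT_USER_ID, new Integer(eperson.getID()));

        // and the remote IP address to compare against later requests
        // so we can detect session hijacking.
        session.setAttribute(CURRENT_REMOTE_ADDR, request.getRemoteAddr());

        // NOTE(review): the session keeps the same identifier across the
        // anonymous -> authenticated transition. Rotating the session here
        // would require carrying the interrupted.request.* attributes over
        // to the new session, so it is left to the caller/container config.
    }

    /**
     * Log the user out
     *
     * @param context
     *            DSpace context
     * @param request
     *            HTTP request
     */
    public static void loggedOut(Context context, HttpServletRequest request)
    {
        HttpSession session = request.getSession();

        context.setCurrentUser(null);
        request.removeAttribute(CURRENT_USER);
        session.removeAttribute(CURRENT_USER_ID);

        // loggedIn() also recorded the remote address; drop it so a later
        // login in this session does not inherit a stale value
        session.removeAttribute(CURRENT_REMOTE_ADDR);
    }

    /**
     * Remove all interrupted-request state from the session.
     *
     * @param session
     *            the HTTP session to clean up
     */
    private static void clearInterruptedRequest(HttpSession session)
    {
        session.removeAttribute(RESUMING_REQUEST);
        session.removeAttribute(INTERRUPTED_REQUEST_INFO);
        session.removeAttribute(INTERRUPTED_REQUEST_URL);
    }
}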
286