BaseAuthenticationHandler


1   /*
2    * Copyright 2003-2006 Rick Knowles <winstone-devel at lists sourceforge net>
3    * Distributed under the terms of either:
4    * - the common development and distribution license (CDDL), v1.0; or
5    * - the GNU Lesser General Public License, v2.1 or later
6    */
7   package winstone.auth;
8   
9   import java.io.IOException  ;
10  import java.util.List  ;
11  import java.util.Set  ;
12  
13  import javax.servlet.ServletException  ;
14  import javax.servlet.ServletRequest  ;
15  import javax.servlet.ServletResponse  ;
16  import javax.servlet.http.HttpServletRequest  ;
17  import javax.servlet.http.HttpServletResponse  ;
18  
19  import org.w3c.dom.Node  ;
20  
21  import winstone.AuthenticationHandler;
22  import winstone.AuthenticationRealm;
23  import winstone.Logger;
24  import winstone.WebAppConfiguration;
25  import winstone.WinstoneResourceBundle;
26  
27  /**
28   * Base class for managers of authentication within Winstone. This class also
29   * acts as a factory, loading the appropriate subclass for the requested auth
30   * type.
31   * 
32   * @author mailto: <a HREF="rick_knowles@hotmail.com">Rick Knowles</a>
33   * @version $Id: BaseAuthenticationHandler.java,v 1.6 2006/02/28 07:32:47 rickknowles Exp $
34   */
35  public abstract class BaseAuthenticationHandler implements
36          AuthenticationHandler {
37      static final String   ELEM_REALM_NAME = "realm-name";
38      
39      protected SecurityConstraint constraints[];
40      protected AuthenticationRealm realm;
41      protected String   realmName;
42      public final static WinstoneResourceBundle AUTH_RESOURCES = new WinstoneResourceBundle("winstone.auth.LocalStrings");
43  
44      /**
45       * Factory method - this parses the web.xml nodes and builds the correct
46       * subclass for handling that auth type.
47       */
48      protected BaseAuthenticationHandler(Node   loginConfigNode,
49              List   constraintNodes, Set   rolesAllowed,
50              AuthenticationRealm realm) {
51          this.realm = realm;
52  
53          for (int m = 0; m < loginConfigNode.getChildNodes().getLength(); m++) {
54              Node   loginElm = loginConfigNode.getChildNodes().item(m);
55              if (loginElm.getNodeType() != Node.ELEMENT_NODE)
56                  continue;
57              else if (loginElm.getNodeName().equals(ELEM_REALM_NAME))
58                  realmName = WebAppConfiguration.getTextFromNode(loginElm);
59          }
60  
61          // Build security constraints
62          this.constraints = new SecurityConstraint[constraintNodes.size()];
63          for (int n = 0; n < constraints.length; n++)
64              this.constraints[n] = new SecurityConstraint((Node  ) constraintNodes
65                      .get(n), rolesAllowed, n);
66      }
67  
68      /**
69       * Evaluates any authentication constraints, intercepting if auth is
70       * required. The relevant authentication handler subclass's logic is used to
71       * actually authenticate.
72       * 
73       * @return A boolean indicating whether to continue after this request
74       */
75      public boolean processAuthentication(ServletRequest   inRequest,
76              ServletResponse   inResponse, String   pathRequested)
77              throws IOException  , ServletException   {
78          Logger.log(Logger.FULL_DEBUG, AUTH_RESOURCES,
79                  "BaseAuthenticationHandler.StartAuthCheck");
80  
81          HttpServletRequest   request = (HttpServletRequest  ) inRequest;
82          HttpServletResponse   response = (HttpServletResponse  ) inResponse;
83  
84          // Give previous attempts a chance to be validated
85          if (!validatePossibleAuthenticationResponse(request, response, pathRequested)) {
86              return false;
87          } else {
88              return doRoleCheck(request, response, pathRequested);
89          }
90      }
91  
92      protected boolean doRoleCheck(HttpServletRequest   request,
93              HttpServletResponse   response, String   pathRequested) 
94              throws IOException  , ServletException   {
95          // Loop through constraints
96          boolean foundApplicable = false;
97          for (int n = 0; (n < this.constraints.length) && !foundApplicable; n++) {
98              Logger.log(Logger.FULL_DEBUG, AUTH_RESOURCES,
99                      "BaseAuthenticationHandler.EvalConstraint",
100                     this.constraints[n].getName());
101 
102             // Find one that applies, then
103             if (this.constraints[n].isApplicable(pathRequested, request.getMethod())) {
104                 Logger.log(Logger.FULL_DEBUG, AUTH_RESOURCES,
105                         "BaseAuthenticationHandler.ApplicableConstraint",
106                         this.constraints[n].getName());
107                 foundApplicable = true;
108 
109                 if (this.constraints[n].needsSSL() && !request.isSecure()) {
110                     Logger.log(Logger.DEBUG, AUTH_RESOURCES,
111                             "BaseAuthenticationHandler.ConstraintNeedsSSL",
112                             this.constraints[n].getName());
113                     response.sendError(HttpServletResponse.SC_FORBIDDEN, 
114                             AUTH_RESOURCES.getString("BaseAuthenticationHandler.ConstraintNeedsSSL", 
115                                     this.constraints[n].getName()));
116                     return false;
117                 }
118 
119                 else if (!this.constraints[n].isAllowed(request)) {
120                     // Logger.log(Logger.FULL_DEBUG, "Not allowed - requesting auth");
121                     requestAuthentication(request, response, pathRequested);
122                     return false;
123                 } else {
124                     // Logger.log(Logger.FULL_DEBUG, "Allowed - authorization accepted");
125                     // Ensure that secured resources are not cached
126                     setNoCache(response);
127                 }
128             }
129         }
130         
131         // If we made it this far without a check being run, there must be none applicable
132         Logger.log(Logger.FULL_DEBUG, AUTH_RESOURCES, "BaseAuthenticationHandler.PassedAuthCheck");
133         return true;
134     }
135     
136     protected void setNoCache(HttpServletResponse   response) {
137         response.setHeader("Pragma", "No-cache");
138         response.setHeader("Cache-Control", "No-cache");
139         response.setDateHeader("Expires", 1);
140     }
141 
142     /**
143      * The actual auth request implementation.
144      */
145     protected abstract void requestAuthentication(HttpServletRequest   request,
146             HttpServletResponse   response, String   pathRequested)
147             throws IOException  , ServletException  ;
148 
149     /**
150      * Handling the (possible) response
151      */
152     protected abstract boolean validatePossibleAuthenticationResponse(
153             HttpServletRequest   request, HttpServletResponse   response,
154             String   pathRequested) throws ServletException  , IOException  ;
155 }
156
A to Z: JavaDoc & Examples Daily Java News & Articles Open Source Projects Open Source Codes Free Computer Books Remove Frame
Popular Tags